Overview

overview

10

Static

static

1

FT - 20221202.exe

windows7-x64

8

FT - 20221202.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    180s
  • max time network
    196s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-12-2022 10:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    FT - 20221202.exe

  • Size

    257KB

  • MD5

    48761a585f2cb5ffa54ef767bb18abdb

  • SHA1

    71483ebc4e70dfee81e108c38522a4f915b19600

  • SHA256

    6edd37fb895163628297cdcf7898da03027b960434bcae3404cd9fec27de1012

  • SHA512

    2594db7912073a8a69b632efd832eb800519a87af1045816ee4735d650ea410156c9cab93cc7ee8b6e06994bdd2f4fad62fafcbac399dc92a9fcba3af4ffa284

  • SSDEEP

    6144:QBn1PrZO0xliJYVYpu0OSmzleoJuou5KjfByDdDC0U0:gz40xkVu0BoSKdiCN0

Score
10/10
formbookb31bratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

b31b

Decoy

deltafxtrading.com

alisonangl.com

cdfqs.com

easyentry.vip

dentalinfodomain.com

hiphoppianyc.com

pools-62911.com

supportteam26589.site

delldaypa.one

szanody.com

diaper-basket.art

ffscollab.com

freediverconnect.com

namesbrun.com

theprimone.top

lenzolab.com

cikmas.com

genyuei-no.space

hellofstyle.com

lamagall.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 3 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:376
    • C:\Users\Admin\AppData\Local\Temp\FT - 20221202.exe
      "C:\Users\Admin\AppData\Local\Temp\FT - 20221202.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4908
      • C:\Users\Admin\AppData\Local\Temp\vprdqzqmrr.exe
        "C:\Users\Admin\AppData\Local\Temp\vprdqzqmrr.exe" C:\Users\Admin\AppData\Local\Temp\cyshbvjb.men
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:4960
        • C:\Users\Admin\AppData\Local\Temp\vprdqzqmrr.exe
          "C:\Users\Admin\AppData\Local\Temp\vprdqzqmrr.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:4272
    • C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\SysWOW64\svchost.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4968
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\vprdqzqmrr.exe"
        3⤵
          PID:4868

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\cyshbvjb.men
      Filesize

      5KB

      MD5

      34eb14fa108cef3da9bf1a3c901e1bb5

      SHA1

      163fea65826f9d7b1fe30382a4b1dd0f62ab7254

      SHA256

      5a27704746938fbeca4805c7118cf55fec8a27d1fca58f4de02f1669afa6acd0

      SHA512

      02a63bc1b0be2708ade2d0ffec4ecd764b24d37782f8ee1613328879992d4c7e6cdedb509983fd232ea30c9e1c25546c11f0a2102f22de9889b3a3236176e566

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\gmahhpyci.f
      Filesize

      185KB

      MD5

      863475a522f98bedd23f27df24fe3034

      SHA1

      83d4ee3921f70a4b155613406db2b5a031c6d97b

      SHA256

      e2f62070d38a9ccb2db6f33192b531a9186d4f1bd0ca679316475023286cc28f

      SHA512

      3f97e5fb8a6fcc518688ffba31f75e396feef5ec787873a33cd71a20f7e9127acc67415f445e6174f657f41c8aa55ea473b678ba92cc963cfecfabf8a8b5ea72

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\vprdqzqmrr.exe
      Filesize

      98KB

      MD5

      83d019341be3db33e14ddbcc713c905f

      SHA1

      d269752bc4e10f6b7ed674eed9271ff757b90f44

      SHA256

      4221ebc46f4573eb3513ce9d5eb47dae76e30209813ce0ab3714bcecf134fcc3

      SHA512

      cc599e59fa987c366c3f6c65ad469e312f796243c91f6b9ec454b845fa1fb1fffcdd9f4bfb86c3fe963128452d903e4d962fe53605ad061cd892c3125e349465

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\vprdqzqmrr.exe
      Filesize

      98KB

      MD5

      83d019341be3db33e14ddbcc713c905f

      SHA1

      d269752bc4e10f6b7ed674eed9271ff757b90f44

      SHA256

      4221ebc46f4573eb3513ce9d5eb47dae76e30209813ce0ab3714bcecf134fcc3

      SHA512

      cc599e59fa987c366c3f6c65ad469e312f796243c91f6b9ec454b845fa1fb1fffcdd9f4bfb86c3fe963128452d903e4d962fe53605ad061cd892c3125e349465

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\vprdqzqmrr.exe
      Filesize

      98KB

      MD5

      83d019341be3db33e14ddbcc713c905f

      SHA1

      d269752bc4e10f6b7ed674eed9271ff757b90f44

      SHA256

      4221ebc46f4573eb3513ce9d5eb47dae76e30209813ce0ab3714bcecf134fcc3

      SHA512

      cc599e59fa987c366c3f6c65ad469e312f796243c91f6b9ec454b845fa1fb1fffcdd9f4bfb86c3fe963128452d903e4d962fe53605ad061cd892c3125e349465

      Download Submit

    • memory/376-142-0x0000000008B70000-0x0000000008CEA000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/376-151-0x0000000008CF0000-0x0000000008E00000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/376-149-0x0000000008CF0000-0x0000000008E00000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/4272-137-0x0000000000000000-mapping.dmp

      Download

    • memory/4272-141-0x0000000000D40000-0x0000000000D54000-memory.dmp

      Filesize

      80KB

      Download

    • memory/4272-140-0x00000000013F0000-0x000000000173A000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4272-139-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/4868-144-0x0000000000000000-mapping.dmp

      Download

    • memory/4960-132-0x0000000000000000-mapping.dmp

      Download

    • memory/4968-143-0x0000000000000000-mapping.dmp

      Download

    • memory/4968-146-0x00000000006A0000-0x00000000006CF000-memory.dmp

      Filesize

      188KB

      Download

    • memory/4968-145-0x0000000000D90000-0x0000000000D9E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4968-147-0x0000000001200000-0x000000000154A000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4968-148-0x00000000010A0000-0x0000000001133000-memory.dmp

      Filesize

      588KB

      Download

    • memory/4968-150-0x00000000006A0000-0x00000000006CF000-memory.dmp

      Filesize

      188KB

      Download