Overview

overview

10

Static

static

1

a2b43ba6d6...64.exe

windows7-x64

10

a2b43ba6d6...64.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    173s
  • max time network
    171s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    05-12-2022 20:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a2b43ba6d6a6af9f0fa07cab1a1ffd64.exe

  • Size

    413KB

  • MD5

    a2b43ba6d6a6af9f0fa07cab1a1ffd64

  • SHA1

    0d63ee2545439dff61486e040fb8d921bee79ae3

  • SHA256

    9a67166c5a81302300022d5fcf029600356460fcf3ce82fa37db08b131a0459f

  • SHA512

    2a1105023880ae650ba67f2d657f3c0fe8c1a84c40a5a9ac5303f0c666226c454c40893f79073e816d14d873a3b583803934f9540a9ee7a604318affb1b427bb

  • SSDEEP

    6144:LBnmyK4O/ekC2y6gPWJ6OC4tp8k4Hg2Y5nkjtPPraKFMP4wzSl7dlP7O/9Dj:Q7e6gPPOCm8kSIsPWK2Ptzo7dpy

Score
10/10
formbook8rmtratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

8rmt

Decoy

3472cc.com

takecareyourhair.com

kontolajigasd21.xyz

daihaitrinh.net

syncmostlatestinfo-file.info

lovesolutionsastrologist.info

angelapryan.com

rio727casino.com

jjsgagets.com

devyatkina.online

thegoldenbeautyqatar.com

czytaj-unas24live.monster

timepoachers.com

gayxxxporn.site

72308.xyz

kristanolivo.com

hijrahfwd.com

bmfighters.com

alfamx.website

handfulofbabesbows.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 3 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1220
    • C:\Users\Admin\AppData\Local\Temp\a2b43ba6d6a6af9f0fa07cab1a1ffd64.exe
      "C:\Users\Admin\AppData\Local\Temp\a2b43ba6d6a6af9f0fa07cab1a1ffd64.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:276
      • C:\Users\Admin\AppData\Local\Temp\ycayuhnew.exe
        "C:\Users\Admin\AppData\Local\Temp\ycayuhnew.exe" C:\Users\Admin\AppData\Local\Temp\rjyyjwcs.j
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2036
        • C:\Users\Admin\AppData\Local\Temp\ycayuhnew.exe
          "C:\Users\Admin\AppData\Local\Temp\ycayuhnew.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:1740
    • C:\Windows\SysWOW64\mstsc.exe
      "C:\Windows\SysWOW64\mstsc.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2028
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\ycayuhnew.exe"
        3⤵
          PID:1344

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\dxlnbanzq.e
      Filesize

      185KB

      MD5

      f6710918e3ecdba55aa451fb1b08742d

      SHA1

      4ef0c29c55d0d532ceb1a5a324b62ff98d08dd70

      SHA256

      cc573825aba59339f11629b7fe1ed9adf098e5f12004f441948fe45fcc12a5a7

      SHA512

      fc35b518211c758cc7f00820a6dd8d5b8543b5e069cb3f837859b98c40027256c11459dfff85dde653a1137cd20c3e5a6bc1cfd3f7b82a094fe94e16d549a4f2

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\rjyyjwcs.j
      Filesize

      5KB

      MD5

      45cbfd24b9943772008f524a20e0a56f

      SHA1

      b4b00712aa448298ed165890245d8c916d2d0f64

      SHA256

      afef884e713661b15d8639ac7268b667742ebe67b0e031e7d617f2dd2d5813ff

      SHA512

      4f01cb3c9eb01dcd9e359322605d88e1c0d4b1dde3ecabc594dcb7ab44b6e937880c13cf595cff506df317cb7c928c2d30ebfb3249548ff3832c19a802e07f0d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\ycayuhnew.exe
      Filesize

      11KB

      MD5

      d3749f4e6710b8d5beb987f07a5e8580

      SHA1

      17d39d416576972ecdf7deb2dce4275941497a29

      SHA256

      edfa8cf65bbe6a0ad70cfc86a451b4ac86d034efc77f4e117151faa48af2d73f

      SHA512

      6c53523743ddec06f36fe941180c755a3d32c6c6fe85fe15fa7b159ded7d3d32202b6dd4e58f470e567feeac5ab46f3c6cc09a5d57a4b307baf786aa0365c5cd

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\ycayuhnew.exe
      Filesize

      11KB

      MD5

      d3749f4e6710b8d5beb987f07a5e8580

      SHA1

      17d39d416576972ecdf7deb2dce4275941497a29

      SHA256

      edfa8cf65bbe6a0ad70cfc86a451b4ac86d034efc77f4e117151faa48af2d73f

      SHA512

      6c53523743ddec06f36fe941180c755a3d32c6c6fe85fe15fa7b159ded7d3d32202b6dd4e58f470e567feeac5ab46f3c6cc09a5d57a4b307baf786aa0365c5cd

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\ycayuhnew.exe
      Filesize

      11KB

      MD5

      d3749f4e6710b8d5beb987f07a5e8580

      SHA1

      17d39d416576972ecdf7deb2dce4275941497a29

      SHA256

      edfa8cf65bbe6a0ad70cfc86a451b4ac86d034efc77f4e117151faa48af2d73f

      SHA512

      6c53523743ddec06f36fe941180c755a3d32c6c6fe85fe15fa7b159ded7d3d32202b6dd4e58f470e567feeac5ab46f3c6cc09a5d57a4b307baf786aa0365c5cd

      Download Submit
    • \Users\Admin\AppData\Local\Temp\ycayuhnew.exe
      Filesize

      11KB

      MD5

      d3749f4e6710b8d5beb987f07a5e8580

      SHA1

      17d39d416576972ecdf7deb2dce4275941497a29

      SHA256

      edfa8cf65bbe6a0ad70cfc86a451b4ac86d034efc77f4e117151faa48af2d73f

      SHA512

      6c53523743ddec06f36fe941180c755a3d32c6c6fe85fe15fa7b159ded7d3d32202b6dd4e58f470e567feeac5ab46f3c6cc09a5d57a4b307baf786aa0365c5cd

      Download Submit
    • \Users\Admin\AppData\Local\Temp\ycayuhnew.exe
      Filesize

      11KB

      MD5

      d3749f4e6710b8d5beb987f07a5e8580

      SHA1

      17d39d416576972ecdf7deb2dce4275941497a29

      SHA256

      edfa8cf65bbe6a0ad70cfc86a451b4ac86d034efc77f4e117151faa48af2d73f

      SHA512

      6c53523743ddec06f36fe941180c755a3d32c6c6fe85fe15fa7b159ded7d3d32202b6dd4e58f470e567feeac5ab46f3c6cc09a5d57a4b307baf786aa0365c5cd

      Download Submit
    • memory/276-54-0x00000000753C1000-0x00000000753C3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1220-68-0x0000000007060000-0x000000000716B000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/1220-78-0x0000000007170000-0x000000000729F000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/1220-76-0x0000000007170000-0x000000000729F000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/1344-74-0x0000000000000000-mapping.dmp
      Download
    • memory/1740-65-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1740-67-0x00000000001D0000-0x00000000001E5000-memory.dmp
      Filesize

      84KB

      Download
    • memory/1740-66-0x0000000000A80000-0x0000000000D83000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1740-63-0x000000000041F080-mapping.dmp
      Download
    • memory/2028-69-0x0000000000000000-mapping.dmp
      Download
    • memory/2028-71-0x0000000000B50000-0x0000000000C54000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/2028-72-0x00000000000C0000-0x00000000000EF000-memory.dmp
      Filesize

      188KB

      Download
    • memory/2028-73-0x0000000002060000-0x0000000002363000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/2028-75-0x00000000008E0000-0x0000000000974000-memory.dmp
      Filesize

      592KB

      Download
    • memory/2028-77-0x00000000000C0000-0x00000000000EF000-memory.dmp
      Filesize

      188KB

      Download
    • memory/2036-56-0x0000000000000000-mapping.dmp
      Download