Overview

overview

10

Static

static

SecuriteIn...82.exe

windows7-x64

10

SecuriteIn...82.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-12-2022 14:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Trojan.PackedNET.1725.22096.15782.exe

  • Size

    947KB

  • MD5

    fa16f4fdb2d9ad31bbb18a35ed5aa8e8

  • SHA1

    9cbe9ad8ae95765033c303abe150cec63642c32a

  • SHA256

    21e08bb00bf5a84ec339e16296437ef3f5fc98b93d62da5a2e26bebbb2eb5861

  • SHA512

    06a71d2636af52bc63524cace2066f5e5287d4d68fbb5f7db6f965d6cddbc9b0d92340f8a1e938d2b11acb5eeeff2e5abd15b9e7ab15cb489df351936a74f943

  • SSDEEP

    12288:k2lmLFCXGPtdUA7pY+ZmBjHUk+qTBcrovP4uo7T2TwmiaY+A7e6u6Z/knOY9y5NI:1YCWl9FhZmBHQronA7TwioA7cO9Lgx

Score
10/10
formbookf9r5ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

f9r5

Decoy

teknotimur.com

zuliboo.com

remmingtoncampbell.com

vehicletitleloansphoenix.com

sen-computer.com

98731.biz

shelikesblu.com

canis-totem.com

metaversemedianetwork.com

adsdu.com

vanishmediasystems.com

astewaykebede.com

wszhongxue.com

gacha-animator-free.com

papatyadekorasyon.com

mqc168.top

simplebrilliantsolutions.com

jubileehawkesprairie.com

ridflab.com

conboysfilm.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 1 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.1725.22096.15782.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.1725.22096.15782.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4800
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JhJajGFqWxtP.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2592
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JhJajGFqWxtP" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA6A0.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1280
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.1725.22096.15782.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.1725.22096.15782.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:864

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpA6A0.tmp
    Filesize

    1KB

    MD5

    b3b72052f4b7f4bd953e6a0d48e7c76c

    SHA1

    8f9fb7194da4de5829575094bb9600b61ecabd3c

    SHA256

    9d4cc5a94b70c271d3ac1495d768077f1eb5b08b8aafe5f000e004acc206e635

    SHA512

    6264f0bf0c7f68824e9fe8cefb0bea2ed3fa7504e6deedfe23dd38023534637186c3880a98856150595349cea591c8fabbe3a9e8661ad1bad87d357011090746

    Download Submit
  • memory/864-145-0x00000000014E0000-0x000000000182A000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/864-143-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/864-142-0x0000000000000000-mapping.dmp
    Download
  • memory/1280-138-0x0000000000000000-mapping.dmp
    Download
  • memory/2592-144-0x0000000005940000-0x0000000005962000-memory.dmp
    Filesize

    136KB

    Download
  • memory/2592-153-0x0000000007C80000-0x0000000007C9A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/2592-139-0x0000000002FC0000-0x0000000002FF6000-memory.dmp
    Filesize

    216KB

    Download
  • memory/2592-158-0x0000000007FA0000-0x0000000007FA8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/2592-141-0x0000000005C00000-0x0000000006228000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/2592-157-0x0000000007FB0000-0x0000000007FCA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/2592-156-0x0000000007EB0000-0x0000000007EBE000-memory.dmp
    Filesize

    56KB

    Download
  • memory/2592-155-0x0000000007EF0000-0x0000000007F86000-memory.dmp
    Filesize

    600KB

    Download
  • memory/2592-154-0x0000000007CF0000-0x0000000007CFA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/2592-146-0x0000000005B70000-0x0000000005BD6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/2592-147-0x00000000062A0000-0x0000000006306000-memory.dmp
    Filesize

    408KB

    Download
  • memory/2592-148-0x0000000006980000-0x000000000699E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2592-149-0x0000000006F40000-0x0000000006F72000-memory.dmp
    Filesize

    200KB

    Download
  • memory/2592-150-0x0000000070ED0000-0x0000000070F1C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/2592-151-0x0000000007B40000-0x0000000007B5E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2592-152-0x00000000082D0000-0x000000000894A000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/2592-137-0x0000000000000000-mapping.dmp
    Download
  • memory/4800-133-0x0000000005830000-0x0000000005DD4000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/4800-132-0x0000000000870000-0x0000000000962000-memory.dmp
    Filesize

    968KB

    Download
  • memory/4800-134-0x0000000005320000-0x00000000053B2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4800-135-0x0000000005300000-0x000000000530A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/4800-136-0x00000000062F0000-0x000000000638C000-memory.dmp
    Filesize

    624KB

    Download