Overview

overview

10

Static

static

1

bb4e86fa92...05.exe

windows7-x64

10

bb4e86fa92...05.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    51s
  • max time network
    44s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    13-02-2023 05:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bb4e86fa92499e118e502b2e0bc81d0389048c678e2ce9b2ffef5c81f489eb05.exe

  • Size

    913KB

  • MD5

    debe170f50f06aebab1d2f73f38c7e1c

  • SHA1

    4cb00e909a171eaf77e95ec8beace8940d9256bd

  • SHA256

    bb4e86fa92499e118e502b2e0bc81d0389048c678e2ce9b2ffef5c81f489eb05

  • SHA512

    f56cad6bb311fde24294f39450e0fe75a70c9cffbd6ac525b554e11006401b51b18fef1c686f78da32dc29207b5e315b97fdb1c03a7b2f4b2b19a4164438f390

  • SSDEEP

    24576:sb8FUqa9ywhtVZWKqINBKXJCPXgVOKPPPD:/5a9B/bqIi8/gAiPD

Score
10/10
formbookg2fgratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

g2fg

Decoy

snowcrash.website

pointman.us

newheartvalve.care

drandl.com

sandspringsramblers.com

programagubernamental.online

boja.us

mvrsnike.com

mentallyillmotherhood.com

facom.us

programagubernamental.store

izivente.com

roller-v.fr

amazonbioactives.com

metaverseapple.xyz

5gt-mobilevsverizon.com

gtwebsolutions.co

scottdunn.life

usdp.trade

pikmin.run

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bb4e86fa92499e118e502b2e0bc81d0389048c678e2ce9b2ffef5c81f489eb05.exe
    "C:\Users\Admin\AppData\Local\Temp\bb4e86fa92499e118e502b2e0bc81d0389048c678e2ce9b2ffef5c81f489eb05.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2028
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rQEtqJzJtbIAJ.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1636
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rQEtqJzJtbIAJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE16A.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:856
    • C:\Users\Admin\AppData\Local\Temp\bb4e86fa92499e118e502b2e0bc81d0389048c678e2ce9b2ffef5c81f489eb05.exe
      "C:\Users\Admin\AppData\Local\Temp\bb4e86fa92499e118e502b2e0bc81d0389048c678e2ce9b2ffef5c81f489eb05.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:588

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpE16A.tmp
    Filesize

    1KB

    MD5

    356390291837fa9f4e0594a4ce776383

    SHA1

    97bfebf52dd5335b7ca8aa2a2f7755ddf2995a81

    SHA256

    2f4dd61e37018dbc670be4760ccc972295777f34bbb9e45d3d598a923ef4d3cf

    SHA512

    70fbd908c20b2c1ae4488a43250497a7e86f2dc7f794cc37c64f9571c195ef71422ff7724d23ca335c33407a18571b47955ee9ddfaca6e0b82a472c1989a185d

    Download Submit
  • memory/588-65-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/588-69-0x0000000000A20000-0x0000000000D23000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/588-67-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/588-68-0x000000000041F160-mapping.dmp
    Download
  • memory/588-64-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/856-61-0x0000000000000000-mapping.dmp
    Download
  • memory/1636-71-0x00000000741F0000-0x000000007479B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1636-70-0x00000000741F0000-0x000000007479B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1636-59-0x0000000000000000-mapping.dmp
    Download
  • memory/2028-58-0x0000000005710000-0x00000000057A2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/2028-63-0x0000000004380000-0x00000000043DA000-memory.dmp
    Filesize

    360KB

    Download
  • memory/2028-54-0x0000000000090000-0x000000000017A000-memory.dmp
    Filesize

    936KB

    Download
  • memory/2028-57-0x00000000003A0000-0x00000000003AA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/2028-56-0x0000000000300000-0x0000000000316000-memory.dmp
    Filesize

    88KB

    Download
  • memory/2028-55-0x0000000075561000-0x0000000075563000-memory.dmp
    Filesize

    8KB

    Download