Overview

overview

10

Static

static

3

Shipping D...ts.exe

windows7-x64

10

Shipping D...ts.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-05-2023 09:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Shipping Documents.exe

  • Size

    1.1MB

  • MD5

    501077473c7260aa94be655173c8ad40

  • SHA1

    dc677d38541268f2c4a42eb8ba71a6960a04efb3

  • SHA256

    34834d278c8c71e3cc9d152c073cc444781465c285648630a1be19afab1abd24

  • SHA512

    17a8e6021f6dccb9b5848ca6bc02146bd4a8242cf51f6bacbf6b732e7d0e97297337df729b4fd1f7f0abc0a0756122f0fd2a8495416504be65b275208b7e2ae3

  • SSDEEP

    12288:5TLaa0X6S2iN6dn1tWKeMTmHY31v8nhaIdpMdZHs747yr5i6cNOYV2nw:Y510313TC0JIdks7iIv1bw

Score
10/10
formbookca82ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ca82

Decoy

idunresearch.com

loiioo1.site

aimobilify.com

limousineswebdesign.com

darshan-enterprises.online

javad.top

dd-spy.com

metamysme.co.uk

earticlesdirect.com

ldkj78v.vip

dariusevory.com

bestyoutubepromoter.com

dogcoinacademy.com

mestredosexo.net

mrnofree.africa

plan.rsvp

hoangnam.site

cadcamperform.com

091888.net

artwaylogistics.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:3116
    • C:\Users\Admin\AppData\Local\Temp\Shipping Documents.exe
      "C:\Users\Admin\AppData\Local\Temp\Shipping Documents.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2616
      • C:\Users\Admin\AppData\Local\Temp\Shipping Documents.exe
        "C:\Users\Admin\AppData\Local\Temp\Shipping Documents.exe"
        3⤵
          PID:4640
        • C:\Users\Admin\AppData\Local\Temp\Shipping Documents.exe
          "C:\Users\Admin\AppData\Local\Temp\Shipping Documents.exe"
          3⤵
            PID:4460
          • C:\Users\Admin\AppData\Local\Temp\Shipping Documents.exe
            "C:\Users\Admin\AppData\Local\Temp\Shipping Documents.exe"
            3⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:2032
        • C:\Windows\SysWOW64\cmmon32.exe
          "C:\Windows\SysWOW64\cmmon32.exe"
          2⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:5080
          • C:\Windows\SysWOW64\cmd.exe
            /c del "C:\Users\Admin\AppData\Local\Temp\Shipping Documents.exe"
            3⤵
              PID:3716

        Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/2032-148-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

          Download

        • memory/2032-140-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

          Download

        • memory/2032-142-0x0000000001AE0000-0x0000000001E2A000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/2032-144-0x0000000001740000-0x0000000001754000-memory.dmp

          Filesize

          80KB

          Download

        • memory/2616-134-0x0000000005210000-0x00000000057B4000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/2616-135-0x0000000004D40000-0x0000000004DD2000-memory.dmp

          Filesize

          584KB

          Download

        • memory/2616-136-0x0000000004DE0000-0x0000000004DEA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/2616-137-0x0000000004E60000-0x0000000004E70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2616-138-0x0000000004E60000-0x0000000004E70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2616-139-0x00000000081F0000-0x000000000828C000-memory.dmp

          Filesize

          624KB

          Download

        • memory/2616-133-0x0000000000270000-0x0000000000388000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3116-145-0x0000000008BA0000-0x0000000008CC1000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3116-154-0x00000000092B0000-0x000000000939A000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3116-155-0x00000000092B0000-0x000000000939A000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3116-157-0x00000000092B0000-0x000000000939A000-memory.dmp

          Filesize

          936KB

          Download

        • memory/5080-147-0x0000000000D60000-0x0000000000D6C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/5080-146-0x0000000000D60000-0x0000000000D6C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/5080-149-0x00000000009C0000-0x00000000009EF000-memory.dmp

          Filesize

          188KB

          Download

        • memory/5080-150-0x0000000002B00000-0x0000000002E4A000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/5080-151-0x00000000009C0000-0x00000000009EF000-memory.dmp

          Filesize

          188KB

          Download

        • memory/5080-153-0x0000000002A50000-0x0000000002AE3000-memory.dmp

          Filesize

          588KB

          Download