Overview

overview

10

Static

static

3

UPDATED SOA.exe

windows7-x64

10

UPDATED SOA.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20230703-en
  • resource tags

    arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
  • submitted
    04/07/2023, 07:02

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    UPDATED SOA.exe

  • Size

    237KB

  • MD5

    d7dce4a617bf4fd2c8a461c8100d0875

  • SHA1

    db21cd510a5bb8953fdf63ad0785ba22ccc99403

  • SHA256

    fa3a477577604a91938f7650b04d3dfaa1d8ec12578d3bb2618817529c8b5797

  • SHA512

    0a4055c55a607de7f38df43c898a3e35de536707e5ac55680a74b531e08863477f759b40cbe522f373a86adc57fecc73f49a07d09265d71495c6d3b6553ab9fa

  • SSDEEP

    6144:vYa6fnp4hNwItFltkcQJ4+DGbO7tO23Ni3PmPZGra:vYVnp4HwItTtX1qOIEOxG+

Score
10/10
formbooks28yratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

s28y

Decoy

whytry.shop

readyconcreto.com

redbudvending.com

prosblogs.com

litescales.sbs

campinglager.beer

serenitysuite.health

starbytescafe.com

youbi.cyou

hg301d.cfd

nissanvideos.com

kedou25.com

relovedresses.com

contourbioinc.com

usrinfo.top

i8ep58.cfd

wildcatcreekhomes.com

mpocash.mobi

shisokj.vip

jiangwan.top

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 3 IoCs
    rat
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:1256
    • C:\Users\Admin\AppData\Local\Temp\UPDATED SOA.exe
      "C:\Users\Admin\AppData\Local\Temp\UPDATED SOA.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2356
      • C:\Users\Admin\AppData\Local\Temp\UPDATED SOA.exe
        "C:\Users\Admin\AppData\Local\Temp\UPDATED SOA.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:436
    • C:\Windows\SysWOW64\help.exe
      "C:\Windows\SysWOW64\help.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:964
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\UPDATED SOA.exe"
        3⤵
        • Deletes itself
        PID:1148

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • \Users\Admin\AppData\Local\Temp\nso5544.tmp\dvxmcd.dll
          Filesize

          6KB

          MD5

          97676329981596a837cd318a00dc86e3

          SHA1

          aa183bc27f84370ec5df1f10c0efd8b085be5bd9

          SHA256

          78679a09fe70c5665877949fb3aa958001dae2263502d08330dbd347edf2ac74

          SHA512

          70d654eda2d8c76c18dd2f45eb4db460693eca197d6b85059075c654c8dd83d291e31642b32a97f6be057f08e002192c33af79c65d89eef3f50d6d9b5ecef38f

          Download Submit

        • memory/436-64-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

          Download

        • memory/436-61-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

          Download

        • memory/436-63-0x0000000000770000-0x0000000000A73000-memory.dmp

          Filesize

          3.0MB

          Download

        • memory/436-65-0x00000000004A0000-0x00000000004B5000-memory.dmp

          Filesize

          84KB

          Download

        • memory/964-68-0x0000000000300000-0x0000000000306000-memory.dmp

          Filesize

          24KB

          Download

        • memory/964-70-0x0000000000300000-0x0000000000306000-memory.dmp

          Filesize

          24KB

          Download

        • memory/964-71-0x0000000000830000-0x0000000000B33000-memory.dmp

          Filesize

          3.0MB

          Download

        • memory/964-72-0x00000000000C0000-0x00000000000EF000-memory.dmp

          Filesize

          188KB

          Download

        • memory/964-76-0x00000000003B0000-0x0000000000444000-memory.dmp

          Filesize

          592KB

          Download

        • memory/1256-66-0x0000000004DC0000-0x0000000004ECF000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1256-77-0x0000000004F80000-0x0000000005071000-memory.dmp

          Filesize

          964KB

          Download

        • memory/1256-78-0x0000000004F80000-0x0000000005071000-memory.dmp

          Filesize

          964KB

          Download

        • memory/1256-80-0x0000000004F80000-0x0000000005071000-memory.dmp

          Filesize

          964KB

          Download