Overview

overview

10

Static

static

3

order #6122-001.exe

windows7-x64

10

order #6122-001.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-08-2023 17:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    order #6122-001.exe

  • Size

    242KB

  • MD5

    f51456d6ef5bc0e72c16b65dd5b4776b

  • SHA1

    6773d982b2daf7f2a253841e47fd65dfb4f4962d

  • SHA256

    8cfdf661efbae4657da9021a442cc1598eb969be3f6ef598041e496d293f75d1

  • SHA512

    cf8b8b7c7cd6f76b3239b1272b2c9c1af45802571849b05c9803f7e8c3f6373fb2fbb4ca204f9547654ef2ccfa7778513a39087ed1a14037671244fb64a77245

  • SSDEEP

    3072:3fY/TU9fE9PEtuabkIcXE//kcXYSZtE6+YIrH4ZVL8WdPl5XIlI9G9S41NJyWDbB:vYa6KpcXpofgiIrcBslI9G9S8JyW/B

Score
10/10
formbooksn26ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

sn26

Decoy

resenha10.bet

gulshan-rajput.com

xbus.tech

z813my.cfd

wlxzjlny.cfd

auntengotiempo.com

canada-reservation.com

thegiftcompany.shop

esthersilveirapropiedades.com

1wapws.top

ymjblnvo.cfd

termokimik.net

kushiro-artist-school.com

bmmboo.com

caceresconstructionservices.com

kentuckywalkabout.com

bringyourcart.com

miamiwinetour.com

bobcatsocial.site

thirdmind.network

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:772
    • C:\Users\Admin\AppData\Local\Temp\order #6122-001.exe
      "C:\Users\Admin\AppData\Local\Temp\order #6122-001.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4980
      • C:\Users\Admin\AppData\Local\Temp\order #6122-001.exe
        "C:\Users\Admin\AppData\Local\Temp\order #6122-001.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:4692
    • C:\Windows\SysWOW64\mstsc.exe
      "C:\Windows\SysWOW64\mstsc.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5104
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\order #6122-001.exe"
        3⤵
          PID:2064

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\nsh7F15.tmp\chrqbxkxz.dll
      Filesize

      45KB

      MD5

      3369816188e971e4163f3013a8120f01

      SHA1

      532dbc33b6d853773e2b6038efc9f09b6a9d5485

      SHA256

      bb1c9952d5e01475bea5195623ed2117a069327760c1b662664ffd8f69ee335e

      SHA512

      838be5920a6879f468cb668ec643698c49e5b9e36481b8f86efffde10c0bfd24ab86209ad621bbc971d4af0c66ee3143f901810926d9a1b635587aa933af7085

      Download Submit

    • memory/772-153-0x0000000008640000-0x0000000008760000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/772-145-0x0000000008640000-0x0000000008760000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/772-160-0x0000000008180000-0x0000000008306000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/772-158-0x0000000008180000-0x0000000008306000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/772-157-0x0000000008180000-0x0000000008306000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/4692-140-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/4692-141-0x0000000000A80000-0x0000000000DCA000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4692-144-0x00000000005E0000-0x00000000005F5000-memory.dmp

      Filesize

      84KB

      Download

    • memory/4692-143-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/4980-139-0x0000000003280000-0x0000000003282000-memory.dmp

      Filesize

      8KB

      Download

    • memory/5104-150-0x0000000000FD0000-0x000000000110A000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/5104-154-0x0000000000DC0000-0x0000000000DEF000-memory.dmp

      Filesize

      188KB

      Download

    • memory/5104-156-0x0000000002ED0000-0x0000000002F64000-memory.dmp

      Filesize

      592KB

      Download

    • memory/5104-152-0x0000000003130000-0x000000000347A000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/5104-151-0x0000000000DC0000-0x0000000000DEF000-memory.dmp

      Filesize

      188KB

      Download

    • memory/5104-146-0x0000000000FD0000-0x000000000110A000-memory.dmp

      Filesize

      1.2MB

      Download