Overview

overview

10

Static

static

5

Maersk Ar...58.exe

windows7-x64

10

Maersk Ar...58.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    13-06-2024 08:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Maersk Arrival Notice ready for Bill of Lading 238591458.exe

  • Size

    1.1MB

  • MD5

    7d8eba7ae0e5cb213b8b3c8d202d69eb

  • SHA1

    2f4fdf21a78bf6128a3cffe55e916b7daad175c9

  • SHA256

    d67c467e851c6f18a79386dbbae7049d07c9c6381a98d141638eef7d83106373

  • SHA512

    38de5d3e64362d445e4d4469fded251d29a5502f980fe9a6fce710111f26f3efeb5e41ca8839ec391905cec46fc20cff16303412f84356f38456b5dac3193e43

  • SSDEEP

    24576:bAHnh+eWsN3skA4RV1Hom2KXMmHaDeipba5:2h+ZkldoPK8YaDTU

Score
10/10
formbookss63ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ss63

Decoy

catpig.xyz

chatladyanzensei7.site

onewayonepaydroptaxi.com

bima188.lol

wealth-km.online

seepao27200.top

6c958u9.lol

fbyu57ytsd.shop

baranetentegre.com

webaichimie.com

h3k38q2.lol

abicomsrl.com

338kp.vip

rescuecube.com

bubatz-t.com

psgluxuryapartments.com

goodfellowlawfirm.com

bais141.com

imingchu.com

ekzeanjfolzaks.top

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1196
    • C:\Users\Admin\AppData\Local\Temp\Maersk Arrival Notice ready for Bill of Lading 238591458.exe
      "C:\Users\Admin\AppData\Local\Temp\Maersk Arrival Notice ready for Bill of Lading 238591458.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2176
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\Maersk Arrival Notice ready for Bill of Lading 238591458.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2368
    • C:\Windows\SysWOW64\wuapp.exe
      "C:\Windows\SysWOW64\wuapp.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3020
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\SysWOW64\svchost.exe"
        3⤵
          PID:2392

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1196-23-0x00000000051B0000-0x00000000052A0000-memory.dmp
      Filesize

      960KB

      Download
    • memory/1196-31-0x00000000075A0000-0x0000000007732000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/1196-28-0x00000000075A0000-0x0000000007732000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/1196-27-0x00000000075A0000-0x0000000007732000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/1196-16-0x0000000003B00000-0x0000000003C00000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/1196-17-0x00000000051B0000-0x00000000052A0000-memory.dmp
      Filesize

      960KB

      Download
    • memory/2176-10-0x00000000000B0000-0x00000000000B4000-memory.dmp
      Filesize

      16KB

      Download
    • memory/2368-15-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/2368-14-0x0000000000260000-0x0000000000275000-memory.dmp
      Filesize

      84KB

      Download
    • memory/2368-13-0x0000000000700000-0x0000000000A03000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/2368-11-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/3020-20-0x0000000000FC0000-0x0000000000FCB000-memory.dmp
      Filesize

      44KB

      Download
    • memory/3020-21-0x00000000000D0000-0x00000000000FF000-memory.dmp
      Filesize

      188KB

      Download
    • memory/3020-18-0x0000000000FC0000-0x0000000000FCB000-memory.dmp
      Filesize

      44KB

      Download