Overview

overview

10

Static

static

3979bd4374...7c.exe

windows7_x64

10

3979bd4374...7c.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    185s
  • max time network
    187s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    25-06-2022 10:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe

  • Size

    747KB

  • MD5

    3cd2595e3d20f8200d3ddf84b81932de

  • SHA1

    c05f5a5fd2e0da7be16621a5482541f3d492891c

  • SHA256

    3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c

  • SHA512

    fbc314a53bb2eeba48c0cf5793cc93b1f9361e62aa38de34c941d57bb677b0868e651ed46b783fef939c4b9659048b4a555c3e647201aae7ce1f9e9bf0731670

Score
10/10
404keyloggerformbookcixcollectionkeyloggerpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

cix

Decoy

stephaniperold.com

sorairo12.com

palumasteknik.com

marketing4proptech.com

iwanttoheargod.com

structured-waters.com

sunvalleyvacations.net

sanketweb.com

tmasco.com

d-valentine.com

engmousavi.com

lithiumtolashes.com

texastramper.com

shoemall.store

beginningguitarbook.com

wonderlustnfairytales.com

bizinabox.store

kmacg.net

cashgold4cash.com

smtpguide.com

Signatures

  • 404 Keylogger

    Information stealer and keylogger first seen in 2019.

    stealerkeylogger404keylogger
  • 404 Keylogger Main Executable 4 IoCs
  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 4 IoCs
    rat
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1256
    • C:\Users\Admin\AppData\Local\Temp\3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe
      "C:\Users\Admin\AppData\Local\Temp\3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Drops file in Windows directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:952
      • C:\Users\Admin\AppData\Local\Temp\3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe
        "C:\Users\Admin\AppData\Local\Temp\3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe"
        3⤵
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:804
        • C:\Users\Admin\Pinatype\Coseismic.scr
          "C:\Users\Admin\Pinatype\Coseismic.scr" /S
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • Drops file in Windows directory
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1436
          • C:\Users\Admin\Pinatype\Coseismic.scr
            "C:\Users\Admin\Pinatype\Coseismic.scr" /S
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:524
        • C:\Users\Admin\Payment receipt.exe
          "C:\Users\Admin\Payment receipt.exe"
          4⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • outlook_office_path
          • outlook_win_path
          PID:1952
    • C:\Windows\SysWOW64\raserver.exe
      "C:\Windows\SysWOW64\raserver.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1668
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\Pinatype\Coseismic.scr"
        3⤵
          PID:1760

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\Payment receipt.exe
      Filesize

      98KB

      MD5

      f064015d967ac5fbedbe21c01689f388

      SHA1

      4f2044ea34938b045c5e62c389f3c62c44cb5392

      SHA256

      980563afc8a4af6029ef7266392765e4ed9cf23eb242078701b65f5d9078b0af

      SHA512

      2bf694bbada5bc84ec2e68b4b8e4a6c3b747c14e5e4f5aae0d25c5c94a44ed3df16b2384a966da9ce1d405441eb2727af22868204cca0a2b157a7ae0efedd67f

      Download Submit

    • C:\Users\Admin\Payment receipt.exe
      Filesize

      98KB

      MD5

      f064015d967ac5fbedbe21c01689f388

      SHA1

      4f2044ea34938b045c5e62c389f3c62c44cb5392

      SHA256

      980563afc8a4af6029ef7266392765e4ed9cf23eb242078701b65f5d9078b0af

      SHA512

      2bf694bbada5bc84ec2e68b4b8e4a6c3b747c14e5e4f5aae0d25c5c94a44ed3df16b2384a966da9ce1d405441eb2727af22868204cca0a2b157a7ae0efedd67f

      Download Submit

    • C:\Users\Admin\Pinatype\Coseismic.scr
      Filesize

      747KB

      MD5

      3cd2595e3d20f8200d3ddf84b81932de

      SHA1

      c05f5a5fd2e0da7be16621a5482541f3d492891c

      SHA256

      3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c

      SHA512

      fbc314a53bb2eeba48c0cf5793cc93b1f9361e62aa38de34c941d57bb677b0868e651ed46b783fef939c4b9659048b4a555c3e647201aae7ce1f9e9bf0731670

      Download Submit

    • C:\Users\Admin\Pinatype\Coseismic.scr
      Filesize

      747KB

      MD5

      3cd2595e3d20f8200d3ddf84b81932de

      SHA1

      c05f5a5fd2e0da7be16621a5482541f3d492891c

      SHA256

      3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c

      SHA512

      fbc314a53bb2eeba48c0cf5793cc93b1f9361e62aa38de34c941d57bb677b0868e651ed46b783fef939c4b9659048b4a555c3e647201aae7ce1f9e9bf0731670

      Download Submit

    • C:\Users\Admin\Pinatype\Coseismic.scr
      Filesize

      747KB

      MD5

      3cd2595e3d20f8200d3ddf84b81932de

      SHA1

      c05f5a5fd2e0da7be16621a5482541f3d492891c

      SHA256

      3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c

      SHA512

      fbc314a53bb2eeba48c0cf5793cc93b1f9361e62aa38de34c941d57bb677b0868e651ed46b783fef939c4b9659048b4a555c3e647201aae7ce1f9e9bf0731670

      Download Submit

    • C:\Windows\win.ini
      Filesize

      509B

      MD5

      d2a2412bddba16d60ec63bd9550d933f

      SHA1

      deb3d3bdc9055f0b4909b31d3048446848fae0e1

      SHA256

      79ff2254e38192be1626d05bec6c82e10c85e1cf91df7440c4c443380a1e877a

      SHA512

      8fecada107f72e59e43a689eeb8e2e18fa6134d0941c122025ed5bd00e5eab8114d7125bd289505be75641385a0c3f112d402c693f142c3ddc870d5fa8116e31

      Download Submit

    • C:\Windows\win.ini
      Filesize

      509B

      MD5

      d2a2412bddba16d60ec63bd9550d933f

      SHA1

      deb3d3bdc9055f0b4909b31d3048446848fae0e1

      SHA256

      79ff2254e38192be1626d05bec6c82e10c85e1cf91df7440c4c443380a1e877a

      SHA512

      8fecada107f72e59e43a689eeb8e2e18fa6134d0941c122025ed5bd00e5eab8114d7125bd289505be75641385a0c3f112d402c693f142c3ddc870d5fa8116e31

      Download Submit

    • C:\Windows\win.ini
      Filesize

      509B

      MD5

      d2a2412bddba16d60ec63bd9550d933f

      SHA1

      deb3d3bdc9055f0b4909b31d3048446848fae0e1

      SHA256

      79ff2254e38192be1626d05bec6c82e10c85e1cf91df7440c4c443380a1e877a

      SHA512

      8fecada107f72e59e43a689eeb8e2e18fa6134d0941c122025ed5bd00e5eab8114d7125bd289505be75641385a0c3f112d402c693f142c3ddc870d5fa8116e31

      Download Submit

    • \Users\Admin\Payment receipt.exe
      Filesize

      98KB

      MD5

      f064015d967ac5fbedbe21c01689f388

      SHA1

      4f2044ea34938b045c5e62c389f3c62c44cb5392

      SHA256

      980563afc8a4af6029ef7266392765e4ed9cf23eb242078701b65f5d9078b0af

      SHA512

      2bf694bbada5bc84ec2e68b4b8e4a6c3b747c14e5e4f5aae0d25c5c94a44ed3df16b2384a966da9ce1d405441eb2727af22868204cca0a2b157a7ae0efedd67f

      Download Submit

    • \Users\Admin\Pinatype\Coseismic.scr
      Filesize

      747KB

      MD5

      3cd2595e3d20f8200d3ddf84b81932de

      SHA1

      c05f5a5fd2e0da7be16621a5482541f3d492891c

      SHA256

      3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c

      SHA512

      fbc314a53bb2eeba48c0cf5793cc93b1f9361e62aa38de34c941d57bb677b0868e651ed46b783fef939c4b9659048b4a555c3e647201aae7ce1f9e9bf0731670

      Download Submit

    • \Users\Admin\Pinatype\Coseismic.scr
      Filesize

      747KB

      MD5

      3cd2595e3d20f8200d3ddf84b81932de

      SHA1

      c05f5a5fd2e0da7be16621a5482541f3d492891c

      SHA256

      3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c

      SHA512

      fbc314a53bb2eeba48c0cf5793cc93b1f9361e62aa38de34c941d57bb677b0868e651ed46b783fef939c4b9659048b4a555c3e647201aae7ce1f9e9bf0731670

      Download Submit

    • memory/524-99-0x0000000001C10000-0x0000000001C1A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/524-97-0x0000000003390000-0x00000000034EC000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/524-96-0x000000001F920000-0x000000001FC23000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/524-93-0x0000000000400000-0x000000000042A000-memory.dmp

      Filesize

      168KB

      Download

    • memory/524-92-0x0000000000400000-0x00000000004BE000-memory.dmp

      Filesize

      760KB

      Download

    • memory/524-100-0x0000000076FF0000-0x0000000077199000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/804-77-0x0000000076FF0000-0x0000000077199000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/804-79-0x00000000771E0000-0x00000000772B6000-memory.dmp

      Filesize

      856KB

      Download

    • memory/804-75-0x0000000000350000-0x000000000035A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/952-62-0x0000000000370000-0x000000000037A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/952-63-0x0000000076FF0000-0x0000000077199000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/952-80-0x00000000771D0000-0x0000000077350000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/952-64-0x00000000771D0000-0x0000000077350000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/952-56-0x00000000751C1000-0x00000000751C3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/952-69-0x00000000771D0000-0x0000000077350000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/952-74-0x00000000771D0000-0x0000000077350000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/1256-111-0x0000000004B20000-0x0000000004C16000-memory.dmp

      Filesize

      984KB

      Download

    • memory/1256-109-0x0000000004B20000-0x0000000004C16000-memory.dmp

      Filesize

      984KB

      Download

    • memory/1256-98-0x00000000048C0000-0x0000000004A33000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/1436-94-0x0000000076FF0000-0x0000000077199000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/1436-95-0x00000000771D0000-0x0000000077350000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/1436-91-0x00000000002B0000-0x00000000002BA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1668-106-0x0000000000080000-0x00000000000AA000-memory.dmp

      Filesize

      168KB

      Download

    • memory/1668-105-0x0000000000C90000-0x0000000000CAC000-memory.dmp

      Filesize

      112KB

      Download

    • memory/1668-107-0x00000000020B0000-0x00000000023B3000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/1668-108-0x0000000000990000-0x0000000000A23000-memory.dmp

      Filesize

      588KB

      Download

    • memory/1668-110-0x0000000000080000-0x00000000000AA000-memory.dmp

      Filesize

      168KB

      Download

    • memory/1952-88-0x0000000001350000-0x000000000136E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/1952-112-0x0000000004E35000-0x0000000004E46000-memory.dmp

      Filesize

      68KB

      Download