Overview

overview

10

Static

static

3979bd4374...7c.exe

windows7_x64

10

3979bd4374...7c.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    187s
  • max time network
    191s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    25-06-2022 10:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe

  • Size

    747KB

  • MD5

    3cd2595e3d20f8200d3ddf84b81932de

  • SHA1

    c05f5a5fd2e0da7be16621a5482541f3d492891c

  • SHA256

    3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c

  • SHA512

    fbc314a53bb2eeba48c0cf5793cc93b1f9361e62aa38de34c941d57bb677b0868e651ed46b783fef939c4b9659048b4a555c3e647201aae7ce1f9e9bf0731670

Score
10/10
404keyloggerformbookcixcollectionkeyloggerpersistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

cix

Decoy

stephaniperold.com

sorairo12.com

palumasteknik.com

marketing4proptech.com

iwanttoheargod.com

structured-waters.com

sunvalleyvacations.net

sanketweb.com

tmasco.com

d-valentine.com

engmousavi.com

lithiumtolashes.com

texastramper.com

shoemall.store

beginningguitarbook.com

wonderlustnfairytales.com

bizinabox.store

kmacg.net

cashgold4cash.com

smtpguide.com

Signatures

  • 404 Keylogger

    Information stealer and keylogger first seen in 2019.

    stealerkeylogger404keylogger
  • 404 Keylogger Main Executable 3 IoCs
  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Formbook Payload 4 IoCs
    rat
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 41 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3168
    • C:\Users\Admin\AppData\Local\Temp\3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe
      "C:\Users\Admin\AppData\Local\Temp\3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe"
      2⤵
      • Drops file in Windows directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4976
      • C:\Users\Admin\AppData\Local\Temp\3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe
        "C:\Users\Admin\AppData\Local\Temp\3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe"
        3⤵
        • Checks computer location settings
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3580
        • C:\Users\Admin\Pinatype\Coseismic.scr
          "C:\Users\Admin\Pinatype\Coseismic.scr" /S
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4488
          • C:\Users\Admin\Pinatype\Coseismic.scr
            "C:\Users\Admin\Pinatype\Coseismic.scr" /S
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:4532
        • C:\Users\Admin\Payment receipt.exe
          "C:\Users\Admin\Payment receipt.exe"
          4⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • outlook_office_path
          • outlook_win_path
          PID:2752
    • C:\Windows\SysWOW64\raserver.exe
      "C:\Windows\SysWOW64\raserver.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4524
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\Pinatype\Coseismic.scr"
        3⤵
          PID:2388
        • C:\Windows\SysWOW64\cmd.exe
          /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
          3⤵
            PID:4420

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\DB1
        Filesize

        40KB

        MD5

        b608d407fc15adea97c26936bc6f03f6

        SHA1

        953e7420801c76393902c0d6bb56148947e41571

        SHA256

        b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

        SHA512

        cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

        Download Submit

      • C:\Users\Admin\AppData\Roaming\NN42N073\NN4logim.jpeg
        Filesize

        79KB

        MD5

        dbf920ee36eac7dab3ba462b4c9d25ea

        SHA1

        405f760f2f64e68a1e92e31fd85282a94eb1e701

        SHA256

        dffc56bf06f08a517b24c17c9c4767f22ab7f55c80fa62393353f47787641e36

        SHA512

        e04e338f025e2a9eee7879dae969f1e00fbdb67db9ceedc4e7b6ed74467d2786c3cdc0eafb57373d9f7bf7c25483730d113ba87f11fed65c25e73eda27484567

        Download Submit

      • C:\Users\Admin\AppData\Roaming\NN42N073\NN4logrg.ini
        Filesize

        38B

        MD5

        4aadf49fed30e4c9b3fe4a3dd6445ebe

        SHA1

        1e332822167c6f351b99615eada2c30a538ff037

        SHA256

        75034beb7bded9aeab5748f4592b9e1419256caec474065d43e531ec5cc21c56

        SHA512

        eb5b3908d5e7b43ba02165e092f05578f45f15a148b4c3769036aa542c23a0f7cd2bc2770cf4119a7e437de3f681d9e398511f69f66824c516d9b451bb95f945

        Download Submit

      • C:\Users\Admin\AppData\Roaming\NN42N073\NN4logri.ini
        Filesize

        40B

        MD5

        d63a82e5d81e02e399090af26db0b9cb

        SHA1

        91d0014c8f54743bba141fd60c9d963f869d76c9

        SHA256

        eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

        SHA512

        38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

        Download Submit

      • C:\Users\Admin\AppData\Roaming\NN42N073\NN4logrv.ini
        Filesize

        872B

        MD5

        bbc41c78bae6c71e63cb544a6a284d94

        SHA1

        33f2c1d9fa0e9c99b80bc2500621e95af38b1f9a

        SHA256

        ee83c6bcea9353c74bfc0a7e739f3c4a765ace894470e09cdcdebba700b8d4cb

        SHA512

        0aea424b57adae3e14ad6491cab585f554b4dffe601b5a17bad6ee6177d2f0f995e419cde576e2d1782b9bddc0661aada11a2c9f1454ae625d9e3223635ec9f4

        Download Submit

      • C:\Users\Admin\Payment receipt.exe
        Filesize

        98KB

        MD5

        f064015d967ac5fbedbe21c01689f388

        SHA1

        4f2044ea34938b045c5e62c389f3c62c44cb5392

        SHA256

        980563afc8a4af6029ef7266392765e4ed9cf23eb242078701b65f5d9078b0af

        SHA512

        2bf694bbada5bc84ec2e68b4b8e4a6c3b747c14e5e4f5aae0d25c5c94a44ed3df16b2384a966da9ce1d405441eb2727af22868204cca0a2b157a7ae0efedd67f

        Download Submit

      • C:\Users\Admin\Payment receipt.exe
        Filesize

        98KB

        MD5

        f064015d967ac5fbedbe21c01689f388

        SHA1

        4f2044ea34938b045c5e62c389f3c62c44cb5392

        SHA256

        980563afc8a4af6029ef7266392765e4ed9cf23eb242078701b65f5d9078b0af

        SHA512

        2bf694bbada5bc84ec2e68b4b8e4a6c3b747c14e5e4f5aae0d25c5c94a44ed3df16b2384a966da9ce1d405441eb2727af22868204cca0a2b157a7ae0efedd67f

        Download Submit

      • C:\Users\Admin\Pinatype\Coseismic.scr
        Filesize

        747KB

        MD5

        3cd2595e3d20f8200d3ddf84b81932de

        SHA1

        c05f5a5fd2e0da7be16621a5482541f3d492891c

        SHA256

        3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c

        SHA512

        fbc314a53bb2eeba48c0cf5793cc93b1f9361e62aa38de34c941d57bb677b0868e651ed46b783fef939c4b9659048b4a555c3e647201aae7ce1f9e9bf0731670

        Download Submit

      • C:\Users\Admin\Pinatype\Coseismic.scr
        Filesize

        747KB

        MD5

        3cd2595e3d20f8200d3ddf84b81932de

        SHA1

        c05f5a5fd2e0da7be16621a5482541f3d492891c

        SHA256

        3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c

        SHA512

        fbc314a53bb2eeba48c0cf5793cc93b1f9361e62aa38de34c941d57bb677b0868e651ed46b783fef939c4b9659048b4a555c3e647201aae7ce1f9e9bf0731670

        Download Submit

      • C:\Users\Admin\Pinatype\Coseismic.scr
        Filesize

        747KB

        MD5

        3cd2595e3d20f8200d3ddf84b81932de

        SHA1

        c05f5a5fd2e0da7be16621a5482541f3d492891c

        SHA256

        3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c

        SHA512

        fbc314a53bb2eeba48c0cf5793cc93b1f9361e62aa38de34c941d57bb677b0868e651ed46b783fef939c4b9659048b4a555c3e647201aae7ce1f9e9bf0731670

        Download Submit

      • C:\Windows\win.ini
        Filesize

        123B

        MD5

        6bf517432f65eb7f0d18d574bf14124c

        SHA1

        5b9f37c1dd1318ebbec3bd2f07c109eb9d22c727

        SHA256

        6e2b70dfccabf3cc651545676a3a566c9cfae03f15f772886646abce1da35b46

        SHA512

        7b0cb8c20034585ec8bf4b45eda5eda5993a56e24931a7426dc5a9f081ec1f82545f3e26a48a4df885c8691fc6e8026d0808aebe3cc3358ba85ddca08ac4cb06

        Download Submit

      • C:\Windows\win.ini
        Filesize

        123B

        MD5

        6bf517432f65eb7f0d18d574bf14124c

        SHA1

        5b9f37c1dd1318ebbec3bd2f07c109eb9d22c727

        SHA256

        6e2b70dfccabf3cc651545676a3a566c9cfae03f15f772886646abce1da35b46

        SHA512

        7b0cb8c20034585ec8bf4b45eda5eda5993a56e24931a7426dc5a9f081ec1f82545f3e26a48a4df885c8691fc6e8026d0808aebe3cc3358ba85ddca08ac4cb06

        Download Submit

      • C:\Windows\win.ini
        Filesize

        123B

        MD5

        6bf517432f65eb7f0d18d574bf14124c

        SHA1

        5b9f37c1dd1318ebbec3bd2f07c109eb9d22c727

        SHA256

        6e2b70dfccabf3cc651545676a3a566c9cfae03f15f772886646abce1da35b46

        SHA512

        7b0cb8c20034585ec8bf4b45eda5eda5993a56e24931a7426dc5a9f081ec1f82545f3e26a48a4df885c8691fc6e8026d0808aebe3cc3358ba85ddca08ac4cb06

        Download Submit

      • memory/2752-180-0x0000000006EE0000-0x0000000006F72000-memory.dmp

        Filesize

        584KB

        Download

      • memory/2752-181-0x0000000007150000-0x0000000007312000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/2752-173-0x0000000005940000-0x00000000059DC000-memory.dmp

        Filesize

        624KB

        Download

      • memory/2752-179-0x0000000006990000-0x00000000069F6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2752-172-0x0000000005EF0000-0x0000000006494000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/2752-182-0x0000000006F80000-0x0000000006F8A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2752-171-0x0000000000F10000-0x0000000000F2E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/3168-186-0x0000000002820000-0x000000000290F000-memory.dmp

        Filesize

        956KB

        Download

      • memory/3168-184-0x0000000002820000-0x000000000290F000-memory.dmp

        Filesize

        956KB

        Download

      • memory/3168-170-0x0000000007EF0000-0x0000000008023000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/3580-139-0x0000000002990000-0x000000000299A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3580-151-0x0000000077980000-0x0000000077B23000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3580-140-0x00007FFA77990000-0x00007FFA77B85000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3580-141-0x0000000077980000-0x0000000077B23000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/4488-158-0x00007FFA77990000-0x00007FFA77B85000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/4488-164-0x0000000077980000-0x0000000077B23000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/4488-159-0x0000000077980000-0x0000000077B23000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/4524-177-0x00000000028E0000-0x0000000002C2A000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/4524-176-0x00000000002F0000-0x000000000030F000-memory.dmp

        Filesize

        124KB

        Download

      • memory/4524-185-0x0000000000890000-0x00000000008BA000-memory.dmp

        Filesize

        168KB

        Download

      • memory/4524-183-0x00000000026F0000-0x0000000002783000-memory.dmp

        Filesize

        588KB

        Download

      • memory/4524-178-0x0000000000890000-0x00000000008BA000-memory.dmp

        Filesize

        168KB

        Download

      • memory/4532-163-0x0000000000400000-0x000000000042A000-memory.dmp

        Filesize

        168KB

        Download

      • memory/4532-161-0x00000000022D0000-0x00000000022DA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4532-165-0x00007FFA77990000-0x00007FFA77B85000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/4532-167-0x00000000022D0000-0x00000000022DA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4532-162-0x0000000000400000-0x00000000004BE000-memory.dmp

        Filesize

        760KB

        Download

      • memory/4532-168-0x0000000021650000-0x000000002199A000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/4532-169-0x0000000002BC0000-0x0000000002BD4000-memory.dmp

        Filesize

        80KB

        Download

      • memory/4532-166-0x0000000077981000-0x0000000077AA1000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/4976-143-0x0000000077980000-0x0000000077B23000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/4976-142-0x00007FFA77990000-0x00007FFA77B85000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/4976-138-0x0000000077980000-0x0000000077B23000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/4976-137-0x00007FFA77990000-0x00007FFA77B85000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/4976-136-0x00000000029E0000-0x00000000029EA000-memory.dmp

        Filesize

        40KB

        Download