Overview

overview

10

Static

static

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    21-11-2022 15:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    459KB

  • MD5

    7a51e6b13d6568f50f2bbf7650b09403

  • SHA1

    1f3f31636c54f1f021afc372fe7f97d74baaf942

  • SHA256

    3a26dd85c2956529f42c1622a093f7b817cbd4af7a474d75198df9e455ac753f

  • SHA512

    c0d4fbff3c1e31fa688a558340d850dcb637def55882dfe93620c8c92972757d10ffb1c9e99aa8c08a757d92989e898b4710550fbac7d8a14d777daf02c5c2db

  • SSDEEP

    12288:i/4TZ+87mkPFUy0fxws0fkrzza48I5pFhjGdiLyo7Qz+Y2wjVMJ2p:iby05ws0izza486lj8Ol7TY2wBMJ+

Score
10/10
formbookf4caratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

f4ca

Decoy

omFHB5ajfJi1UEIEV9XcoRw=

UBjJkmQPyprdhcFF/bdCWQ==

evGKkBUj1je+otcfpw==

KgvGVeOATSt3nug0BIOm2JvOQycB

Lv6o3K0r9aSjI0lr9fg1txw=

LH1jJb/HieQpsEdqWCQTvX2PmsDVIeg=

99dte0XauJfk6Xv+uQxJFgA1gMktBA==

21FkkGB9gMniDQw2ffu6

r4lKBM/q6TZwVZfS

F+14qHeVWi56KdQ=

BgWXRsVoICMvvQ==

I+EozFl0Uy56KdQ=

xoXCgEllKEbWfjFCCLo=

qo9G1lXvvGt5GkxrLQWw

ORNlYic0PJ2ip4geEFSv

Yj+GFpvFxy0uVYx1fLI/XQ==

XL+veIKPjOTe4fjvFs+n

D2JKVAfuakXCAyoEvw==

voWJU81tH56wvt/vImbCcgVd

dVEcwFrmb8bZ4vXvFs+n

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Blocklisted process makes network request 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1236
    • C:\Users\Admin\AppData\Local\Temp\file.exe
      "C:\Users\Admin\AppData\Local\Temp\file.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:564
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1820
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\SysWOW64\wscript.exe"
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1940
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:1480

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Users\Admin\AppData\Local\Temp\sqlite3.dll
      Filesize

      890KB

      MD5

      8402a6aa76d7787ff03943dd129e3d83

      SHA1

      895338cb761d62930ca93918011fd2cd33d5b30c

      SHA256

      49ff99d5b24f4f7d5a8ea175f35a6548c74b04e5c621c60121b5088dab19b4eb

      SHA512

      39bbe90385be35492825929296aae771fb4afb00a1f6a48f0e4ec17bc1097c3a32cea3b22033116c82695e66acbd6c847483a8da21e7302240467b58e39169ea

      Download Submit
    • memory/564-55-0x0000000000C40000-0x0000000000CB6000-memory.dmp
      Filesize

      472KB

      Download
    • memory/564-56-0x00000000008A0000-0x0000000000914000-memory.dmp
      Filesize

      464KB

      Download
    • memory/564-57-0x00000000024A0000-0x0000000002512000-memory.dmp
      Filesize

      456KB

      Download
    • memory/564-54-0x0000000000D10000-0x0000000000D88000-memory.dmp
      Filesize

      480KB

      Download
    • memory/1236-66-0x00000000074C0000-0x0000000007649000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/1236-77-0x0000000004980000-0x0000000004A36000-memory.dmp
      Filesize

      728KB

      Download
    • memory/1236-74-0x0000000004980000-0x0000000004A36000-memory.dmp
      Filesize

      728KB

      Download
    • memory/1820-59-0x00000000004012B0-mapping.dmp
      Download
    • memory/1820-62-0x0000000000401000-0x000000000042F000-memory.dmp
      Filesize

      184KB

      Download
    • memory/1820-64-0x0000000000840000-0x0000000000B43000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1820-58-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1820-68-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1820-69-0x0000000000401000-0x000000000042F000-memory.dmp
      Filesize

      184KB

      Download
    • memory/1820-61-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1820-65-0x00000000000B0000-0x00000000000C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1940-72-0x0000000000070000-0x000000000009D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/1940-73-0x0000000001ED0000-0x0000000001F5F000-memory.dmp
      Filesize

      572KB

      Download
    • memory/1940-71-0x00000000020A0000-0x00000000023A3000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1940-75-0x0000000000070000-0x000000000009D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/1940-76-0x0000000074AD1000-0x0000000074AD3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1940-70-0x00000000009A0000-0x00000000009C6000-memory.dmp
      Filesize

      152KB

      Download
    • memory/1940-67-0x0000000000000000-mapping.dmp
      Download