Overview

overview

10

Static

static

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 15:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    1.1MB

  • MD5

    6a48cce91cb89eb4405f9ba2c2124cd6

  • SHA1

    5de7e1fd1eac0078123e4c9b63f11ce6d0527152

  • SHA256

    46c11187b0eeba2ad55a36d97fc897cd2612a4cdf491405826346092af6e261e

  • SHA512

    bc95a9a76dd49db6669bf9ccb2acbf23db77fd4f774eca37483768ef87b6319c8525b6acdd67ceb82fad17fcfa52f6c445367aa525775a422095a5fa20d65d34

  • SSDEEP

    24576:szq5gh/aw3XyilFIUM7jP9o71sURfUHvB32Dz:szqKh/d3Xy8FIUMvPIXfkU

Score
10/10
formbookdcn0ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

dcn0

Decoy

ZVx68vDtAMBCwg==

oBMBvsNORkM/O/ox

Ff9pISWkm6eG4lByIspp

c2T42c6CIIF6B8xTxm9XzpVw

bvjhxRbnAC183w==

0lTttSNG4HUDNflyIspp

hPXFlstqiHA/O/ox

WLR+MeerxZ0cNn1ja+IQAYo=

IHRn4xXOVKi477zarG+ObSy7YJA=

Xhf3e+tdAC183w==

Xk0ZAezv2rWH

kngo+vBeSRN7AszNwam3Osmguuqc0MoC

a2Qp7a+E8fSw7LDjpnqEKjsRZA==

3zjy4E7+QM48wg==

YcCmqT3OUNAigVott2pBKiy7YJA=

4+SMeX1juat/5cZ1AZihcyy7YJA=

/+m7sro0OBTl3TMpCw==

i2ctEfe4//a64yklMsgS2J90

+loZ2QKGX0UWgpvErMs=

b9BNCnJWQJS8IfsR0uR3bCy7YJA=

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:3092
    • C:\Users\Admin\AppData\Local\Temp\file.exe
      "C:\Users\Admin\AppData\Local\Temp\file.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4960
      • C:\Users\Admin\AppData\Local\Temp\file.exe
        "C:\Users\Admin\AppData\Local\Temp\file.exe"
        3⤵
          PID:4764
        • C:\Users\Admin\AppData\Local\Temp\file.exe
          "C:\Users\Admin\AppData\Local\Temp\file.exe"
          3⤵
          • Checks computer location settings
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:3432
      • C:\Windows\SysWOW64\wlanext.exe
        "C:\Windows\SysWOW64\wlanext.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2844
        • C:\Program Files\Mozilla Firefox\Firefox.exe
          "C:\Program Files\Mozilla Firefox\Firefox.exe"
          3⤵
            PID:4604

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/2844-148-0x0000000000000000-mapping.dmp

        Download

      • memory/2844-156-0x0000000001100000-0x000000000112D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/2844-154-0x0000000001740000-0x00000000017CF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/2844-153-0x0000000001100000-0x000000000112D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/2844-152-0x00000000018D0000-0x0000000001C1A000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/2844-151-0x0000000000DE0000-0x0000000000DF7000-memory.dmp

        Filesize

        92KB

        Download

      • memory/3092-147-0x00000000081D0000-0x00000000082CE000-memory.dmp

        Filesize

        1016KB

        Download

      • memory/3092-155-0x0000000007DE0000-0x0000000007E7C000-memory.dmp

        Filesize

        624KB

        Download

      • memory/3092-157-0x0000000007DE0000-0x0000000007E7C000-memory.dmp

        Filesize

        624KB

        Download

      • memory/3432-150-0x0000000000401000-0x000000000042E000-memory.dmp

        Filesize

        180KB

        Download

      • memory/3432-149-0x0000000000400000-0x000000000042E000-memory.dmp

        Filesize

        184KB

        Download

      • memory/3432-145-0x0000000000422000-0x0000000000424000-memory.dmp

        Filesize

        8KB

        Download

      • memory/3432-141-0x0000000000400000-0x000000000042E000-memory.dmp

        Filesize

        184KB

        Download

      • memory/3432-146-0x0000000001150000-0x0000000001160000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3432-138-0x0000000000000000-mapping.dmp

        Download

      • memory/3432-139-0x0000000000400000-0x000000000042E000-memory.dmp

        Filesize

        184KB

        Download

      • memory/3432-144-0x0000000001240000-0x000000000158A000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/3432-142-0x0000000000401000-0x000000000042E000-memory.dmp

        Filesize

        180KB

        Download

      • memory/4764-137-0x0000000000000000-mapping.dmp

        Download

      • memory/4960-136-0x00000000095E0000-0x000000000967C000-memory.dmp

        Filesize

        624KB

        Download

      • memory/4960-135-0x0000000005740000-0x000000000574A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4960-134-0x00000000057A0000-0x0000000005832000-memory.dmp

        Filesize

        584KB

        Download

      • memory/4960-133-0x0000000005CB0000-0x0000000006254000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4960-132-0x0000000000C80000-0x0000000000D9A000-memory.dmp

        Filesize

        1.1MB

        Download