Overview

overview

10

Static

static

reLwOrDA6szTYzt.exe

windows7-x64

10

reLwOrDA6szTYzt.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    01-12-2022 11:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    reLwOrDA6szTYzt.exe

  • Size

    940KB

  • MD5

    ad4afa925700586e0138bda59adaddb7

  • SHA1

    8309a84b841861ccac278fc03a5e213bd6628126

  • SHA256

    69c4f08c64ca2809ab57dfb43008d4e197bda7ce1a3613402563660afd6e6226

  • SHA512

    48ccbd2a3297246499a252f9a3028f6400ca5199a0158f893ab62a347fc887269d338ef761e8daabe723c24bbb985b242b9091ac054fe541181598b33d5bd5e0

  • SSDEEP

    24576:vzq75DWfksa2TEiYxBayY7CdTiwAAgEEY4:8Wfe2Q9xBxDTQp

Score
10/10
formbookfqwuratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

fqwu

Decoy

N6XHavFRXQTRmNUkF9dn

EoaWTgFMmLFmUJ7CJNkTiGoj5A==

Dm+WNJDwSQa5cML3Q7EBiGoj5A==

nixR8ZCkOWjqrASBuic=

yvWQNApkdf4QYIih4+xUDY0=

RtmBQtDYDb50g8btXA==

8SU541y9Ec12NYK8PSOfA8OPpaphimY=

/yEvxvlAkquuY3W1QQ==

AlHZgYW4BiI9V+M=

YsHIUsAOO15j+9TnWA==

JJu1S7QIIMij0xUqlUtv

CmWBLrD98YnyUCCFvy0=

uPwhAVEvtu1rTuY=

PI6bR88GVGXmRlpxpKjtBpo=

GnL7qs9HVQAiF6ckF9dn

2zVeBFKZgO1rTuY=

2VI1VpOg7boCAFxvrWN3ys9rovE=

L1lO62zA2o1QEEZRQtgh7g==

brhF5dY1e3zmSyCFvy0=

U6m2TsEidTTdsA5kX8wh7g==

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1188
    • C:\Users\Admin\AppData\Local\Temp\reLwOrDA6szTYzt.exe
      "C:\Users\Admin\AppData\Local\Temp\reLwOrDA6szTYzt.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1348
      • C:\Users\Admin\AppData\Local\Temp\reLwOrDA6szTYzt.exe
        "C:\Users\Admin\AppData\Local\Temp\reLwOrDA6szTYzt.exe"
        3⤵
        • Checks computer location settings
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1904
    • C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\SysWOW64\svchost.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:964
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:628

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Users\Admin\AppData\Local\Temp\sqlite3.dll
      Filesize

      910KB

      MD5

      d79258c5189103d69502eac786addb04

      SHA1

      f34b33681cfe8ce649218173a7f58b237821c1ef

      SHA256

      57d89a52061d70d87e40281f1196d53273f87860c4d707d667a8c7d9573da675

      SHA512

      da797f4dd1ad628aa4e8004b2e00b7c278facbc57a313f56b70dc8fcfbdb0050ea8b025b3475098223cce96ea53537d678273656d46c2d33d81b496d90da34b2

      Download Submit
    • memory/964-73-0x00000000000E0000-0x00000000000E8000-memory.dmp
      Filesize

      32KB

      Download
    • memory/964-75-0x0000000000830000-0x0000000000B33000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/964-74-0x00000000000F0000-0x000000000011D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/964-76-0x00000000006C0000-0x000000000074F000-memory.dmp
      Filesize

      572KB

      Download
    • memory/964-78-0x00000000000F0000-0x000000000011D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/964-72-0x0000000000000000-mapping.dmp
      Download
    • memory/1188-80-0x0000000004D30000-0x0000000004E52000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/1188-77-0x0000000004D30000-0x0000000004E52000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/1188-71-0x0000000004A80000-0x0000000004BAB000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/1348-54-0x0000000001300000-0x00000000013F2000-memory.dmp
      Filesize

      968KB

      Download
    • memory/1348-59-0x0000000004EB0000-0x0000000004F06000-memory.dmp
      Filesize

      344KB

      Download
    • memory/1348-58-0x0000000005F00000-0x0000000005F8E000-memory.dmp
      Filesize

      568KB

      Download
    • memory/1348-57-0x00000000003E0000-0x00000000003EE000-memory.dmp
      Filesize

      56KB

      Download
    • memory/1348-56-0x0000000000250000-0x0000000000266000-memory.dmp
      Filesize

      88KB

      Download
    • memory/1348-55-0x0000000074F41000-0x0000000074F43000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1904-60-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1904-69-0x0000000000770000-0x0000000000A73000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1904-70-0x00000000000C0000-0x00000000000D0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1904-68-0x0000000000401000-0x000000000042F000-memory.dmp
      Filesize

      184KB

      Download
    • memory/1904-67-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1904-66-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1904-64-0x00000000004012B0-mapping.dmp
      Download
    • memory/1904-63-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1904-61-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download