Overview

overview

10

Static

static

Bill Of La...95.exe

windows7-x64

10

Bill Of La...95.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    162s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-12-2022 14:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Bill Of Lading - VNSEA4331295.exe

  • Size

    919KB

  • MD5

    fa2b3a90b953f1919563c4494d8ada0b

  • SHA1

    2c515413532fada3621210c7e2101146e6f5a5fa

  • SHA256

    61667ea581c9bfc633099ba839280ee1086d68e7e9f98fb3e9d8b09a0a1ae404

  • SHA512

    7b33069526852e1bc5595efa16a801894ec521d6a2a9410dad5a689827e28610ad1e80184826b4933b8581607f35e2c8177241870ca23183aeb53018b51b8b68

  • SSDEEP

    12288:MGFDutOg6duUKLo2BPLDRNZSeqJrtVq6dG7xH1/dcR49w9WSGEtDdLrz5BEPHBSq:MpLDHEeIDq6g7xVimwPLAf9OBGN48

Score
10/10
formbookntzbratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

ntzb

Decoy

ec/NM1mI984Gb/9r

LIh84/7lSr8jyCJjNRy3cy5K/w==

ywyL4wf5IYKQvdNGr5hpUcZk

ibXIRT7wwpAGb/9r

jvlCCTIkf3aEc0yrhiKei9M=

JpvChtpFpghexluRIQ==

ufPzZvM9cUyAySmfh3VZ

IWlUsdnOG2qvOYvJMp9v2/IU7Q==

AShx1yFdwhMDEvts6yKei9M=

G0s8BkB7oPAhNESxLJisov0O4g==

5whNpsfrfGq6bT5VM5c=

7YrOda8xKRZpbX55Rp0=

lff5IDBTuCxnxluRIQ==

s/nqUHamCtIGb/9r

IqvUNFmH8soGb/9r

l8GtEDwvaHre8/VBHFv+wQ==

cb4m5SZjvr4EuU20ORuv4zoQMrY=

msP5quMgh5TOcT5VM5c=

yvEWmNz1G6jvgN1EHFv+wQ==

ZfcqLcYYqRdu9EWF7mUynGEx7sib

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:3076
    • C:\Users\Admin\AppData\Local\Temp\Bill Of Lading - VNSEA4331295.exe
      "C:\Users\Admin\AppData\Local\Temp\Bill Of Lading - VNSEA4331295.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4832
      • C:\Users\Admin\AppData\Local\Temp\Bill Of Lading - VNSEA4331295.exe
        "C:\Users\Admin\AppData\Local\Temp\Bill Of Lading - VNSEA4331295.exe"
        3⤵
        • Checks computer location settings
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1588
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\SysWOW64\rundll32.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1932
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:4388

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1588-139-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1588-145-0x00000000014B0000-0x00000000014C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1588-144-0x0000000001A60000-0x0000000001DAA000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/1588-143-0x0000000000401000-0x000000000042F000-memory.dmp
      Filesize

      184KB

      Download
    • memory/1588-142-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1588-141-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1588-138-0x0000000000000000-mapping.dmp
      Download
    • memory/1932-148-0x00000000004C0000-0x00000000004D4000-memory.dmp
      Filesize

      80KB

      Download
    • memory/1932-150-0x0000000002EC0000-0x000000000320A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/1932-153-0x00000000010C0000-0x00000000010ED000-memory.dmp
      Filesize

      180KB

      Download
    • memory/1932-151-0x0000000003210000-0x000000000329F000-memory.dmp
      Filesize

      572KB

      Download
    • memory/1932-149-0x00000000010C0000-0x00000000010ED000-memory.dmp
      Filesize

      180KB

      Download
    • memory/1932-147-0x0000000000000000-mapping.dmp
      Download
    • memory/3076-146-0x00000000082B0000-0x00000000083B8000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/3076-152-0x00000000032D0000-0x00000000033C3000-memory.dmp
      Filesize

      972KB

      Download
    • memory/3076-154-0x00000000032D0000-0x00000000033C3000-memory.dmp
      Filesize

      972KB

      Download
    • memory/4832-133-0x0000000005AE0000-0x0000000006084000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/4832-132-0x0000000000B90000-0x0000000000C7C000-memory.dmp
      Filesize

      944KB

      Download
    • memory/4832-134-0x0000000005610000-0x00000000056A2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4832-137-0x0000000005960000-0x00000000059FC000-memory.dmp
      Filesize

      624KB

      Download
    • memory/4832-135-0x00000000056B0000-0x0000000005726000-memory.dmp
      Filesize

      472KB

      Download
    • memory/4832-136-0x0000000005780000-0x000000000579E000-memory.dmp
      Filesize

      120KB

      Download