Overview

overview

10

Static

static

1

fde11e6f4e...ef.exe

windows7-x64

10

fde11e6f4e...ef.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    06-02-2023 14:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fde11e6f4e911647593850de2ddc4b747eee070999f8031101d02bf4cb2364ef.exe

  • Size

    297KB

  • MD5

    af2b8f5ab74b832d8afdeb31bbbedf7a

  • SHA1

    843c977f2763e00215798252df9d72e705be2049

  • SHA256

    fde11e6f4e911647593850de2ddc4b747eee070999f8031101d02bf4cb2364ef

  • SHA512

    d01f8c2d03e4ea2db7e4c308e45e99cdabddae25a4260d685d00c57fd515b6a011683cdb6ef9beb7ab3c5997d2aead36dbff0d0cda1dec141e95b12b0b345ce1

  • SSDEEP

    6144:nYa6cjfjA7IUkIDhzdQoz9FDJuWYtfX5Nyu6YtSXiOJF:nYYfSxkDcuWwHdsn

Score
10/10
formbookrs11ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

rs11

Decoy

brigtsidefinancial.com

kotteri-mannish.com

black-iron-fences-bros.com

fnixo.com

gondes.net

cutleryknives-store.com

cabledahmercadillacvip.com

redstaing.com

cateri.africa

cgadminservices.com

wilwin.net

moteru40.net

floraandfate.com

aram-eyes.com

bcrazy55.com

courierpay.buzz

discovervielven.com

mymansshirt.com

junglesmp.online

classic-workshop.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 3 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious behavior: MapViewOfSection 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1324
    • C:\Users\Admin\AppData\Local\Temp\fde11e6f4e911647593850de2ddc4b747eee070999f8031101d02bf4cb2364ef.exe
      "C:\Users\Admin\AppData\Local\Temp\fde11e6f4e911647593850de2ddc4b747eee070999f8031101d02bf4cb2364ef.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1664
      • C:\Users\Admin\AppData\Local\Temp\atoeyybuc.exe
        "C:\Users\Admin\AppData\Local\Temp\atoeyybuc.exe" C:\Users\Admin\AppData\Local\Temp\xepdzguyi.zpq
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1836
        • C:\Users\Admin\AppData\Local\Temp\atoeyybuc.exe
          "C:\Users\Admin\AppData\Local\Temp\atoeyybuc.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1928
          • C:\Windows\SysWOW64\msiexec.exe
            "C:\Windows\SysWOW64\msiexec.exe"
            5⤵
            • Suspicious use of SetThreadContext
            • Modifies Internet Explorer settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1048
            • C:\Program Files\Mozilla Firefox\Firefox.exe
              "C:\Program Files\Mozilla Firefox\Firefox.exe"
              6⤵
                PID:1864

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\atoeyybuc.exe
      Filesize

      112KB

      MD5

      7ede9a999ded9de662e54cbfd90680d8

      SHA1

      ad00efdf39b85309b1fde0ec304f3fcd15c5f927

      SHA256

      d51b4fbb78f31eff83c619334cd5e1a7cb8b503a1f61d3b191007fe7062a69cb

      SHA512

      01a7bb1f2e81dec04cfe037b68914cecc911fde8b1a62379b6bf28cd32f9e23dcdc77ca49f7924dae33b27d42575cef3bf2dded85d2c2fcfec626a5ffbddeb6a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\atoeyybuc.exe
      Filesize

      112KB

      MD5

      7ede9a999ded9de662e54cbfd90680d8

      SHA1

      ad00efdf39b85309b1fde0ec304f3fcd15c5f927

      SHA256

      d51b4fbb78f31eff83c619334cd5e1a7cb8b503a1f61d3b191007fe7062a69cb

      SHA512

      01a7bb1f2e81dec04cfe037b68914cecc911fde8b1a62379b6bf28cd32f9e23dcdc77ca49f7924dae33b27d42575cef3bf2dded85d2c2fcfec626a5ffbddeb6a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\atoeyybuc.exe
      Filesize

      112KB

      MD5

      7ede9a999ded9de662e54cbfd90680d8

      SHA1

      ad00efdf39b85309b1fde0ec304f3fcd15c5f927

      SHA256

      d51b4fbb78f31eff83c619334cd5e1a7cb8b503a1f61d3b191007fe7062a69cb

      SHA512

      01a7bb1f2e81dec04cfe037b68914cecc911fde8b1a62379b6bf28cd32f9e23dcdc77ca49f7924dae33b27d42575cef3bf2dded85d2c2fcfec626a5ffbddeb6a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\kbfotrqmze.ug
      Filesize

      205KB

      MD5

      3656da71ef457ff4aa9628cf15739006

      SHA1

      d252fea8ae881f4bc02807e32da34fe1e8c84155

      SHA256

      2f74419a2cc131c46271d0f19c2235d42e08c101be938a381edda3af46aeb003

      SHA512

      090495799c91cbea31ab70779d61f08be4902f015f05accf91551e1901962b502bc3c53ec4a0871b69cf6d553c70f7e747aa3416d7146c3395be274d3ca56ca5

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\xepdzguyi.zpq
      Filesize

      5KB

      MD5

      2a18b621f690f6724e332ba8dc46d39e

      SHA1

      b079a6cee56e6d46953b7a3fa558c96a76c98954

      SHA256

      ad1b6b65ae61388f101d313e46c232cdfa5e4b4c278b1d966681c2540ad67018

      SHA512

      fc06a8bc96135125ffd26617dafd6d893f23eb5519f6e4a266ca671921efdab86e5aab1fd573ddef0fb6013df87be351cc42b12f07c40dfc156e3974fe2c5fa2

      Download Submit
    • C:\Users\Admin\AppData\Roaming\96709-4S\967logim.jpeg
      Filesize

      68KB

      MD5

      17e9a01c606a3b7051bc4a17542750e0

      SHA1

      dbb52da65851ce5efa4b652ae42b87530b3e7359

      SHA256

      09fdcaf7240d06c403ebf8201e29661731eceaba7690bf5abb7683e6de924634

      SHA512

      4fe39d18adbde0791f4882532a01fe8c49082841928da6cc15149e5b59c0481457f6edbeb86f161323b7a777a3fc1e697c54cecfbf3548020cefa7162c670800

      Download Submit
    • C:\Users\Admin\AppData\Roaming\96709-4S\967logrf.ini
      Filesize

      40B

      MD5

      2f245469795b865bdd1b956c23d7893d

      SHA1

      6ad80b974d3808f5a20ea1e766c7d2f88b9e5895

      SHA256

      1662d01a2d47b875a34fc7a8cd92e78cb2ba7f34023c7fd2639cbb10b8d94361

      SHA512

      909f189846a5d2db208a5eb2e7cb3042c0f164caf437e2b1b6de608c0a70e4f3510b81b85753dbeec1e211e6a83e6ea8c96aff896e9b6e8ed42014473a54dc4f

      Download Submit
    • C:\Users\Admin\AppData\Roaming\96709-4S\967logri.ini
      Filesize

      40B

      MD5

      d63a82e5d81e02e399090af26db0b9cb

      SHA1

      91d0014c8f54743bba141fd60c9d963f869d76c9

      SHA256

      eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

      SHA512

      38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

      Download Submit
    • C:\Users\Admin\AppData\Roaming\96709-4S\967logrv.ini
      Filesize

      40B

      MD5

      ba3b6bc807d4f76794c4b81b09bb9ba5

      SHA1

      24cb89501f0212ff3095ecc0aba97dd563718fb1

      SHA256

      6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507

      SHA512

      ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf

      Download Submit
    • \Users\Admin\AppData\Local\Temp\atoeyybuc.exe
      Filesize

      112KB

      MD5

      7ede9a999ded9de662e54cbfd90680d8

      SHA1

      ad00efdf39b85309b1fde0ec304f3fcd15c5f927

      SHA256

      d51b4fbb78f31eff83c619334cd5e1a7cb8b503a1f61d3b191007fe7062a69cb

      SHA512

      01a7bb1f2e81dec04cfe037b68914cecc911fde8b1a62379b6bf28cd32f9e23dcdc77ca49f7924dae33b27d42575cef3bf2dded85d2c2fcfec626a5ffbddeb6a

      Download Submit
    • \Users\Admin\AppData\Local\Temp\atoeyybuc.exe
      Filesize

      112KB

      MD5

      7ede9a999ded9de662e54cbfd90680d8

      SHA1

      ad00efdf39b85309b1fde0ec304f3fcd15c5f927

      SHA256

      d51b4fbb78f31eff83c619334cd5e1a7cb8b503a1f61d3b191007fe7062a69cb

      SHA512

      01a7bb1f2e81dec04cfe037b68914cecc911fde8b1a62379b6bf28cd32f9e23dcdc77ca49f7924dae33b27d42575cef3bf2dded85d2c2fcfec626a5ffbddeb6a

      Download Submit
    • memory/1048-77-0x0000000000B20000-0x0000000000BB3000-memory.dmp
      Filesize

      588KB

      Download
    • memory/1048-76-0x00000000023F0000-0x00000000026F3000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1048-79-0x0000000000B20000-0x0000000000BB3000-memory.dmp
      Filesize

      588KB

      Download
    • memory/1048-74-0x0000000000C30000-0x0000000000C44000-memory.dmp
      Filesize

      80KB

      Download
    • memory/1048-75-0x0000000000090000-0x00000000000BF000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1048-71-0x0000000000000000-mapping.dmp
      Download
    • memory/1324-70-0x0000000004CF0000-0x0000000004DAA000-memory.dmp
      Filesize

      744KB

      Download
    • memory/1324-68-0x0000000004A70000-0x0000000004B33000-memory.dmp
      Filesize

      780KB

      Download
    • memory/1324-78-0x0000000006AF0000-0x0000000006C6D000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/1324-80-0x0000000006AF0000-0x0000000006C6D000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/1664-54-0x0000000075981000-0x0000000075983000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1836-56-0x0000000000000000-mapping.dmp
      Download
    • memory/1928-72-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1928-69-0x0000000000320000-0x0000000000334000-memory.dmp
      Filesize

      80KB

      Download
    • memory/1928-67-0x00000000002C0000-0x00000000002D4000-memory.dmp
      Filesize

      80KB

      Download
    • memory/1928-66-0x0000000000840000-0x0000000000B43000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1928-65-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1928-63-0x000000000041F160-mapping.dmp
      Download