Overview

overview

10

Static

static

1

fde11e6f4e...ef.exe

windows7-x64

10

fde11e6f4e...ef.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-02-2023 14:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fde11e6f4e911647593850de2ddc4b747eee070999f8031101d02bf4cb2364ef.exe

  • Size

    297KB

  • MD5

    af2b8f5ab74b832d8afdeb31bbbedf7a

  • SHA1

    843c977f2763e00215798252df9d72e705be2049

  • SHA256

    fde11e6f4e911647593850de2ddc4b747eee070999f8031101d02bf4cb2364ef

  • SHA512

    d01f8c2d03e4ea2db7e4c308e45e99cdabddae25a4260d685d00c57fd515b6a011683cdb6ef9beb7ab3c5997d2aead36dbff0d0cda1dec141e95b12b0b345ce1

  • SSDEEP

    6144:nYa6cjfjA7IUkIDhzdQoz9FDJuWYtfX5Nyu6YtSXiOJF:nYYfSxkDcuWwHdsn

Score
10/10
formbookrs11ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

rs11

Decoy

brigtsidefinancial.com

kotteri-mannish.com

black-iron-fences-bros.com

fnixo.com

gondes.net

cutleryknives-store.com

cabledahmercadillacvip.com

redstaing.com

cateri.africa

cgadminservices.com

wilwin.net

moteru40.net

floraandfate.com

aram-eyes.com

bcrazy55.com

courierpay.buzz

discovervielven.com

mymansshirt.com

junglesmp.online

classic-workshop.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 2 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 58 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1028
    • C:\Users\Admin\AppData\Local\Temp\fde11e6f4e911647593850de2ddc4b747eee070999f8031101d02bf4cb2364ef.exe
      "C:\Users\Admin\AppData\Local\Temp\fde11e6f4e911647593850de2ddc4b747eee070999f8031101d02bf4cb2364ef.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4092
      • C:\Users\Admin\AppData\Local\Temp\atoeyybuc.exe
        "C:\Users\Admin\AppData\Local\Temp\atoeyybuc.exe" C:\Users\Admin\AppData\Local\Temp\xepdzguyi.zpq
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:4296
        • C:\Users\Admin\AppData\Local\Temp\atoeyybuc.exe
          "C:\Users\Admin\AppData\Local\Temp\atoeyybuc.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:2160
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
        PID:1436
      • C:\Windows\SysWOW64\wlanext.exe
        "C:\Windows\SysWOW64\wlanext.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4124
        • C:\Windows\SysWOW64\cmd.exe
          /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
          3⤵
            PID:4928
          • C:\Program Files\Mozilla Firefox\Firefox.exe
            "C:\Program Files\Mozilla Firefox\Firefox.exe"
            3⤵
              PID:3852

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Credentials in Files

        1
        T1081

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Data from Local System

        1
        T1005

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\DB1
          Filesize

          40KB

          MD5

          b608d407fc15adea97c26936bc6f03f6

          SHA1

          953e7420801c76393902c0d6bb56148947e41571

          SHA256

          b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

          SHA512

          cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\atoeyybuc.exe
          Filesize

          112KB

          MD5

          7ede9a999ded9de662e54cbfd90680d8

          SHA1

          ad00efdf39b85309b1fde0ec304f3fcd15c5f927

          SHA256

          d51b4fbb78f31eff83c619334cd5e1a7cb8b503a1f61d3b191007fe7062a69cb

          SHA512

          01a7bb1f2e81dec04cfe037b68914cecc911fde8b1a62379b6bf28cd32f9e23dcdc77ca49f7924dae33b27d42575cef3bf2dded85d2c2fcfec626a5ffbddeb6a

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\atoeyybuc.exe
          Filesize

          112KB

          MD5

          7ede9a999ded9de662e54cbfd90680d8

          SHA1

          ad00efdf39b85309b1fde0ec304f3fcd15c5f927

          SHA256

          d51b4fbb78f31eff83c619334cd5e1a7cb8b503a1f61d3b191007fe7062a69cb

          SHA512

          01a7bb1f2e81dec04cfe037b68914cecc911fde8b1a62379b6bf28cd32f9e23dcdc77ca49f7924dae33b27d42575cef3bf2dded85d2c2fcfec626a5ffbddeb6a

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\atoeyybuc.exe
          Filesize

          112KB

          MD5

          7ede9a999ded9de662e54cbfd90680d8

          SHA1

          ad00efdf39b85309b1fde0ec304f3fcd15c5f927

          SHA256

          d51b4fbb78f31eff83c619334cd5e1a7cb8b503a1f61d3b191007fe7062a69cb

          SHA512

          01a7bb1f2e81dec04cfe037b68914cecc911fde8b1a62379b6bf28cd32f9e23dcdc77ca49f7924dae33b27d42575cef3bf2dded85d2c2fcfec626a5ffbddeb6a

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\kbfotrqmze.ug
          Filesize

          205KB

          MD5

          3656da71ef457ff4aa9628cf15739006

          SHA1

          d252fea8ae881f4bc02807e32da34fe1e8c84155

          SHA256

          2f74419a2cc131c46271d0f19c2235d42e08c101be938a381edda3af46aeb003

          SHA512

          090495799c91cbea31ab70779d61f08be4902f015f05accf91551e1901962b502bc3c53ec4a0871b69cf6d553c70f7e747aa3416d7146c3395be274d3ca56ca5

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\xepdzguyi.zpq
          Filesize

          5KB

          MD5

          2a18b621f690f6724e332ba8dc46d39e

          SHA1

          b079a6cee56e6d46953b7a3fa558c96a76c98954

          SHA256

          ad1b6b65ae61388f101d313e46c232cdfa5e4b4c278b1d966681c2540ad67018

          SHA512

          fc06a8bc96135125ffd26617dafd6d893f23eb5519f6e4a266ca671921efdab86e5aab1fd573ddef0fb6013df87be351cc42b12f07c40dfc156e3974fe2c5fa2

          Download Submit
        • C:\Users\Admin\AppData\Roaming\96709-4S\967logim.jpeg
          Filesize

          79KB

          MD5

          03503911d22a2f6b87ecc6acd7d0f9a9

          SHA1

          a55c025edb5096f8c86d617ea0e735c48c4794bb

          SHA256

          1c90b7ac48263ab63aedfe05936994afe4b99a9ea7c673b8522032980b323b59

          SHA512

          8213e1711829da17b38fea48e1722027c911eb576cd667d1262e0fdbbb65b03143d3e3f6b1ea70889fc5c08696d952b1725a298d62a6d25ce5b9cc443f708bd5

          Download Submit
        • C:\Users\Admin\AppData\Roaming\96709-4S\967logrf.ini
          Filesize

          40B

          MD5

          2f245469795b865bdd1b956c23d7893d

          SHA1

          6ad80b974d3808f5a20ea1e766c7d2f88b9e5895

          SHA256

          1662d01a2d47b875a34fc7a8cd92e78cb2ba7f34023c7fd2639cbb10b8d94361

          SHA512

          909f189846a5d2db208a5eb2e7cb3042c0f164caf437e2b1b6de608c0a70e4f3510b81b85753dbeec1e211e6a83e6ea8c96aff896e9b6e8ed42014473a54dc4f

          Download Submit
        • C:\Users\Admin\AppData\Roaming\96709-4S\967logrg.ini
          Filesize

          38B

          MD5

          4aadf49fed30e4c9b3fe4a3dd6445ebe

          SHA1

          1e332822167c6f351b99615eada2c30a538ff037

          SHA256

          75034beb7bded9aeab5748f4592b9e1419256caec474065d43e531ec5cc21c56

          SHA512

          eb5b3908d5e7b43ba02165e092f05578f45f15a148b4c3769036aa542c23a0f7cd2bc2770cf4119a7e437de3f681d9e398511f69f66824c516d9b451bb95f945

          Download Submit
        • C:\Users\Admin\AppData\Roaming\96709-4S\967logri.ini
          Filesize

          40B

          MD5

          d63a82e5d81e02e399090af26db0b9cb

          SHA1

          91d0014c8f54743bba141fd60c9d963f869d76c9

          SHA256

          eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

          SHA512

          38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

          Download Submit
        • C:\Users\Admin\AppData\Roaming\96709-4S\967logrv.ini
          Filesize

          872B

          MD5

          bbc41c78bae6c71e63cb544a6a284d94

          SHA1

          33f2c1d9fa0e9c99b80bc2500621e95af38b1f9a

          SHA256

          ee83c6bcea9353c74bfc0a7e739f3c4a765ace894470e09cdcdebba700b8d4cb

          SHA512

          0aea424b57adae3e14ad6491cab585f554b4dffe601b5a17bad6ee6177d2f0f995e419cde576e2d1782b9bddc0661aada11a2c9f1454ae625d9e3223635ec9f4

          Download Submit
        • memory/1028-150-0x0000000002740000-0x0000000002818000-memory.dmp
          Filesize

          864KB

          Download
        • memory/1028-151-0x0000000002740000-0x0000000002818000-memory.dmp
          Filesize

          864KB

          Download
        • memory/1028-142-0x00000000080E0000-0x0000000008239000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/2160-139-0x0000000000400000-0x000000000042F000-memory.dmp
          Filesize

          188KB

          Download
        • memory/2160-137-0x0000000000000000-mapping.dmp
          Download
        • memory/2160-141-0x00000000008D0000-0x00000000008E4000-memory.dmp
          Filesize

          80KB

          Download
        • memory/2160-140-0x0000000000990000-0x0000000000CDA000-memory.dmp
          Filesize

          3.3MB

          Download
        • memory/4124-145-0x0000000001870000-0x0000000001BBA000-memory.dmp
          Filesize

          3.3MB

          Download
        • memory/4124-146-0x0000000000F10000-0x0000000000F3F000-memory.dmp
          Filesize

          188KB

          Download
        • memory/4124-143-0x0000000000000000-mapping.dmp
          Download
        • memory/4124-149-0x00000000016A0000-0x0000000001733000-memory.dmp
          Filesize

          588KB

          Download
        • memory/4124-144-0x0000000000A80000-0x0000000000A97000-memory.dmp
          Filesize

          92KB

          Download
        • memory/4296-132-0x0000000000000000-mapping.dmp
          Download
        • memory/4928-147-0x0000000000000000-mapping.dmp
          Download