Overview

overview

10

Static

static

1

fde11e6f4e...ef.exe

windows7-x64

10

fde11e6f4e...ef.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-02-2023 14:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fde11e6f4e911647593850de2ddc4b747eee070999f8031101d02bf4cb2364ef.exe

  • Size

    297KB

  • MD5

    af2b8f5ab74b832d8afdeb31bbbedf7a

  • SHA1

    843c977f2763e00215798252df9d72e705be2049

  • SHA256

    fde11e6f4e911647593850de2ddc4b747eee070999f8031101d02bf4cb2364ef

  • SHA512

    d01f8c2d03e4ea2db7e4c308e45e99cdabddae25a4260d685d00c57fd515b6a011683cdb6ef9beb7ab3c5997d2aead36dbff0d0cda1dec141e95b12b0b345ce1

  • SSDEEP

    6144:nYa6cjfjA7IUkIDhzdQoz9FDJuWYtfX5Nyu6YtSXiOJF:nYYfSxkDcuWwHdsn

Score
10/10
formbookrs11ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

rs11

Decoy

brigtsidefinancial.com

kotteri-mannish.com

black-iron-fences-bros.com

fnixo.com

gondes.net

cutleryknives-store.com

cabledahmercadillacvip.com

redstaing.com

cateri.africa

cgadminservices.com

wilwin.net

moteru40.net

floraandfate.com

aram-eyes.com

bcrazy55.com

courierpay.buzz

discovervielven.com

mymansshirt.com

junglesmp.online

classic-workshop.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 3 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 58 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2396
    • C:\Users\Admin\AppData\Local\Temp\fde11e6f4e911647593850de2ddc4b747eee070999f8031101d02bf4cb2364ef.exe
      "C:\Users\Admin\AppData\Local\Temp\fde11e6f4e911647593850de2ddc4b747eee070999f8031101d02bf4cb2364ef.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:376
      • C:\Users\Admin\AppData\Local\Temp\atoeyybuc.exe
        "C:\Users\Admin\AppData\Local\Temp\atoeyybuc.exe" C:\Users\Admin\AppData\Local\Temp\xepdzguyi.zpq
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:4788
        • C:\Users\Admin\AppData\Local\Temp\atoeyybuc.exe
          "C:\Users\Admin\AppData\Local\Temp\atoeyybuc.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:4608
    • C:\Windows\SysWOW64\control.exe
      "C:\Windows\SysWOW64\control.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4356
      • C:\Windows\SysWOW64\cmd.exe
        /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
        3⤵
          PID:1984
        • C:\Program Files\Mozilla Firefox\Firefox.exe
          "C:\Program Files\Mozilla Firefox\Firefox.exe"
          3⤵
            PID:1432

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\DB1
        Filesize

        40KB

        MD5

        b608d407fc15adea97c26936bc6f03f6

        SHA1

        953e7420801c76393902c0d6bb56148947e41571

        SHA256

        b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

        SHA512

        cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\atoeyybuc.exe
        Filesize

        112KB

        MD5

        7ede9a999ded9de662e54cbfd90680d8

        SHA1

        ad00efdf39b85309b1fde0ec304f3fcd15c5f927

        SHA256

        d51b4fbb78f31eff83c619334cd5e1a7cb8b503a1f61d3b191007fe7062a69cb

        SHA512

        01a7bb1f2e81dec04cfe037b68914cecc911fde8b1a62379b6bf28cd32f9e23dcdc77ca49f7924dae33b27d42575cef3bf2dded85d2c2fcfec626a5ffbddeb6a

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\atoeyybuc.exe
        Filesize

        112KB

        MD5

        7ede9a999ded9de662e54cbfd90680d8

        SHA1

        ad00efdf39b85309b1fde0ec304f3fcd15c5f927

        SHA256

        d51b4fbb78f31eff83c619334cd5e1a7cb8b503a1f61d3b191007fe7062a69cb

        SHA512

        01a7bb1f2e81dec04cfe037b68914cecc911fde8b1a62379b6bf28cd32f9e23dcdc77ca49f7924dae33b27d42575cef3bf2dded85d2c2fcfec626a5ffbddeb6a

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\atoeyybuc.exe
        Filesize

        112KB

        MD5

        7ede9a999ded9de662e54cbfd90680d8

        SHA1

        ad00efdf39b85309b1fde0ec304f3fcd15c5f927

        SHA256

        d51b4fbb78f31eff83c619334cd5e1a7cb8b503a1f61d3b191007fe7062a69cb

        SHA512

        01a7bb1f2e81dec04cfe037b68914cecc911fde8b1a62379b6bf28cd32f9e23dcdc77ca49f7924dae33b27d42575cef3bf2dded85d2c2fcfec626a5ffbddeb6a

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\kbfotrqmze.ug
        Filesize

        205KB

        MD5

        3656da71ef457ff4aa9628cf15739006

        SHA1

        d252fea8ae881f4bc02807e32da34fe1e8c84155

        SHA256

        2f74419a2cc131c46271d0f19c2235d42e08c101be938a381edda3af46aeb003

        SHA512

        090495799c91cbea31ab70779d61f08be4902f015f05accf91551e1901962b502bc3c53ec4a0871b69cf6d553c70f7e747aa3416d7146c3395be274d3ca56ca5

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\xepdzguyi.zpq
        Filesize

        5KB

        MD5

        2a18b621f690f6724e332ba8dc46d39e

        SHA1

        b079a6cee56e6d46953b7a3fa558c96a76c98954

        SHA256

        ad1b6b65ae61388f101d313e46c232cdfa5e4b4c278b1d966681c2540ad67018

        SHA512

        fc06a8bc96135125ffd26617dafd6d893f23eb5519f6e4a266ca671921efdab86e5aab1fd573ddef0fb6013df87be351cc42b12f07c40dfc156e3974fe2c5fa2

        Download Submit
      • C:\Users\Admin\AppData\Roaming\96709-4S\967logim.jpeg
        Filesize

        79KB

        MD5

        f6260dbed91212813ee30d9bc23e3d21

        SHA1

        d54b1e1959efefbc3baebdf275d70e71c98bab77

        SHA256

        4dfeaf3c06f27bb31a1ae7a6bb6caba312b7dd7539a0a38ed11a7807928d30e5

        SHA512

        a41d086f6f705c703defdd6f45351d59cd102f27e1f6cb8b8a9e0de910da3eb36364ec7523bdb9e3eb6672d49440e06029816e74b85937fb1c0d4fcf91820bbc

        Download Submit
      • C:\Users\Admin\AppData\Roaming\96709-4S\967logrf.ini
        Filesize

        40B

        MD5

        2f245469795b865bdd1b956c23d7893d

        SHA1

        6ad80b974d3808f5a20ea1e766c7d2f88b9e5895

        SHA256

        1662d01a2d47b875a34fc7a8cd92e78cb2ba7f34023c7fd2639cbb10b8d94361

        SHA512

        909f189846a5d2db208a5eb2e7cb3042c0f164caf437e2b1b6de608c0a70e4f3510b81b85753dbeec1e211e6a83e6ea8c96aff896e9b6e8ed42014473a54dc4f

        Download Submit
      • C:\Users\Admin\AppData\Roaming\96709-4S\967logrg.ini
        Filesize

        38B

        MD5

        4aadf49fed30e4c9b3fe4a3dd6445ebe

        SHA1

        1e332822167c6f351b99615eada2c30a538ff037

        SHA256

        75034beb7bded9aeab5748f4592b9e1419256caec474065d43e531ec5cc21c56

        SHA512

        eb5b3908d5e7b43ba02165e092f05578f45f15a148b4c3769036aa542c23a0f7cd2bc2770cf4119a7e437de3f681d9e398511f69f66824c516d9b451bb95f945

        Download Submit
      • C:\Users\Admin\AppData\Roaming\96709-4S\967logri.ini
        Filesize

        40B

        MD5

        d63a82e5d81e02e399090af26db0b9cb

        SHA1

        91d0014c8f54743bba141fd60c9d963f869d76c9

        SHA256

        eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

        SHA512

        38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

        Download Submit
      • C:\Users\Admin\AppData\Roaming\96709-4S\967logrv.ini
        Filesize

        872B

        MD5

        bbc41c78bae6c71e63cb544a6a284d94

        SHA1

        33f2c1d9fa0e9c99b80bc2500621e95af38b1f9a

        SHA256

        ee83c6bcea9353c74bfc0a7e739f3c4a765ace894470e09cdcdebba700b8d4cb

        SHA512

        0aea424b57adae3e14ad6491cab585f554b4dffe601b5a17bad6ee6177d2f0f995e419cde576e2d1782b9bddc0661aada11a2c9f1454ae625d9e3223635ec9f4

        Download Submit
      • memory/1984-148-0x0000000000000000-mapping.dmp
        Download
      • memory/2396-142-0x0000000002800000-0x0000000002905000-memory.dmp
        Filesize

        1.0MB

        Download
      • memory/2396-152-0x0000000002910000-0x00000000029E4000-memory.dmp
        Filesize

        848KB

        Download
      • memory/2396-151-0x0000000002910000-0x00000000029E4000-memory.dmp
        Filesize

        848KB

        Download
      • memory/4356-150-0x0000000002B70000-0x0000000002C03000-memory.dmp
        Filesize

        588KB

        Download
      • memory/4356-147-0x0000000000C20000-0x0000000000C4F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/4356-146-0x0000000002D30000-0x000000000307A000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/4356-145-0x0000000000D30000-0x0000000000D57000-memory.dmp
        Filesize

        156KB

        Download
      • memory/4356-143-0x0000000000000000-mapping.dmp
        Download
      • memory/4608-144-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/4608-141-0x0000000000E50000-0x0000000000E64000-memory.dmp
        Filesize

        80KB

        Download
      • memory/4608-140-0x0000000000AE0000-0x0000000000E2A000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/4608-139-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/4608-137-0x0000000000000000-mapping.dmp
        Download
      • memory/4788-132-0x0000000000000000-mapping.dmp
        Download