Overview

overview

10

Static

static

1

0b793ae840...03.exe

windows7-x64

10

0b793ae840...03.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-03-2023 14:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0b793ae840102dff93fa1ec0a38bd603.exe

  • Size

    430KB

  • MD5

    0b793ae840102dff93fa1ec0a38bd603

  • SHA1

    ac9a73ff2b30557949547e4b1d30fb2a2dd3f06c

  • SHA256

    6ae760d9b669fbcc87fd61647e1904de552f09b6af8d36d48eff89df60b06cd8

  • SHA512

    374a7258257a3735bed3e9aa7c941058388d4411d486077e7e77b3b3be6e2f7d9de1ed4496330c6d472482a84ca156780390faca795e5a926dd8e2b6874d1bb7

  • SSDEEP

    6144:AbUTp1kKX7AB/N0A6SgZUNuhYHOrq9V56lSN0WFOnxMfEa+pvLf+xM+Y:AIFEzDgZUYyurc/2KEa4vLfH

Score
10/10
formbookguloaderu34fdiscoverydownloaderratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

u34f

Decoy

carpool.bar

badburyparkbakery.co.uk

aigooglebot.com

arihantautogas.com

specmart.online

newschatgpt.net

mmcroberts.com

ativeerrtechnologies.com

pheonix-blog-lomg-1098.com

simplisetup.com

teorikatapublishing.com

stephanyvgrfingle.click

tropicoa.com

isystem.world

tiger-lion.space

mackenziefarms.net

tl8841.buzz

alfabank.credit

lockdaccesactolapqqk.com

directaccesspetroleum.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Formbook payload 1 IoCs
    rat
  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0b793ae840102dff93fa1ec0a38bd603.exe
    "C:\Users\Admin\AppData\Local\Temp\0b793ae840102dff93fa1ec0a38bd603.exe"
    1⤵
    • Checks QEMU agent file
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:3216
    • C:\Users\Admin\AppData\Local\Temp\0b793ae840102dff93fa1ec0a38bd603.exe
      "C:\Users\Admin\AppData\Local\Temp\0b793ae840102dff93fa1ec0a38bd603.exe"
      2⤵
      • Checks QEMU agent file
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:1836

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsm6799.tmp\System.dll
    Filesize

    11KB

    MD5

    7399323923e3946fe9140132ac388132

    SHA1

    728257d06c452449b1241769b459f091aabcffc5

    SHA256

    5a1c20a3e2e2eb182976977669f2c5d9f3104477e98f74d69d2434e79b92fdc3

    SHA512

    d6f28ba761351f374ae007c780be27758aea7b9f998e2a88a542eede459d18700adffe71abcb52b8a8c00695efb7ccc280175b5eeb57ca9a645542edfabb64f1

    Download Submit
  • memory/1836-151-0x0000000000400000-0x0000000001654000-memory.dmp
    Filesize

    18.3MB

    Download
  • memory/1836-152-0x0000000001660000-0x0000000002448000-memory.dmp
    Filesize

    13.9MB

    Download
  • memory/1836-153-0x0000000000400000-0x0000000001654000-memory.dmp
    Filesize

    18.3MB

    Download
  • memory/1836-163-0x0000000001660000-0x0000000002448000-memory.dmp
    Filesize

    13.9MB

    Download
  • memory/1836-167-0x0000000000400000-0x0000000001654000-memory.dmp
    Filesize

    18.3MB

    Download
  • memory/1836-168-0x0000000001660000-0x0000000002448000-memory.dmp
    Filesize

    13.9MB

    Download
  • memory/1836-169-0x0000000001660000-0x0000000002448000-memory.dmp
    Filesize

    13.9MB

    Download
  • memory/1836-170-0x0000000032A10000-0x0000000032D5A000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/3216-149-0x0000000004A20000-0x0000000005808000-memory.dmp
    Filesize

    13.9MB

    Download
  • memory/3216-150-0x0000000004A20000-0x0000000005808000-memory.dmp
    Filesize

    13.9MB

    Download