Overview

overview

10

Static

static

1

813a7be3fa...9b.exe

windows7-x64

10

813a7be3fa...9b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    05-04-2023 13:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    813a7be3fa8ab0b17f948d72a113a29b.exe

  • Size

    354KB

  • MD5

    813a7be3fa8ab0b17f948d72a113a29b

  • SHA1

    e1358bfd4233eacb9edd86b8d2189c06d25119e1

  • SHA256

    7cfe9185c121eeb52ee3f946c6773e9779d64a4860bd34efb3adf55485dedace

  • SHA512

    ac7f117eef90f51e6973cc0db2f31abb089a24c25a027771180559d0e2d6577cd7a3b7553311f673614d4d0c43d7fc77aa8cbb2e62d9c30eb28e243234d00db0

  • SSDEEP

    6144:/Ya6eJV6XVBQkWePa7WcsJcG93Ow7UmWaPpwTDDvQ8mVlisMlAZSl:/YAJVPkWDps+w3OwAmWa6THQHHfMlUSl

Score
10/10
formbooksa79ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

sa79

Decoy

aidigify.com

angelavamundson.xyz

glicotoday.fun

agencyforbuyers.com

blacklifecoachquiz.com

4e6aqw.site

huawei1990.com

diyetcay.online

chesirechefs.co.uk

generalhospitaleu.africa

hfewha.xyz

lemons2cents.com

rahilprakash.com

kave.tech

netlexfrance.net

youthexsa.africa

car-covers-40809.com

bambooactive.store

fotobugil48.com

kuhler.club

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1292
    • C:\Users\Admin\AppData\Local\Temp\813a7be3fa8ab0b17f948d72a113a29b.exe
      "C:\Users\Admin\AppData\Local\Temp\813a7be3fa8ab0b17f948d72a113a29b.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1488
      • C:\Users\Admin\AppData\Local\Temp\sxtur.exe
        "C:\Users\Admin\AppData\Local\Temp\sxtur.exe" C:\Users\Admin\AppData\Local\Temp\bkbzrok.e
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:940
        • C:\Users\Admin\AppData\Local\Temp\sxtur.exe
          "C:\Users\Admin\AppData\Local\Temp\sxtur.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:472
    • C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\SysWOW64\cscript.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1884
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\sxtur.exe"
        3⤵
          PID:1756

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\bkbzrok.e
      Filesize

      5KB

      MD5

      f2e927e979fd2a40edeae0302ecec08c

      SHA1

      a668c67838605c4b1175321759c7c1b849d76415

      SHA256

      af31445bb4f2e7ae53ec7f3eae9362f3f0f016c27adc6909f219342da05a1614

      SHA512

      dea78adcb81e29f3db7428b3652f623bfef3327dc0a186441f07c7b3a4be0c80c130e85e04fe2bace5cd746e94160b213660ba3341c00097d4714c531ae2d9a7

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\sxtur.exe
      Filesize

      284KB

      MD5

      0ed509e2adbb9012d9f4fe787bff8676

      SHA1

      69d50c8a20ae5c4c1a035dd36657c2141b4f754c

      SHA256

      0cdb9859d9c9493ffc74e3b33ad4fe2cb6e3506460b1a24f5d2fdb4e8b0a841d

      SHA512

      b188e985c0f3b5d435fe4bd1516f853341e979e6106b0b9e1a96fa22dce858027d938104c100a452d63c5f8924f626a0ec73cec6f064a3218db0ae144cf6bd03

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\sxtur.exe
      Filesize

      284KB

      MD5

      0ed509e2adbb9012d9f4fe787bff8676

      SHA1

      69d50c8a20ae5c4c1a035dd36657c2141b4f754c

      SHA256

      0cdb9859d9c9493ffc74e3b33ad4fe2cb6e3506460b1a24f5d2fdb4e8b0a841d

      SHA512

      b188e985c0f3b5d435fe4bd1516f853341e979e6106b0b9e1a96fa22dce858027d938104c100a452d63c5f8924f626a0ec73cec6f064a3218db0ae144cf6bd03

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\sxtur.exe
      Filesize

      284KB

      MD5

      0ed509e2adbb9012d9f4fe787bff8676

      SHA1

      69d50c8a20ae5c4c1a035dd36657c2141b4f754c

      SHA256

      0cdb9859d9c9493ffc74e3b33ad4fe2cb6e3506460b1a24f5d2fdb4e8b0a841d

      SHA512

      b188e985c0f3b5d435fe4bd1516f853341e979e6106b0b9e1a96fa22dce858027d938104c100a452d63c5f8924f626a0ec73cec6f064a3218db0ae144cf6bd03

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\xrxmv.s
      Filesize

      205KB

      MD5

      f937bb46c48dd2a7c7ed33bc685e80f0

      SHA1

      206902e0631bb128111efe674a801c95e1b1cdb5

      SHA256

      6b92a11204eeffd8d0b4c81636da1b82fba55b41b689cb07cb9089c260d8c2eb

      SHA512

      1125ac12481ab7afb70e5a6cdfe09f3c83e80b5fc1ebace33e65bab9ba69afaa6cfb82d9f64381d8a172d783f97daf4fb6bd5f597130abf45f2fd9b6cb2ae1ec

      Download Submit
    • \Users\Admin\AppData\Local\Temp\sxtur.exe
      Filesize

      284KB

      MD5

      0ed509e2adbb9012d9f4fe787bff8676

      SHA1

      69d50c8a20ae5c4c1a035dd36657c2141b4f754c

      SHA256

      0cdb9859d9c9493ffc74e3b33ad4fe2cb6e3506460b1a24f5d2fdb4e8b0a841d

      SHA512

      b188e985c0f3b5d435fe4bd1516f853341e979e6106b0b9e1a96fa22dce858027d938104c100a452d63c5f8924f626a0ec73cec6f064a3218db0ae144cf6bd03

      Download Submit
    • \Users\Admin\AppData\Local\Temp\sxtur.exe
      Filesize

      284KB

      MD5

      0ed509e2adbb9012d9f4fe787bff8676

      SHA1

      69d50c8a20ae5c4c1a035dd36657c2141b4f754c

      SHA256

      0cdb9859d9c9493ffc74e3b33ad4fe2cb6e3506460b1a24f5d2fdb4e8b0a841d

      SHA512

      b188e985c0f3b5d435fe4bd1516f853341e979e6106b0b9e1a96fa22dce858027d938104c100a452d63c5f8924f626a0ec73cec6f064a3218db0ae144cf6bd03

      Download Submit
    • memory/472-71-0x00000000008E0000-0x0000000000BE3000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/472-70-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/472-65-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/472-72-0x0000000000340000-0x0000000000354000-memory.dmp
      Filesize

      80KB

      Download
    • memory/1292-84-0x0000000006520000-0x00000000065E7000-memory.dmp
      Filesize

      796KB

      Download
    • memory/1292-73-0x00000000063B0000-0x000000000651D000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/1292-92-0x000007FF07910000-0x000007FF0791A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1292-69-0x0000000002E30000-0x0000000002F30000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/1292-88-0x0000000006520000-0x00000000065E7000-memory.dmp
      Filesize

      796KB

      Download
    • memory/1292-85-0x0000000006520000-0x00000000065E7000-memory.dmp
      Filesize

      796KB

      Download
    • memory/1884-77-0x0000000000D40000-0x0000000000D62000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1884-83-0x0000000000A50000-0x0000000000AE3000-memory.dmp
      Filesize

      588KB

      Download
    • memory/1884-80-0x0000000000070000-0x000000000009F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1884-78-0x0000000000070000-0x000000000009F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1884-79-0x0000000002170000-0x0000000002473000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1884-74-0x0000000000D40000-0x0000000000D62000-memory.dmp
      Filesize

      136KB

      Download