Overview

overview

10

Static

static

1

b4510b5db7...b5.exe

windows7-x64

10

b4510b5db7...b5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    08-04-2023 01:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b4510b5db7db58da65f4d1bd545a5ca892fbd9c8ed6551abd90f64241bdeb4b5.exe

  • Size

    463KB

  • MD5

    4d4d6884fc7d0bfd244994a57a299c66

  • SHA1

    74f63690ee02781983d81405d4acf43bed038c6c

  • SHA256

    b4510b5db7db58da65f4d1bd545a5ca892fbd9c8ed6551abd90f64241bdeb4b5

  • SHA512

    d9f074fd06fd50a2ec887a6219caa123db8bc1590f1e481f48396f42de77b0eaa837f06a4208972e6f64bb3702346ba001ace910dd3a379b0d89b51caa821e27

  • SSDEEP

    6144:A3SUuzCaxOPyxKMQV6WjBZI3kqegi5+ck5hyrGaMvaZecVa+:A3rAePqQhBS3UKy/UcV

Score
10/10
formbookf4caratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

f4ca

Decoy

QYZ6iE9Y+CsiZpCBareS0uU=

N2FQLAaH6xXE

Vc6t0MQXN+Llxsqg

ElBedmSvYGGm6yLDhHqzAtmlCxWl

4VpIWShqHR5cpjfQ4bs=

mepO9miu/iFiQQ==

Z8Owqh54IlwEpDfQ4bs=

qcq4uT5HecWZG3EVwKTiUE7slrGQGiyo

IaYYoJikKDDqgV/NigZCLA==

4Xz5pfoCCW/76NnOUrFEOw==

xiijSkVJ3Yuh9OKDcmui/d2lCxWl

cr8MmfpCEu0ULsO3p6w=

JLm2yKHo7hdVb8O3p6w=

Hriy5svWm2Qfq9mPQib9jJI65gOr

2G3nkRpidunlxsqg

gPHUAeXmi8Q9ARy3

6l5WaOf8BxhQDkp5gKQ=

KHHiXs4WOqXZdPhpaw==

+UQ5Vz5O0Ms9ARy3

pNQygKu0OziAvjOHRGLnJA==

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Blocklisted process makes network request 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1220
    • C:\Users\Admin\AppData\Local\Temp\b4510b5db7db58da65f4d1bd545a5ca892fbd9c8ed6551abd90f64241bdeb4b5.exe
      "C:\Users\Admin\AppData\Local\Temp\b4510b5db7db58da65f4d1bd545a5ca892fbd9c8ed6551abd90f64241bdeb4b5.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1236
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
        3⤵
          PID:1692
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:1380
      • C:\Windows\SysWOW64\msiexec.exe
        "C:\Windows\SysWOW64\msiexec.exe"
        2⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:660
        • C:\Program Files\Mozilla Firefox\Firefox.exe
          "C:\Program Files\Mozilla Firefox\Firefox.exe"
          3⤵
            PID:1212

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\khl4hxeh.zip
        Filesize

        486KB

        MD5

        1e73cacce02ae20026a81f1e56416aa3

        SHA1

        f491a7301ce11cf11a92c0245c7e03d927422286

        SHA256

        0dd0dd38cde5a14e7d6d0830db62cc7037e521fd042b0b8da0763128b2c0b3f2

        SHA512

        afe77facd8b16cc744ac2277414ffaf83436999d15eb8ac707f8098e2f8ed4cb29b430392ebe46b7fa65b20730615bc33dee9416f7141da5032a630894980a0a

        Download Submit
      • \Users\Admin\AppData\Local\Temp\sqlite3.dll
        Filesize

        927KB

        MD5

        7fd80b1cc72dc580c02ca4cfbfb2592d

        SHA1

        18da905af878b27151b359cf1a7d0a650764e8a1

        SHA256

        1e6dccbdf8527abb53c289da920463b7895300d0d984cc7e91a3ecda4e673190

        SHA512

        13f7f29b5ed31c551aa5f27742557aa4d026a226087d6fcbca094819759ecc753a2c33b7422ae88dc6a4a0a966edb8485a18e59a0283ba2686cae5d78e0190a3

        Download Submit
      • memory/660-69-0x0000000000C60000-0x0000000000C74000-memory.dmp
        Filesize

        80KB

        Download
      • memory/660-126-0x0000000061E00000-0x0000000061ED2000-memory.dmp
        Filesize

        840KB

        Download
      • memory/660-78-0x0000000000AD0000-0x0000000000B5F000-memory.dmp
        Filesize

        572KB

        Download
      • memory/660-76-0x0000000000120000-0x000000000014D000-memory.dmp
        Filesize

        180KB

        Download
      • memory/660-75-0x0000000002210000-0x0000000002513000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/660-74-0x0000000000120000-0x000000000014D000-memory.dmp
        Filesize

        180KB

        Download
      • memory/660-73-0x0000000000C60000-0x0000000000C74000-memory.dmp
        Filesize

        80KB

        Download
      • memory/660-71-0x0000000000C60000-0x0000000000C74000-memory.dmp
        Filesize

        80KB

        Download
      • memory/1220-68-0x0000000004B90000-0x0000000004CA1000-memory.dmp
        Filesize

        1.1MB

        Download
      • memory/1220-79-0x0000000004DC0000-0x0000000004E9A000-memory.dmp
        Filesize

        872KB

        Download
      • memory/1220-66-0x0000000000010000-0x0000000000020000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1220-83-0x0000000004DC0000-0x0000000004E9A000-memory.dmp
        Filesize

        872KB

        Download
      • memory/1220-80-0x0000000004DC0000-0x0000000004E9A000-memory.dmp
        Filesize

        872KB

        Download
      • memory/1236-54-0x0000000000E20000-0x0000000000E96000-memory.dmp
        Filesize

        472KB

        Download
      • memory/1236-55-0x00000000003D0000-0x0000000000418000-memory.dmp
        Filesize

        288KB

        Download
      • memory/1236-56-0x00000000002C0000-0x00000000002CC000-memory.dmp
        Filesize

        48KB

        Download
      • memory/1236-57-0x0000000000460000-0x0000000000468000-memory.dmp
        Filesize

        32KB

        Download
      • memory/1380-64-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/1380-58-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/1380-59-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/1380-61-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/1380-60-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1380-63-0x00000000008F0000-0x0000000000BF3000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/1380-67-0x0000000000140000-0x0000000000150000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1380-70-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download