Overview

overview

10

Static

static

1

0d6ad8a921...57.exe

windows7-x64

10

0d6ad8a921...57.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    83s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    12-04-2023 03:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0d6ad8a921c5a4bddb51d56bb7496423ceb6996526d84fff35f595ed81093a57.exe

  • Size

    295KB

  • MD5

    87f464c47591f698e28c9356315d18ba

  • SHA1

    6473b450174907216832b6a59c56e3ad65dd5ede

  • SHA256

    0d6ad8a921c5a4bddb51d56bb7496423ceb6996526d84fff35f595ed81093a57

  • SHA512

    954f1c1d930762ddb6fe37a2ee6191d4c457e86dbf0d53e0cbc42ca511cad7b00fb46bed9e8ee62e87ca9a0944730e180d668a90c71e2e3b2bce78e5c5fde576

  • SSDEEP

    6144:thtyHU2zOIngdEqGLpl4jxNlsEID49SrJz3PcF3qkQ841OJ1zHsUWw5LKm:th4z3aXrjRsEk49sPzkQ841Mlx5mm

Score
10/10
formbookguloadermi94downloaderratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mi94

Decoy

realdigitalmarketing.co.uk

athle91.com

zetuinteriors.africa

jewelry2adore.biz

sneakersuomo.com

hotcoa.com

bestpetfinds.com

elatedfreedom.com

louisegoulet.com

licensescape.com

jenniferfalconerrealtor.com

xqan.net

textare.net

doctorlinkscsk.link

bizformspro.com

ameriealthcaritasfl.com

hanfengmeiye.com

anjin98.com

credit-cards-54889.com

dinero.news

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Formbook payload 1 IoCs
    rat
  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Loads dropped DLL 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0d6ad8a921c5a4bddb51d56bb7496423ceb6996526d84fff35f595ed81093a57.exe
    "C:\Users\Admin\AppData\Local\Temp\0d6ad8a921c5a4bddb51d56bb7496423ceb6996526d84fff35f595ed81093a57.exe"
    1⤵
    • Checks QEMU agent file
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:968
    • C:\Users\Admin\AppData\Local\Temp\0d6ad8a921c5a4bddb51d56bb7496423ceb6996526d84fff35f595ed81093a57.exe
      "C:\Users\Admin\AppData\Local\Temp\0d6ad8a921c5a4bddb51d56bb7496423ceb6996526d84fff35f595ed81093a57.exe"
      2⤵
      • Checks QEMU agent file
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:1752

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\DORME.ini
    Filesize

    31B

    MD5

    3000f7f0f12b7139ea28160c52098e25

    SHA1

    9d032395f38d341881019b996e591160d542054b

    SHA256

    467b09ff26622746d205628ae325ec9838461bc5fe741b3757bb39ddec87ecb1

    SHA512

    a76a2f1e3686e2ffd03388ec7dbcd4afa6ae53ccd3aa40c6fbbf0c994eee5e2685d0c412f15ec4506c1175f5a84712e1a8b7ae32e6a0327e1ba47321a59e0ee2

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nsd2B56.tmp\System.dll
    Filesize

    12KB

    MD5

    d968cb2b98b83c03a9f02dd9b8df97dc

    SHA1

    d784c9b7a92dce58a5038beb62a48ff509e166a0

    SHA256

    a4ec98011ef99e595912718c1a1bf1aa67bfc2192575729d42f559d01f67b95c

    SHA512

    2ee41dc68f329a1519a8073ece7d746c9f3bf45d8ef3b915deb376af37e26074134af5f83c8af0fe0ab227f0d1acca9f37e5ca7ae37c46c3bcc0331fe5e2b97e

    Download Submit
  • memory/968-81-0x00000000035F0000-0x000000000521D000-memory.dmp
    Filesize

    28.2MB

    Download
  • memory/968-82-0x00000000035F0000-0x000000000521D000-memory.dmp
    Filesize

    28.2MB

    Download
  • memory/1752-83-0x0000000000400000-0x0000000001462000-memory.dmp
    Filesize

    16.4MB

    Download
  • memory/1752-84-0x0000000001470000-0x000000000309D000-memory.dmp
    Filesize

    28.2MB

    Download
  • memory/1752-85-0x0000000000400000-0x0000000001462000-memory.dmp
    Filesize

    16.4MB

    Download
  • memory/1752-86-0x0000000001470000-0x000000000309D000-memory.dmp
    Filesize

    28.2MB

    Download
  • memory/1752-88-0x0000000000400000-0x0000000001462000-memory.dmp
    Filesize

    16.4MB

    Download
  • memory/1752-89-0x0000000001470000-0x000000000309D000-memory.dmp
    Filesize

    28.2MB

    Download
  • memory/1752-90-0x0000000001470000-0x000000000309D000-memory.dmp
    Filesize

    28.2MB

    Download
  • memory/1752-93-0x0000000033270000-0x0000000033573000-memory.dmp
    Filesize

    3.0MB

    Download