Analysis

  • max time kernel
    157s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    05/05/2023, 21:00 UTC

General

  • Target

    tmp.exe

  • Size

    605KB

  • MD5

    cb62322bf94c2372c0c4c0383f3c2a23

  • SHA1

    7b628d08dde66fe82002c908a1cdca11db5d54ed

  • SHA256

    f641f1a87ee2a760b79417b410c52137c114e2618529bb90a0f281967975476e

  • SHA512

    8a43cc7a3d2f6ebd5bd3bddc6577d435ac421697a3a8ca34074a29bdc716b589e87684e1cc5ae8d1007ef22e69e72cb0393c45c2f9f681fee3e0a7acec7f4237

  • SSDEEP

    12288:FYmXlA7G3NFi0b7BMAsSMMT6sOhOIbw9SopRGdovnyo6VNglbXT:F5aS9Fi0b7BPl569I4p4G6vn32SbXT

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

tf6p

Decoy

Signatures

  • Formbook

    Formbook is a data-stealing malware family.

  • Formbook payload 3 IoCs
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1568
    • C:\Users\Admin\AppData\Local\Temp\tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      PID:336
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1200
    • C:\Windows\SysWOW64\NETSTAT.EXE
      "C:\Windows\SysWOW64\NETSTAT.EXE"
      2⤵
      • Suspicious use of SetThreadContext
      • Gathers network information
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1368
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
        3⤵
        • Deletes itself
        PID:2016

Network

  • flag-us
    DNS
    www.clarasecurity.com
    Explorer.EXE
    Remote address:
    8.8.8.8:53
    Request
    www.clarasecurity.com
    IN A
    Response
    www.clarasecurity.com
    IN CNAME
    proxy-ssl.webflow.com
    proxy-ssl.webflow.com
    IN CNAME
    proxy-ssl-geo.webflow.com
    proxy-ssl-geo.webflow.com
    IN A
    35.79.138.241
    proxy-ssl-geo.webflow.com
    IN A
    13.115.92.205
    proxy-ssl-geo.webflow.com
    IN A
    13.115.182.240
  • flag-jp
    GET
    http://www.clarasecurity.com/tf6p/?8pFx=EL7vYuPxrp+WqwxVFEBG40mNBIXJDBlJpFSQVsJ9fO9xyvSpu5Fr0h5v80X7BEc+&sF=WpeHzFi
    Explorer.EXE
    Remote address:
    35.79.138.241:80
    Request
    GET /tf6p/?8pFx=EL7vYuPxrp+WqwxVFEBG40mNBIXJDBlJpFSQVsJ9fO9xyvSpu5Fr0h5v80X7BEc+&sF=WpeHzFi HTTP/1.1
    Host: www.clarasecurity.com
    Connection: close
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Fri, 05 May 2023 23:14:15 GMT
    Content-Type: text/html
    Content-Length: 166
    Connection: close
    Location: https://www.clarasecurity.com/tf6p?8pFx=EL7vYuPxrp+WqwxVFEBG40mNBIXJDBlJpFSQVsJ9fO9xyvSpu5Fr0h5v80X7BEc+&sF=WpeHzFi
  • flag-us
    DNS
    www.hallspropertyenhancements.com
    Explorer.EXE
    Remote address:
    8.8.8.8:53
    Request
    www.hallspropertyenhancements.com
    IN A
    Response
    www.hallspropertyenhancements.com
    IN CNAME
    gcdn0.wixdns.net
    gcdn0.wixdns.net
    IN CNAME
    td-ccm-168-233.wixdns.net
    td-ccm-168-233.wixdns.net
    IN A
    34.117.168.233
  • flag-us
    GET
    http://www.hallspropertyenhancements.com/tf6p/?8pFx=JbQ+I8x4UnBSL8G4n3uT3ckl1a9T8798V6l4YCxKpmmTFCI/IapS1bdDsDtXHRJr&sF=WpeHzFi
    Explorer.EXE
    Remote address:
    34.117.168.233:80
    Request
    GET /tf6p/?8pFx=JbQ+I8x4UnBSL8G4n3uT3ckl1a9T8798V6l4YCxKpmmTFCI/IapS1bdDsDtXHRJr&sF=WpeHzFi HTTP/1.1
    Host: www.hallspropertyenhancements.com
    Connection: close
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Fri, 05 May 2023 23:14:36 GMT
    Content-Length: 0
    location: https://www.hallspropertyenhancements.com/tf6p?8pFx=JbQ+I8x4UnBSL8G4n3uT3ckl1a9T8798V6l4YCxKpmmTFCI%2FIapS1bdDsDtXHRJr&sF=WpeHzFi
    strict-transport-security: max-age=3600
    x-wix-request-id: 1683328476.871880306155619668
    Age: 0
    X-Seen-By: GXNXSWFXisshliUcwO20NXdyD4zpCpFzpCPkLds0yMdZC7UaugUgerpaeZTvgu4f,qquldgcFrj2n046g4RNSVKTl6x/3To9sxSa0HYDttpo=,2d58ifebGbosy5xc+FRaltopQ9/hOUX/iGCnr+He7gE0q2b2Dt9FTx53GyRQNwLLEQ+kwAkbhrBM0pumcIm/ZbifaLV3vkcVsw4LEEhXxbM=,2UNV7KOq4oGjA5+PKsX47H9uI8JOdunVpSRDzMPCPTFYgeUJqUXtid+86vZww+nL,7npGRUZHWOtWoP0Si3wDp4lj1YeYp6WzYc638Kp14Hs=,xTu8fpDe3EKPsMR1jrheELutYhRjSyU//OgaNdL6scg=,ywkbhDzHLtjhjmon1ohv97r+RA+ENj/6/yls+DMVmwdT7tnkj/1IkxFu8UpERCLrmuOkfcTSJaUOHlD2KQbqrA==
    Cache-Control: no-cache
    server-timing: cache;desc=miss, varnish;desc=miss, dc;desc=euw1_g
    X-Content-Type-Options: nosniff
    Server: Pepyaka/1.19.10
    Via: 1.1 google
    Connection: close
  • flag-us
    DNS
    www.arportablepottyrentals.biz
    Explorer.EXE
    Remote address:
    8.8.8.8:53
    Request
    www.arportablepottyrentals.biz
    IN A
    Response
    www.arportablepottyrentals.biz
    IN A
    104.21.37.151
    www.arportablepottyrentals.biz
    IN A
    172.67.209.187
  • flag-us
    GET
    http://www.arportablepottyrentals.biz/tf6p/?8pFx=7xjxzWQKGgcU/kBiYUQALfg39rCA/Zex7op0sPyorExEL43rYkojummfVQUWk46o&sF=WpeHzFi
    Explorer.EXE
    Remote address:
    104.21.37.151:80
    Request
    GET /tf6p/?8pFx=7xjxzWQKGgcU/kBiYUQALfg39rCA/Zex7op0sPyorExEL43rYkojummfVQUWk46o&sF=WpeHzFi HTTP/1.1
    Host: www.arportablepottyrentals.biz
    Connection: close
    Response
    HTTP/1.1 403 Forbidden
    Date: Fri, 05 May 2023 23:15:00 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=4eNlxDNgHN5VOsLRqDl2CKgzuuUiC8vQe%2Fa3sBdKal19BeiV3%2F8gAJEtRHSkoiA1QMd5JlLDXNNoqX8faHY82OKfugugoYTussZJDlQjnDHnA3ASD7gnp%2BGdRiIuOs5rjm9o0ZfmpC0z2ZsCiRUCwrQ%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 7c2caed72824b77c-AMS
    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
  • 35.79.138.241:80
    http://www.clarasecurity.com/tf6p/?8pFx=EL7vYuPxrp+WqwxVFEBG40mNBIXJDBlJpFSQVsJ9fO9xyvSpu5Fr0h5v80X7BEc+&sF=WpeHzFi
    http
    Explorer.EXE
    389 B
    641 B
    5
    5

    HTTP Request

    GET http://www.clarasecurity.com/tf6p/?8pFx=EL7vYuPxrp+WqwxVFEBG40mNBIXJDBlJpFSQVsJ9fO9xyvSpu5Fr0h5v80X7BEc+&sF=WpeHzFi

    HTTP Response

    301
  • 34.117.168.233:80
    http://www.hallspropertyenhancements.com/tf6p/?8pFx=JbQ+I8x4UnBSL8G4n3uT3ckl1a9T8798V6l4YCxKpmmTFCI/IapS1bdDsDtXHRJr&sF=WpeHzFi
    http
    Explorer.EXE
    401 B
    1.2kB
    5
    5

    HTTP Request

    GET http://www.hallspropertyenhancements.com/tf6p/?8pFx=JbQ+I8x4UnBSL8G4n3uT3ckl1a9T8798V6l4YCxKpmmTFCI/IapS1bdDsDtXHRJr&sF=WpeHzFi

    HTTP Response

    301
  • 104.21.37.151:80
    http://www.arportablepottyrentals.biz/tf6p/?8pFx=7xjxzWQKGgcU/kBiYUQALfg39rCA/Zex7op0sPyorExEL43rYkojummfVQUWk46o&sF=WpeHzFi
    http
    Explorer.EXE
    398 B
    995 B
    5
    5

    HTTP Request

    GET http://www.arportablepottyrentals.biz/tf6p/?8pFx=7xjxzWQKGgcU/kBiYUQALfg39rCA/Zex7op0sPyorExEL43rYkojummfVQUWk46o&sF=WpeHzFi

    HTTP Response

    403
  • 8.8.8.8:53
    www.clarasecurity.com
    dns
    Explorer.EXE
    67 B
    175 B
    1
    1

    DNS Request

    www.clarasecurity.com

    DNS Response

    35.79.138.241
    13.115.92.205
    13.115.182.240

  • 8.8.8.8:53
    www.hallspropertyenhancements.com
    dns
    Explorer.EXE
    79 B
    154 B
    1
    1

    DNS Request

    www.hallspropertyenhancements.com

    DNS Response

    34.117.168.233

  • 8.8.8.8:53
    www.arportablepottyrentals.biz
    dns
    Explorer.EXE
    76 B
    108 B
    1
    1

    DNS Request

    www.arportablepottyrentals.biz

    DNS Response

    104.21.37.151
    172.67.209.187

MITRE ATT&CK Enterprise v6

Downloads

  • memory/336-66-0x0000000000AB0000-0x0000000000DB3000-memory.dmp

    Filesize

    3.0MB

  • memory/336-68-0x00000000001D0000-0x00000000001E4000-memory.dmp

    Filesize

    80KB

  • memory/336-67-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/336-61-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/336-62-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/336-64-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/336-63-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/1200-80-0x0000000004DC0000-0x0000000004F3D000-memory.dmp

    Filesize

    1.5MB

  • memory/1200-78-0x0000000004DC0000-0x0000000004F3D000-memory.dmp

    Filesize

    1.5MB

  • memory/1200-77-0x0000000004DC0000-0x0000000004F3D000-memory.dmp

    Filesize

    1.5MB

  • memory/1200-69-0x0000000004CA0000-0x0000000004DB5000-memory.dmp

    Filesize

    1.1MB

  • memory/1368-70-0x0000000000A50000-0x0000000000A59000-memory.dmp

    Filesize

    36KB

  • memory/1368-71-0x0000000000A50000-0x0000000000A59000-memory.dmp

    Filesize

    36KB

  • memory/1368-72-0x0000000000080000-0x00000000000AF000-memory.dmp

    Filesize

    188KB

  • memory/1368-73-0x00000000021E0000-0x00000000024E3000-memory.dmp

    Filesize

    3.0MB

  • memory/1368-76-0x0000000002050000-0x00000000020E3000-memory.dmp

    Filesize

    588KB

  • memory/1568-60-0x0000000001F90000-0x0000000001FC8000-memory.dmp

    Filesize

    224KB

  • memory/1568-59-0x0000000007E20000-0x0000000007E90000-memory.dmp

    Filesize

    448KB

  • memory/1568-58-0x00000000004F0000-0x00000000004FC000-memory.dmp

    Filesize

    48KB

  • memory/1568-54-0x0000000000A10000-0x0000000000AAE000-memory.dmp

    Filesize

    632KB

  • memory/1568-57-0x0000000004BA0000-0x0000000004BE0000-memory.dmp

    Filesize

    256KB

  • memory/1568-56-0x00000000004E0000-0x00000000004F4000-memory.dmp

    Filesize

    80KB

  • memory/1568-55-0x0000000004BA0000-0x0000000004BE0000-memory.dmp

    Filesize

    256KB
