Overview

overview

10

Static

static

3

04413299.exe

windows7-x64

10

04413299.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/06/2023, 15:58

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    04413299.exe

  • Size

    255KB

  • MD5

    28a73f327157c5f56e666607b184de43

  • SHA1

    7d1e96ee1bbc229453fc30a15a8f2ebccfee4f12

  • SHA256

    f9454d0787965826c1f6e031eb78495f153453fca4efea4ed993dceb61f2e3d8

  • SHA512

    8935b1f159857d7b2c0726625bddb3905dfda552bd87bcdd7c2c7a13a68d099846e64b57cb89b087663b78bf0d296615a4351ff49467bdf9765b90eaed40eef2

  • SSDEEP

    6144:/Ya6IAxKmCd9OsUOOXk12w5LLMlaxBTNrZj:/YeAqnaMvZTNVj

Score
10/10
formbookj0c7ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

j0c7

Decoy

dvyuansu.com

flyersfirst.com

lbvasd.xyz

samodeling.com

lsty.net

agreels.com

gptvai.com

tyec.xyz

infercn.top

restinpeace.website

flaxtest.com

manaroo.com

altyazi-hub.xyz

devrijeweide.store

thebestfurnitureplace.com

combatsportsacademyus.com

segui276.pics

starseedalignment.com

fish-pay.com

letsbet.life

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 5 IoCs
    rat
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:3188
    • C:\Users\Admin\AppData\Local\Temp\04413299.exe
      "C:\Users\Admin\AppData\Local\Temp\04413299.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4260
      • C:\Users\Admin\AppData\Local\Temp\04413299.exe
        "C:\Users\Admin\AppData\Local\Temp\04413299.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1476
    • C:\Windows\SysWOW64\mstsc.exe
      "C:\Windows\SysWOW64\mstsc.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3532
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\04413299.exe"
        3⤵
          PID:2240

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\nso9206.tmp\fawxxi.dll
            Filesize

            44KB

            MD5

            be44b99756f0c34c7873d839f0f49736

            SHA1

            5a0477f1ffa4b4cbe1a5c5edaf2a1878d265ab5c

            SHA256

            2c6d8b2075cf8e73b671608a197b8d9ea80f4b96bcbe5931232405f19e8d1885

            SHA512

            832ace74cff4d764589a6754b2e2723f67083af45516a08e66038658949ef94266b38207d13739ee8998e36ae3d5764fb833814ba162e388715a2caeea80e235

            Download Submit

          • memory/1476-148-0x0000000000A40000-0x0000000000A55000-memory.dmp

            Filesize

            84KB

            Download

          • memory/1476-151-0x0000000000400000-0x000000000042F000-memory.dmp

            Filesize

            188KB

            Download

          • memory/1476-141-0x0000000000400000-0x000000000042F000-memory.dmp

            Filesize

            188KB

            Download

          • memory/1476-144-0x0000000000A80000-0x0000000000DCA000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/1476-145-0x00000000005E0000-0x00000000005F5000-memory.dmp

            Filesize

            84KB

            Download

          • memory/1476-147-0x0000000000400000-0x000000000042F000-memory.dmp

            Filesize

            188KB

            Download

          • memory/3188-149-0x0000000008900000-0x0000000008A91000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/3188-146-0x0000000008750000-0x00000000088F8000-memory.dmp

            Filesize

            1.7MB

            Download

          • memory/3188-160-0x0000000007F10000-0x0000000008032000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/3188-161-0x0000000007F10000-0x0000000008032000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/3188-163-0x0000000007F10000-0x0000000008032000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/3532-150-0x0000000000150000-0x000000000028A000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3532-154-0x0000000000150000-0x000000000028A000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3532-156-0x0000000003180000-0x00000000034CA000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/3532-155-0x0000000000F20000-0x0000000000F4F000-memory.dmp

            Filesize

            188KB

            Download

          • memory/3532-157-0x0000000000F20000-0x0000000000F4F000-memory.dmp

            Filesize

            188KB

            Download

          • memory/3532-159-0x0000000002EF0000-0x0000000002F84000-memory.dmp

            Filesize

            592KB

            Download

          • memory/4260-140-0x0000000003170000-0x0000000003172000-memory.dmp

            Filesize

            8KB

            Download