Overview

overview

10

Static

static

3

cf23950551...da.exe

windows7-x64

10

cf23950551...da.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-07-2023 12:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cf239505512eadbb67efd822f3b684da.exe

  • Size

    1.1MB

  • MD5

    cf239505512eadbb67efd822f3b684da

  • SHA1

    3d661914d405692080aaf980c91b4a01a49f6304

  • SHA256

    3df8c09e0234f26d46f193fe7f83f17ce5c0eb0d158a95904a8a07400728dd0a

  • SHA512

    9daf2e52da964424bd35a0e66980b5f5ff4fa3e4cfd599d744e54afb08af9dd0084e4d406f90d25a7cfc94002997dc9484ebe7522505575934b4a6fef2ffc6c8

  • SSDEEP

    12288:6jPvA1qLETL9Vu4StmmYLz11DFJ72LkzLS5T5ZG9yuT7CcnhlOd0QAl9ChIhJf/L:6jPvNLAgChLURZa3T7CcHTf+pbZpbaG

Score
10/10
formbookmodiloadert3c9persistenceratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

t3c9

Decoy

shadeshmarriagemedia.com

e-russ.com

sofiashome.com

theworriedwell.com

americantechfront.com

seasonssparkling.com

maximuscanada.net

tifin-private-markets.com

amecc2.net

xuexi22.icu

injectiontek.com

enrrocastoneimports.com

marvelouslightcandleco.com

eaamedia.com

pmediaerp.com

tikivips111.com

chesterfieldcleaningcare.com

thecrowdedtablemusic.com

duncanvillepanthers.com

floriculturajoinville.xyz

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Formbook payload 1 IoCs
    rat
  • ModiLoader Second Stage 26 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cf239505512eadbb67efd822f3b684da.exe
    "C:\Users\Admin\AppData\Local\Temp\cf239505512eadbb67efd822f3b684da.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    PID:4380

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4380-133-0x0000000002720000-0x0000000002721000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4380-135-0x0000000002930000-0x0000000002960000-memory.dmp
    Filesize

    192KB

    Download
  • memory/4380-137-0x0000000000400000-0x0000000000521000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/4380-138-0x0000000002720000-0x0000000002721000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4380-142-0x0000000005230000-0x000000000525F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/4380-143-0x0000000002930000-0x0000000002960000-memory.dmp
    Filesize

    192KB

    Download
  • memory/4380-144-0x0000000002930000-0x0000000002960000-memory.dmp
    Filesize

    192KB

    Download
  • memory/4380-145-0x0000000002930000-0x0000000002960000-memory.dmp
    Filesize

    192KB

    Download
  • memory/4380-147-0x0000000002930000-0x0000000002960000-memory.dmp
    Filesize

    192KB

    Download
  • memory/4380-148-0x0000000002930000-0x0000000002960000-memory.dmp
    Filesize

    192KB

    Download
  • memory/4380-149-0x0000000002930000-0x0000000002960000-memory.dmp
    Filesize

    192KB

    Download
  • memory/4380-146-0x0000000002930000-0x0000000002960000-memory.dmp
    Filesize

    192KB

    Download
  • memory/4380-150-0x0000000002930000-0x0000000002960000-memory.dmp
    Filesize

    192KB

    Download
  • memory/4380-151-0x0000000002930000-0x0000000002960000-memory.dmp
    Filesize

    192KB

    Download
  • memory/4380-152-0x0000000002930000-0x0000000002960000-memory.dmp
    Filesize

    192KB

    Download
  • memory/4380-154-0x0000000002930000-0x0000000002960000-memory.dmp
    Filesize

    192KB

    Download
  • memory/4380-155-0x0000000002930000-0x0000000002960000-memory.dmp
    Filesize

    192KB

    Download
  • memory/4380-156-0x0000000002930000-0x0000000002960000-memory.dmp
    Filesize

    192KB

    Download
  • memory/4380-153-0x0000000002930000-0x0000000002960000-memory.dmp
    Filesize

    192KB

    Download
  • memory/4380-157-0x0000000002930000-0x0000000002960000-memory.dmp
    Filesize

    192KB

    Download
  • memory/4380-158-0x0000000002930000-0x0000000002960000-memory.dmp
    Filesize

    192KB

    Download
  • memory/4380-159-0x0000000002930000-0x0000000002960000-memory.dmp
    Filesize

    192KB

    Download
  • memory/4380-160-0x0000000002930000-0x0000000002960000-memory.dmp
    Filesize

    192KB

    Download
  • memory/4380-161-0x0000000002930000-0x0000000002960000-memory.dmp
    Filesize

    192KB

    Download
  • memory/4380-162-0x0000000002930000-0x0000000002960000-memory.dmp
    Filesize

    192KB

    Download
  • memory/4380-163-0x0000000002930000-0x0000000002960000-memory.dmp
    Filesize

    192KB

    Download
  • memory/4380-164-0x0000000002930000-0x0000000002960000-memory.dmp
    Filesize

    192KB

    Download
  • memory/4380-166-0x0000000005900000-0x0000000005C4A000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/4380-167-0x0000000002930000-0x0000000002960000-memory.dmp
    Filesize

    192KB

    Download
  • memory/4380-168-0x0000000002930000-0x0000000002960000-memory.dmp
    Filesize

    192KB

    Download
  • memory/4380-165-0x0000000002930000-0x0000000002960000-memory.dmp
    Filesize

    192KB

    Download