Overview

overview

10

Static

static

3

Order conf...ce.exe

windows7-x64

10

Order conf...ce.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-11-2023 17:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Order confirmation, Invoice.exe

  • Size

    1.8MB

  • MD5

    08be0b23f7706fcfddf96ae258a67249

  • SHA1

    54b9491995dda5b4849c5f10afc53175e0f67bd9

  • SHA256

    66c7d769249d9da750ff736b447f0573c7cd5432a680e3a72d09bc1e238e83d1

  • SHA512

    716a7751942e38f097c881bed9e6389043ed6360ca3f1dd65dd7ae644f6967ecaa9a9445295c31ac9d7e58ec316672d6b1c3b165a0473c8da2b276dfb2239a44

  • SSDEEP

    49152:aD4+yRMXpcOX8IxTqh0eJa3DZEe9sRuCVCW4FMyqChsyfue9T:aDqRMXpcOXX8Za31CuCchMXC+yf

Score
10/10
formbookmodiloaderao65persistenceratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ao65

Decoy

spins2023.pro

foodontario.com

jsnmz.com

canwealljustagree.com

shopthedivine.store

thelakahealth.com

kuis-raja-borong.website

hbqc2.com

optimusvisionlb.com

urdulatest.com

akhayarplus.com

info-antai-service.com

kermisbedrijfkramer.online

epansion.com

gxqingmeng.top

maltsky.net

ictwath.com

sharmafootcare.com

mycheese.net

portfoliotestkitchen.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Formbook payload 4 IoCs
    rat
  • ModiLoader Second Stage 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 50 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3328
    • C:\Users\Admin\AppData\Local\Temp\Order confirmation, Invoice.exe
      "C:\Users\Admin\AppData\Local\Temp\Order confirmation, Invoice.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1172
      • C:\Windows\SysWOW64\colorcpl.exe
        C:\Windows\System32\colorcpl.exe
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1080
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3516
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\SysWOW64\colorcpl.exe"
        3⤵
          PID:2484

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1080-10-0x0000000005020000-0x0000000006020000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1080-12-0x000000001D160000-0x000000001D4AA000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1080-14-0x0000000005020000-0x0000000006020000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1080-15-0x000000001D040000-0x000000001D055000-memory.dmp

      Filesize

      84KB

      Download

    • memory/1172-0-0x00000000008C0000-0x00000000008C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1172-1-0x0000000004530000-0x0000000005530000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1172-2-0x0000000000400000-0x00000000005D0000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/1172-3-0x0000000004530000-0x0000000005530000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1172-5-0x0000000000400000-0x00000000005D0000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/1172-6-0x00000000008C0000-0x00000000008C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3328-16-0x0000000007240000-0x000000000733F000-memory.dmp

      Filesize

      1020KB

      Download

    • memory/3328-28-0x0000000008410000-0x0000000008552000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/3328-29-0x0000000008410000-0x0000000008552000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/3328-32-0x0000000008410000-0x0000000008552000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/3516-18-0x00000000005B0000-0x00000000005C2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3516-20-0x00000000005B0000-0x00000000005C2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3516-22-0x00000000005B0000-0x00000000005C2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3516-23-0x0000000000EE0000-0x0000000000F0F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/3516-24-0x0000000002EC0000-0x000000000320A000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3516-25-0x0000000000EE0000-0x0000000000F0F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/3516-27-0x0000000002C00000-0x0000000002C94000-memory.dmp

      Filesize

      592KB

      Download