Overview

overview

10

Static

static

3

Ylvjcujvcjtsqv.exe

windows7-x64

10

Ylvjcujvcjtsqv.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    154s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231127-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-12-2023 16:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Ylvjcujvcjtsqv.exe

  • Size

    2.8MB

  • MD5

    9036abae6529a51f5d50825d88dc95a4

  • SHA1

    5c10c6dc6146db9f545dd1e8fbac70fe2c333a8a

  • SHA256

    1117ea5185a8c16dbc9af96cbb580f5ac55a5f4bc0963e149c83a6c9c35dba7a

  • SHA512

    d9a9ce7096cc24985e8f2731e67e57abf7f24ea5213051b15a7951731db263f7a741b955fa672157c46d9e69ef5df614148b95ffbff246f7999df610be854c47

  • SSDEEP

    49152:Xm/PpH8yc0/wU2lpe63ZrxKrVEbRIqiPt41uFehg1mQzZ:XOpcyV/wjpdZrxEVEtI14wqnY

Score
10/10
formbookmodiloaderao65persistenceratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ao65

Decoy

spins2023.pro

foodontario.com

jsnmz.com

canwealljustagree.com

shopthedivine.store

thelakahealth.com

kuis-raja-borong.website

hbqc2.com

optimusvisionlb.com

urdulatest.com

akhayarplus.com

info-antai-service.com

kermisbedrijfkramer.online

epansion.com

gxqingmeng.top

maltsky.net

ictwath.com

sharmafootcare.com

mycheese.net

portfoliotestkitchen.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Formbook payload 4 IoCs
    rat
  • ModiLoader Second Stage 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 52 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3172
    • C:\Users\Admin\AppData\Local\Temp\Ylvjcujvcjtsqv.exe
      "C:\Users\Admin\AppData\Local\Temp\Ylvjcujvcjtsqv.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4896
      • C:\Windows\SysWOW64\SndVol.exe
        C:\Windows\System32\SndVol.exe
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2396
    • C:\Windows\SysWOW64\help.exe
      "C:\Windows\SysWOW64\help.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4804
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\SysWOW64\SndVol.exe"
        3⤵
          PID:4828

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2396-14-0x0000000002570000-0x0000000003570000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/2396-15-0x0000000015D80000-0x0000000015D95000-memory.dmp

      Filesize

      84KB

      Download

    • memory/2396-10-0x0000000002570000-0x0000000003570000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/2396-12-0x0000000015F70000-0x00000000162BA000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3172-29-0x0000000007D00000-0x0000000007DE5000-memory.dmp

      Filesize

      916KB

      Download

    • memory/3172-26-0x0000000007D00000-0x0000000007DE5000-memory.dmp

      Filesize

      916KB

      Download

    • memory/3172-25-0x0000000007D00000-0x0000000007DE5000-memory.dmp

      Filesize

      916KB

      Download

    • memory/3172-16-0x00000000082D0000-0x0000000008452000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/4804-22-0x0000000001260000-0x000000000128F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/4804-17-0x0000000000080000-0x0000000000087000-memory.dmp

      Filesize

      28KB

      Download

    • memory/4804-18-0x0000000000080000-0x0000000000087000-memory.dmp

      Filesize

      28KB

      Download

    • memory/4804-20-0x0000000001260000-0x000000000128F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/4804-21-0x0000000001A10000-0x0000000001D5A000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4804-24-0x00000000017B0000-0x0000000001844000-memory.dmp

      Filesize

      592KB

      Download

    • memory/4896-9-0x00000000007E0000-0x00000000007E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4896-5-0x0000000000400000-0x00000000006DA000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/4896-0-0x00000000007E0000-0x00000000007E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4896-3-0x0000000004520000-0x0000000005520000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/4896-2-0x0000000000400000-0x00000000006DA000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/4896-1-0x0000000004520000-0x0000000005520000-memory.dmp

      Filesize

      16.0MB

      Download