Overview

overview

10

Static

static

3

37c2f744f5...fb.exe

windows7-x64

10

37c2f744f5...fb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    162s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/12/2023, 13:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    37c2f744f5c480d0b4bf96c78da15dfb.exe

  • Size

    760KB

  • MD5

    37c2f744f5c480d0b4bf96c78da15dfb

  • SHA1

    1626c779d458416a559f95ac5d21b62aba381ae0

  • SHA256

    ab2f8c8398a0233c6d9b0308b3499e7cababf65a1ec913c4a88c895edaa822c7

  • SHA512

    a2571c4ee5f0c3c662ef529fee2b5c528a95075944781bc6e6c4aaa98fd991ef41a6f29bfc2728518de39354da656fed6558c48d8ea10510963541d995bd9956

  • SSDEEP

    12288:rWSZjnSnDs/65nfND/2Iokna8XAp2sixvMWBRF:runDs/6VNL2IoBaEW

Score
10/10
formbookvd9nratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

vd9n

Decoy

theunwrappedcollective.com

seckj-ic.com

tyresandover.com

thetrophyworld.com

fonggrconstruction.com

hopiproject.com

sktitle.com

charlotteobscurer.com

qjuhe.com

girlzglitter.com

createmylawn.com

hempcbgpill.com

zzdfdzkj.com

shreehariessential.com

226sm.com

getcupscall.com

neuralviolin.com

sanskaar.life

xn--fhqrm54yyukopc.com

togetherx4fantasy5star.today

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 55 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3560
    • C:\Users\Admin\AppData\Local\Temp\37c2f744f5c480d0b4bf96c78da15dfb.exe
      "C:\Users\Admin\AppData\Local\Temp\37c2f744f5c480d0b4bf96c78da15dfb.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4984
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LtkyJzyTd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp53C8.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:1692
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2144
    • C:\Windows\SysWOW64\wlanext.exe
      "C:\Windows\SysWOW64\wlanext.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1184
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
          PID:3056

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1184-27-0x0000000000170000-0x0000000000187000-memory.dmp

      Filesize

      92KB

      Download

    • memory/1184-34-0x0000000000C30000-0x0000000000C5E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/1184-31-0x00000000011F0000-0x0000000001283000-memory.dmp

      Filesize

      588KB

      Download

    • memory/1184-29-0x0000000001300000-0x000000000164A000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1184-28-0x0000000000C30000-0x0000000000C5E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/1184-25-0x0000000000170000-0x0000000000187000-memory.dmp

      Filesize

      92KB

      Download

    • memory/2144-20-0x0000000001410000-0x000000000175A000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2144-17-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/2144-23-0x00000000013E0000-0x00000000013F4000-memory.dmp

      Filesize

      80KB

      Download

    • memory/2144-22-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/3560-24-0x0000000009440000-0x00000000095B0000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/3560-32-0x0000000009440000-0x00000000095B0000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/3560-40-0x00000000095B0000-0x000000000973C000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/3560-37-0x00000000095B0000-0x000000000973C000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/3560-35-0x00000000095B0000-0x000000000973C000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/4984-9-0x0000000005C60000-0x0000000005C70000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4984-8-0x0000000074FF0000-0x00000000757A0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4984-7-0x0000000007120000-0x00000000071BC000-memory.dmp

      Filesize

      624KB

      Download

    • memory/4984-6-0x0000000005F20000-0x0000000005F3C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/4984-5-0x0000000005C30000-0x0000000005C3A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4984-4-0x0000000005C60000-0x0000000005C70000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4984-3-0x0000000005A90000-0x0000000005B22000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4984-2-0x0000000005F60000-0x0000000006504000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4984-11-0x00000000097F0000-0x0000000009824000-memory.dmp

      Filesize

      208KB

      Download

    • memory/4984-1-0x0000000000FD0000-0x0000000001094000-memory.dmp

      Filesize

      784KB

      Download

    • memory/4984-0-0x0000000074FF0000-0x00000000757A0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4984-19-0x0000000074FF0000-0x00000000757A0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4984-10-0x0000000007080000-0x00000000070EA000-memory.dmp

      Filesize

      424KB

      Download