Overview

overview

10

Static

static

3

STATEMENT ...xs.exe

windows7-x64

10

STATEMENT ...xs.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    267s
  • max time network
    260s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    25-01-2024 14:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    STATEMENT OF ACCOUNT_xlxs.exe

  • Size

    888KB

  • MD5

    2a63c7d093ec7a63a4fabf61452e2206

  • SHA1

    501c0f22803da5b0ce77f915efac3567644c47ca

  • SHA256

    a51862c42a347c96969bb5e511b81d1beb31d50f850acf4fbf041087911c92f0

  • SHA512

    2bbfda19a986bec80b79beb33412fec220ab864ef15d3897a6e3e023e214a0fa7e0c4376d241476911ac5813571db1c07aa65aa8c00d62aaabdd668c5fe25a0f

  • SSDEEP

    12288:lRrzL0BkOhDPswBw4nP/CBx21t+TZY44s2WvbcWqOOav/qjqPaK:lJzpOLi4m0fCZsNWpOaHqDK

Score
10/10
formbookoa21persistenceratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

oa21

Decoy

towinglyons.top

dunia-togel.xyz

alabnm.com

1stsole.com

uio3222d.store

little9.site

educationexperienced.com

tjautoline.com

twinzcreationzllc.com

sinsegoldenwolf.com

seeks6.studio

monetatowing.top

hqgroupiq.com

e8f4.com

mayasaccessoriesofficial.com

cribllc.us

homeremodelee.today

etl8ryc.site

danielbrennerreality.com

telcotechmelboure.store

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 49 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:1196
    • C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT_xlxs.exe
      "C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT_xlxs.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:3052
      • C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT_xlxs.exe
        "C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT_xlxs.exe"
        3⤵
        • Adds Run key to start application
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1492
    • C:\Windows\SysWOW64\colorcpl.exe
      "C:\Windows\SysWOW64\colorcpl.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1732
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT_xlxs.exe"
        3⤵
        • Deletes itself
        PID:1312

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\fouette.ini
    Filesize

    44B

    MD5

    eb4da25d6c0d919bbe9ebc480cee0d05

    SHA1

    dfaeae9c23e9b282a82b1abb971599a5bcd51b27

    SHA256

    70a4ee88b132159f110d96ad83001187c6a272f52d5c766f563b50ac1e072fe3

    SHA512

    1e9972196d4bdbbc7366c1fc980014b3048d036f56afdeb39303263cc7af24217490dd9b9ca85ac11a0bf83a1c31eead3320e158e8b9ac819468023d1548cb5c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Carmind.ini
    Filesize

    78B

    MD5

    bb31c56868208274e7db9562b2d6928e

    SHA1

    92de51663b04d18740e4a3130966a01d7820d619

    SHA256

    66c13b9b8b4a293e8779ea59b23c13a92147af5d14f6b9a53e901dd67eb8a91e

    SHA512

    824b2360eb53f6995e80d61ce0a789700f87add6bde8adc54d6bcf4e787d7df34f8571a07a2fd657c4f51853059ccd22901cebdf7b67d561ef2cadbd7f650992

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsi48E4.tmp\System.dll
    Filesize

    12KB

    MD5

    0d7ad4f45dc6f5aa87f606d0331c6901

    SHA1

    48df0911f0484cbe2a8cdd5362140b63c41ee457

    SHA256

    3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

    SHA512

    c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

    Download Submit

  • memory/1196-649-0x00000000072C0000-0x00000000073BF000-memory.dmp

    Filesize

    1020KB

    Download

  • memory/1196-646-0x00000000072C0000-0x00000000073BF000-memory.dmp

    Filesize

    1020KB

    Download

  • memory/1196-645-0x00000000072C0000-0x00000000073BF000-memory.dmp

    Filesize

    1020KB

    Download

  • memory/1196-632-0x0000000003C40000-0x0000000003D1E000-memory.dmp

    Filesize

    888KB

    Download

  • memory/1196-629-0x0000000000010000-0x0000000000020000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1492-628-0x0000000035130000-0x0000000035433000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/1492-602-0x00000000774C0000-0x0000000077596000-memory.dmp

    Filesize

    856KB

    Download

  • memory/1492-604-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/1492-627-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/1492-601-0x00000000774F6000-0x00000000774F7000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1492-600-0x00000000772D0000-0x0000000077479000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1492-631-0x0000000034C30000-0x0000000034C45000-memory.dmp

    Filesize

    84KB

    Download

  • memory/1492-630-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/1492-599-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/1732-634-0x00000000001E0000-0x00000000001F8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1732-636-0x00000000001E0000-0x00000000001F8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1732-637-0x00000000000C0000-0x00000000000EF000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1732-638-0x0000000001F50000-0x0000000002253000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/1732-639-0x00000000000C0000-0x00000000000EF000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1732-641-0x0000000001D70000-0x0000000001E04000-memory.dmp

    Filesize

    592KB

    Download

  • memory/3052-598-0x0000000074990000-0x0000000074997000-memory.dmp

    Filesize

    28KB

    Download

  • memory/3052-597-0x00000000774C0000-0x0000000077596000-memory.dmp

    Filesize

    856KB

    Download

  • memory/3052-596-0x00000000772D0000-0x0000000077479000-memory.dmp

    Filesize

    1.7MB

    Download