Overview

overview

10

Static

static

3

REQ-22-TM-0421.exe

windows7-x64

10

REQ-22-TM-0421.exe

windows10-2004-x64

10

avzthbaywy.exe

windows7-x64

3

avzthbaywy.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    148s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-02-2024 20:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    REQ-22-TM-0421.exe

  • Size

    339KB

  • MD5

    03c5bcabede556bfc4239b8b5cd82c96

  • SHA1

    f4adc8324ab83478fd1e8d276bde2fec5a37cdef

  • SHA256

    345c796d9c9e422f8d60c79b8979b9de8df2748c6c3e5b78ff3f44a99024b31b

  • SHA512

    5ea449eb53ff8cf669fcd6cffea586cc1a1d88b67fa70c0ff2f72a2e9e8c575edcb0073fa0608cd729e6c7d353480044b6d1cfd10f57089dfac45a7e1d467213

  • SSDEEP

    6144:9kwNabEIE9NpesIQroOyxdbt4v3AWP147fIYSp4CNuVszpRj6ZlXzQ4xypW:HIEPpC8SfbY/4kDVDpRjExyY

Score
10/10
formbookm5oeratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

m5oe

Decoy

HdR8hG6r12hBYuHY4zv6YeeFPQ==

tD1V9gswYvgQXEGd

1xKtJ1LdqRYMRMC84U1A

MbhjiWb7Lz8z7KIWl3UyUIJwA6Tb

joVB5Xggy2RtE+odsZg=

TrduAIay6Y3SvoIK20xI

pSna7LOsXXwXT/zz3Iow4g==

QnthmO4Qst5gC3sDoA==

eAirzOOgO7SOCenz3Iow4g==

xg0uSbfLTg==

YWQXwyGRzPEHzGrDFE8CBSE=

ujLnfuXoH9dbgHIK20xI

291v0XsGFrYQXEGd

MRvTd/qMuaHpjCM=

X131fLC6VWX4MsvCb2IPjIfq8wlksWfg

Y9Bur8DbgqFt/Yni86MMCCE=

q6RTBmJkmy5pWTmmCCrvmuCDPw==

mQS26DojT+EQXEGd

sjHQ+Kav2Wx9FeodsZg=

JA24UKnTA5re1LhcQaVo/w==

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3500
    • C:\Users\Admin\AppData\Local\Temp\REQ-22-TM-0421.exe
      "C:\Users\Admin\AppData\Local\Temp\REQ-22-TM-0421.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3264
      • C:\Users\Admin\AppData\Local\Temp\avzthbaywy.exe
        "C:\Users\Admin\AppData\Local\Temp\avzthbaywy.exe" C:\Users\Admin\AppData\Local\Temp\jndtnuycnvd.r
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2120
        • C:\Users\Admin\AppData\Local\Temp\avzthbaywy.exe
          "C:\Users\Admin\AppData\Local\Temp\avzthbaywy.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:4796
    • C:\Windows\SysWOW64\mstsc.exe
      "C:\Windows\SysWOW64\mstsc.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3988
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:3732

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\avzthbaywy.exe
      Filesize

      289KB

      MD5

      13c80abd753e9c38782524743504a0dd

      SHA1

      709129996e9d1474f57ed77eb38794d82f9805c4

      SHA256

      d718c0c41640eefcd910fd40f970e3e47a025352602bd8c0e53ab7baeaba1aa0

      SHA512

      828830e4ac3c8757ae9d8602415570768903620912d8dcaac87207b9cf054e6ae5a14b2372451160776901a067079a853ef5606114848afee2b440f6279b662f

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\gfcscamx.xf
      Filesize

      185KB

      MD5

      bd816dca0e1567244d663d7aa2df97cc

      SHA1

      a9502193aa173a9a08f7065c91d22fe530502d5d

      SHA256

      95b69b89e0b9a28a697a7191873431cc4bf37f45b7cbbb6c2980e96ce35332ef

      SHA512

      fbd62496698edb400702babefa306d37def3a8550598a647d77e5bcbc03ef8cfe436fa962fcca7e8d67ce0a3744746d3a5531a569bb4c151b44ca4915fabbd9c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\jndtnuycnvd.r
      Filesize

      5KB

      MD5

      e51ae249af6e2d93c78cbd20d825fe00

      SHA1

      c0c3b47d4b4b00923d1e488a8752bf6345c04f23

      SHA256

      ae9c90758dc2e2eca3589500b04e29ff8ecf242726b82339b185eeaa6fe05906

      SHA512

      a72ecde32a10182218bd89b7dbaf5d38ce9f038b72ea3cb4cb1b235059987759024cb675207e144a0613c1e57b7e654d6770680a4413583c4d9021ca8ff63a6f

      Download Submit
    • memory/2120-7-0x0000000000A50000-0x0000000000A52000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3500-18-0x0000000007960000-0x0000000007A15000-memory.dmp
      Filesize

      724KB

      Download
    • memory/3500-40-0x0000000008970000-0x0000000008A0B000-memory.dmp
      Filesize

      620KB

      Download
    • memory/3500-30-0x0000000008970000-0x0000000008A0B000-memory.dmp
      Filesize

      620KB

      Download
    • memory/3500-29-0x0000000008970000-0x0000000008A0B000-memory.dmp
      Filesize

      620KB

      Download
    • memory/3500-27-0x0000000007960000-0x0000000007A15000-memory.dmp
      Filesize

      724KB

      Download
    • memory/3988-26-0x0000000002430000-0x00000000024BF000-memory.dmp
      Filesize

      572KB

      Download
    • memory/3988-19-0x0000000000320000-0x000000000045A000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/3988-21-0x0000000000320000-0x000000000045A000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/3988-22-0x0000000000460000-0x000000000048D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/3988-23-0x0000000002700000-0x0000000002A4A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/3988-24-0x0000000000460000-0x000000000048D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/4796-17-0x00000000017E0000-0x00000000017F0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4796-16-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/4796-14-0x0000000001A00000-0x0000000001D4A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/4796-12-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/4796-9-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download