Overview

overview

10

Static

static

3

b123.exe

windows7-x64

10

b123.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-03-2024 01:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b123.exe

  • Size

    227KB

  • MD5

    b3104364708fa64e5242cbe54885ec56

  • SHA1

    4be2064313b2f72e472b8a81797e7b14a5b3aec8

  • SHA256

    f4abecbd1a56abc36103d0595086bfd31c50f33236b9431b53860e5c1e20c2a7

  • SHA512

    2aa6da2a189de20c9ce5d919fc6fe8e5f050151721cf496fa93f8862dcb6775d1b5f90b5666fb01659265721b81ed788e4b938961d8166d0c09245f75f8d2591

  • SSDEEP

    6144:2wVqCOiGWu2dw9r6bDo78j+JEwh3pc8aMxfcPbwoP:2KyWhw9x8spc7MiPbwoP

Score
10/10
formbooklt0hratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

lt0h

Decoy

originalindigofurniture.co.uk

fl6588.com

acecademy.com

yaerofinerindalnalising.com

mendilovic.online

rishenght.com

famlees.com

myhomeofficemarket.com

bouquetarabia.com

chrisbani.com

freebandslegally.com

hernandezinsurancegroup.net

slicedandfresh.com

apnathikanas.com

chadhatesyou.com

ansilsas.com

in3development.com

nitiren.net

peespn.com

valengz.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3492
    • C:\Users\Admin\AppData\Local\Temp\b123.exe
      "C:\Users\Admin\AppData\Local\Temp\b123.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:5084
      • C:\Users\Admin\AppData\Local\Temp\b123.exe
        "C:\Users\Admin\AppData\Local\Temp\b123.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:3312
    • C:\Windows\SysWOW64\WWAHost.exe
      "C:\Windows\SysWOW64\WWAHost.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2220
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\b123.exe"
        3⤵
          PID:5068

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2220-8-0x0000000000410000-0x00000000004EC000-memory.dmp
      Filesize

      880KB

      Download
    • memory/2220-17-0x00000000008F0000-0x000000000091E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/2220-14-0x00000000018C0000-0x0000000001953000-memory.dmp
      Filesize

      588KB

      Download
    • memory/2220-12-0x0000000001B20000-0x0000000001E6A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/2220-11-0x00000000008F0000-0x000000000091E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/2220-10-0x0000000000410000-0x00000000004EC000-memory.dmp
      Filesize

      880KB

      Download
    • memory/3312-6-0x0000000001950000-0x0000000001964000-memory.dmp
      Filesize

      80KB

      Download
    • memory/3312-5-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/3312-3-0x00000000014E0000-0x000000000182A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/3312-2-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/3492-7-0x0000000008D60000-0x0000000008E7C000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/3492-15-0x0000000008D60000-0x0000000008E7C000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/3492-18-0x0000000008F00000-0x000000000902B000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/3492-20-0x0000000008F00000-0x000000000902B000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/3492-23-0x0000000008F00000-0x000000000902B000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/5084-0-0x00000000000C0000-0x00000000000C6000-memory.dmp
      Filesize

      24KB

      Download
    • memory/5084-1-0x0000000002B40000-0x0000000002B42000-memory.dmp
      Filesize

      8KB

      Download