Malware Analysis Report

2024-10-23 22:20

Sample ID 240507-azeajaae41
Target b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d
SHA256 b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d
Tags
formbook sk evasion rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d

Threat Level: Known bad

The file b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d was found to be: Known bad.

Malicious Activity Summary

formbook sk evasion rat spyware stealer trojan

Formbook

Looks for VirtualBox Guest Additions in registry

Formbook payload

Detects executables packed with Cassandra/CyaX

Detects executables packed with ConfuserEx Custom; outside of GIT

Looks for VMWare Tools registry key

Checks BIOS information in registry

Checks computer location settings

Maps connected drives based on registry

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-07 00:38

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-07 00:38

Reported

2024-05-07 00:41

Platform

win7-20240221-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe"

Signatures

Formbook

trojan spyware stealer formbook

Detects executables packed with Cassandra/CyaX

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Detects executables packed with ConfuserEx Custom; outside of GIT

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Formbook payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Looks for VirtualBox Guest Additions in registry

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe | N/A

Looks for VMWare Tools registry key

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools | C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe | N/A

Maps connected drives based on registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2220 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2220 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2220 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2220 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2220 wrote to memory of 2132 | N/A | C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe | C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe
PID 2220 wrote to memory of 2132 | N/A | C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe | C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe
PID 2220 wrote to memory of 2132 | N/A | C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe | C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe
PID 2220 wrote to memory of 2132 | N/A | C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe | C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe
PID 2220 wrote to memory of 2132 | N/A | C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe | C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe
PID 2220 wrote to memory of 2132 | N/A | C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe | C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe
PID 2220 wrote to memory of 2132 | N/A | C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe | C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe

"C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IiTdunToFK" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD99D.tmp"

C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe

"C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe"

Network

N/A

Files

memory/2220-0-0x000000007406E000-0x000000007406F000-memory.dmp

memory/2220-1-0x0000000000FD0000-0x0000000001068000-memory.dmp

memory/2220-2-0x0000000000880000-0x000000000088A000-memory.dmp

memory/2220-3-0x0000000000960000-0x00000000009A4000-memory.dmp

memory/2220-4-0x0000000074060000-0x000000007474E000-memory.dmp

memory/2220-5-0x000000007406E000-0x000000007406F000-memory.dmp

memory/2220-6-0x0000000074060000-0x000000007474E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpD99D.tmp

MD5 d1fd5e12f227eb93901f97339ee5c7ad
SHA1 8172342fde605f8d3d31cf1113227f1a942df3d9
SHA256 f8456f237ca2428c6b1976ffc7a71df83ed0f9826643a3b67659cf1f8f7087d9
SHA512 7d3fd324abc3a46c89082dcbfc62dd1bcc21dffb5f966d4ec423d603d1053c231efdc68f5290790494fe61910376c167337e9e4805d3f472803e929796f6a755

memory/2220-12-0x0000000000350000-0x000000000035A000-memory.dmp

memory/2132-13-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2132-14-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2132-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2132-20-0x0000000000910000-0x0000000000C13000-memory.dmp

memory/2220-19-0x0000000074060000-0x000000007474E000-memory.dmp

memory/2132-18-0x0000000000400000-0x000000000042A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-07 00:38

Reported

2024-05-07 00:41

Platform

win10v2004-20240419-en

Max time kernel

133s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe"

Signatures

Formbook

trojan spyware stealer formbook

Detects executables packed with Cassandra/CyaX

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Detects executables packed with ConfuserEx Custom; outside of GIT

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Formbook payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Looks for VirtualBox Guest Additions in registry

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe | N/A

Looks for VMWare Tools registry key

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools | C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe | N/A

Maps connected drives based on registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 552 wrote to memory of 2712 | N/A | C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe | C:\Windows\SysWOW64\schtasks.exe
PID 552 wrote to memory of 2712 | N/A | C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe | C:\Windows\SysWOW64\schtasks.exe
PID 552 wrote to memory of 2712 | N/A | C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe | C:\Windows\SysWOW64\schtasks.exe
PID 552 wrote to memory of 4992 | N/A | C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe | C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe
PID 552 wrote to memory of 4992 | N/A | C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe | C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe
PID 552 wrote to memory of 4992 | N/A | C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe | C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe
PID 552 wrote to memory of 4992 | N/A | C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe | C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe
PID 552 wrote to memory of 4992 | N/A | C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe | C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe
PID 552 wrote to memory of 4992 | N/A | C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe | C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe

"C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IiTdunToFK" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF01D.tmp"

C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe

"C:\Users\Admin\AppData\Local\Temp\b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4992 -ip 4992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 184

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
NL | 23.62.61.194:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 219.131.50.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 49.15.97.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp

Files

memory/552-0-0x000000007513E000-0x000000007513F000-memory.dmp

memory/552-1-0x00000000000E0000-0x0000000000178000-memory.dmp

memory/552-2-0x0000000004920000-0x000000000492A000-memory.dmp

memory/552-3-0x00000000049D0000-0x0000000004A62000-memory.dmp

memory/552-4-0x0000000004E20000-0x0000000004E64000-memory.dmp

memory/552-5-0x0000000075130000-0x00000000758E0000-memory.dmp

memory/552-6-0x00000000073D0000-0x000000000746C000-memory.dmp

memory/552-7-0x000000007513E000-0x000000007513F000-memory.dmp

memory/552-8-0x0000000075130000-0x00000000758E0000-memory.dmp

memory/552-9-0x00000000076E0000-0x0000000007746000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpF01D.tmp

MD5 b6641dc5108adc81d3db7aae9b3c40b3
SHA1 1cea02170cd91f8503e3aecd9790484e701e6427
SHA256 8650820b765908d94d24b5824599b04ace28ad0ba0e70c85d0595c3a100ae71c
SHA512 5d13d7ee183c23cc44c20d6efdc70deb70c5c4229f1a66953cadd16a3bfdcb391d2d17fa2b9c873e35deb1ad7ee1f9a64f03e7a7bf7e58a87512a856f6b1bdb3

memory/552-15-0x0000000007860000-0x000000000786A000-memory.dmp

memory/552-16-0x00000000087E0000-0x0000000008D84000-memory.dmp

memory/4992-18-0x0000000000710000-0x000000000073A000-memory.dmp

memory/552-21-0x0000000075130000-0x00000000758E0000-memory.dmp