Malware Analysis Report

2024-10-19 09:31

Sample ID 240510-mghlfshc7w
Target 29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe
SHA256 29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63
Tags
formbook se62 rat spyware stealer trojan
score
10/10


Analysis Overview

score
10/10

SHA256

29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63

Threat Level: Known bad

The file 29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe was found to be: Known bad.

Malicious Activity Summary

formbook se62 rat spyware stealer trojan

Formbook

Formbook payload

Suspicious use of SetThreadContext

AutoIT Executable

Unsigned PE

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-10 10:26

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-10 10:26

Reported

2024-05-10 10:28

Platform

win7-20240221-en

Max time kernel

150s

Max time network

155s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1368 set thread context of 2164 N/A C:\Users\Admin\AppData\Local\Temp\29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe C:\Windows\SysWOW64\svchost.exe
PID 2164 set thread context of 1284 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\Explorer.EXE
PID 2916 set thread context of 1284 N/A C:\Windows\SysWOW64\wuapp.exe C:\Windows\Explorer.EXE

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wuapp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1368 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe C:\Windows\SysWOW64\svchost.exe 5
PID 1284 wrote to memory of 2916 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\wuapp.exe 7
PID 2916 wrote to memory of 2772 N/A C:\Windows\SysWOW64\wuapp.exe C:\Windows\SysWOW64\cmd.exe 4

Processes

Process Command line
C:\Windows\Explorer.EXE C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe "C:\Users\Admin\AppData\Local\Temp\29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe"
C:\Windows\SysWOW64\svchost.exe "C:\Users\Admin\AppData\Local\Temp\29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe"
C:\Windows\SysWOW64\wuapp.exe "C:\Windows\SysWOW64\wuapp.exe"
C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-05-10 10:26

Reported

2024-05-10 10:28

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

154s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 916 set thread context of 232 N/A C:\Users\Admin\AppData\Local\Temp\29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe C:\Windows\SysWOW64\svchost.exe
PID 232 set thread context of 3512 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\Explorer.EXE
PID 3076 set thread context of 3512 N/A C:\Windows\SysWOW64\WWAHost.exe C:\Windows\Explorer.EXE

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A 4
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A 58

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WWAHost.exe N/A

Processes

Process Command line
C:\Windows\Explorer.EXE C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe "C:\Users\Admin\AppData\Local\Temp\29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe"
C:\Windows\SysWOW64\svchost.exe "C:\Users\Admin\AppData\Local\Temp\29c87cc9791289ada6dd99bea234651b38ce32f2099760a85d1b84819ea85f63.exe"
C:\Windows\SysWOW64\WWAHost.exe "C:\Windows\SysWOW64\WWAHost.exe"
C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"

Network


Files
