Overview

overview

10

Static

static

3

2.exe

windows7-x64

10

2.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    06/06/2024, 08:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2.exe

  • Size

    36KB

  • MD5

    c2a39ff0162982b5b32cd40095681c40

  • SHA1

    14a7a60b9dc574b066ea39f59d72711dab9639c0

  • SHA256

    ea8636131cfb69ab935f05201fe8c285b53ccd379928825386b015ae7bb43809

  • SHA512

    3452c2dfa51691cc5da766542630a87c6e68cf93e5094981ab8905f7696e0c3c45acbf8f4a09b4410a3d5848d29d00b431b4b904472d7dbd1ed63478404172a2

  • SSDEEP

    768:pCpjO4tnumCBsT15CBHCrUCoTtBDtCYPB0t0/qigiltBN:OvnmCxXiltv

Score
10/10
formbookbtrdpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

btrd

Decoy

everslane.com

prairieviewelectric.online

dszvhgd.com

papamuch.com

8129k.vip

jeffreestar.gold

bestguestrentals.com

nvzhuang1.net

anangtoto.com

yxfgor.top

practicalpoppers.com

thebestanglephotography.online

koormm.top

criika.net

audioflow.online

380747.net

jiuguanwang.net

bloxequities.com

v321c.com

sugar.monster

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 53 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:1204
    • C:\Users\Admin\AppData\Local\Temp\2.exe
      "C:\Users\Admin\AppData\Local\Temp\2.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3056
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "2" /t REG_SZ /F /D "C:\Users\Admin\Documents\2.pif"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2748
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "2" /t REG_SZ /F /D "C:\Users\Admin\Documents\2.pif"
          4⤵
          • Adds Run key to start application
          PID:2948
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c Copy "C:\Users\Admin\AppData\Local\Temp\2.exe" "C:\Users\Admin\Documents\2.pif"
        3⤵
          PID:2512
        • C:\Users\Admin\AppData\Local\Temp\2.exe
          "C:\Users\Admin\AppData\Local\Temp\2.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:2808
      • C:\Windows\SysWOW64\help.exe
        "C:\Windows\SysWOW64\help.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2504
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\2.exe"
          3⤵
          • Deletes itself
          PID:2524

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1204-17-0x0000000006D40000-0x0000000006E8A000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/1204-28-0x0000000007290000-0x00000000073CB000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1204-27-0x0000000007920000-0x0000000007A46000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/1204-22-0x0000000007290000-0x00000000073CB000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1204-19-0x0000000006D40000-0x0000000006E8A000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/2504-25-0x0000000000110000-0x000000000013F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2504-23-0x00000000008E0000-0x00000000008E6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/2504-24-0x00000000008E0000-0x00000000008E6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/2808-7-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2808-8-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2808-13-0x0000000000B90000-0x0000000000E93000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/2808-16-0x00000000002D0000-0x00000000002E4000-memory.dmp

      Filesize

      80KB

      Download

    • memory/2808-15-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2808-11-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2808-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2808-20-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2808-21-0x0000000000330000-0x0000000000344000-memory.dmp

      Filesize

      80KB

      Download

    • memory/3056-12-0x00000000746B0000-0x0000000074D9E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/3056-0-0x00000000746BE000-0x00000000746BF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3056-6-0x00000000746B0000-0x0000000074D9E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/3056-3-0x0000000004BC0000-0x0000000004C38000-memory.dmp

      Filesize

      480KB

      Download

    • memory/3056-2-0x00000000746B0000-0x0000000074D9E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/3056-1-0x0000000000B80000-0x0000000000B8E000-memory.dmp

      Filesize

      56KB

      Download