Malware Analysis Report

2024-10-19 09:26

Sample ID: 240712-xe277awaqj
Target: cb94f7e2d32391ffa226f27e39543a099f2867c9cc7602fb964b4358132b6a50.exe
SHA256: cb94f7e2d32391ffa226f27e39543a099f2867c9cc7602fb964b4358132b6a50
Tags: formbook pt46 rat spyware stealer trojan
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file cb94f7e2d32391ffa226f27e39543a099f2867c9cc7602fb964b4358132b6a50.exe was found to be: Known bad.

Malicious Activity Summary

Tags: formbook pt46 rat spyware stealer trojan

Formbook
Formbook payload
Suspicious use of SetThreadContext
AutoIT Executable
Unsigned PE
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of UnmapMainImage
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-07-12 18:46

Signatures

AutoIT Executable


Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-12 18:46
Reported: 2024-07-12 18:49
Platform: win7-20240704-en
Max time kernel: 141s
Max time network: 122s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook (tags: trojan spyware stealer formbook)

Formbook payload (tags: rat)

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 836 set thread context of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\cb94f7e2d32391ffa226f27e39543a099f2867c9cc7602fb964b4358132b6a50.exe | C:\Windows\SysWOW64\svchost.exe
PID 2528 set thread context of 1192 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\msiexec.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A (×2 identical entries)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 836 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\cb94f7e2d32391ffa226f27e39543a099f2867c9cc7602fb964b4358132b6a50.exe | C:\Windows\SysWOW64\svchost.exe (×5 identical entries)
PID 1192 wrote to memory of 2236 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\msiexec.exe (×7 identical entries)
PID 2236 wrote to memory of 2856 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\SysWOW64\WerFault.exe (×4 identical entries)

Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\cb94f7e2d32391ffa226f27e39543a099f2867c9cc7602fb964b4358132b6a50.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cb94f7e2d32391ffa226f27e39543a099f2867c9cc7602fb964b4358132b6a50.exe"

C:\Windows\SysWOW64\svchost.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cb94f7e2d32391ffa226f27e39543a099f2867c9cc7602fb964b4358132b6a50.exe"

C:\Windows\SysWOW64\msiexec.exe
  Command line: "C:\Windows\SysWOW64\msiexec.exe"

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 268

Network

N/A

Files

memory/836-10-0x0000000000560000-0x0000000000564000-memory.dmp
memory/2528-11-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2528-13-0x0000000000700000-0x0000000000A03000-memory.dmp
memory/2528-16-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1192-15-0x00000000043C0000-0x00000000045C0000-memory.dmp
memory/2528-14-0x0000000000180000-0x0000000000194000-memory.dmp
memory/1192-17-0x0000000004FE0000-0x00000000050BE000-memory.dmp
memory/2236-18-0x0000000000FC0000-0x0000000000FD4000-memory.dmp
memory/2236-19-0x0000000000FC0000-0x0000000000FD4000-memory.dmp
memory/2236-21-0x0000000000FC0000-0x0000000000FD4000-memory.dmp
memory/1192-24-0x0000000004FE0000-0x00000000050BE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-07-12 18:46
Reported: 2024-07-12 18:49
Platform: win10v2004-20240709-en
Max time kernel: 148s
Max time network: 142s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook (tags: trojan spyware stealer formbook)

Formbook payload (tags: rat)

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4268 set thread context of 1480 | N/A | C:\Users\Admin\AppData\Local\Temp\cb94f7e2d32391ffa226f27e39543a099f2867c9cc7602fb964b4358132b6a50.exe | C:\Windows\SysWOW64\svchost.exe
PID 1480 set thread context of 3468 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE
PID 3248 set thread context of 3468 | N/A | C:\Windows\SysWOW64\mstsc.exe | C:\Windows\Explorer.EXE

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\Explorer.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A (×4 identical entries)
N/A | N/A | C:\Windows\SysWOW64\mstsc.exe | N/A (×58 identical entries)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\mstsc.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A (×4 identical entries)
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A (×4 identical entries)

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Explorer.EXE | N/A

Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\cb94f7e2d32391ffa226f27e39543a099f2867c9cc7602fb964b4358132b6a50.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cb94f7e2d32391ffa226f27e39543a099f2867c9cc7602fb964b4358132b6a50.exe"

C:\Windows\SysWOW64\svchost.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cb94f7e2d32391ffa226f27e39543a099f2867c9cc7602fb964b4358132b6a50.exe"

C:\Windows\SysWOW64\mstsc.exe
  Command line: "C:\Windows\SysWOW64\mstsc.exe"

C:\Windows\SysWOW64\cmd.exe
  Command line: /c del "C:\Windows\SysWOW64\svchost.exe"

Network


Files

memory/4268-10-0x0000000003E00000-0x0000000003E04000-memory.dmp
memory/1480-11-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1480-12-0x0000000001A00000-0x0000000001D4A000-memory.dmp
memory/1480-15-0x0000000001E80000-0x0000000001E94000-memory.dmp
memory/1480-14-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3468-16-0x0000000009120000-0x0000000009246000-memory.dmp
memory/3248-17-0x0000000000C60000-0x0000000000D9A000-memory.dmp
memory/3248-19-0x0000000000C60000-0x0000000000D9A000-memory.dmp
memory/3248-20-0x00000000010A0000-0x00000000010CF000-memory.dmp
memory/3468-22-0x0000000009120000-0x0000000009246000-memory.dmp
memory/3468-25-0x0000000002B00000-0x0000000002C36000-memory.dmp
memory/3468-26-0x0000000002B00000-0x0000000002C36000-memory.dmp
memory/3468-29-0x0000000002B00000-0x0000000002C36000-memory.dmp