Malware Analysis Report

2024-10-23 22:11

Sample ID 240718-d7ccpawhrf
Target f6ed869b733b1f2aa3bdd06040f3372a.bin
SHA256 9bf158493325eef78727b2115b1046a345fbefea0d14c45d801dc0504c04ec0c
Tags
formbook rn94 rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9bf158493325eef78727b2115b1046a345fbefea0d14c45d801dc0504c04ec0c

Threat Level: Known bad

The file f6ed869b733b1f2aa3bdd06040f3372a.bin was found to be: Known bad.

Malicious Activity Summary

formbook rn94 rat spyware stealer trojan

Formbook

Formbook payload

Loads dropped DLL

Executes dropped EXE

Drops startup file

Suspicious use of SetThreadContext

AutoIT Executable

Unsigned PE

Suspicious behavior: MapViewOfSection

Suspicious use of UnmapMainImage

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-18 03:38

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-18 03:38

Reported

2024-07-18 03:41

Platform

win7-20240708-en

Max time kernel

147s

Max time network

119s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs C:\Users\Admin\AppData\Local\directory\name.exe N/A
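The row above is the sample's persistence: the dropped AutoIT build name.exe writes name.vbs into the per-user Startup folder, so the script (not the executable) is what runs at logon. The report does not show the contents of name.vbs. The script below is an added example, not part of the sandbox report: it lists script launchers in a Startup folder, pulls every absolute .exe path out of each one, and flags paths under user-writable locations, which is the question a responder wants answered on a suspect host. The user-writable prefixes and the stand-in .vbs body are assumptions of the example; the demo seeds a temporary folder so it runs offline, and on a Windows host the same scanner is pointed at startup_dir().

```python
import os
import re
import tempfile

# Script types a Startup folder should not normally contain.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".ps1"}
# Path fragments treated as user-writable (assumption of this example).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")
# Any absolute Windows path ending in .exe inside a script body.
EXE_RE = re.compile(r"[A-Za-z]:\\[^\"'\s]+\.exe", re.IGNORECASE)


def startup_dir():
    """Per-user Startup folder, the location name.vbs was dropped into."""
    return os.path.join(os.environ.get("APPDATA", ""),
                        r"Microsoft\Windows\Start Menu\Programs\Startup")


def scan_startup(folder):
    """Return one record per script launcher found in folder."""
    findings = []
    for name in sorted(os.listdir(folder)):
        if os.path.splitext(name)[1].lower() not in SCRIPT_EXTS:
            continue
        with open(os.path.join(folder, name), "r", errors="replace") as fh:
            body = fh.read()
        launches = EXE_RE.findall(body)
        findings.append({
            "script": name,
            "launches": launches,
            # executables that live where a normal user can write: the usual
            # sign of a dropped payload rather than an installed program
            "user_writable": [p for p in launches
                              if any(tag in p.lower() for tag in USER_WRITABLE)],
        })
    return findings


# Constructed stand-in for name.vbs; the report does not show the file's contents.
SAMPLE_VBS = r'''Set sh = CreateObject("WScript.Shell")
sh.Run """C:\Users\Admin\AppData\Local\directory\name.exe""", 0
'''


def demo():
    """Run the scanner against a temporary folder seeded with the stand-in script."""
    with tempfile.TemporaryDirectory() as folder:
        with open(os.path.join(folder, "name.vbs"), "w") as fh:
            fh.write(SAMPLE_VBS)
        with open(os.path.join(folder, "desktop.ini"), "w") as fh:
            fh.write("[.ShellClassInfo]\n")  # benign file, must be skipped
        return scan_startup(folder)


if __name__ == "__main__":
    # On the infected host: scan_startup(startup_dir())
    for hit in demo():
        print(hit["script"], "->", hit["user_writable"] or hit["launches"])
```

A launcher in Startup that points into AppData is enough to pull the referenced executable for hashing; compare it against the MD5/SHA256 of name.exe listed in the Files section.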

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\directory\name.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3028 set thread context of 2668 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Windows\SysWOW64\svchost.exe
PID 2668 set thread context of 1216 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\Explorer.EXE
PID 2668 set thread context of 1216 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\Explorer.EXE
PID 2828 set thread context of 1216 N/A C:\Windows\SysWOW64\help.exe C:\Windows\Explorer.EXE
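The four rows above are the injection chain of this detonation: the dropped AutoIT build name.exe (PID 3028) sets the thread context of a 32-bit svchost.exe (2668), consistent with process hollowing; that svchost.exe then sets the thread context of Explorer.EXE (1216); help.exe (2828), which the WriteProcessMemory table shows being written to by the same svchost.exe, targets Explorer.EXE as well and later runs cmd.exe /c del against the svchost.exe path. The script below is an added example, not part of the sandbox report: it parses these rows (transcribed inline), drops the repeated event, reconstructs the chains starting from processes nobody injected into, and flags the two patterns a detection rule would key on, an image under a user-writable path setting the thread context of a Windows binary, and any Windows binary setting the thread context of the shell. The user-writable path prefixes are an assumption of the example.

```python
import ntpath
import re
from collections import defaultdict

# Rows transcribed from the "Suspicious use of SetThreadContext" table above.
SET_THREAD_CONTEXT_ROWS = [
    r"PID 3028 set thread context of 2668 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Windows\SysWOW64\svchost.exe",
    r"PID 2668 set thread context of 1216 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\Explorer.EXE",
    r"PID 2668 set thread context of 1216 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\Explorer.EXE",
    r"PID 2828 set thread context of 1216 N/A C:\Windows\SysWOW64\help.exe C:\Windows\Explorer.EXE",
]

ROW_RE = re.compile(r"^PID (\d+) set thread context of (\d+) \S+ (\S+) (\S+)$")
# Path fragments treated as user-writable (assumption of this example).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")


def parse_rows(rows):
    """(src_pid, dst_pid, src_image, dst_image) per row, repeats dropped, order kept."""
    edges = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m is None:
            continue
        edge = (int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
        if edge not in edges:
            edges.append(edge)
    return edges


def injection_chains(edges):
    """Follow edges from every process that was never itself a target."""
    image, children, targets = {}, defaultdict(list), set()
    for src, dst, src_img, dst_img in edges:
        image[src], image[dst] = src_img, dst_img
        children[src].append(dst)
        targets.add(dst)
    chains = []

    def walk(pid, path, seen):
        path = path + [ntpath.basename(image[pid])]
        nxt = [c for c in children.get(pid, []) if c not in seen]
        if not nxt:                      # leaf (or cycle): chain complete
            chains.append(path)
            return
        for child in nxt:
            walk(child, path, seen | {pid})

    for root in sorted(pid for pid in image if pid not in targets):
        walk(root, [], set())
    return chains


def is_user_writable(path):
    return any(tag in path.lower() for tag in USER_WRITABLE)


def is_windows_image(path):
    return path.lower().startswith("c:\\windows\\")


def flag_edges(edges):
    """The two patterns worth an alert, with PIDs so they can be cross-checked."""
    findings = []
    for src, dst, src_img, dst_img in edges:
        s, d = ntpath.basename(src_img), ntpath.basename(dst_img)
        if is_user_writable(src_img) and is_windows_image(dst_img):
            findings.append(f"{s} ({src}) set thread context of Windows binary {d} ({dst}): hollowing pattern")
        if d.lower() == "explorer.exe" and is_windows_image(src_img):
            findings.append(f"{s} ({src}) set thread context of the shell {d} ({dst}): explorer injection")
    return findings


if __name__ == "__main__":
    edges = parse_rows(SET_THREAD_CONTEXT_ROWS)
    for chain in injection_chains(edges):
        print(" -> ".join(chain))
    for finding in flag_edges(edges):
        print(finding)
```

The same parser works on the behavioral2 rows, where the chain stops at Explorer.EXE because the help.exe stage did not occur in that run.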

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\help.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1484 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\05b3ae9c167cf06edf52dc99127dfd516e24ead51e9da7d3fbf230124e7063e1.exe C:\Users\Admin\AppData\Local\directory\name.exe
PID 1484 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\05b3ae9c167cf06edf52dc99127dfd516e24ead51e9da7d3fbf230124e7063e1.exe C:\Users\Admin\AppData\Local\directory\name.exe
PID 1484 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\05b3ae9c167cf06edf52dc99127dfd516e24ead51e9da7d3fbf230124e7063e1.exe C:\Users\Admin\AppData\Local\directory\name.exe
PID 1484 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\05b3ae9c167cf06edf52dc99127dfd516e24ead51e9da7d3fbf230124e7063e1.exe C:\Users\Admin\AppData\Local\directory\name.exe
PID 3028 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Windows\SysWOW64\svchost.exe
PID 3028 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Windows\SysWOW64\svchost.exe
PID 3028 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Windows\SysWOW64\svchost.exe
PID 3028 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Windows\SysWOW64\svchost.exe
PID 3028 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Windows\SysWOW64\svchost.exe
PID 2668 wrote to memory of 2828 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\help.exe
PID 2668 wrote to memory of 2828 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\help.exe
PID 2668 wrote to memory of 2828 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\help.exe
PID 2668 wrote to memory of 2828 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\help.exe
PID 2828 wrote to memory of 2604 N/A C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 2604 N/A C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 2604 N/A C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 2604 N/A C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\cmd.exe

Processes

Process Command line
C:\Windows\Explorer.EXE C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\05b3ae9c167cf06edf52dc99127dfd516e24ead51e9da7d3fbf230124e7063e1.exe "C:\Users\Admin\AppData\Local\Temp\05b3ae9c167cf06edf52dc99127dfd516e24ead51e9da7d3fbf230124e7063e1.exe"
C:\Users\Admin\AppData\Local\directory\name.exe "C:\Users\Admin\AppData\Local\Temp\05b3ae9c167cf06edf52dc99127dfd516e24ead51e9da7d3fbf230124e7063e1.exe"
C:\Windows\SysWOW64\svchost.exe "C:\Users\Admin\AppData\Local\Temp\05b3ae9c167cf06edf52dc99127dfd516e24ead51e9da7d3fbf230124e7063e1.exe"
C:\Windows\SysWOW64\help.exe "C:\Windows\SysWOW64\help.exe"
C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"

Network

N/A

Files

memory/1484-10-0x0000000000320000-0x0000000000430000-memory.dmp

\Users\Admin\AppData\Local\directory\name.exe

MD5 f6ed869b733b1f2aa3bdd06040f3372a
SHA1 7075acf1c62e44653f5c834a14b56cd342f0ae5a
SHA256 05b3ae9c167cf06edf52dc99127dfd516e24ead51e9da7d3fbf230124e7063e1
SHA512 cba7753022eaa43f2d1bc77c73c7276824545e3083eee5e321f8be5b729bad3b01fe84108cbc5bdbe5fca7df1e802a55b36ef19292b1874a1cb514af5c16c582

memory/1484-16-0x0000000000320000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\niellists

MD5 58078733b08c9abd4a1d6945eedd33f7
SHA1 9d3b0fa2d1d78bc91875e656c82ac9c0a78ab5e2
SHA256 b9934664b8c472743c1170afd0acfbbc1d6a299ade5451e4dfd7dee18d1a60c7
SHA512 87b2f00bb55166bfc1d3da8a3f65648fb9cc0690ccd47ec70f589be1808351c13904fc9ab8e2b253e59ff1e8d90e4e75d22f106627312ca26d2ff098166a2f40

C:\Users\Admin\AppData\Local\Temp\Mazatl

MD5 e0a5cf114d58f8ee0ff4291a867fd137
SHA1 1b158ff65388347954508f5b7f199371e19223e3
SHA256 eafeb8c80d4ad126dadef3f52db44f656a8aeef68287af04a50e6fa881b9140e
SHA512 8546fef189b766616f1d99e98dba8b46809e2f5097c7ab931096ff3838439a2e18b4a2a61cbd0d318c0aa0ff014e883711210f5cdeaa6a021aaa57f628fb7ac4

memory/3028-30-0x0000000000110000-0x0000000000114000-memory.dmp

memory/2668-32-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2668-33-0x0000000000930000-0x0000000000C33000-memory.dmp

memory/2668-36-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2668-35-0x0000000000150000-0x0000000000165000-memory.dmp

memory/1216-37-0x00000000043A0000-0x00000000045A0000-memory.dmp

memory/1216-38-0x0000000004B00000-0x0000000004C00000-memory.dmp

memory/1216-42-0x0000000004FE0000-0x000000000513A000-memory.dmp

memory/2668-41-0x0000000000280000-0x0000000000295000-memory.dmp

memory/2668-40-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2828-44-0x0000000000F00000-0x0000000000F06000-memory.dmp

memory/2828-43-0x0000000000F00000-0x0000000000F06000-memory.dmp

memory/2828-45-0x00000000000C0000-0x00000000000EF000-memory.dmp

memory/1216-46-0x0000000004FE0000-0x000000000513A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-18 03:38

Reported

2024-07-18 03:41

Platform

win10v2004-20240709-en

Max time kernel

146s

Max time network

123s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs C:\Users\Admin\AppData\Local\directory\name.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\directory\name.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2928 set thread context of 4208 N/A C:\Users\Admin\AppData\Local\directory\name.exe C:\Windows\SysWOW64\svchost.exe
PID 4208 set thread context of 3460 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\Explorer.EXE
PID 4208 set thread context of 3460 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\Explorer.EXE

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\Explorer.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\directory\name.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Processes

Process Command line
C:\Windows\Explorer.EXE C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\05b3ae9c167cf06edf52dc99127dfd516e24ead51e9da7d3fbf230124e7063e1.exe "C:\Users\Admin\AppData\Local\Temp\05b3ae9c167cf06edf52dc99127dfd516e24ead51e9da7d3fbf230124e7063e1.exe"
C:\Users\Admin\AppData\Local\directory\name.exe "C:\Users\Admin\AppData\Local\Temp\05b3ae9c167cf06edf52dc99127dfd516e24ead51e9da7d3fbf230124e7063e1.exe"
C:\Windows\SysWOW64\svchost.exe "C:\Users\Admin\AppData\Local\Temp\05b3ae9c167cf06edf52dc99127dfd516e24ead51e9da7d3fbf230124e7063e1.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
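Nothing in the table above can be tied to the sample: the entries are reverse-DNS (PTR) queries sent to 8.8.8.8 and DNS plus TLS connections to tse1.mm.bing.net, and no HTTP traffic to any other host was recorded, so this capture holds no Formbook C2 indicator and should not be turned into network IOCs. The script below is an added example, not part of the sandbox report: it parses the rows (transcribed inline), decodes each in-addr.arpa name back to the address it asks about, separates domains on an allowlist of suffixes the Windows image contacts on its own from anything left over for review, and collapses repeated connections. The allowlist is an assumption of the example and should be tuned to the sandbox image in use; the extra row in the test uses a documentation address and is constructed.

```python
import ipaddress

# Rows transcribed from the Network table above (Country Destination Domain Proto).
NETWORK_ROWS = [
    "US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp",
    "US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp",
    "US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp",
    "US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp",
    "US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp",
    "US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp",
    "US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp",
    "US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp",
    "US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp",
    "US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp",
    "US 8.8.8.8:53 tse1.mm.bing.net udp",
    "US 150.171.27.10:443 tse1.mm.bing.net tcp",
    "US 150.171.27.10:443 tse1.mm.bing.net tcp",
    "US 150.171.27.10:443 tse1.mm.bing.net tcp",
    "US 150.171.27.10:443 tse1.mm.bing.net tcp",
    "US 150.171.27.10:443 tse1.mm.bing.net tcp",
    "US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp",
]

# Domain suffixes the Windows image contacts on its own; an assumed allowlist
# for this example, to be tuned per sandbox image.
PLATFORM_SUFFIXES = ("bing.net", "bing.com", "microsoft.com", "live.com",
                     "msftconnecttest.com", "windowsupdate.com")


def ptr_to_ip(name):
    """'133.211.185.52.in-addr.arpa' -> '52.185.211.133'; None if not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ValueError:
        return None


def classify(row):
    """Label one row: 'ptr' (reverse lookup), 'platform' (OS noise) or 'review'."""
    _country, dest, domain, proto = row.split()
    ip = ptr_to_ip(domain)
    if ip is not None:
        return ("ptr", ip, dest, proto)
    if domain.lower().endswith(PLATFORM_SUFFIXES):
        return ("platform", domain, dest, proto)
    return ("review", domain, dest, proto)


def triage(rows):
    """Bucket the rows by label, collapsing repeated connections."""
    buckets = {"ptr": [], "platform": [], "review": []}
    for row in rows:
        kind, subject, dest, proto = classify(row)
        entry = (subject, dest, proto)
        if entry not in buckets[kind]:
            buckets[kind].append(entry)
    return buckets


if __name__ == "__main__":
    for kind, entries in triage(NETWORK_ROWS).items():
        print(kind, len(entries))
        for entry in entries:
            print("   ", *entry)
```

For this run the review bucket comes back empty; a Formbook sample that reached its C2 would populate it with the HTTP hosts it beacons to, and those, not the PTR names, are the rows worth extracting.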

Files

memory/3080-10-0x0000000000D90000-0x0000000000D94000-memory.dmp

C:\Users\Admin\AppData\Local\directory\name.exe

MD5 f6ed869b733b1f2aa3bdd06040f3372a
SHA1 7075acf1c62e44653f5c834a14b56cd342f0ae5a
SHA256 05b3ae9c167cf06edf52dc99127dfd516e24ead51e9da7d3fbf230124e7063e1
SHA512 cba7753022eaa43f2d1bc77c73c7276824545e3083eee5e321f8be5b729bad3b01fe84108cbc5bdbe5fca7df1e802a55b36ef19292b1874a1cb514af5c16c582

C:\Users\Admin\AppData\Local\Temp\Mazatl

MD5 e0a5cf114d58f8ee0ff4291a867fd137
SHA1 1b158ff65388347954508f5b7f199371e19223e3
SHA256 eafeb8c80d4ad126dadef3f52db44f656a8aeef68287af04a50e6fa881b9140e
SHA512 8546fef189b766616f1d99e98dba8b46809e2f5097c7ab931096ff3838439a2e18b4a2a61cbd0d318c0aa0ff014e883711210f5cdeaa6a021aaa57f628fb7ac4

C:\Users\Admin\AppData\Local\Temp\niellists

MD5 58078733b08c9abd4a1d6945eedd33f7
SHA1 9d3b0fa2d1d78bc91875e656c82ac9c0a78ab5e2
SHA256 b9934664b8c472743c1170afd0acfbbc1d6a299ade5451e4dfd7dee18d1a60c7
SHA512 87b2f00bb55166bfc1d3da8a3f65648fb9cc0690ccd47ec70f589be1808351c13904fc9ab8e2b253e59ff1e8d90e4e75d22f106627312ca26d2ff098166a2f40

memory/4208-28-0x0000000000400000-0x000000000042F000-memory.dmp

memory/4208-29-0x0000000001400000-0x000000000174A000-memory.dmp

memory/4208-31-0x0000000000400000-0x000000000042F000-memory.dmp

memory/4208-32-0x0000000001920000-0x0000000001935000-memory.dmp

memory/3460-33-0x00000000030B0000-0x0000000003176000-memory.dmp

memory/4208-35-0x0000000000400000-0x000000000042F000-memory.dmp

memory/4208-36-0x00000000032C0000-0x00000000032D5000-memory.dmp

memory/3460-37-0x0000000008CA0000-0x0000000008E35000-memory.dmp

memory/3460-38-0x0000000008CA0000-0x0000000008E35000-memory.dmp