Overview

overview

10

Static

static

5

MalwareBazaar.exe

windows7-x64

10

MalwareBazaar.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240730-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-07-2024 14:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MalwareBazaar.exe

  • Size

    1.1MB

  • MD5

    fad2601b8d3ae921451df530f754a105

  • SHA1

    cd2e6daa5a20510ca430fd4ad0e7297f3658308e

  • SHA256

    29d57050ee10327642136e9e1a394ca996b42b95bae45d3dd44e392cec83c027

  • SHA512

    51176dd307286fc4a9b07cca80356a6c2b0f42a1fe947296a5f11f360ed54ea8299315223183e818da250a71f75a6134b6aafa4d3598310b896dbb9f8f8ac32d

  • SSDEEP

    24576:BqDEvCTbMWu7rQYlBQcBiT6rprG8aCHhItAQFbb2:BTvC/MTQYxsWR7aCH/Q9

Score
10/10
formbookdz16discoveryratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dz16

Decoy

gravechill.com

goniu-6520.cyou

qbwlszmf.xyz

computingthecosmos.com

m327841.com

socradex.com

outsidewallornaments.com

emadkasndfg.top

khaleejmed.online

awaz.shop

sunkar.capital

unlimited-merch.com

deboenterprise.net

darma88win.shop

593785.com

flyingcakecompany.com

toyorgga.shop

vyrqjrwh.xyz

window-replacement-26046.bond

marucoin.live

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3504
    • C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe
      "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4532
      • C:\Users\Admin\AppData\Local\directory\name.exe
        "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:4932
        • C:\Windows\SysWOW64\svchost.exe
          "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
          4⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:1060
    • C:\Windows\SysWOW64\help.exe
      "C:\Windows\SysWOW64\help.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4168
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\SysWOW64\svchost.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2208

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\antiprimer
    Filesize

    28KB

    MD5

    b769e9647555650f3bf9f5f141df5187

    SHA1

    6ce3042ba36f8a7779b609688cdd78c6fb1d4774

    SHA256

    cb3d3e699e9da8852d2621720ed0f72694e6743a3cf1a4e1e3c6d57c84dc0c06

    SHA512

    44ddc55edda392faf7d94d4efb9a5c15d0d441f60a4e65c40950dd9f40471b2d1be49a27986d8109d4c854f3aa12ac09b8fb80eefe4eb908e9116ca9d3861023

    Download Submit

  • C:\Users\Admin\AppData\Local\directory\name.exe
    Filesize

    1.1MB

    MD5

    fad2601b8d3ae921451df530f754a105

    SHA1

    cd2e6daa5a20510ca430fd4ad0e7297f3658308e

    SHA256

    29d57050ee10327642136e9e1a394ca996b42b95bae45d3dd44e392cec83c027

    SHA512

    51176dd307286fc4a9b07cca80356a6c2b0f42a1fe947296a5f11f360ed54ea8299315223183e818da250a71f75a6134b6aafa4d3598310b896dbb9f8f8ac32d

    Download Submit

  • memory/1060-37-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1060-30-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1060-31-0x0000000001600000-0x000000000194A000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/1060-34-0x0000000001300000-0x0000000001314000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1060-33-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1060-38-0x0000000001370000-0x0000000001384000-memory.dmp

    Filesize

    80KB

    Download

  • memory/3504-35-0x0000000002E40000-0x0000000002F5C000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/3504-39-0x0000000008220000-0x0000000008383000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/3504-44-0x0000000008220000-0x0000000008383000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/3504-46-0x0000000008790000-0x00000000088A8000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/3504-48-0x0000000008790000-0x00000000088A8000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/3504-50-0x0000000008790000-0x00000000088A8000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/4168-41-0x0000000000370000-0x0000000000377000-memory.dmp

    Filesize

    28KB

    Download

  • memory/4168-40-0x0000000000370000-0x0000000000377000-memory.dmp

    Filesize

    28KB

    Download

  • memory/4168-42-0x0000000000380000-0x00000000003AF000-memory.dmp

    Filesize

    188KB

    Download

  • memory/4532-11-0x0000000000DB0000-0x0000000000DB4000-memory.dmp

    Filesize

    16KB

    Download