Analysis
-
max time kernel
149s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240730-en -
resource tags
-
submitted
01-08-2024 06:43
General
-
Target
LSW51096D32024I.exe
-
Size
653KB
-
MD5
8691b9bda57b18592afe76b9a8265ad3
-
SHA1
51c0b367762361da72cc2b36d317b188c9a51b59
-
SHA256
a8af52f378b0d8cc71513411d4af5c383147c03064981084c63125b3f57b7f6a
-
SHA512
56d80eae6b52800ebde89e6aecc2f40050dbabb82d65158f2a934bcfdc897f936f3293a557de689ce56a7223337ffa6d1b2bcee15af081c7203142d7e28563f6
-
SSDEEP
12288:QI2iNeSY+aZrwrhWAqSruftYXDEt+FL+rXu8gLvCN2avJ5S:T14/4rhWAqSruftWFK9gLvCRR5
Malware Config
Extracted
formbook
4.1
de94
way2future.net
worldnewsdailys.online
rendamaisbr.com
s485.icu
vcxwpo.xyz
imagivilleartists.com
herbatyorganics.com
xn--80ado1abokv5d.xn--p1acf
invigoratewell.com
especialistaleitura.online
pkrstg.com
performacaretechnical.com
dreamgame55.net
hkitgugx.xyz
istanlikbilgiler.click
slotter99j.vip
exploringtheoutdoors.net
triberoots.com
energiaslotsbet.com
dkforcm.com
Signatures
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Formbook payload 4 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 56 IoCs
-
Suspicious behavior: MapViewOfSection 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\LSW51096D32024I.exe"C:\Users\Admin\AppData\Local\Temp\LSW51096D32024I.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\LSW51096D32024I.exe"C:\Users\Admin\AppData\Local\Temp\LSW51096D32024I.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\raserver.exe"C:\Windows\SysWOW64\raserver.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\LSW51096D32024I.exe"3⤵
- System Location Discovery: System Language Discovery
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.3MB
-
Filesize
188KB
-
Filesize
80KB
-
Filesize
188KB
-
Filesize
80KB
-
Filesize
188KB
-
Filesize
636KB
-
Filesize
636KB
-
Filesize
1.6MB
-
Filesize
636KB
-
Filesize
1.6MB
-
Filesize
824KB
-
Filesize
72KB
-
Filesize
7.7MB
-
Filesize
624KB
-
Filesize
472KB
-
Filesize
56KB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
680KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
188KB
-
Filesize
124KB
-
Filesize
124KB