Analysis

  • max time kernel
    146s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/08/2024, 01:50 UTC

General

  • Target

    92b1f2ee516e87aff3e8ef41ae051276a9cb1002ccd788a15e527df458631a70.exe

  • Size

    595KB

  • MD5

    ee2875f921602d7f7f26f0b788f1b3f7

  • SHA1

    3690ccea99c4399ef2990ca3dc3d79eb29666794

  • SHA256

    92b1f2ee516e87aff3e8ef41ae051276a9cb1002ccd788a15e527df458631a70

  • SHA512

    85c813d764baba7a8a9f246cfa26208a886c64c1df8cca3863e8898342382a4dd7a0734b34fc904fb6637f1dec215da92a714d01c1fb430a811933dfd99275e5

  • SSDEEP

    12288:6YV6MorX7qzuC3QHO9FQVHPF51jgcEQ433ZwrXUuunukKlkA:pBXu9HGaVHOwrXUuepDA

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ephb

Decoy

chertsey-estates.com

zeushomeservices.com

2ax4z.com

leihuluofkauai.com

sunshinespd.com

lifeexplorer.today

holywellspringwater.com

clip-on-veneers.today

jaspershousekeeping.com

tcyd123.top

aimpets.com

n11ni5.cfd

oplmanager.dev

parisolympicgamesguide.com

askwhtevr.com

usino.online

pa6yy8h.xyz

tabomediaa.com

iwill3d.com

piqhome.site

Signatures

  • Formbook

    Formbook is a data-stealing malware family.

  • Formbook payload 3 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1188
    • C:\Users\Admin\AppData\Local\Temp\92b1f2ee516e87aff3e8ef41ae051276a9cb1002ccd788a15e527df458631a70.exe
      "C:\Users\Admin\AppData\Local\Temp\92b1f2ee516e87aff3e8ef41ae051276a9cb1002ccd788a15e527df458631a70.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2452
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\92b1f2ee516e87aff3e8ef41ae051276a9cb1002ccd788a15e527df458631a70.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2384
    • C:\Windows\SysWOW64\wlanext.exe
      "C:\Windows\SysWOW64\wlanext.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2320
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\SysWOW64\svchost.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2784

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/1188-19-0x0000000004EE0000-0x0000000004FB9000-memory.dmp

    Filesize

    868KB

  • memory/1188-26-0x0000000004EE0000-0x0000000004FB9000-memory.dmp

    Filesize

    868KB

  • memory/1188-24-0x0000000000010000-0x0000000000020000-memory.dmp

    Filesize

    64KB

  • memory/2320-23-0x0000000000080000-0x00000000000AF000-memory.dmp

    Filesize

    188KB

  • memory/2320-22-0x0000000000870000-0x0000000000886000-memory.dmp

    Filesize

    88KB

  • memory/2320-20-0x0000000000870000-0x0000000000886000-memory.dmp

    Filesize

    88KB

  • memory/2384-17-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2384-18-0x0000000000350000-0x0000000000364000-memory.dmp

    Filesize

    80KB

  • memory/2384-15-0x0000000000700000-0x0000000000A03000-memory.dmp

    Filesize

    3.0MB

  • memory/2384-12-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2452-0-0x0000000000870000-0x00000000009C7000-memory.dmp

    Filesize

    1.3MB

  • memory/2452-14-0x0000000000870000-0x00000000009C7000-memory.dmp

    Filesize

    1.3MB

  • memory/2452-11-0x0000000000770000-0x0000000000774000-memory.dmp

    Filesize

    16KB
