Overview

overview

10

Static

static

10

1/0178b79b...bd.exe

windows7-x64

10

1/0280cde4...60.exe

windows7-x64

10

1/08b76206...65.exe

windows7-x64

10

1/0e4fc438...91.exe

windows7-x64

3

1/0fb86a8b...05.exe

windows7-x64

10

1/25898c73...8f.exe

windows7-x64

10

1/2c2e9491...3c.exe

windows7-x64

3

1/2ef0f582...2e.exe

windows7-x64

3

1/39884fc0...82.exe

windows7-x64

10

1/3a72ecec...8a.exe

windows7-x64

10

1/3bfcb4f7...71.exe

windows7-x64

10

1/4103411f...f5.exe

windows7-x64

10

1/4e0fdb84...95.exe

windows7-x64

9

1/5297372f...33.exe

windows7-x64

5

1/68292f38...e4.exe

windows7-x64

3

1/6da4696b...e5.exe

windows7-x64

7

1/7021c9cb...78.exe

windows7-x64

10

1/752f5cc5...60.exe

windows7-x64

10

1/7c7cded8...0c.exe

windows7-x64

10

1/97d29ffc...84.exe

windows7-x64

10

1/a306cc84...03.exe

windows7-x64

3

1/ae1a168f...74.exe

windows7-x64

7

1/b13f2364...d6.exe

windows7-x64

8

1/b2a1d168...9d.bat

windows7-x64

8

1/bb29aeb6...bd.exe

windows7-x64

8

1/c8e5a24a...f5.bat

windows7-x64

8

1/c9736cdc...97.exe

windows7-x64

8

1/d58780d1...a0.exe

windows7-x64

10

1/de19e016...d0.exe

windows7-x64

3

1/e886016e...51.exe

windows7-x64

3

1/f0f496ec...f4.bat

windows7-x64

8

1/f28599b0...23.exe

windows7-x64

10

Resubmissions

11-12-2024 15:32

241211-sy44nssrdm 10

09-08-2024 21:57

240809-1t1vfs1cpm 10

06-08-2024 13:01

240806-p9f97szdlm 10

06-08-2024 12:52

240806-p3672stdkg 10

06-08-2024 12:29

240806-ppa8fsygqr 10

06-08-2024 12:26

240806-pmc92ashlh 10

Analysis

  • max time kernel
    146s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    06-08-2024 12:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1/d58780d1d574bfe77c6f9cfad1cf4b51522231b2699081befd5bbd15f7309aa0.exe

  • Size

    691KB

  • MD5

    c2ae4fdb661a151be4876289ed7f8261

  • SHA1

    f8fbb8b8ddb55aacc20449ff2bd5d671e4cbb9fa

  • SHA256

    d58780d1d574bfe77c6f9cfad1cf4b51522231b2699081befd5bbd15f7309aa0

  • SHA512

    2642eac12e6a42fbd503621871802da278e0c68a4678675ddbe71f66d7a2b7d0ed8a22640c13d153ea63bcb33f7f13ae32eaa3e444fc451c64a1839d8cc91c89

  • SSDEEP

    12288:luCDWx2PQfnESfZ0nl+xD4u1JW31MlxwXY5oMY3tQMmVHMe3+L4Ull0l8fkR:/awMnESR0nl+Z9OSXwXuoaVse3+sCie6

Score
10/10
formbook45erdiscoveryexecutionratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

45er

Decoy

depotpulsa.com

k2bilbao.online

bb4uoficial.com

rwc666.club

us-pservice.cyou

tricegottreats.com

zsystems.pro

qudouyin6.com

sfumaturedamore.net

pcetyy.icu

notbokin.online

beqprod.tech

flipbuilding.com

errormitigationzoo.com

zj5u603.xyz

jezzatravel.com

zmdniavysyi.shop

quinnsteele.com

522334.com

outdoorshopping.net

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 3 IoCs
    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1208
      • C:\Users\Admin\AppData\Local\Temp\1\d58780d1d574bfe77c6f9cfad1cf4b51522231b2699081befd5bbd15f7309aa0.exe
        "C:\Users\Admin\AppData\Local\Temp\1\d58780d1d574bfe77c6f9cfad1cf4b51522231b2699081befd5bbd15f7309aa0.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2704
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sXqUfHySpG.exe"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2784
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sXqUfHySpG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9389.tmp"
          3⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:2696
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2592
          • C:\Windows\SysWOW64\wlanext.exe
            "C:\Windows\SysWOW64\wlanext.exe"
            4⤵
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:908
            • C:\Windows\SysWOW64\cmd.exe
              /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:3032

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp9389.tmp
      Filesize

      1KB

      MD5

      8b6dace8bd24e4ea19d3b83d08a8b4f9

      SHA1

      78d2803aa8b96944e05c3b8dc41b5cf5cc1614a4

      SHA256

      f0f441c4ef97349c7f62c2f0e66ed1f832b196a38b44499209f98a1f63be2ec0

      SHA512

      3a4d0034946933e3a2b9a72f75b101d2cf312dd6b201504afb8609e60e329acdbfc73dd30004401f4febadac7e966072caec09d349f3297d79c5a53bdad1bb00

      Download Submit

    • memory/908-24-0x0000000000080000-0x00000000000AF000-memory.dmp

      Filesize

      188KB

      Download

    • memory/908-23-0x0000000000D20000-0x0000000000D36000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1208-25-0x00000000065E0000-0x000000000672E000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/1208-21-0x0000000003AB0000-0x0000000003BB0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2592-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2592-18-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2592-15-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2592-13-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2592-22-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2704-5-0x0000000004BE0000-0x0000000004C56000-memory.dmp

      Filesize

      472KB

      Download

    • memory/2704-0-0x0000000074BBE000-0x0000000074BBF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2704-19-0x0000000074BB0000-0x000000007529E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2704-4-0x00000000005C0000-0x00000000005CE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2704-3-0x0000000000480000-0x000000000049A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2704-2-0x0000000074BB0000-0x000000007529E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2704-1-0x00000000000B0000-0x000000000015E000-memory.dmp

      Filesize

      696KB

      Download