Overview

overview

10

Static

static

10

csbdnquus.exe

windows7-x64

10

csbdnquus.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    58s
  • max time network
    50s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    06-08-2024 16:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    csbdnquus.exe

  • Size

    760KB

  • MD5

    c431847b601038a906219f4429c30bf4

  • SHA1

    2e31eb56b0bc1c655c8d86347398276067f0b15e

  • SHA256

    f51db63fe8be8e59e25e8363e5930309e9a9148925e583da18ea7e31bc9b0a96

  • SHA512

    84c19678c4be4a48c6759a396d93783143972ae0616ab23e6a9bb453c7ecd3c50d7fe0d3e1293e7146023cb4fc2767cbe75bd72ca51d2bb831d5ecb1c9e0104a

  • SSDEEP

    6144:/Bz+lXZtn35VWFiGP8XJD/HobegCAStpL+kmNw0Fq2ecTY668wC1:/sZt35Vy85jubwt5Ln0D3Y4wU

Score
10/10
formbook2curdiscoveryratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

2cur

Decoy

bedsireland.com

ant-coupon.com

dreamsconsultoria.com

ufologypublishing.com

zhenghelab.com

3c-passion-for-furniture.com

ristorantegadir.com

sxcigars.com

moss-solutions.com

uc-work.net

narutocoin.net

alettae.com

sheepnotes.com

stylemefrugal.com

equifaxsefurity2017.com

sanvalentinoday.com

islambrain.com

pahladvisors.net

tekno65.com

bets4affiliates.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1908
    • C:\Users\Admin\AppData\Local\Temp\csbdnquus.exe
      "C:\Users\Admin\AppData\Local\Temp\csbdnquus.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4244
      • C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
        "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
        3⤵
        • Executes dropped EXE
        PID:3608
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 188
          4⤵
          • Program crash
          PID:4008
      • C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
        "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:3884
    • C:\Windows\SysWOW64\wlanext.exe
      "C:\Windows\SysWOW64\wlanext.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1636
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2696

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
    Filesize

    41KB

    MD5

    6a673bfc3b67ae9782cb31af2f234c68

    SHA1

    7544e89566d91e84e3cd437b9a073e5f6b56566e

    SHA256

    978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

    SHA512

    72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

    Download Submit

  • memory/1636-31-0x0000000000E10000-0x0000000000E3E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1636-25-0x0000000000F70000-0x0000000000F87000-memory.dmp

    Filesize

    92KB

    Download

  • memory/1636-27-0x0000000000F70000-0x0000000000F87000-memory.dmp

    Filesize

    92KB

    Download

  • memory/1636-29-0x0000000000F70000-0x0000000000F87000-memory.dmp

    Filesize

    92KB

    Download

  • memory/1908-24-0x0000000003250000-0x0000000003325000-memory.dmp

    Filesize

    852KB

    Download

  • memory/3608-13-0x0000000000800000-0x000000000082E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/3884-23-0x00000000013E0000-0x00000000013F4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/3884-20-0x0000000001960000-0x0000000001C80000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/3884-22-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4244-6-0x0000000006530000-0x0000000006A2E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/4244-8-0x00000000731A0000-0x000000007388E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4244-19-0x00000000731A0000-0x000000007388E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4244-7-0x0000000006110000-0x00000000061A2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4244-10-0x0000000006310000-0x000000000631A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4244-0-0x00000000731AE000-0x00000000731AF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4244-5-0x00000000731A0000-0x000000007388E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4244-4-0x00000000731AE000-0x00000000731AF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4244-3-0x00000000731A0000-0x000000007388E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4244-2-0x0000000003150000-0x0000000003164000-memory.dmp

    Filesize

    80KB

    Download

  • memory/4244-1-0x0000000000EE0000-0x0000000000FA4000-memory.dmp

    Filesize

    784KB

    Download