Overview

overview

10

Static

static

3

808bc55dfd...0N.exe

windows7-x64

10

808bc55dfd...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    117s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-08-2024 08:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    808bc55dfd04bde28b5a81eeffa1be00N.exe

  • Size

    1.7MB

  • MD5

    808bc55dfd04bde28b5a81eeffa1be00

  • SHA1

    1ac47e1d51466f5031b1096d40816abb90d36668

  • SHA256

    1968771402227e2db604f63085104459de416107146f4d21a50c6e6e866f4324

  • SHA512

    e8b2d3e05adcb2da69780f1a4cea88c7f830d9d9d3a41abacc2cdf22b06ed5992a77a61e142c2622e210bd981fa20f710183aa2efa164b60d3c6aaed4f227c59

  • SSDEEP

    24576:0G/gSI7uzvdh53ATay0Lu9fE124K2Gzo/Xyhp4HtNLpTGLRvO4x:dgruLMayJWao/XC6B

Score
10/10
formbookdcn0credential_accessdiscoveryratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

dcn0

Decoy

ZVx68vDtAMBCwg==

oBMBvsNORkM/O/ox

Ff9pISWkm6eG4lByIspp

c2T42c6CIIF6B8xTxm9XzpVw

bvjhxRbnAC183w==

0lTttSNG4HUDNflyIspp

hPXFlstqiHA/O/ox

WLR+MeerxZ0cNn1ja+IQAYo=

IHRn4xXOVKi477zarG+ObSy7YJA=

Xhf3e+tdAC183w==

Xk0ZAezv2rWH

kngo+vBeSRN7AszNwam3Osmguuqc0MoC

a2Qp7a+E8fSw7LDjpnqEKjsRZA==

3zjy4E7+QM48wg==

YcCmqT3OUNAigVott2pBKiy7YJA=

4+SMeX1juat/5cZ1AZihcyy7YJA=

/+m7sro0OBTl3TMpCw==

i2ctEfe4//a64yklMsgS2J90

+loZ2QKGX0UWgpvErMs=

b9BNCnJWQJS8IfsR0uR3bCy7YJA=

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 63 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3432
    • C:\Users\Admin\AppData\Local\Temp\808bc55dfd04bde28b5a81eeffa1be00N.exe
      "C:\Users\Admin\AppData\Local\Temp\808bc55dfd04bde28b5a81eeffa1be00N.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3760
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
        3⤵
          PID:432
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
          3⤵
            PID:4828
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
            3⤵
              PID:4396
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
              3⤵
                PID:116
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
                3⤵
                  PID:3308
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
                  3⤵
                  • Suspicious use of SetThreadContext
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious behavior: MapViewOfSection
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2272
              • C:\Windows\SysWOW64\wlanext.exe
                "C:\Windows\SysWOW64\wlanext.exe"
                2⤵
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: MapViewOfSection
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3756
                • C:\Program Files\Mozilla Firefox\Firefox.exe
                  "C:\Program Files\Mozilla Firefox\Firefox.exe"
                  3⤵
                    PID:4364

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • memory/2272-11-0x0000000000400000-0x000000000042E000-memory.dmp

                Filesize

                184KB

                Download

              • memory/2272-12-0x0000000001740000-0x0000000001750000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2272-4-0x0000000000400000-0x000000000042E000-memory.dmp

                Filesize

                184KB

                Download

              • memory/2272-8-0x0000000000400000-0x000000000042E000-memory.dmp

                Filesize

                184KB

                Download

              • memory/2272-9-0x0000000001840000-0x0000000001B8A000-memory.dmp

                Filesize

                3.3MB

                Download

              • memory/3432-19-0x0000000009110000-0x0000000009238000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/3432-13-0x0000000009110000-0x0000000009238000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/3432-23-0x0000000008F70000-0x0000000009098000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/3432-32-0x0000000008F70000-0x0000000009098000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/3432-22-0x0000000008F70000-0x0000000009098000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/3756-17-0x0000000000310000-0x000000000033D000-memory.dmp

                Filesize

                180KB

                Download

              • memory/3756-14-0x0000000000EE0000-0x0000000000EF7000-memory.dmp

                Filesize

                92KB

                Download

              • memory/3756-16-0x0000000000EE0000-0x0000000000EF7000-memory.dmp

                Filesize

                92KB

                Download

              • memory/3760-1-0x000002428E780000-0x000002428E942000-memory.dmp

                Filesize

                1.8MB

                Download

              • memory/3760-3-0x00007FF99E430000-0x00007FF99EEF1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/3760-2-0x00000242907E0000-0x0000024290852000-memory.dmp

                Filesize

                456KB

                Download

              • memory/3760-7-0x00007FF99E430000-0x00007FF99EEF1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/3760-0-0x00007FF99E433000-0x00007FF99E435000-memory.dmp

                Filesize

                8KB

                Download