Overview

overview

10

Static

static

3

PO-2021-FV6ppD.exe

windows7-x64

10

PO-2021-FV6ppD.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    21-08-2024 11:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO-2021-FV6ppD.exe

  • Size

    1020KB

  • MD5

    b76684163bc9667e4907b4034a0763c1

  • SHA1

    4bda936ca3dee495b15aee5378a3dc87abd7cdef

  • SHA256

    957c5b5a6f0af47354f9ed2d09522fc671b8c0af06e3f3a5b6354e111b2c8129

  • SHA512

    10182cd2737aa6f7a1e8716659b89a96ee3bea78c0144cd19d491ac444639ddb13f6dc543ac7a5744b075cc3c02ffab4b0b088712c376fc3700c27aeedab435f

  • SSDEEP

    12288:dhm2ptsj6jRPLjRPqjBjjyjBjBjBjBjLj6Pf71xLtDaGgr2KbA16sCCwpTx9EEWm:oPHLtbx16Smx9Ey75

Score
10/10
formbookllcdiscoveryratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

llc

Decoy

mombosslounge.com

ladybnaturalhairproductsllc.com

fincazalduendo.com

asrahealth.net

lanbrandmanual.com

hirano-gyosei.com

storywoth.com

sailde.com

jagurutech.com

greenfuturemarket.com

jaguar-marketing.com

mytherapies.net

occidentaldissent.net

onlinemarketingbusinessbd.com

blackleadership.info

leosquad.store

becauseiknewyouweremine.com

athertonsewer.com

springbiologicaldentistry.net

rockthefunnels.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1192
    • C:\Users\Admin\AppData\Local\Temp\PO-2021-FV6ppD.exe
      "C:\Users\Admin\AppData\Local\Temp\PO-2021-FV6ppD.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2172
      • C:\Users\Admin\AppData\Local\Temp\PO-2021-FV6ppD.exe
        "C:\Users\Admin\AppData\Local\Temp\PO-2021-FV6ppD.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1740
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2988
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 268
        3⤵
        • Program crash
        PID:740
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
    1⤵
    • System Location Discovery: System Language Discovery
    PID:2668

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1192-22-0x0000000003B00000-0x0000000003C00000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1192-28-0x0000000005080000-0x00000000051C6000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1192-23-0x0000000005080000-0x00000000051C6000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1740-11-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1740-18-0x0000000000BC0000-0x0000000000EC3000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/1740-20-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1740-21-0x0000000000140000-0x0000000000154000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1740-12-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1740-16-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1740-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2172-0-0x0000000074D1E000-0x0000000074D1F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2172-17-0x0000000074D10000-0x00000000753FE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2172-7-0x0000000074D1E000-0x0000000074D1F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2172-9-0x0000000005420000-0x000000000547C000-memory.dmp

    Filesize

    368KB

    Download

  • memory/2172-8-0x0000000074D10000-0x00000000753FE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2172-6-0x0000000002100000-0x000000000210A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2172-2-0x0000000074D10000-0x00000000753FE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2172-1-0x0000000000AB0000-0x0000000000BB6000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2988-24-0x0000000000E60000-0x0000000000E74000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2988-25-0x0000000000E60000-0x0000000000E74000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2988-27-0x0000000000E60000-0x0000000000E74000-memory.dmp

    Filesize

    80KB

    Download