Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-08-2024 11:05

General

  • Target

    $TEMP/coyote.exe

  • Size

    50KB

  • MD5

    07b54aa737d16f89c80e6da5a2de5013

  • SHA1

    bcad8a5a09597086ce2df3ed4d833ca6a188f12e

  • SHA256

    e4ee0e4c5533fad0ece32849b37dec5c22ad662ce3dd1376880200eb6011de5f

  • SHA512

    e92ed0a39dd645c60319739b86a06e7643cfb14f28eb6d1bb3ec97febf0405eb5ad4d3e6aaf3374bfebdeb1bbfa1371764790810aa904f1cd9f63b17c62fbe61

  • SSDEEP

    768:EsPebzrf3MbrOcnT9c/onP99Fg7APq+As006t++yD:O3MXr99nP9zgsD100x+

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

a8c

Decoy

kesslergroupinternational.net

elcarretazo.com

livbim.info

thamxop.net

abitur.expert

cidavidjoy.com

digitalkarwaan.com

hcave.com

foundbyjack.com

servicarpasjc.com

giaotrinh24h.com

ladasno.com

harrisxn.com

bestbtccasinos.info

australianflying.com

louboutinshoes.site

taohaomi.net

s5league-europe.com

lizhongysw.com

imizuspotsboxboxinggym.com

Signatures

  • Formbook

    Formbook is an information-stealing malware family.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Formbook payload 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, such as saved credentials.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 47 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    PID:3508
    • C:\Users\Admin\AppData\Local\Temp\$TEMP\coyote.exe
      "C:\Users\Admin\AppData\Local\Temp\$TEMP\coyote.exe"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1068
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:3528
    • C:\Windows\SysWOW64\chkdsk.exe
      "C:\Windows\SysWOW64\chkdsk.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      PID:4588
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\SysWOW64\cmd.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3932
      • C:\Windows\SysWOW64\cmd.exe
        /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
        3⤵
        • System Location Discovery: System Language Discovery
        PID:6012

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DB1

    Filesize

    40KB

    MD5

    a182561a527f929489bf4b8f74f65cd7

    SHA1

    8cd6866594759711ea1836e86a5b7ca64ee8911f

    SHA256

    42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

    SHA512

    9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

  • C:\Users\Admin\AppData\Roaming\N4NA3DEA\N4Nlogim.jpeg

    Filesize

    84KB

    MD5

    2a333386e9c2f22f0d38e625ee5287ff

    SHA1

    58fb538528f9f5446be8c51623a2466f76c63b51

    SHA256

    5d1989cc27299dbc995188c5ba2f098cd1fa58d94c01c41140effbce75d3c236

    SHA512

    192d116c270f9072e6721a95fa7023f1839cc886a8d0dda31d66fb1ef9fce0d1c0080b07ec7ff93a093439bacbeed744387f23b90f0481e8650a188235855a53

  • C:\Users\Admin\AppData\Roaming\N4NA3DEA\N4Nlogrg.ini

    Filesize

    38B

    MD5

    4aadf49fed30e4c9b3fe4a3dd6445ebe

    SHA1

    1e332822167c6f351b99615eada2c30a538ff037

    SHA256

    75034beb7bded9aeab5748f4592b9e1419256caec474065d43e531ec5cc21c56

    SHA512

    eb5b3908d5e7b43ba02165e092f05578f45f15a148b4c3769036aa542c23a0f7cd2bc2770cf4119a7e437de3f681d9e398511f69f66824c516d9b451bb95f945

  • C:\Users\Admin\AppData\Roaming\N4NA3DEA\N4Nlogri.ini

    Filesize

    40B

    MD5

    d63a82e5d81e02e399090af26db0b9cb

    SHA1

    91d0014c8f54743bba141fd60c9d963f869d76c9

    SHA256

    eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

    SHA512

    38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

  • C:\Users\Admin\AppData\Roaming\N4NA3DEA\N4Nlogrv.ini

    Filesize

    872B

    MD5

    bbc41c78bae6c71e63cb544a6a284d94

    SHA1

    33f2c1d9fa0e9c99b80bc2500621e95af38b1f9a

    SHA256

    ee83c6bcea9353c74bfc0a7e739f3c4a765ace894470e09cdcdebba700b8d4cb

    SHA512

    0aea424b57adae3e14ad6491cab585f554b4dffe601b5a17bad6ee6177d2f0f995e419cde576e2d1782b9bddc0661aada11a2c9f1454ae625d9e3223635ec9f4

  • C:\Windows\win.ini

    Filesize

    131B

    MD5

    9848e4efb0abd437d65e6d3d1d973adb

    SHA1

    f427ac7c50b19f66658ae7f92cbaf21110b49a47

    SHA256

    c8b84add37da849977a84fe62badb6cb908be99769edb70d60bcd04c0aec2a3f

    SHA512

    f90f1f65b6b824a526469b8d739f733a54a7f485d8b5f680de7a35fac90786bf6ba5a0b1d62e139663c5ee73b8d687cf32d4ccf188e18c53084ec12d8c216b17

  • memory/1068-1-0x0000000000D80000-0x0000000000D81000-memory.dmp

    Filesize

    4KB

  • memory/1068-2-0x0000000000DF0000-0x0000000000DF6000-memory.dmp

    Filesize

    24KB

  • memory/1068-10007-0x0000000003180000-0x00000000031A2000-memory.dmp

    Filesize

    136KB

  • memory/1068-0-0x0000000000D70000-0x0000000000D74000-memory.dmp

    Filesize

    16KB

  • memory/3508-10013-0x0000000008B20000-0x0000000008C44000-memory.dmp

    Filesize

    1.1MB

  • memory/3508-10016-0x0000000008B20000-0x0000000008C44000-memory.dmp

    Filesize

    1.1MB

  • memory/3508-10019-0x0000000008FB0000-0x0000000009101000-memory.dmp

    Filesize

    1.3MB

  • memory/3528-10015-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/3528-10011-0x0000000003800000-0x0000000003B4A000-memory.dmp

    Filesize

    3.3MB

  • memory/3528-10010-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/3528-10008-0x0000000000D70000-0x0000000000D76000-memory.dmp

    Filesize

    24KB

  • memory/4588-10014-0x0000000000D70000-0x0000000000D7A000-memory.dmp

    Filesize

    40KB