Malware Analysis Report

2025-01-18 12:25

Sample ID 240830-19mmrsyhjf
Target 139f804af6727f40136efc05b3810f07.zip
SHA256 7093704bdad688cbdb775de4b07daf5e586a9a7c065537d870e4aa07c4fa2075
Tags
formbook hs3h discovery evasion rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7093704bdad688cbdb775de4b07daf5e586a9a7c065537d870e4aa07c4fa2075

Threat Level: Known bad

The file 139f804af6727f40136efc05b3810f07.zip was found to be: Known bad.

Malicious Activity Summary

formbook hs3h discovery evasion rat spyware stealer trojan

Formbook

Contains code to disable Windows Defender

Formbook payload

Looks for VirtualBox Guest Additions in registry

Looks for VMWare Tools registry key

Checks BIOS information in registry

Checks computer location settings

Maps connected drives based on registry

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Program crash

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-30 22:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-30 22:21

Reported

2024-08-30 22:23

Platform

win10v2004-20240802-en

Max time kernel

141s

Max time network

112s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe"

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Formbook

trojan spyware stealer formbook

Formbook payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe N/A

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4064 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe C:\Windows\SysWOW64\schtasks.exe
PID 4064 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe C:\Windows\SysWOW64\schtasks.exe
PID 4064 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe C:\Windows\SysWOW64\schtasks.exe
PID 4064 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe
PID 4064 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe
PID 4064 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe
PID 4064 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe
PID 4064 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe
PID 4064 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe

"C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NUBPFhaQFiQqDs" /XML "C:\Users\Admin\AppData\Local\Temp\tmp635.tmp"

C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe

"{path}"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

memory/4064-0-0x000000007530E000-0x000000007530F000-memory.dmp

memory/4064-1-0x0000000000EA0000-0x0000000000F5C000-memory.dmp

memory/4064-2-0x0000000005EF0000-0x0000000006494000-memory.dmp

memory/4064-3-0x00000000059E0000-0x0000000005A72000-memory.dmp

memory/4064-4-0x0000000005A80000-0x0000000005B1C000-memory.dmp

memory/4064-5-0x0000000075300000-0x0000000075AB0000-memory.dmp

memory/4064-6-0x0000000005950000-0x000000000595A000-memory.dmp

memory/4064-7-0x0000000005300000-0x0000000005314000-memory.dmp

memory/4064-8-0x000000007530E000-0x000000007530F000-memory.dmp

memory/4064-9-0x0000000075300000-0x0000000075AB0000-memory.dmp

memory/4064-10-0x0000000007240000-0x00000000072C6000-memory.dmp

memory/4064-11-0x0000000005E80000-0x0000000005EB4000-memory.dmp

memory/4064-12-0x0000000008470000-0x00000000084D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp635.tmp

MD5 0160dba7a6ba82d62ace458e76981674
SHA1 ad764aa70538bb3a45d8ab1c8bda16d435b3f13b
SHA256 a733fda92ebad189c48c27f2855a93983e245b9171da669c74b6974510d3e663
SHA512 25673aa95f4535c86438e9868bd112e64121be179c42ea0923265767855386a846e503f758026a1f21a83d3d390c3a9de40917bb1fcfd1506b4a190c18d57b88

memory/5116-16-0x0000000000400000-0x000000000042F000-memory.dmp

memory/4064-18-0x0000000075300000-0x0000000075AB0000-memory.dmp

memory/5116-19-0x0000000001980000-0x0000000001CCA000-memory.dmp

memory/5116-20-0x0000000001980000-0x0000000001CCA000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-30 22:21

Reported

2024-08-30 22:23

Platform

win7-20240705-en

Max time kernel

121s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe"

Signatures

Formbook

trojan spyware stealer formbook

Formbook payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe N/A

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2772 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe C:\Windows\SysWOW64\schtasks.exe
PID 2772 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe C:\Windows\SysWOW64\schtasks.exe
PID 2772 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe C:\Windows\SysWOW64\schtasks.exe
PID 2772 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe C:\Windows\SysWOW64\schtasks.exe
PID 2772 wrote to memory of 704 N/A C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe
PID 2772 wrote to memory of 704 N/A C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe
PID 2772 wrote to memory of 704 N/A C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe
PID 2772 wrote to memory of 704 N/A C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe
PID 2772 wrote to memory of 704 N/A C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe
PID 2772 wrote to memory of 704 N/A C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe
PID 2772 wrote to memory of 704 N/A C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe
PID 704 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe C:\Windows\SysWOW64\WerFault.exe
PID 704 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe C:\Windows\SysWOW64\WerFault.exe
PID 704 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe C:\Windows\SysWOW64\WerFault.exe
PID 704 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe

"C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NUBPFhaQFiQqDs" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD9CB.tmp"

C:\Users\Admin\AppData\Local\Temp\2d660b816d3e2c96db56d5d2e6743b8e649c63dda5e46327b5dbffdceab1d499.exe

"{path}"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 704 -s 36

Network

N/A

Files

memory/2772-0-0x000000007493E000-0x000000007493F000-memory.dmp

memory/2772-1-0x0000000001350000-0x000000000140C000-memory.dmp

memory/2772-2-0x0000000074930000-0x000000007501E000-memory.dmp

memory/2772-3-0x0000000000480000-0x0000000000494000-memory.dmp

memory/2772-4-0x000000007493E000-0x000000007493F000-memory.dmp

memory/2772-5-0x0000000074930000-0x000000007501E000-memory.dmp

memory/2772-6-0x0000000004AF0000-0x0000000004B76000-memory.dmp

memory/2772-7-0x0000000000BE0000-0x0000000000C14000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpD9CB.tmp

MD5 363fa84fbc7ead6740a79799c603b757
SHA1 5ab283428882bfc0057813444be2892b62ca29cf
SHA256 6de2218fdb7b32608fd50a82eed489763fec18f1cc39cc954c8c7f7cac026927
SHA512 01cbc51433893b5daa119b16047fb1ec98ab49fe38104e4c3e690abf9eecb66c8681bb96fc33ade22735aaf2f67c15e48619b1890bdeb40b7261b85fb89b4abf

memory/704-16-0x0000000000400000-0x000000000042F000-memory.dmp

memory/704-13-0x0000000000400000-0x000000000042F000-memory.dmp

memory/704-11-0x0000000000400000-0x000000000042F000-memory.dmp

memory/704-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2772-17-0x0000000074930000-0x000000007501E000-memory.dmp