Overview

overview

10

Static

static

3

LPO 92558 & 92669.exe

windows7-x64

10

LPO 92558 & 92669.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-08-2024 07:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LPO 92558 & 92669.exe

  • Size

    607KB

  • MD5

    690b2cd2a36fa7511b2d935a1efdc47f

  • SHA1

    588f35c534c2ed93368446a25dde5f964119119f

  • SHA256

    a68bc9acb795949fa2d0ee4a4ea0d7242ed87c9a3017af29a8bca49e6814ae37

  • SHA512

    5c96a1de338f2994693d0316e72a287ef0001926ca6a24d436d07d7d4e9c381a3bc1226cf567c16f5f600cd2b472130822798dd00ca9cfde09e4257c062db9ff

  • SSDEEP

    12288:tVVln+HKifVQp+l3qRzNFCRZpUEmTITBDnjgqwEi87wruW:5dCKwQpM3wZIHUypjgqri87+uW

Score
10/10
formbookhc58discoveryratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

hc58

Decoy

reunioncoins.com

slot88win.today

diamondcarp.com

poke138.site

cratermaketing.com

mutokiva.website

thstocks5.online

openaquasurge.com

prodsdigital.com

exileescape.com

iqcjuetaudtj.com

bwexhaustprofl.com

indiglobalconnect.com

pushkeyclub.com

stephvin.top

lifebione.com

hannahmegery.com

brookchivell.com

bioskyline.com

nonprofitgrants.online

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 58 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3524
    • C:\Users\Admin\AppData\Local\Temp\LPO 92558 & 92669.exe
      "C:\Users\Admin\AppData\Local\Temp\LPO 92558 & 92669.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3364
      • C:\Users\Admin\AppData\Local\Temp\LPO 92558 & 92669.exe
        "C:\Users\Admin\AppData\Local\Temp\LPO 92558 & 92669.exe"
        3⤵
          PID:4152
        • C:\Users\Admin\AppData\Local\Temp\LPO 92558 & 92669.exe
          "C:\Users\Admin\AppData\Local\Temp\LPO 92558 & 92669.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:2464
      • C:\Windows\SysWOW64\help.exe
        "C:\Windows\SysWOW64\help.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4848
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\LPO 92558 & 92669.exe"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:1088

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2464-11-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2464-16-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2464-17-0x0000000001100000-0x0000000001115000-memory.dmp

      Filesize

      84KB

      Download

    • memory/2464-14-0x0000000001160000-0x00000000014AA000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3364-13-0x0000000074D10000-0x00000000754C0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3364-3-0x0000000004D00000-0x0000000004D92000-memory.dmp

      Filesize

      584KB

      Download

    • memory/3364-6-0x0000000007A00000-0x0000000007A18000-memory.dmp

      Filesize

      96KB

      Download

    • memory/3364-7-0x0000000074D1E000-0x0000000074D1F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3364-8-0x0000000074D10000-0x00000000754C0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3364-9-0x0000000005EC0000-0x0000000005F36000-memory.dmp

      Filesize

      472KB

      Download

    • memory/3364-10-0x0000000006120000-0x00000000061BC000-memory.dmp

      Filesize

      624KB

      Download

    • memory/3364-4-0x0000000074D10000-0x00000000754C0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3364-0-0x0000000074D1E000-0x0000000074D1F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3364-5-0x0000000004DC0000-0x0000000004DCA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3364-2-0x0000000005210000-0x00000000057B4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3364-1-0x0000000000260000-0x00000000002FC000-memory.dmp

      Filesize

      624KB

      Download

    • memory/3524-18-0x0000000008740000-0x000000000884E000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3524-22-0x0000000008740000-0x000000000884E000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3524-26-0x0000000008850000-0x000000000896D000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3524-28-0x0000000008850000-0x000000000896D000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3524-29-0x0000000008850000-0x000000000896D000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/4848-20-0x0000000000940000-0x0000000000947000-memory.dmp

      Filesize

      28KB

      Download

    • memory/4848-19-0x0000000000940000-0x0000000000947000-memory.dmp

      Filesize

      28KB

      Download

    • memory/4848-21-0x0000000000950000-0x000000000097F000-memory.dmp

      Filesize

      188KB

      Download