Overview

overview

10

Static

static

5

LYONSOFT, ...24.exe

windows7-x64

10

LYONSOFT, ...24.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    03-09-2024 06:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LYONSOFT, COOP.V. - Envío orden 240187 fecha 02-09-2024.exe

  • Size

    1.0MB

  • MD5

    6febb30bdf76d3c49b5dbfbb383c722a

  • SHA1

    80bf8a349e3fcc290bed8b2e371e3f530f09ead4

  • SHA256

    e171a6d388f4cd1e2051d0f29b720c84a52876a3208af1824e9b634c2117b4ee

  • SHA512

    8f4728cf9aa371702934f9225d6c3ed74a0cbb762d22e6914a39a2cec8102a97a26382133b0116b2c9fce8d09ad35de8e61bd7aadad1af0d091a6b980791f4f3

  • SSDEEP

    24576:YAHnh+eWsN3skA4RV1Hom2KXMmHapDXeClYMJLj5:fh+ZkldoPK8YapzpR

Score
10/10
formbookrn94discoveryratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

rn94

Decoy

st68v.xyz

conciergenotary.net

qwechaotk.top

rtpdonatoto29.xyz

8ad.xyz

powermove.top

cameras-30514.bond

vanguardcoffee.shop

umoe53fxc1bsujv.buzz

consultoriamax.net

hplxx.com

ndu.wtf

yzh478c.xyz

bigbrown999.site

xiake07.asia

resdai.xyz

the35678.shop

ba6rf.rest

ceo688.com

phimxhot.xyz

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Suspicious use of SetThreadContext 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1180
    • C:\Users\Admin\AppData\Local\Temp\LYONSOFT, COOP.V. - Envío orden 240187 fecha 02-09-2024.exe
      "C:\Users\Admin\AppData\Local\Temp\LYONSOFT, COOP.V. - Envío orden 240187 fecha 02-09-2024.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1848
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\LYONSOFT, COOP.V. - Envío orden 240187 fecha 02-09-2024.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2400
    • C:\Windows\SysWOW64\autofmt.exe
      "C:\Windows\SysWOW64\autofmt.exe"
      2⤵
        PID:1832
      • C:\Windows\SysWOW64\autofmt.exe
        "C:\Windows\SysWOW64\autofmt.exe"
        2⤵
          PID:2324
        • C:\Windows\SysWOW64\autofmt.exe
          "C:\Windows\SysWOW64\autofmt.exe"
          2⤵
            PID:2092
          • C:\Windows\SysWOW64\autofmt.exe
            "C:\Windows\SysWOW64\autofmt.exe"
            2⤵
              PID:1852
            • C:\Windows\SysWOW64\autofmt.exe
              "C:\Windows\SysWOW64\autofmt.exe"
              2⤵
                PID:2100
              • C:\Windows\SysWOW64\autofmt.exe
                "C:\Windows\SysWOW64\autofmt.exe"
                2⤵
                  PID:2728
                • C:\Windows\SysWOW64\autofmt.exe
                  "C:\Windows\SysWOW64\autofmt.exe"
                  2⤵
                    PID:2748
                  • C:\Windows\SysWOW64\autofmt.exe
                    "C:\Windows\SysWOW64\autofmt.exe"
                    2⤵
                      PID:2864
                    • C:\Windows\SysWOW64\autofmt.exe
                      "C:\Windows\SysWOW64\autofmt.exe"
                      2⤵
                        PID:2880
                      • C:\Windows\SysWOW64\autofmt.exe
                        "C:\Windows\SysWOW64\autofmt.exe"
                        2⤵
                          PID:2860
                        • C:\Windows\SysWOW64\autofmt.exe
                          "C:\Windows\SysWOW64\autofmt.exe"
                          2⤵
                            PID:2876
                          • C:\Windows\SysWOW64\autofmt.exe
                            "C:\Windows\SysWOW64\autofmt.exe"
                            2⤵
                              PID:2916
                            • C:\Windows\SysWOW64\autofmt.exe
                              "C:\Windows\SysWOW64\autofmt.exe"
                              2⤵
                                PID:2856
                              • C:\Windows\SysWOW64\autofmt.exe
                                "C:\Windows\SysWOW64\autofmt.exe"
                                2⤵
                                  PID:2740
                                • C:\Windows\SysWOW64\autofmt.exe
                                  "C:\Windows\SysWOW64\autofmt.exe"
                                  2⤵
                                    PID:3016
                                  • C:\Windows\SysWOW64\autofmt.exe
                                    "C:\Windows\SysWOW64\autofmt.exe"
                                    2⤵
                                      PID:2732
                                    • C:\Windows\SysWOW64\help.exe
                                      "C:\Windows\SysWOW64\help.exe"
                                      2⤵
                                      • Suspicious use of SetThreadContext
                                      • System Location Discovery: System Language Discovery
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious behavior: MapViewOfSection
                                      • Suspicious use of AdjustPrivilegeToken
                                      • Suspicious use of WriteProcessMemory
                                      PID:2888
                                      • C:\Windows\SysWOW64\cmd.exe
                                        /c del "C:\Windows\SysWOW64\svchost.exe"
                                        3⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:2900

                                  Network

                                  MITRE ATT&CK Enterprise v15

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads

                                  • memory/1180-22-0x0000000004F80000-0x000000000504B000-memory.dmp

                                    Filesize

                                    812KB

                                    Download

                                  • memory/1180-36-0x0000000005050000-0x0000000005176000-memory.dmp

                                    Filesize

                                    1.1MB

                                    Download

                                  • memory/1180-34-0x0000000005050000-0x0000000005176000-memory.dmp

                                    Filesize

                                    1.1MB

                                    Download

                                  • memory/1180-33-0x0000000005050000-0x0000000005176000-memory.dmp

                                    Filesize

                                    1.1MB

                                    Download

                                  • memory/1180-17-0x0000000003210000-0x0000000003310000-memory.dmp

                                    Filesize

                                    1024KB

                                    Download

                                  • memory/1180-18-0x0000000004F80000-0x000000000504B000-memory.dmp

                                    Filesize

                                    812KB

                                    Download

                                  • memory/1180-28-0x0000000004C60000-0x0000000004D15000-memory.dmp

                                    Filesize

                                    724KB

                                    Download

                                  • memory/1180-23-0x0000000004C60000-0x0000000004D15000-memory.dmp

                                    Filesize

                                    724KB

                                    Download

                                  • memory/1848-11-0x00000000002F0000-0x00000000002F4000-memory.dmp

                                    Filesize

                                    16KB

                                    Download

                                  • memory/2400-15-0x0000000000400000-0x000000000042F000-memory.dmp

                                    Filesize

                                    188KB

                                    Download

                                  • memory/2400-20-0x0000000000400000-0x000000000042F000-memory.dmp

                                    Filesize

                                    188KB

                                    Download

                                  • memory/2400-21-0x0000000000250000-0x0000000000265000-memory.dmp

                                    Filesize

                                    84KB

                                    Download

                                  • memory/2400-16-0x0000000000210000-0x0000000000225000-memory.dmp

                                    Filesize

                                    84KB

                                    Download

                                  • memory/2400-13-0x0000000000A60000-0x0000000000D63000-memory.dmp

                                    Filesize

                                    3.0MB

                                    Download

                                  • memory/2400-12-0x0000000000400000-0x000000000042F000-memory.dmp

                                    Filesize

                                    188KB

                                    Download

                                  • memory/2888-24-0x00000000009D0000-0x00000000009D6000-memory.dmp

                                    Filesize

                                    24KB

                                    Download

                                  • memory/2888-26-0x00000000009D0000-0x00000000009D6000-memory.dmp

                                    Filesize

                                    24KB

                                    Download

                                  • memory/2888-27-0x00000000000D0000-0x00000000000FF000-memory.dmp

                                    Filesize

                                    188KB

                                    Download