Analysis

  • max time kernel
    147s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240802-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    06-09-2024 20:24

General

  • Target

    2.exe

  • Size

    185KB

  • MD5

    cb90c75f8cbbbcc3f74ee22288c800a1

  • SHA1

    1c84ad88465e6eb1b91dfaf099bf2697e44ccc0d

  • SHA256

    b3d45d85cba27f6900215868e9e6e9a97fb95648a42396305cd8bcb50c8e80d0

  • SHA512

    22e8fd5f34e92ffb92e362efdc3866c9bfab68a5f6f463f64ae4f16876722dd4595e0cff34f970dd87140859b58e6acdb20c8b82f27ed42bbf7cc80f46e7a314

  • SSDEEP

    3072:8MHDFaMPRIjxWcy4C9y30XclW6Qilinp0fJ4XNZkAC581h/dgHG0uD1X4/qZa:e7UL4Co3js6QilinA4XN+zKh/uG0u5XC

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

l26n

Decoy

vtxapg.bond

iscussatthetable.net

q5b2.vip

urculturalbuzz.buzz

0xfulisuo.xyz

iz-kyc.online

atladies4kamala.vote

aison-maison.xyz

codom73.online

aosecurity.online

szxart.xyz

ergecast.net

ealker.pro

hickensforkfc.net

ldoradocasino-uee.top

afiqgroup.net

ercania.net

sdc.ngo

raphic-design-degree-37012.bond

888yl123.vip

Signatures

  • Formbook

    Formbook is a form-grabbing information stealer that captures credentials and keystrokes from browsers and other applications. The process tree below shows its usual execution pattern: the sample injects into explorer.exe, which starts a legitimate SysWOW64 binary as the host for the final stage, and the original file is then deleted.

  • Formbook payload 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3544
    • C:\Users\Admin\AppData\Local\Temp\2.exe
      "C:\Users\Admin\AppData\Local\Temp\2.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      PID:460
    • C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\SysWOW64\cscript.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1040
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\2.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2764
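The process tree above carries three signals that together characterise this chain: explorer.exe writing into another process, a SysWOW64 binary (cscript.exe) started by explorer.exe with no arguments and then using SetThreadContext/MapViewOfSection, and cmd.exe deleting the original sample. The script below is an added example, not part of the sandbox report or of any vendor tooling; the event records are constructed by hand from the tree on this page, and the `Proc` field names and behaviour-tag strings are assumptions rather than any sandbox's export format.

```python
"""Flag the injection chain visible in the process tree on this page.

Added example (not the report's own code). EVENTS is constructed from the
tree above; field names and tag strings are assumptions.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str          # full image path as shown in the tree
    cmdline: str        # command line as shown in the tree
    tags: set = field(default_factory=set)  # behaviour signatures hit by this process


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2.exe"

# Constructed from the process tree in the report (PIDs 3544, 460, 1040, 2764).
EVENTS = [
    Proc(3544, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE",
         {"WriteProcessMemory", "UnmapMainImage", "AdjustPrivilegeToken"}),
    Proc(460, 3544, SAMPLE, f'"{SAMPLE}"',
         {"SetThreadContext", "MapViewOfSection", "EnumeratesProcesses"}),
    Proc(1040, 3544, r"C:\Windows\SysWOW64\cscript.exe",
         r'"C:\Windows\SysWOW64\cscript.exe"',
         {"SetThreadContext", "MapViewOfSection", "WriteProcessMemory",
          "EnumeratesProcesses"}),
    Proc(2764, 1040, r"C:\Windows\SysWOW64\cmd.exe", f'/c del "{SAMPLE}"', set()),
]

SYSWOW64 = "c:\\windows\\syswow64\\"
# Matches the self-deletion command line:  /c del "<path>"  (quotes optional)
DEL_RE = re.compile(r'/c\s+del\s+"?([^"]+?)"?\s*$', re.IGNORECASE)


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def launched_without_args(p):
    """True when the command line is only the image path (optionally quoted).
    cscript.exe normally receives a script to run; no arguments is odd."""
    return p.cmdline.strip().strip('"').lower() == p.image.lower()


def find_hollowed_hosts(events):
    """SysWOW64 binaries started by explorer.exe with no arguments that then
    show thread-context / section-mapping activity: the host half of a
    SetThreadContext-style injection."""
    by_pid = {p.pid: p for p in events}
    hits = []
    for p in events:
        parent = by_pid.get(p.ppid)
        if parent is None or _base(parent.image) != "explorer.exe":
            continue
        if not p.image.lower().startswith(SYSWOW64):
            continue
        if launched_without_args(p) and p.tags & {"SetThreadContext", "MapViewOfSection"}:
            hits.append(p.pid)
    return hits


def find_self_delete(events):
    """cmd.exe /c del <path> where <path> is the image of another process in
    the tree: the sample removing itself once the payload runs elsewhere.
    Returns (cmd pid, deleted path, pid of the process that ran that image)."""
    images = {p.image.lower(): p.pid for p in events}
    hits = []
    for p in events:
        if _base(p.image) != "cmd.exe":
            continue
        m = DEL_RE.search(p.cmdline)
        if m and m.group(1).lower() in images:
            hits.append((p.pid, m.group(1), images[m.group(1).lower()]))
    return hits


def chain_verdict(events):
    """Combine the three signals the report exposes into one verdict."""
    hosts = find_hollowed_hosts(events)
    deletes = find_self_delete(events)
    explorer_writes = [p.pid for p in events
                       if _base(p.image) == "explorer.exe" and "WriteProcessMemory" in p.tags]
    return {
        "hollowed_hosts": hosts,
        "self_delete": deletes,
        "explorer_injecting": explorer_writes,
        "suspicious": bool(hosts) and bool(deletes) and bool(explorer_writes),
    }


if __name__ == "__main__":
    print(chain_verdict(EVENTS))
```

Each signal on its own is noisy (explorer.exe legitimately calls WriteProcessMemory for shell extensions, and `cmd /c del` is common in installers), so the verdict requires all three; on real telemetry the equivalent of `tags` would come from an EDR's API-call events or from Sysmon event IDs 8 and 10.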

Network

MITRE ATT&CK Enterprise v15


Downloads

  • memory/460-0-0x0000000000C70000-0x0000000000FBA000-memory.dmp

    Filesize

    3.3MB

  • memory/460-2-0x0000000000630000-0x000000000065F000-memory.dmp

    Filesize

    188KB

  • memory/460-1-0x000000000064F000-0x0000000000650000-memory.dmp

    Filesize

    4KB

  • memory/1040-4-0x00000000009C0000-0x00000000009E7000-memory.dmp

    Filesize

    156KB

  • memory/1040-5-0x00000000009C0000-0x00000000009E7000-memory.dmp

    Filesize

    156KB

  • memory/1040-6-0x0000000000980000-0x00000000009AF000-memory.dmp

    Filesize

    188KB

  • memory/3544-3-0x0000000004CB0000-0x0000000004D86000-memory.dmp

    Filesize

    856KB

  • memory/3544-7-0x0000000004CB0000-0x0000000004D86000-memory.dmp

    Filesize

    856KB

  • memory/3544-11-0x00000000094D0000-0x0000000009655000-memory.dmp

    Filesize

    1.5MB

  • memory/3544-12-0x00000000094D0000-0x0000000009655000-memory.dmp

    Filesize

    1.5MB

  • memory/3544-14-0x00000000094D0000-0x0000000009655000-memory.dmp

    Filesize

    1.5MB
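The dump names above encode the owning PID, a dump sequence number and the address range, and the sizes line up with the process tree: the 188KB region appears in both 2.exe (460) and cscript.exe (1040), which is one page above the 185KB sample, while explorer.exe (3544) has a 1.5MB region dumped three times. The parser below is an added example, not part of the report; the naming convention `memory/<pid>-<seq>-<start>-<end>-memory.dmp` is inferred from these names and the sizes are computed from the address ranges, not read from the page.

```python
"""Parse the memory-dump names listed above and relate regions to processes.

Added example (not the report's own code). DUMPS is copied from the page; the
name format is an assumption inferred from those names.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
PAGE = 0x1000

# Copied from the Downloads list of the report.
DUMPS = [
    "memory/460-0-0x0000000000C70000-0x0000000000FBA000-memory.dmp",
    "memory/460-2-0x0000000000630000-0x000000000065F000-memory.dmp",
    "memory/460-1-0x000000000064F000-0x0000000000650000-memory.dmp",
    "memory/1040-4-0x00000000009C0000-0x00000000009E7000-memory.dmp",
    "memory/1040-5-0x00000000009C0000-0x00000000009E7000-memory.dmp",
    "memory/1040-6-0x0000000000980000-0x00000000009AF000-memory.dmp",
    "memory/3544-3-0x0000000004CB0000-0x0000000004D86000-memory.dmp",
    "memory/3544-7-0x0000000004CB0000-0x0000000004D86000-memory.dmp",
    "memory/3544-11-0x00000000094D0000-0x0000000009655000-memory.dmp",
    "memory/3544-12-0x00000000094D0000-0x0000000009655000-memory.dmp",
    "memory/3544-14-0x00000000094D0000-0x0000000009655000-memory.dmp",
]


def parse_dump(name):
    """Split one dump name into pid, sequence number, start, end and size."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, seq = int(m[1]), int(m[2])
    start, end = int(m[3], 16), int(m[4], 16)
    return {"pid": pid, "seq": seq, "start": start, "end": end, "size": end - start}


def human(n):
    """Same rounding the report uses: whole KB below 1MB, one decimal above."""
    return f"{n / 1048576:.1f}MB" if n >= 1048576 else f"{n // 1024}KB"


def regions_by_process(names):
    """pid -> sorted unique (start, end) ranges, collapsing repeat dumps."""
    out = defaultdict(set)
    for d in map(parse_dump, names):
        out[d["pid"]].add((d["start"], d["end"]))
    return {pid: sorted(r) for pid, r in out.items()}


def shared_sizes(names):
    """Region sizes seen in more than one process: a hint that the same image
    was mapped into each of them."""
    seen = defaultdict(set)
    for d in map(parse_dump, names):
        seen[d["size"]].add(d["pid"])
    return {size: pids for size, pids in seen.items() if len(pids) > 1}


def candidate_payload_regions(names, sample_size):
    """Regions whose size is the sample size rounded up to a page, within one
    page of slack (heuristic: a whole-file mapping of the sample)."""
    target = -(-sample_size // PAGE) * PAGE
    return [d for d in map(parse_dump, names) if abs(d["size"] - target) <= PAGE]


if __name__ == "__main__":
    for pid, regions in regions_by_process(DUMPS).items():
        print(pid, [(hex(s), hex(e), human(e - s)) for s, e in regions])
    print("shared:", {human(k): v for k, v in shared_sizes(DUMPS).items()})
    print("sample-sized:", [(d["pid"], hex(d["start"])) for d in candidate_payload_regions(DUMPS, 185 * 1024)])
```

The sample-sized regions in PID 460 and PID 1040 are the ones to carve first when looking for the unpacked payload; the repeated dumps of the same explorer.exe range are successive snapshots of one region, not three different allocations.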