Malware Analysis Report

2025-04-14 08:32

Sample ID: 240921-zgjvqssekf
Target: 4b0562351e83e3d40dfa638ce4811a2699562c3bb4ea1d3afb4f76d00ad0b33aN
SHA256: 4b0562351e83e3d40dfa638ce4811a2699562c3bb4ea1d3afb4f76d00ad0b33a
Tags: discovery formbook c24t rat spyware stealer trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 4b0562351e83e3d40dfa638ce4811a2699562c3bb4ea1d3afb4f76d00ad0b33a

Threat Level: Known bad

The file 4b0562351e83e3d40dfa638ce4811a2699562c3bb4ea1d3afb4f76d00ad0b33aN was found to be: Known bad.

Malicious Activity Summary

discovery formbook c24t rat spyware stealer trojan

Formbook

Formbook payload

AutoIT Executable

Suspicious use of SetThreadContext

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-09-21 20:41

Signatures

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-09-21 20:41
Reported: 2024-09-21 20:43
Platform: win7-20240903-en
Max time kernel: 73s
Max time network: 17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4b0562351e83e3d40dfa638ce4811a2699562c3bb4ea1d3afb4f76d00ad0b33aN.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4b0562351e83e3d40dfa638ce4811a2699562c3bb4ea1d3afb4f76d00ad0b33aN.exe | N/A

Processes

Process | Command line
C:\Users\Admin\AppData\Local\Temp\4b0562351e83e3d40dfa638ce4811a2699562c3bb4ea1d3afb4f76d00ad0b33aN.exe | "C:\Users\Admin\AppData\Local\Temp\4b0562351e83e3d40dfa638ce4811a2699562c3bb4ea1d3afb4f76d00ad0b33aN.exe"

Network

N/A

Files

memory/1740-2-0x00000000036C0000-0x0000000003AC0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-09-21 20:41
Reported: 2024-09-21 20:43
Platform: win10v2004-20240802-en
Max time kernel: 119s
Max time network: 123s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (4 identical entries)

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3912 set thread context of 5064 | N/A | C:\Users\Admin\AppData\Local\Temp\4b0562351e83e3d40dfa638ce4811a2699562c3bb4ea1d3afb4f76d00ad0b33aN.exe | C:\Windows\SysWOW64\svchost.exe
PID 5064 set thread context of 3444 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE
PID 5064 set thread context of 3444 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE
PID 4824 set thread context of 3444 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4b0562351e83e3d40dfa638ce4811a2699562c3bb4ea1d3afb4f76d00ad0b33aN.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A (50 identical entries)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Processes

Process | Command line
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\4b0562351e83e3d40dfa638ce4811a2699562c3bb4ea1d3afb4f76d00ad0b33aN.exe | "C:\Users\Admin\AppData\Local\Temp\4b0562351e83e3d40dfa638ce4811a2699562c3bb4ea1d3afb4f76d00ad0b33aN.exe"
C:\Windows\SysWOW64\svchost.exe | "C:\Users\Admin\AppData\Local\Temp\4b0562351e83e3d40dfa638ce4811a2699562c3bb4ea1d3afb4f76d00ad0b33aN.exe"
C:\Windows\SysWOW64\svchost.exe | "C:\Windows\SysWOW64\svchost.exe"
C:\Windows\SysWOW64\cmd.exe | /c del "C:\Windows\SysWOW64\svchost.exe"

Network


Files

memory/3912-2-0x0000000004280000-0x0000000004480000-memory.dmp
memory/5064-3-0x0000000000400000-0x000000000042F000-memory.dmp
memory/5064-4-0x0000000001B00000-0x0000000001E4A000-memory.dmp
memory/5064-7-0x0000000001990000-0x00000000019A4000-memory.dmp
memory/5064-6-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3444-8-0x0000000008790000-0x000000000893A000-memory.dmp
memory/5064-11-0x00000000039A0000-0x00000000039B4000-memory.dmp
memory/5064-10-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3444-12-0x0000000002A10000-0x0000000002AF8000-memory.dmp
memory/3444-13-0x0000000008790000-0x000000000893A000-memory.dmp
memory/4824-16-0x0000000000240000-0x000000000024E000-memory.dmp
memory/4824-14-0x0000000000240000-0x000000000024E000-memory.dmp
memory/4824-17-0x0000000000A80000-0x0000000000AAF000-memory.dmp
memory/3444-18-0x0000000002A10000-0x0000000002AF8000-memory.dmp
memory/3444-21-0x0000000002C30000-0x0000000002D52000-memory.dmp
memory/3444-23-0x0000000002C30000-0x0000000002D52000-memory.dmp
memory/3444-24-0x0000000002C30000-0x0000000002D52000-memory.dmp