Overview

overview

10

Static

static

3

8f61fd5ce3...1b.exe

windows7-x64

10

8f61fd5ce3...1b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    08-11-2024 01:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8f61fd5ce3c2fa9186c75e703ce9e38d66538b9fe2214dd78d2df4c2c7cbda1b.exe

  • Size

    771KB

  • MD5

    a6718dd552a34001f40ced365b16d1ee

  • SHA1

    f40747dd6f9bd62751bc2b9734dd5bbe8e92723a

  • SHA256

    8f61fd5ce3c2fa9186c75e703ce9e38d66538b9fe2214dd78d2df4c2c7cbda1b

  • SHA512

    fbca66394755bf974e7abe6f215048e7f19ae2b9630036e0e04fc2e420332f2f40f84de4dfb78b65c41f9855dd3963513efad1395a5cfaf73616a0dfeff9ddf5

  • SSDEEP

    12288:RblmTdKCcfCQtVKr2hXFn+8WnTN77B2qjsH0y:xlmAdE291+86d

Score
10/10
formbooko17idiscoveryexecutionratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

o17i

Decoy

chocolatebarreview.com

fetch-a-trabajos-canada.info

expresspestcontrol.net

tractionx.co.uk

vitalassetsecurity.com

lahtawine.ru

firedamagereports.com

bentzenphotography.com

digitalworkforces.com

divnoe.online

efefbig.buzz

melhardy.co.uk

igorsolutions.com

developmentszhuiservice.com

fookspace.com

kredaroo.com

4zpm.xyz

kycecat.cfd

singingriverhomeimprovement.com

bils.store

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook family
    formbook
  • Formbook payload 1 IoCs
    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8f61fd5ce3c2fa9186c75e703ce9e38d66538b9fe2214dd78d2df4c2c7cbda1b.exe
    "C:\Users\Admin\AppData\Local\Temp\8f61fd5ce3c2fa9186c75e703ce9e38d66538b9fe2214dd78d2df4c2c7cbda1b.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2688
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\WBJIjC.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2668
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WBJIjC" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9B75.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:3040
    • C:\Users\Admin\AppData\Local\Temp\8f61fd5ce3c2fa9186c75e703ce9e38d66538b9fe2214dd78d2df4c2c7cbda1b.exe
      "C:\Users\Admin\AppData\Local\Temp\8f61fd5ce3c2fa9186c75e703ce9e38d66538b9fe2214dd78d2df4c2c7cbda1b.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1876

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp9B75.tmp
    Filesize

    1KB

    MD5

    d77a5d2a572e8c5cda9e0f4526c7c795

    SHA1

    e97ad824315b66bdafb4d262ca51d37d9567cdfb

    SHA256

    cbe7328635e24b16472f6e8c122a9356e70e6614128983622fe0b92cb7e26964

    SHA512

    0e7a93136ea2af541bbc106c971f5704d534c06c5d0a06918c76bfe991a0fc0e1303796446c6ce67fdbeb44c1c8a9926b59d7abf5f6509a5adcbd44f66714237

    Download Submit

  • memory/1876-18-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1876-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1876-21-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1876-16-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2688-6-0x0000000000950000-0x000000000095C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2688-0-0x00000000744CE000-0x00000000744CF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2688-7-0x0000000000ED0000-0x0000000000F40000-memory.dmp

    Filesize

    448KB

    Download

  • memory/2688-5-0x00000000744C0000-0x0000000074BAE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2688-13-0x0000000005200000-0x0000000005238000-memory.dmp

    Filesize

    224KB

    Download

  • memory/2688-4-0x00000000744CE000-0x00000000744CF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2688-3-0x0000000000500000-0x0000000000512000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2688-2-0x00000000744C0000-0x0000000074BAE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2688-1-0x0000000000F40000-0x0000000001008000-memory.dmp

    Filesize

    800KB

    Download

  • memory/2688-22-0x00000000744C0000-0x0000000074BAE000-memory.dmp

    Filesize

    6.9MB

    Download