Overview

overview

10

Static

static

1

51411372b2...82.exe

windows7-x64

10

51411372b2...82.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-11-2024 20:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    51411372b243457824f813704098d411028c9041a6510ddf74be80cfa94b1882.exe

  • Size

    273KB

  • MD5

    e549341d5f45d8ac49bd6e75d4d72d35

  • SHA1

    f25f8f48778b995e408bd84f58800ad1c7a7328f

  • SHA256

    51411372b243457824f813704098d411028c9041a6510ddf74be80cfa94b1882

  • SHA512

    3e37e90128974062766a2de3bf4647853da2d04a407a37ea3b55107a3cb18315e2929aedce12871361447bfd0d4c58c56bba098b0cd4b332c541271cb2410437

  • SSDEEP

    6144://UFQEmfXkLoIeTB/CEj4kCK8ASHLeqe6z22p7h9guq/xG:XUiEmfULagEj4kb89njZguq/s

Score
10/10
formbooki3twdiscoveryratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

i3tw

Decoy

016XYOaa546POq6CaRVpEfQ=

6WCLUcRz6K7qTqIK

bIa/9uWTepQa6eQd

32urdxWXgrknUIeDYktb

EojfLVA0GyB2mYgMgzdT

jFbHYJhPwpebnHjAY0pZ

gxSusEwA30uVtrErCrQ=

EeJOmOn63OaCHIw=

r3K0jTvKtOR4EV3q1dOdHgYVCLVG

6LEakplWzoSSLXZH3t6XDQ==

MThmlLavncxvAo1f3t6XDQ==

SqUmLs+BeJfa69kp7qSmIfuU5K3ZMg==

GuIYfF0o7zGPJY4=

AEd4Wd7JRsdzBX9dPgO7KNJY6NX2Sga4

E1SDU8MxGoZaPFgn9w==

cIq96QyWC/k1XDBRTR9FQOaLosd4Og==

/zRZMuaxmZnX291wZQCXhiq1his=

+47IMmwvk2jyx7MA

IGKz6DH4iraNLQ==

Kh1gHpxbw0MDkwSyaOqjKgTlK69R

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook family
    formbook
  • Suspicious use of SetThreadContext 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3516
    • C:\Users\Admin\AppData\Local\Temp\51411372b243457824f813704098d411028c9041a6510ddf74be80cfa94b1882.exe
      "C:\Users\Admin\AppData\Local\Temp\51411372b243457824f813704098d411028c9041a6510ddf74be80cfa94b1882.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1404
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1824
    • C:\Windows\SysWOW64\colorcpl.exe
      "C:\Windows\SysWOW64\colorcpl.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3128
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:1800

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1404-9-0x0000000074680000-0x0000000074E30000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1404-1-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

      Download

    • memory/1404-2-0x0000000002730000-0x000000000273C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1404-3-0x00000000027C0000-0x00000000027C8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1404-0-0x000000007468E000-0x000000007468F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1404-6-0x0000000074680000-0x0000000074E30000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1824-10-0x0000000001130000-0x000000000147A000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1824-7-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/1824-4-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/1824-13-0x0000000000A70000-0x0000000000A80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1824-12-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/3128-15-0x0000000000A70000-0x0000000000A89000-memory.dmp

      Filesize

      100KB

      Download

    • memory/3128-16-0x0000000000A70000-0x0000000000A89000-memory.dmp

      Filesize

      100KB

      Download

    • memory/3128-17-0x0000000000450000-0x000000000047D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/3516-14-0x00000000079E0000-0x0000000007B54000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/3516-18-0x00000000079E0000-0x0000000007B54000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/3516-19-0x0000000007F30000-0x00000000080AD000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/3516-20-0x0000000007F30000-0x00000000080AD000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/3516-22-0x0000000007F30000-0x00000000080AD000-memory.dmp

      Filesize

      1.5MB

      Download