Analysis
-
max time kernel
94s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
21-12-2024 16:47
Static task
static1
Behavioral task
behavioral1
Sample
542d6e28fa21ca093f75532f1dcdae0b4e4dae956cf4a0256ce28cf8c9ac05e8.exe
Resource
win7-20240903-en
General
-
Target
542d6e28fa21ca093f75532f1dcdae0b4e4dae956cf4a0256ce28cf8c9ac05e8.exe
-
Size
557KB
-
MD5
42bde216c83352991cd642907bea67cb
-
SHA1
5a8b2814216d8e457d3ceb4c2df0ade4eab2671e
-
SHA256
542d6e28fa21ca093f75532f1dcdae0b4e4dae956cf4a0256ce28cf8c9ac05e8
-
SHA512
0ea1edfdc216f1625e68399cd3001a7e596ea54b701ca90504c842213e6febf0eeb3d803a7b580e08168282083e1f662cfe60b5553e0a29643d4fc1b3339dc56
-
SSDEEP
12288:aRi+dlERmJirAFRWks4n+WqUF6+KloUecMrGRuW/qDeFGVlYiKkvq:rh0FQks4nFqvloU/EgKlYQv
Malware Config
Extracted
formbook
4.1
d1n3
scrubbinsisters.com
kawuldim.com
pyttoin.xyz
iyraproperties.com
miaurora.net
cricutonlinesales.store
huangsanguai.com
chayaelements.store
giftexpress15.xyz
antiwardrobe.com
wiggly.site
avrecommendwiki.com
galabet472.com
invtips.com
tvpoy.xyz
raidencity.net
ripper66.com
ipoyce.online
xn--h6q362bj4mp5c.com
rooplaza.com
xfmm9538.com
kelaikemc.com
athlonebiokinesiology.com
thecodealchemist.net
jinwanlicai88.com
wecome.club
zhekou8.net
nuoim.com
nikahclub.com
templerestleisure.com
orino.info
oa1xs.xyz
colormusedesignco.com
okparking2013.com
reveplac.com
59208.xyz
gtm-kalisumapa.com
rowanmasonry.com
your-funds-available.com
outletscheapjordans.com
melaniewieseler.com
hqdtgyl.com
forkidofukraine.com
lvsebianzhidai.com
lonesomevalley.xyz
3pxm.xyz
boatsrentalcda.com
victoroverseas.com
xpertlockandsafe.com
newgenelectronics.com
demopanel.xyz
indianfood101.com
jogo.tech
clemons.tech
lowdowntracks.com
haotian9981.com
carseg.site
dasenlin-jiaju.com
peaceandlovebhs.com
storkbucket.online
crowd-news.com
qewuy.biz
jjshomefurniture.com
amongusleaks.com
kompanko.com
Signatures
-
Formbook family
-
Formbook payload 2 IoCs
resource yara_rule behavioral2/memory/3832-13-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral2/memory/3832-17-0x0000000001180000-0x00000000014CA000-memory.dmp formbook -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2296 set thread context of 3832 2296 542d6e28fa21ca093f75532f1dcdae0b4e4dae956cf4a0256ce28cf8c9ac05e8.exe 91 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 542d6e28fa21ca093f75532f1dcdae0b4e4dae956cf4a0256ce28cf8c9ac05e8.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3832 542d6e28fa21ca093f75532f1dcdae0b4e4dae956cf4a0256ce28cf8c9ac05e8.exe 3832 542d6e28fa21ca093f75532f1dcdae0b4e4dae956cf4a0256ce28cf8c9ac05e8.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2296 wrote to memory of 3832 2296 542d6e28fa21ca093f75532f1dcdae0b4e4dae956cf4a0256ce28cf8c9ac05e8.exe 91 PID 2296 wrote to memory of 3832 2296 542d6e28fa21ca093f75532f1dcdae0b4e4dae956cf4a0256ce28cf8c9ac05e8.exe 91 PID 2296 wrote to memory of 3832 2296 542d6e28fa21ca093f75532f1dcdae0b4e4dae956cf4a0256ce28cf8c9ac05e8.exe 91 PID 2296 wrote to memory of 3832 2296 542d6e28fa21ca093f75532f1dcdae0b4e4dae956cf4a0256ce28cf8c9ac05e8.exe 91 PID 2296 wrote to memory of 3832 2296 542d6e28fa21ca093f75532f1dcdae0b4e4dae956cf4a0256ce28cf8c9ac05e8.exe 91 PID 2296 wrote to memory of 3832 2296 542d6e28fa21ca093f75532f1dcdae0b4e4dae956cf4a0256ce28cf8c9ac05e8.exe 91
Processes
-
C:\Users\Admin\AppData\Local\Temp\542d6e28fa21ca093f75532f1dcdae0b4e4dae956cf4a0256ce28cf8c9ac05e8.exe"C:\Users\Admin\AppData\Local\Temp\542d6e28fa21ca093f75532f1dcdae0b4e4dae956cf4a0256ce28cf8c9ac05e8.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Users\Admin\AppData\Local\Temp\542d6e28fa21ca093f75532f1dcdae0b4e4dae956cf4a0256ce28cf8c9ac05e8.exe"C:\Users\Admin\AppData\Local\Temp\542d6e28fa21ca093f75532f1dcdae0b4e4dae956cf4a0256ce28cf8c9ac05e8.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3832
-