Overview

overview

10

Static

static

3

Shiment PL.exe

windows7-x64

10

Shiment PL.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-12-2024 17:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Shiment PL.exe

  • Size

    834KB

  • MD5

    1f154fdeb1f182e8e2d4bc203b5ff1f2

  • SHA1

    1950bff0632ad10bd951e0fd5d307b58874cfe9a

  • SHA256

    aa95f30da548dae9304cea73e276f87fdab530186aec142eb83022f1f31f5cb6

  • SHA512

    97dc6d4e23f3928f8895ea63fd1a62eb86e655f537a15876f398db9e392e6f786bbcbd042cdb3a2792bc289521b374bb7d31b858f90dd8b422a1f24c938136f6

  • SSDEEP

    12288:4t6HU8+sP4RbSvdVU0ClncgtmQJrx0T5ssFrHIcEooF3ArxMf4XxQ:c83PmSvdV9Cc2m1NlboBAfXxQ

Score
10/10
formbooktw7discoveryevasionratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

tw7

Decoy

prestige-reps.com

nhakhoaquoctesmile.com

sicumplex.com

in36972.com

hikoosbyheidi.com

rayinthecity.com

mjwestwoodphotography.com

radiopeek.com

attisit.com

hdcpos.com

xn--halise-1ua.com

bossroyale.com

blstd.com

wniversitet.com

bethumb.pro

romber.info

bergundy.com

kingscoop.com

antiquefactory.net

loiseaudejade.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook family
    formbook
  • Formbook payload 3 IoCs
    rat
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3444
    • C:\Users\Admin\AppData\Local\Temp\Shiment PL.exe
      "C:\Users\Admin\AppData\Local\Temp\Shiment PL.exe"
      2⤵
      • Looks for VirtualBox Guest Additions in registry
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Maps connected drives based on registry
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2456
      • C:\Users\Admin\AppData\Local\Temp\Shiment PL.exe
        "C:\Users\Admin\AppData\Local\Temp\Shiment PL.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1708
    • C:\Windows\SysWOW64\cmmon32.exe
      "C:\Windows\SysWOW64\cmmon32.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4016
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\Shiment PL.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3848

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1708-24-0x0000000002FA0000-0x0000000002FB4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1708-17-0x0000000001170000-0x00000000014BA000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/1708-14-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1708-23-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1708-19-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1708-20-0x00000000010F0000-0x0000000001104000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2456-8-0x0000000005900000-0x0000000005910000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2456-5-0x00000000058F0000-0x00000000058FA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2456-1-0x0000000000BE0000-0x0000000000CB6000-memory.dmp

    Filesize

    856KB

    Download

  • memory/2456-9-0x00000000748CE000-0x00000000748CF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2456-10-0x00000000748C0000-0x0000000075070000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2456-11-0x0000000006680000-0x00000000066EC000-memory.dmp

    Filesize

    432KB

    Download

  • memory/2456-12-0x00000000066F0000-0x0000000006724000-memory.dmp

    Filesize

    208KB

    Download

  • memory/2456-13-0x00000000067F0000-0x0000000006856000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2456-16-0x00000000748C0000-0x0000000075070000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2456-2-0x0000000005740000-0x00000000057DC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/2456-6-0x0000000005960000-0x00000000059B6000-memory.dmp

    Filesize

    344KB

    Download

  • memory/2456-7-0x00000000748C0000-0x0000000075070000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2456-4-0x00000000057E0000-0x0000000005872000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2456-3-0x0000000005D90000-0x0000000006334000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2456-0-0x00000000748CE000-0x00000000748CF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3444-25-0x00000000087B0000-0x00000000088DA000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/3444-21-0x0000000002930000-0x0000000002A16000-memory.dmp

    Filesize

    920KB

    Download

  • memory/3444-26-0x0000000002930000-0x0000000002A16000-memory.dmp

    Filesize

    920KB

    Download

  • memory/3444-29-0x00000000087B0000-0x00000000088DA000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/3444-32-0x0000000002A40000-0x0000000002AF4000-memory.dmp

    Filesize

    720KB

    Download

  • memory/3444-34-0x0000000002A40000-0x0000000002AF4000-memory.dmp

    Filesize

    720KB

    Download

  • memory/3444-35-0x0000000002A40000-0x0000000002AF4000-memory.dmp

    Filesize

    720KB

    Download

  • memory/4016-27-0x0000000000220000-0x000000000022C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/4016-28-0x0000000000220000-0x000000000022C000-memory.dmp

    Filesize

    48KB

    Download