Overview

overview

10

Static

static

3

Shipping_D...df.exe

windows7-x64

10

Shipping_D...df.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-12-2024 06:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Shipping_Document_Consignments HAWB R129724.pdf.exe

  • Size

    744KB

  • MD5

    208a2a0346f4de47649b9f11ef7f28b8

  • SHA1

    44398e1ff6731e22ca02455797a7bee1a9ecba09

  • SHA256

    1e99e3da65f03e0389c065ab12566c02229a89bbf524131cb079d625dc179e74

  • SHA512

    281876bf918f5d3d9d20d804209fe217300e196543111a41ba1f463223e8c8d6e5b31e325f02c2fdd0485cb4c0e01248934ec8632454622b1cf6d532ed7b37eb

  • SSDEEP

    12288:0gFHPawHmUpAj2FXb1/CliGZ8VZKVAql7zhFTmfhMFbWVfpXalGT+wwce:0kBHTlVK/8V8lJFTAiZWVRXZT+Se

Score
10/10
formbooktsgdiscoveryratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

tsg

Decoy

cascadebioclean.com

awdgrp.com

365itnet.net

securingthelegacy.com

tecksnapz.com

faithfernandes.com

greyboxautomation.com

appliancetechhub.com

objectif.digital

thesearsgroupnc.com

ladojrp.net

keitakora.com

sendaproveedores.com

freedomdigitalagency.com

w5vyy.com

wsilhavy.net

andrenoforte.com

realonlineseller.com

impetusprime.com

amsengineeringinternational.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook family
    formbook
  • Formbook payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3452
    • C:\Users\Admin\AppData\Local\Temp\Shipping_Document_Consignments HAWB R129724.pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\Shipping_Document_Consignments HAWB R129724.pdf.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:4688
      • C:\Users\Admin\AppData\Local\Temp\Shipping_Document_Consignments HAWB R129724.pdf.exe
        "C:\Users\Admin\AppData\Local\Temp\Shipping_Document_Consignments HAWB R129724.pdf.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:3868
    • C:\Windows\SysWOW64\cmmon32.exe
      "C:\Windows\SysWOW64\cmmon32.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3396
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\Shipping_Document_Consignments HAWB R129724.pdf.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        PID:640

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3396-26-0x0000000000BC0000-0x0000000000BCC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/3396-25-0x0000000000BC0000-0x0000000000BCC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/3452-19-0x0000000002E20000-0x0000000002EEE000-memory.dmp

    Filesize

    824KB

    Download

  • memory/3452-33-0x0000000008610000-0x000000000875E000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/3452-32-0x0000000008610000-0x000000000875E000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/3452-30-0x0000000008610000-0x000000000875E000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/3452-27-0x0000000008500000-0x0000000008603000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3452-24-0x0000000002E20000-0x0000000002EEE000-memory.dmp

    Filesize

    824KB

    Download

  • memory/3452-23-0x0000000008500000-0x0000000008603000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3868-15-0x0000000001A00000-0x0000000001D4A000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3868-17-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/3868-22-0x0000000001990000-0x00000000019A4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/3868-12-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/3868-21-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/3868-18-0x0000000001520000-0x0000000001534000-memory.dmp

    Filesize

    80KB

    Download

  • memory/4688-0-0x0000000074F0E000-0x0000000074F0F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4688-10-0x0000000006600000-0x000000000669E000-memory.dmp

    Filesize

    632KB

    Download

  • memory/4688-9-0x0000000074F00000-0x00000000756B0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4688-14-0x0000000074F00000-0x00000000756B0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4688-11-0x000000000A0E0000-0x000000000A144000-memory.dmp

    Filesize

    400KB

    Download

  • memory/4688-8-0x0000000074F0E000-0x0000000074F0F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4688-7-0x0000000005150000-0x0000000005166000-memory.dmp

    Filesize

    88KB

    Download

  • memory/4688-6-0x0000000074F00000-0x00000000756B0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4688-5-0x0000000004EB0000-0x0000000004EBA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4688-4-0x0000000004F30000-0x0000000004FCC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4688-3-0x0000000004DF0000-0x0000000004E82000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4688-2-0x00000000053A0000-0x0000000005944000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4688-1-0x0000000000360000-0x0000000000420000-memory.dmp

    Filesize

    768KB

    Download