Overview

overview

10

Static

static

3

19abdec12c...73.exe

windows7-x64

10

19abdec12c...73.exe

windows10-2004-x64

7

cbpklgiv.exe

windows7-x64

3

cbpklgiv.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    147s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    23-12-2024 13:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    19abdec12c4b7f3fd7a1912867b03527e8b93548cacf14c0a9b3bec61989a573.exe

  • Size

    294KB

  • MD5

    1232d8adee3eacc8a6d6757cb2b2850d

  • SHA1

    b55e8f7f49e2db9c3279fe71214cf54a4e81c69f

  • SHA256

    19abdec12c4b7f3fd7a1912867b03527e8b93548cacf14c0a9b3bec61989a573

  • SHA512

    fc0808dc711eb04ebc204cf9e9e3b28cd583fe91037698152a4dca8b5be62d1443175570f444c546a737ff2510007f65e217de707d94010d13d76d2e371896ee

  • SSDEEP

    6144:owpg4eB/W8sfYIUAXvjBkPloYw/C/Yz2K1A3pDlzE3iMMknvxw:Vg4eB+8p1CvValoYwak2KS3tlQz7nS

Score
10/10
formbookg09ediscoveryratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

g09e

Decoy

flyinglarkgp.com

spiritsyncing.net

sushikreci.com

drssdup.com

mobileappsus.com

lvrcprbrisbane.com

nfjnwa.icu

ottenbruch.immo

strinosoft.com

portershoecollection.com

electriccarsus.com

lecai.icu

piplespnd.quest

talkrecords.com

lowcodeconnection.com

lastwagenfahrerjobshierorg.com

kpallman.com

dcrdr.com

chainalysisinfo.com

einayaa.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook family
    formbook
  • Formbook payload 4 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1188
    • C:\Users\Admin\AppData\Local\Temp\19abdec12c4b7f3fd7a1912867b03527e8b93548cacf14c0a9b3bec61989a573.exe
      "C:\Users\Admin\AppData\Local\Temp\19abdec12c4b7f3fd7a1912867b03527e8b93548cacf14c0a9b3bec61989a573.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2464
      • C:\Users\Admin\AppData\Local\Temp\cbpklgiv.exe
        C:\Users\Admin\AppData\Local\Temp\cbpklgiv.exe C:\Users\Admin\AppData\Local\Temp\zoaeznutt
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2184
        • C:\Users\Admin\AppData\Local\Temp\cbpklgiv.exe
          C:\Users\Admin\AppData\Local\Temp\cbpklgiv.exe C:\Users\Admin\AppData\Local\Temp\zoaeznutt
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:2928
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\SysWOW64\netsh.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3032
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\cbpklgiv.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2908

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\cjt9htnwqgp85kbz2i
    Filesize

    213KB

    MD5

    a85cdb1b16010d291aa6ccf2e25182f5

    SHA1

    6e4edfdf13ec37b9f2b5f84294ecef387c695238

    SHA256

    a02caa90974dc2a92503fcfa6ac9fdee8b4550d8f90461db58b2b089bbf3ac69

    SHA512

    ca3db124ddd53c74ba34f5dd739a924e8bfdffb70082fa2be200679f8a2eeb47597af875dfbb2c285e8ae55beb4dd430a1ab6e39f0dea2dd0c998d501a44a147

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\zoaeznutt
    Filesize

    5KB

    MD5

    64f393c5a8842c82a985e249338fbcc7

    SHA1

    b70d5d4ddbbabdd3060a8ee18869cb756790e88b

    SHA256

    77d797a3c964b84a870674a8c1b81b79d581afb6569aca7bbfab4c488e664597

    SHA512

    6c45c4a80e7101f1ddef4e250d05a7ba35cb558f324aea2e02641d70dcbd6432f313ad0217fb9c0bd300b28ad1c3759e4dd3c5d2335f5ee9832d62c4f54e04ff

    Download Submit

  • \Users\Admin\AppData\Local\Temp\cbpklgiv.exe
    Filesize

    121KB

    MD5

    d04a14c986145807ea9fe37a7126d675

    SHA1

    28dee42f5cec69d0117156d96231887a4aa7d8a7

    SHA256

    6c019f60af2c9281a9c17b27a336749283767ac9229c9d3bbcd8ccedc290b417

    SHA512

    df9f899629bc4c32704f19cea834c62da6ac6bb1043ac801069d3418f4a14ca28175ace78da4bb5ea4034509891b336db9d519d8370b388148461453a20ca526

    Download Submit

  • memory/1188-23-0x0000000006640000-0x00000000067A7000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/1188-32-0x0000000004FB0000-0x0000000005074000-memory.dmp

    Filesize

    784KB

    Download

  • memory/1188-28-0x0000000004FB0000-0x0000000005074000-memory.dmp

    Filesize

    784KB

    Download

  • memory/1188-27-0x0000000006640000-0x00000000067A7000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/2184-12-0x0000000000070000-0x0000000000072000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2928-17-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2928-18-0x0000000000AE0000-0x0000000000DE3000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2928-26-0x00000000001E0000-0x00000000001F5000-memory.dmp

    Filesize

    84KB

    Download

  • memory/2928-20-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2928-25-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2928-21-0x0000000000180000-0x0000000000195000-memory.dmp

    Filesize

    84KB

    Download

  • memory/3032-29-0x0000000001570000-0x000000000158B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/3032-30-0x0000000001570000-0x000000000158B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/3032-31-0x0000000000080000-0x00000000000AF000-memory.dmp

    Filesize

    188KB

    Download