Overview

overview

10

Static

static

3

Confirm Pr...ce.exe

windows7-x64

10

Confirm Pr...ce.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    23-12-2024 18:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Confirm Proforma Invoice.exe

  • Size

    439KB

  • MD5

    c8c984aa8535536070c90dda6d6a46a8

  • SHA1

    431ed99f88f68b9933fbf8b642c44150565852b8

  • SHA256

    a344590804a69e6f50c2386206d5d050db788fcd42716d1c14f77ba501e63d4e

  • SHA512

    14d10fab4f19796e53e2075bc9b27df8f217af28d97ea250f2ae5f83421bb568bd3a58888e89ad036a4b5a4a2d3d388ffbd4f914c6f9c28e7c165f487a47c5c9

  • SSDEEP

    12288:OCv2zv1grDRQiSSJWP7BCBkNAUqIwrk6WjL2iN:OV212BCmNAUarqn1

Score
10/10
formbookrwodiscoveryratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

rwo

Decoy

highjinxed.com

adwawattan.com

alimitlesslifeinc.com

advancedtelecom.net

metrocommunitycollege.com

modboutik.com

myfavoritethemepark.com

slimwasit.com

curlygirlrizos.com

nyshuffle.com

allovermeofficial.com

bugsy67.com

simcardtonewow.com

onlinepaints.xyz

epoxykingsofamerica.com

cbdstrata.com

liceremovalbellevue.com

bj5w.xyz

lalalae.com

glory-made.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook family
    formbook
  • Formbook payload 2 IoCs
    rat
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1188
    • C:\Users\Admin\AppData\Local\Temp\Confirm Proforma Invoice.exe
      "C:\Users\Admin\AppData\Local\Temp\Confirm Proforma Invoice.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1736
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1260
    • C:\Windows\SysWOW64\ipconfig.exe
      "C:\Windows\SysWOW64\ipconfig.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Gathers network information
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2776
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:540

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1188-21-0x0000000006930000-0x0000000006A84000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/1188-27-0x0000000006930000-0x0000000006A84000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/1260-20-0x0000000000460000-0x0000000000474000-memory.dmp

      Filesize

      80KB

      Download

    • memory/1260-10-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/1260-19-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/1260-17-0x0000000000CE0000-0x0000000000FE3000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/1260-15-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/1260-13-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1260-12-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/1736-7-0x0000000000470000-0x0000000000476000-memory.dmp

      Filesize

      24KB

      Download

    • memory/1736-8-0x0000000000DA0000-0x0000000000DD6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1736-3-0x00000000748A0000-0x0000000074F8E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1736-6-0x0000000000890000-0x00000000008E6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/1736-16-0x00000000748A0000-0x0000000074F8E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1736-5-0x00000000748A0000-0x0000000074F8E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1736-0-0x00000000748AE000-0x00000000748AF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1736-4-0x00000000748AE000-0x00000000748AF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1736-2-0x0000000000210000-0x0000000000228000-memory.dmp

      Filesize

      96KB

      Download

    • memory/1736-1-0x00000000013E0000-0x0000000001454000-memory.dmp

      Filesize

      464KB

      Download

    • memory/2776-22-0x0000000000730000-0x000000000073A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2776-23-0x0000000000730000-0x000000000073A000-memory.dmp

      Filesize

      40KB

      Download