Overview

overview

10

Static

static

3

90lh34776t.exe

windows7-x64

10

90lh34776t.exe

windows10-2004-x64

7

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    147s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    23-12-2024 21:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    90lh34776t.exe

  • Size

    221KB

  • MD5

    7729900697d95c9cb6d5bd73888cf13b

  • SHA1

    43bb970f69404ff4c01427b99cfb669a4575d0cd

  • SHA256

    b8f987a5099e1a1a220893763f00bcff9d84ed2dd49cb4a0ab8f5c595281e5ac

  • SHA512

    d7cc1b6c5527da43c8cb4bbc04c356b2cb85849a847c342da6c85d610614096805f6946365f92252276b96a0bc9767c7979dfd358a6e20e752bd08d69850190f

  • SSDEEP

    6144:wBlL/LrAY7sjzeUc1/8Lan+V6KqjWw04DzlBX:Cp/g/2bna6Kn4nlh

Score
10/10
formbooklt0hdiscoveryratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

lt0h

Decoy

originalindigofurniture.co.uk

fl6588.com

acecademy.com

yaerofinerindalnalising.com

mendilovic.online

rishenght.com

famlees.com

myhomeofficemarket.com

bouquetarabia.com

chrisbani.com

freebandslegally.com

hernandezinsurancegroup.net

slicedandfresh.com

apnathikanas.com

chadhatesyou.com

ansilsas.com

in3development.com

nitiren.net

peespn.com

valengz.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook family
    formbook
  • Formbook payload 3 IoCs
    rat
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1184
    • C:\Users\Admin\AppData\Local\Temp\90lh34776t.exe
      "C:\Users\Admin\AppData\Local\Temp\90lh34776t.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2980
      • C:\Users\Admin\AppData\Local\Temp\90lh34776t.exe
        "C:\Users\Admin\AppData\Local\Temp\90lh34776t.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2892
    • C:\Windows\SysWOW64\colorcpl.exe
      "C:\Windows\SysWOW64\colorcpl.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2196
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\90lh34776t.exe"
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        PID:2916

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\nsj800A.tmp\System.dll
    Filesize

    10KB

    MD5

    56a321bd011112ec5d8a32b2f6fd3231

    SHA1

    df20e3a35a1636de64df5290ae5e4e7572447f78

    SHA256

    bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1

    SHA512

    5354890cbc53ce51081a78c64ba9c4c8c4dc9e01141798c1e916e19c5776dac7c82989fad0f08c73e81aaba332dad81205f90d0663119af45550b97b338b9cc3

    Download Submit

  • memory/1184-14-0x0000000000010000-0x0000000000020000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1184-15-0x0000000004B70000-0x0000000004CB8000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1184-18-0x00000000051E0000-0x0000000005305000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1184-19-0x0000000004B70000-0x0000000004CB8000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1184-24-0x00000000051E0000-0x0000000005305000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2196-22-0x00000000009F0000-0x0000000000A08000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2196-23-0x00000000009F0000-0x0000000000A08000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2892-11-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2892-13-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2892-17-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download