Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
23-12-2024 20:40
General
-
Target
ccc792e234a29204157d4833f4ca76b93328cdb9cb6f4830d1bd283934d49e45.exe
-
Size
447KB
-
MD5
601b2d6daefd3d2eca786e4d261a753c
-
SHA1
3833e13c1f023af9cc7755b9e696a66c75bf03bb
-
SHA256
ccc792e234a29204157d4833f4ca76b93328cdb9cb6f4830d1bd283934d49e45
-
SHA512
4b4f93670380e9bbdc2d1d962db5fbc41531c2bff474a4a44b09ae665ba000b39a3ae6a0c6a4acda05c5d9f2f508342ad2293ba6c65de1178c77c231e7b1121a
-
SSDEEP
12288:qX3f3jN2fyF88TTI5qa4fcujtyxE8fuDw2qcSo3:afxni8Y5GfbUxKw2co
Malware Config
Extracted
formbook
qzxe
+ofy/jc//gxWTSyDsHNe/HH9Fw==
JJPj3RBaNUVMfGjFDYHn4VdZS07u9w==
MDmWp98UG5ik7K4=
Lyqf4GqrrNshqB8Rd2k=
GSZF9fyueK9D
go++PQqY5pik7K4=
TUKqEY7b6Pw157uI
Dm2xsOPllslVpt49Vg1pbw==
PTqi5lNcK5ik7K4=
7MgiQoDCx90vLLPOxru2
Sy+TnscLsgODvA==
d95Jmv8+SFddJyKWA4T92cc=
MJHl2jFE+ySkGFO3CIT92cc=
21nQ5Csz6DBxEMSd
MPVPVojhzO5ErK1evXY=
XUSG1EWdjJ0YiY0nmpLf2M8=
wzmZpONyKVr2QKY=
Jm3IFI7RxANTgTim+w==
XUJnuClAAUnCpSMXW1SaExea
ambAG315NEd5RsOeJaudSsZCQBMrrtr/Lg==
Signatures
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Formbook family
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 4 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 62 IoCs
-
Suspicious behavior: MapViewOfSection 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ccc792e234a29204157d4833f4ca76b93328cdb9cb6f4830d1bd283934d49e45.exe"C:\Users\Admin\AppData\Local\Temp\ccc792e234a29204157d4833f4ca76b93328cdb9cb6f4830d1bd283934d49e45.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\wscript.exe"C:\Windows\SysWOW64\wscript.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
64KB
-
Filesize
188KB
-
Filesize
64KB
-
Filesize
3.3MB
-
Filesize
1.2MB
-
Filesize
872KB
-
Filesize
872KB
-
Filesize
1.7MB
-
Filesize
1.2MB
-
Filesize
1.7MB
-
Filesize
1.2MB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
180KB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
448KB
-
Filesize
464KB