Analysis

  • max time kernel
    147s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-12-2024 00:04

General

  • Target

    f79d4a4a519f6ddaf119529ca2392d7b7721901b9761264d0d2ff1410dda9e25.exe

  • Size

    238KB

  • MD5

    102b3ebb841c1dffa5b08afcc39222dc

  • SHA1

    758e0993c007af3949a60a0ffe1ec19c4e045ced

  • SHA256

    f79d4a4a519f6ddaf119529ca2392d7b7721901b9761264d0d2ff1410dda9e25

  • SHA512

    e1452b4ac7b453b6f899554b223596e7ce258986358e56b3f2dc69bafc2178b6c83894fe507dd9a5d4d0df687b584ae41ada6482b1e73d208e0cb59ca37ac446

  • SSDEEP

    6144:TxDpLHyngojOTo5Y+pfy3jBabNIjhfFcauPkqSEaBx5KNWYi17lrsAo:jDSpyo5Y+pqVabW3ca+eKMtsAo

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

b62r

Decoy

gaykolkata.com

idfinancing.com

hoangphucpharmacy.com

lotworksvariouss.biz

abanchiq.com

galaxylike.com

lyhfyp.com

phantomux.com

lobotours.net

dapcol.online

airplay90.com

hylserviciosintegrales.com

lvmvdp.xyz

economybooiings.com

epiteks.com

soprendenteshop.com

mangaclsh.com

mywebprofile.xyz

fabianwilliamart.com

ayabadge.com
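A note on how to use the list above: a Formbook 4.1 config carries many domains of which only a small number are live C2 at any time; the rest are decoys (the label the sandbox uses) chosen to look like ordinary sites, so a single DNS or proxy hit against this list is a triage lead, not a confirmation. Formbook check-in URLs place the campaign id as the first URI path segment, which is the stronger signal. The following Python is an added example, not part of the sandbox report: it loads the decoy list and campaign id from this page, scans constructed proxy log lines (the log format and client addresses are assumptions, not real telemetry) with exact and subdomain matching, and rates each client by whether the campaign path was seen.

```python
from urllib.parse import urlsplit

# Domain list copied from the report's "Decoy" section.
DECOY_DOMAINS = [
    "gaykolkata.com", "idfinancing.com", "hoangphucpharmacy.com",
    "lotworksvariouss.biz", "abanchiq.com", "galaxylike.com", "lyhfyp.com",
    "phantomux.com", "lobotours.net", "dapcol.online", "airplay90.com",
    "hylserviciosintegrales.com", "lvmvdp.xyz", "economybooiings.com",
    "epiteks.com", "soprendenteshop.com", "mangaclsh.com", "mywebprofile.xyz",
    "fabianwilliamart.com", "ayabadge.com",
]
CAMPAIGN = "b62r"  # campaign id from the extracted config

# Constructed proxy log lines (not from the sandbox run): "<ts> <client> <method> <url>"
SAMPLE_LOG = """\
2024-12-24T00:05:01Z 10.0.0.15 GET http://www.gaykolkata.com/b62r/?Ad8=xyz
2024-12-24T00:05:02Z 10.0.0.15 POST http://www.phantomux.com/b62r/
2024-12-24T00:05:03Z 10.0.0.22 GET http://cdn.example.net/static/app.js
2024-12-24T00:05:04Z 10.0.0.22 GET http://epiteks.com/about.html
2024-12-24T00:05:05Z 10.0.0.31 POST http://www.lobotours.net/b62r/
"""


def normalize(host):
    """Lower-case and drop a trailing dot so 'WWW.Example.COM.' matches 'www.example.com'."""
    return host.strip().rstrip(".").lower()


def match_domain(host, domains):
    """Return the listed domain that host equals or is a subdomain of, else None."""
    labels = normalize(host).split(".")
    # Walk from the full name down to the registrable part, never matching a bare TLD.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_proxy_log(text, domains=frozenset(DECOY_DOMAINS), campaign=CAMPAIGN):
    """Return one hit per log line whose host is on the list.

    campaign_path is True when the first URI path segment equals the campaign id,
    the layout Formbook uses for its check-in URLs; that upgrades a hit from
    'talked to a domain on a decoy list' to 'looks like a beacon'.
    """
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line: skip rather than abort the scan
        ts, client, method, url = parts
        parsed = urlsplit(url)
        if not parsed.hostname:
            continue
        matched = match_domain(parsed.hostname, domains)
        if matched is None:
            continue
        first_segment = parsed.path.strip("/").split("/")[0]
        hits.append({
            "ts": ts, "client": client, "method": method,
            "host": normalize(parsed.hostname), "matched": matched,
            "campaign_path": first_segment == campaign,
        })
    return hits


def triage(hits):
    """Per client: 'high' if any hit carried the campaign path, else 'low'."""
    verdict = {}
    for h in hits:
        level = "high" if h["campaign_path"] else "low"
        if verdict.get(h["client"]) != "high":
            verdict[h["client"]] = level
    return verdict


if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_LOG)
    for h in found:
        print(h)
    print(triage(found))
```

In the constructed sample the client that only fetched a page from epiteks.com is rated low, because that domain may simply be one of the legitimate sites padded into the config; the two clients that requested /b62r/ paths are rated high and are the ones to pull for host triage.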

Signatures

  • Formbook

    Formbook is a commodity information stealer sold to other actors. It harvests credentials and form data from browsers and mail clients, logs keystrokes and captures clipboard content and screenshots, and runs its payload inside a legitimate Windows process. In this run the chain is the dropped wivczschg.exe re-launching itself with SetThreadContext, Explorer.EXE (PID 1208) being written to, and raserver.exe from SysWOW64 hosting the payload and deleting the dropper through cmd.exe.

  • Formbook family
  • Formbook payload 4 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1208
    • C:\Users\Admin\AppData\Local\Temp\f79d4a4a519f6ddaf119529ca2392d7b7721901b9761264d0d2ff1410dda9e25.exe
      "C:\Users\Admin\AppData\Local\Temp\f79d4a4a519f6ddaf119529ca2392d7b7721901b9761264d0d2ff1410dda9e25.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3048
      • C:\Users\Admin\AppData\Local\Temp\wivczschg.exe
        C:\Users\Admin\AppData\Local\Temp\wivczschg.exe C:\Users\Admin\AppData\Local\Temp\bqbubiphod
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2708
        • C:\Users\Admin\AppData\Local\Temp\wivczschg.exe
          C:\Users\Admin\AppData\Local\Temp\wivczschg.exe C:\Users\Admin\AppData\Local\Temp\bqbubiphod
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:2256
    • C:\Windows\SysWOW64\raserver.exe
      "C:\Windows\SysWOW64\raserver.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2736
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\wivczschg.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3060
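The process tree above shows the Formbook hallmarks an analyst looks for in endpoint telemetry: a binary dropped in %TEMP% that launches a copy of itself with an identical command line (the SetThreadContext pattern), Explorer.EXE then spawning a SysWOW64 utility (raserver.exe here), and that utility spawning cmd.exe /c del against the dropped file. The following Python is an added detection example, not part of the sandbox report: it runs over constructed Sysmon-style process-creation events modelled on the tree above (the event field names, the parent of Explorer and the benign noise entry are assumptions) and flags both sub-patterns independently, so the logic also applies when the SysWOW64 host is a different binary.

```python
import re
from collections import defaultdict

TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp"
DROPPER = TEMP_DIR + r"\f79d4a4a519f6ddaf119529ca2392d7b7721901b9761264d0d2ff1410dda9e25.exe"
STAGE2 = TEMP_DIR + r"\wivczschg.exe"
STAGE2_CMD = STAGE2 + " " + TEMP_DIR + r"\bqbubiphod"

# Constructed process-creation events modelled on the report's tree (not real telemetry).
# Explorer's parent PID (4) and the notepad.exe entry are invented noise.
EVENTS = [
    {"pid": 1208, "ppid": 4,    "image": r"C:\Windows\Explorer.EXE",        "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 3048, "ppid": 1208, "image": DROPPER,                             "cmdline": '"%s"' % DROPPER},
    {"pid": 2708, "ppid": 3048, "image": STAGE2,                              "cmdline": STAGE2_CMD},
    {"pid": 2256, "ppid": 2708, "image": STAGE2,                              "cmdline": STAGE2_CMD},
    {"pid": 2736, "ppid": 1208, "image": r"C:\Windows\SysWOW64\raserver.exe", "cmdline": r'"C:\Windows\SysWOW64\raserver.exe"'},
    {"pid": 3060, "ppid": 2736, "image": r"C:\Windows\SysWOW64\cmd.exe",      "cmdline": r'/c del "C:\Users\Admin\AppData\Local\Temp\wivczschg.exe"'},
    {"pid": 4100, "ppid": 1208, "image": r"C:\Windows\System32\notepad.exe",  "cmdline": "notepad.exe"},
]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
SYSWOW_RE = re.compile(r"^C:\\Windows\\SysWOW64\\[^\\]+\.exe$", re.IGNORECASE)
DEL_RE = re.compile(r'/c\s+del\s+"?([^"]+)"?', re.IGNORECASE)


def index(events):
    """Build pid -> event and ppid -> [children] lookups."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    return by_pid, children


def find_self_respawn(events):
    """Temp-resident binary whose child has the same image and command line.

    A process that spawns an identical copy of itself and then writes to it is the
    usual shape of a hollowing/SetThreadContext stage; returns (parent_pid, child_pid).
    """
    _, children = index(events)
    hits = []
    for e in events:
        if not TEMP_RE.search(e["image"]):
            continue
        for c in children[e["pid"]]:
            if c["image"].lower() == e["image"].lower() and c["cmdline"] == e["cmdline"]:
                hits.append((e["pid"], c["pid"]))
    return hits


def find_explorer_injection_chain(events):
    """explorer.exe -> SysWOW64 utility -> cmd.exe /c del <file under Temp>."""
    by_pid, children = index(events)
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None or not parent["image"].lower().endswith("\\explorer.exe"):
            continue
        if not SYSWOW_RE.match(e["image"]):
            continue
        for c in children[e["pid"]]:
            if not c["image"].lower().endswith("\\cmd.exe"):
                continue
            m = DEL_RE.search(c["cmdline"])
            if m and TEMP_RE.search(m.group(1)):
                hits.append({"host_pid": e["pid"], "host": e["image"], "deleted": m.group(1)})
    return hits


def assess(events):
    """Combine both signals; either alone is worth a look, both together is the Formbook shape."""
    respawn = find_self_respawn(events)
    chain = find_explorer_injection_chain(events)
    verdict = "formbook-like" if respawn and chain else ("suspicious" if respawn or chain else "clean")
    return {"self_respawn": respawn, "injection_chain": chain, "verdict": verdict}


if __name__ == "__main__":
    print(assess(EVENTS))
```

The SysWOW64 check is deliberately broad: Formbook picks its host from a set of 32-bit system utilities, so keying on raserver.exe alone would miss the next run. The deleted path is captured from the cmd.exe command line so the hit carries the name of the file to recover from the host before it is gone.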

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\64mfra74j7jvxc

    Filesize

    213KB

    MD5

    b12547b07cd7190d39483d6edc98a6a2

    SHA1

    88597120504ec40dfd469792846cc170113db9e1

    SHA256

    328bc274527798a2b7dfcfac1a4d23a650d8c144b11fd460bd57b3828aeab4cb

    SHA512

    6ca6a1a15b7cc1f8e32a3d2ca23cc2d4df991e96feaa8ee10ecd5ba3c021842607cb85750585a146b9eca4dd54c4cebffd003bd552a982cd3c68622d7d6286f7

  • C:\Users\Admin\AppData\Local\Temp\bqbubiphod

    Filesize

    4KB

    MD5

    891d27523f3e020b2a4a438c2ae80ccb

    SHA1

    df17db0cb95b25d5f3106d9704f7138bcb6dea58

    SHA256

    8344dc093d4b4d194df178d6b88fe5266bb95fbb5626f0c191edcf8dad662279

    SHA512

    73732185648d17558eb9e8c48742cf1d829aa99be74253014c2b00c855e3e1551d3e959c9fa29e3cabfc30d4c8cc5e0ec7471d2ef976a05f624b8754779bb399

  • C:\Users\Admin\AppData\Local\Temp\wivczschg.exe

    Filesize

    6KB

    MD5

    aff04f5ef16ed23b7c7b3a15e5ea644a

    SHA1

    ca4639d4d6c7294c03816943c0a29f4bccf943c3

    SHA256

    cf56b1b6dde6ae7800d3d1af04c154a5c5c635422cb2417cfc8f29ee665c1359

    SHA512

    1954c3e6d5ef261effd9de98d862ed429a1bbe7fc8d9c9b18c43c3da4132991a31006ade1a2c06c5c2449782223cb26d52173c9ac18d849ec26f7d458210773a

  • memory/1208-26-0x0000000006D60000-0x0000000006E9B000-memory.dmp

    Filesize

    1.2MB

  • memory/1208-16-0x0000000006490000-0x00000000065F7000-memory.dmp

    Filesize

    1.4MB

  • memory/1208-20-0x0000000006D60000-0x0000000006E9B000-memory.dmp

    Filesize

    1.2MB

  • memory/1208-31-0x00000000062F0000-0x00000000063E2000-memory.dmp

    Filesize

    968KB

  • memory/2256-12-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2256-15-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2256-18-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2708-9-0x0000000000270000-0x0000000000272000-memory.dmp

    Filesize

    8KB

  • memory/2736-25-0x0000000000080000-0x00000000000AF000-memory.dmp

    Filesize

    188KB

  • memory/2736-24-0x0000000000670000-0x000000000068C000-memory.dmp

    Filesize

    112KB

  • memory/2736-23-0x0000000000670000-0x000000000068C000-memory.dmp

    Filesize

    112KB