Overview

overview

10

Static

static

3

textttr4809.exe

windows7-x64

10

textttr4809.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    24-12-2024 01:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    textttr4809.exe

  • Size

    1.2MB

  • MD5

    6a85b6fadb20c016b98e8ba0fcdfcc44

  • SHA1

    c5c423ccfd6539ba04f56221bbb79c83baa93be4

  • SHA256

    b4855381993299ec39524043aa7f8898a4fe64524ab943bc1db297f62c181824

  • SHA512

    3e5827593da1dd78df4776ddc35f519791ea45ffa6d6d371b6b531ca4b0a030b2d8c296e093488beda886ad652e281c32f7aa830d57523730287c53621327e5a

  • SSDEEP

    24576:0AOcZ2i7uyaiDbX1Z0JsyNVaCpaQj5HUSIOg0+MkYGEy:igDbX1asyiCcw5HPnS

Score
10/10
formbookt01wdiscoveryratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

t01w

Decoy

yeluzishiyanshi.com

thehardtech.xyz

arrowheadk8.site

zaulkunutila.xyz

lookastro.net

congregorecruitment.co.uk

darcyboo.uk

collettesbet.net

ltgpd.com

hiddenapphq.net

haxtrl.online

esenbook.com

jxzyyx.com

ulvabuyout.xyz

instashop.life

vazra.top

ewdvatcuce4.top

zhishi68.com

fabricsandfashion.com

hootcaster.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook family
    formbook
  • Formbook payload 2 IoCs
    rat
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1124
    • C:\Users\Admin\AppData\Local\Temp\textttr4809.exe
      "C:\Users\Admin\AppData\Local\Temp\textttr4809.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2552
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\6_45\fmgnrws.vbe"
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2804
        • C:\Users\Admin\AppData\Local\Temp\6_45\eqxppmhfrn.exe
          "C:\Users\Admin\AppData\Local\Temp\6_45\eqxppmhfrn.exe" rpvqetvcc.rsk
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2212
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            5⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:1564
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            5⤵
              PID:2600
      • C:\Windows\SysWOW64\autofmt.exe
        "C:\Windows\SysWOW64\autofmt.exe"
        2⤵
          PID:1960
        • C:\Windows\SysWOW64\autofmt.exe
          "C:\Windows\SysWOW64\autofmt.exe"
          2⤵
            PID:1648
          • C:\Windows\SysWOW64\autofmt.exe
            "C:\Windows\SysWOW64\autofmt.exe"
            2⤵
              PID:1224
            • C:\Windows\SysWOW64\autofmt.exe
              "C:\Windows\SysWOW64\autofmt.exe"
              2⤵
                PID:2644
              • C:\Windows\SysWOW64\autofmt.exe
                "C:\Windows\SysWOW64\autofmt.exe"
                2⤵
                  PID:2440
                • C:\Windows\SysWOW64\autofmt.exe
                  "C:\Windows\SysWOW64\autofmt.exe"
                  2⤵
                    PID:2176
                  • C:\Windows\SysWOW64\autofmt.exe
                    "C:\Windows\SysWOW64\autofmt.exe"
                    2⤵
                      PID:2768
                    • C:\Windows\SysWOW64\autofmt.exe
                      "C:\Windows\SysWOW64\autofmt.exe"
                      2⤵
                        PID:2460
                      • C:\Windows\SysWOW64\autofmt.exe
                        "C:\Windows\SysWOW64\autofmt.exe"
                        2⤵
                          PID:2028
                        • C:\Windows\SysWOW64\autofmt.exe
                          "C:\Windows\SysWOW64\autofmt.exe"
                          2⤵
                            PID:1872
                          • C:\Windows\SysWOW64\autofmt.exe
                            "C:\Windows\SysWOW64\autofmt.exe"
                            2⤵
                              PID:2936
                            • C:\Windows\SysWOW64\autofmt.exe
                              "C:\Windows\SysWOW64\autofmt.exe"
                              2⤵
                                PID:1536
                              • C:\Windows\SysWOW64\autofmt.exe
                                "C:\Windows\SysWOW64\autofmt.exe"
                                2⤵
                                  PID:1352
                                • C:\Windows\SysWOW64\autofmt.exe
                                  "C:\Windows\SysWOW64\autofmt.exe"
                                  2⤵
                                    PID:1964
                                  • C:\Windows\SysWOW64\autofmt.exe
                                    "C:\Windows\SysWOW64\autofmt.exe"
                                    2⤵
                                      PID:2888
                                    • C:\Windows\SysWOW64\autofmt.exe
                                      "C:\Windows\SysWOW64\autofmt.exe"
                                      2⤵
                                        PID:2948
                                      • C:\Windows\SysWOW64\autofmt.exe
                                        "C:\Windows\SysWOW64\autofmt.exe"
                                        2⤵
                                          PID:352
                                        • C:\Windows\SysWOW64\autofmt.exe
                                          "C:\Windows\SysWOW64\autofmt.exe"
                                          2⤵
                                            PID:2980
                                          • C:\Windows\SysWOW64\autofmt.exe
                                            "C:\Windows\SysWOW64\autofmt.exe"
                                            2⤵
                                              PID:2976
                                            • C:\Windows\SysWOW64\autofmt.exe
                                              "C:\Windows\SysWOW64\autofmt.exe"
                                              2⤵
                                                PID:1912
                                              • C:\Windows\SysWOW64\autofmt.exe
                                                "C:\Windows\SysWOW64\autofmt.exe"
                                                2⤵
                                                  PID:2668
                                                • C:\Windows\SysWOW64\autofmt.exe
                                                  "C:\Windows\SysWOW64\autofmt.exe"
                                                  2⤵
                                                    PID:2896
                                                  • C:\Windows\SysWOW64\autofmt.exe
                                                    "C:\Windows\SysWOW64\autofmt.exe"
                                                    2⤵
                                                      PID:2952
                                                    • C:\Windows\SysWOW64\msiexec.exe
                                                      "C:\Windows\SysWOW64\msiexec.exe"
                                                      2⤵
                                                      • Suspicious use of SetThreadContext
                                                      • System Location Discovery: System Language Discovery
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious behavior: MapViewOfSection
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • Suspicious use of WriteProcessMemory
                                                      PID:2776
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                        3⤵
                                                        • System Location Discovery: System Language Discovery
                                                        PID:1440

                                                  Network

                                                  MITRE ATT&CK Enterprise v15

                                                  Replay Monitor

                                                  Loading Replay Monitor...

                                                  Downloads

                                                  • C:\Users\Admin\AppData\Local\Temp\6_45\jbufkwuago.miw
                                                    Filesize

                                                    370KB

                                                    MD5

                                                    7883104f51596624976b564ab1a3a5c7

                                                    SHA1

                                                    1ebf56538a1d8fe0ed13f1e074ba465faba1ef5f

                                                    SHA256

                                                    d7a503112b68914903fd208884e795e98098bb4685f60dec200657e74e5b08a9

                                                    SHA512

                                                    7aacb5c5f9825f7c3b0bd8ccb8934efb4ecbc6743c479a739b41ba353f54c903a4e881a9ecec3097cc4c76c26c24664ce4fd1f216d6185515086aa9aed103f63

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\6_45\skccbj.exe
                                                    Filesize

                                                    41KB

                                                    MD5

                                                    4fac2ebfd126cf6f3366cff8d58bf824

                                                    SHA1

                                                    bcb12134483fbc145a289264a0d8da377009c83b

                                                    SHA256

                                                    58a41f014c688847cd1c00cf3bc7300192c68836959276a19e6d619f27bc8ed7

                                                    SHA512

                                                    4a0b26c48d326b220030ffffec69f16caa4bad33a7c597f4e7b1e6c3c55b77fb3d74fc2c3a867f8267de67c09d7ac7070be7eb8e2fe42285d7a0481f1743ff0e

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\temp\6_45\fmgnrws.vbe
                                                    Filesize

                                                    32KB

                                                    MD5

                                                    1cad0d875a47ce40af10e4bcd8610ac3

                                                    SHA1

                                                    1c7c64399eecb7947b66105f2b0c70e8f962460f

                                                    SHA256

                                                    131267eba948a969bb7464035b59f226eca0c17193ec2d491717647dcc1db118

                                                    SHA512

                                                    a4fb08788fc5c7b450e8ff861f24d4a7d60f730a1188b809b07e8e7e17f3c478b70f4f10f92ad7dde467fe31a0b640a7cc4ecbcd24d10925bc8f2fa3ece2abe4

                                                    Download Submit

                                                  • \Users\Admin\AppData\Local\Temp\6_45\eqxppmhfrn.exe
                                                    Filesize

                                                    1.1MB

                                                    MD5

                                                    b5b4f7b97106aff4bd860cff0e13dcdc

                                                    SHA1

                                                    42ca977e0d14bde5d5831b7fe10f516186df3fc5

                                                    SHA256

                                                    1dbad30b09c655ff987f25c312f56e9695d60105c240686d05d33941c854fa73

                                                    SHA512

                                                    3e6742aea38c0cbfee8e5cb8f11d328c947c7e4fcca4604b498a7e254aacfe53cc8fc6171d5ed2db7755abb510c09036bfbb1e5a9d9b7b47a587b43c828e3185

                                                    Download Submit

                                                  • memory/1124-76-0x0000000007020000-0x0000000007193000-memory.dmp

                                                    Filesize

                                                    1.4MB

                                                    Download

                                                  • memory/1564-65-0x0000000000400000-0x00000000009F3000-memory.dmp

                                                    Filesize

                                                    5.9MB

                                                    Download

                                                  • memory/1564-62-0x0000000000400000-0x00000000009F3000-memory.dmp

                                                    Filesize

                                                    5.9MB

                                                    Download

                                                  • memory/2600-60-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                                                    Filesize

                                                    4KB

                                                    Download

                                                  • memory/2776-68-0x0000000000F60000-0x0000000000F74000-memory.dmp

                                                    Filesize

                                                    80KB

                                                    Download

                                                  • memory/2776-70-0x0000000000F60000-0x0000000000F74000-memory.dmp

                                                    Filesize

                                                    80KB

                                                    Download

                                                  • memory/2776-71-0x0000000000090000-0x00000000000BF000-memory.dmp

                                                    Filesize

                                                    188KB

                                                    Download