Analysis

  • max time kernel: 147s
  • max time network: 145s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 24-12-2024 01:27

General

  • Target: textttr4809.exe
  • Size: 1.2MB
  • MD5: 6a85b6fadb20c016b98e8ba0fcdfcc44
  • SHA1: c5c423ccfd6539ba04f56221bbb79c83baa93be4
  • SHA256: b4855381993299ec39524043aa7f8898a4fe64524ab943bc1db297f62c181824
  • SHA512: 3e5827593da1dd78df4776ddc35f519791ea45ffa6d6d371b6b531ca4b0a030b2d8c296e093488beda886ad652e281c32f7aa830d57523730287c53621327e5a
  • SSDEEP: 24576:0AOcZ2i7uyaiDbX1Z0JsyNVaCpaQj5HUSIOg0+MkYGEy:igDbX1asyiCcw5HPnS

Malware Config

Extracted

  • Family: formbook
  • Version: 4.1
  • Campaign: t01w
  • Decoy:


Signatures

  • Formbook

    Formbook is a data-stealing malware family.

  • Formbook family
  • Formbook payload 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3540
    • C:\Users\Admin\AppData\Local\Temp\textttr4809.exe
      "C:\Users\Admin\AppData\Local\Temp\textttr4809.exe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:920
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\6_45\fmgnrws.vbe"
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:4580
        • C:\Users\Admin\AppData\Local\Temp\6_45\eqxppmhfrn.exe
          "C:\Users\Admin\AppData\Local\Temp\6_45\eqxppmhfrn.exe" rpvqetvcc.rsk
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3532
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            5⤵
            PID:2436
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
              5⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of AdjustPrivilegeToken
              PID:364
      • C:\Windows\SysWOW64\wscript.exe
        "C:\Windows\SysWOW64\wscript.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:656
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:644

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\6_45\eqxppmhfrn.exe
      Filesize: 1.1MB
      MD5: b5b4f7b97106aff4bd860cff0e13dcdc
      SHA1: 42ca977e0d14bde5d5831b7fe10f516186df3fc5
      SHA256: 1dbad30b09c655ff987f25c312f56e9695d60105c240686d05d33941c854fa73
      SHA512: 3e6742aea38c0cbfee8e5cb8f11d328c947c7e4fcca4604b498a7e254aacfe53cc8fc6171d5ed2db7755abb510c09036bfbb1e5a9d9b7b47a587b43c828e3185

    • C:\Users\Admin\AppData\Local\Temp\6_45\jbufkwuago.miw
      Filesize: 370KB
      MD5: 7883104f51596624976b564ab1a3a5c7
      SHA1: 1ebf56538a1d8fe0ed13f1e074ba465faba1ef5f
      SHA256: d7a503112b68914903fd208884e795e98098bb4685f60dec200657e74e5b08a9
      SHA512: 7aacb5c5f9825f7c3b0bd8ccb8934efb4ecbc6743c479a739b41ba353f54c903a4e881a9ecec3097cc4c76c26c24664ce4fd1f216d6185515086aa9aed103f63

    • C:\Users\Admin\AppData\Local\Temp\6_45\skccbj.exe
      Filesize: 41KB
      MD5: 4fac2ebfd126cf6f3366cff8d58bf824
      SHA1: bcb12134483fbc145a289264a0d8da377009c83b
      SHA256: 58a41f014c688847cd1c00cf3bc7300192c68836959276a19e6d619f27bc8ed7
      SHA512: 4a0b26c48d326b220030ffffec69f16caa4bad33a7c597f4e7b1e6c3c55b77fb3d74fc2c3a867f8267de67c09d7ac7070be7eb8e2fe42285d7a0481f1743ff0e

    • C:\Users\Admin\AppData\Local\temp\6_45\fmgnrws.vbe
      Filesize: 32KB
      MD5: 1cad0d875a47ce40af10e4bcd8610ac3
      SHA1: 1c7c64399eecb7947b66105f2b0c70e8f962460f
      SHA256: 131267eba948a969bb7464035b59f226eca0c17193ec2d491717647dcc1db118
      SHA512: a4fb08788fc5c7b450e8ff861f24d4a7d60f730a1188b809b07e8e7e17f3c478b70f4f10f92ad7dde467fe31a0b640a7cc4ecbcd24d10925bc8f2fa3ece2abe4

    • memory/364-59-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize: 188KB

    • memory/364-61-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize: 188KB

    • memory/656-62-0x0000000000620000-0x0000000000647000-memory.dmp
      Filesize: 156KB

    • memory/656-63-0x00000000003D0000-0x00000000003FF000-memory.dmp
      Filesize: 188KB

    • memory/3540-67-0x0000000007610000-0x00000000076BD000-memory.dmp
      Filesize: 692KB