Overview

overview

10

Static

static

3

jestyyfre44321.exe

windows7-x64

10

jestyyfre44321.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    148s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    24-12-2024 09:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    jestyyfre44321.exe

  • Size

    1.1MB

  • MD5

    c2d4e5290155193ed854fc6d27ec83a4

  • SHA1

    de83fd85e5496b9ccc8f56bd162d27381835c1af

  • SHA256

    e4c4e4111a17d0130da8cfb7694900d1d7f16bfb74ab45eff550e6319d88a602

  • SHA512

    e873f5dc3e318be701bbcdc55f2a61060e72a54c58c17fc2b339b9faf5b9b52f764241d7c6f1c5758884fa76cb1257c605ea2cc1c9d085e99fd51fd457e65e73

  • SSDEEP

    24576:UAOcZXcxP6P4C6oV5Ogn+pN6k77rvyOMF5:CH9C6qX+pN6kDbE5

Score
10/10
formbookje14discoveryratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

je14

Decoy

innervisionbuildings.com

theenergysocialite.com

565548.com

panghr.com

onlyonesolutions.com

stjohnzone6.com

cnotes.rest

helfeb.online

xixi-s-inc.club

easilyentered.com

theshopx.store

mrclean-ac.com

miamibeachwateradventures.com

jpearce.co.uk

seseragi-bunkou.com

minimaddie.com

commbank-help-849c3.com

segohandelsonderneming.com

namthanhreal.com

fototerapi.online

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook family
    formbook
  • Formbook payload 2 IoCs
    rat
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1128
    • C:\Users\Admin\AppData\Local\Temp\jestyyfre44321.exe
      "C:\Users\Admin\AppData\Local\Temp\jestyyfre44321.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2536
      • C:\Users\Admin\9_53\isab.pif
        "C:\Users\Admin\9_53\isab.pif" telx.ogt
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2716
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          4⤵
            PID:2644
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            4⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:2672
      • C:\Windows\SysWOW64\wininit.exe
        "C:\Windows\SysWOW64\wininit.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2420
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2364

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\9_53\aoss.xls
      Filesize

      40KB

      MD5

      c54a5a90e3803c572ed12150b510f97d

      SHA1

      8e2f02b84fd5f6e873cf51d343fb96a531a45e45

      SHA256

      87cd75d6b1a5607b39e5940d9021ca9281c3d47217e597e0601f6f6d02b06bf8

      SHA512

      d8f5395fde12d62e94e7969b7d298f03733c56adf3139de5a6167a59c497152c384631d6da12380136b00d10119a7fdec4a53208f5152c578a71b589b8f9e776

      Download Submit

    • C:\Users\Admin\9_53\gcvbihuje.mro
      Filesize

      370KB

      MD5

      d40060faa63c30e509e8f6c5be0dcdc4

      SHA1

      4ec1022751784dc6b2a8819e6d4b860d6b38d82f

      SHA256

      15994b50140988529c4b8c18aebabcb60fedc34b45dfdac906569bda318f3414

      SHA512

      1761c72937b4476c666ffb93b96bb94427068dae217fe03c021082e5a988a09e3dacfd306b6440ca90de3ce48afa2aeb85829a1e76f3ff2fc2e636180f0eb1da

      Download Submit

    • \Users\Admin\9_53\isab.pif
      Filesize

      820KB

      MD5

      0c996fa7285452f1302d8c781bd72972

      SHA1

      93b2a1bce155afec134804b3a2ef6b40ac0a4178

      SHA256

      470588c09deb416b91666b21a15cda3fd2e8807bdf83e27e5939415651bb006f

      SHA512

      e8d8c61f04707af05143e1c68ffcbf38a433766096a5c87c0f6b2b8cf54f0f2d4a60e39f4b0fb5a78dfbb97a2549d7c930887021bf513abf268a4677d9231c5e

      Download Submit

    • memory/1128-100-0x0000000005090000-0x0000000005175000-memory.dmp

      Filesize

      916KB

      Download

    • memory/2420-95-0x0000000000DC0000-0x0000000000DDA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2420-96-0x0000000000080000-0x00000000000AF000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2672-90-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2672-93-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2672-92-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2672-88-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download