Overview

overview

10

Static

static

3

3.exe

windows7-x64

10

3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-12-2024 17:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3.exe

  • Size

    716KB

  • MD5

    6cfd9e4c91e40289c1336092f523fbb9

  • SHA1

    bf2f3761187cd41996565fae116392e241e2c3d4

  • SHA256

    bc85bf351d0f875cab0a1e3bd802665cdd6ed1afe837ab9bdf3d37aeac1e5fe9

  • SHA512

    eb58e3ba01e8350c74e0ba90f2a564dbc196191f3dba91519ef29eaec6530bdfa561526f8dc584d402d93fa6d50558b456264d12b420378c1026159ae7b054e9

  • SSDEEP

    12288:cj3tuU9X6XyGWHBYg/8iTCX1aZBFXXQO186Nvy6kOnPMD6RCsoP4+JW22dS8gfod:e3tLJ65WhX8iTwaZfw9xAUDC8c

Score
10/10
formbook4kxdiscoverypersistenceratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

4kx

Decoy

tenghuab2b.com

docperkins.com

xn--8qvz5k.com

wahgig.com

lesfantomesdelopera.com

ableaccessdesign.com

fraubergtour.com

conjoo.com

colemix.com

ijmpennsylvania.com

viagraboysdownload.com

primaryancientgreeks.com

mavericktourist.com

cezhav.com

zapjevajlive.info

yvpol.com

moonoka.com

pengodam.com

prubobhatton.net

exanyu.info

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook family
    formbook
  • Formbook payload 2 IoCs
    rat
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 41 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3452
    • C:\Users\Admin\AppData\Local\Temp\3.exe
      "C:\Users\Admin\AppData\Local\Temp\3.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4272
      • C:\Users\Admin\AppData\Local\Temp\3.exe
        "C:\Users\Admin\AppData\Local\Temp\3.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:4456
    • C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\SysWOW64\cscript.exe"
      2⤵
      • Adds policy Run key to start application
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1524
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\3.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4704
      • C:\Windows\SysWOW64\cmd.exe
        /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4180
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:2652

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\DB1
      Filesize

      40KB

      MD5

      a182561a527f929489bf4b8f74f65cd7

      SHA1

      8cd6866594759711ea1836e86a5b7ca64ee8911f

      SHA256

      42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

      SHA512

      9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

      Download Submit

    • memory/1524-23-0x0000000000C70000-0x0000000000C97000-memory.dmp

      Filesize

      156KB

      Download

    • memory/1524-22-0x0000000000C70000-0x0000000000C97000-memory.dmp

      Filesize

      156KB

      Download

    • memory/3452-21-0x00000000028A0000-0x00000000029C4000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3452-31-0x0000000007DB0000-0x0000000007EF8000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/3452-29-0x0000000007DB0000-0x0000000007EF8000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/3452-28-0x0000000007DB0000-0x0000000007EF8000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/3452-24-0x00000000028A0000-0x00000000029C4000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/4272-12-0x00000000062D0000-0x0000000006324000-memory.dmp

      Filesize

      336KB

      Download

    • memory/4272-6-0x0000000005D80000-0x0000000005E12000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4272-10-0x000000007443E000-0x000000007443F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4272-11-0x0000000074430000-0x0000000074BE0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4272-0-0x000000007443E000-0x000000007443F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4272-13-0x0000000006990000-0x00000000069C6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/4272-1-0x0000000000E10000-0x0000000000ECA000-memory.dmp

      Filesize

      744KB

      Download

    • memory/4272-16-0x0000000074430000-0x0000000074BE0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4272-2-0x0000000005810000-0x000000000586E000-memory.dmp

      Filesize

      376KB

      Download

    • memory/4272-3-0x0000000005CE0000-0x0000000005D7C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/4272-4-0x0000000074430000-0x0000000074BE0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4272-8-0x0000000005E20000-0x0000000005E76000-memory.dmp

      Filesize

      344KB

      Download

    • memory/4272-7-0x0000000005A10000-0x0000000005A1A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4272-9-0x0000000005CD0000-0x0000000005CD8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4272-5-0x0000000006330000-0x00000000068D4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4456-20-0x0000000001260000-0x0000000001274000-memory.dmp

      Filesize

      80KB

      Download

    • memory/4456-19-0x0000000000400000-0x000000000042D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/4456-17-0x0000000000EC0000-0x000000000120A000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4456-14-0x0000000000400000-0x000000000042D000-memory.dmp

      Filesize

      180KB

      Download