Overview

overview

10

Static

static

3

NEW FOB ORDER.scr

windows7-x64

10

NEW FOB ORDER.scr

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-12-2024 04:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEW FOB ORDER.scr

  • Size

    564KB

  • MD5

    1b368429bb54aa475c67fc2e45380c3f

  • SHA1

    ef6e114cd73b2ad5af2da580ff37ec65a789969a

  • SHA256

    e6d85a6287cb583fc5dec0b47a3288d9d0bed8e103991797b14a0e16ab41a9b4

  • SHA512

    acb661727bf128ba818740cfbfb7fc5705d96ccabd7e736c828d15471d4161f1c9bc729684d0e358728502fc2e227e3ac69bed85e583e549cd10f48f41d00d57

  • SSDEEP

    12288:x8qAaehX93VjqTuaxT7HVVOdsxaO6RScOHj:uHaehX93VjOuaj4d0aO6POHj

Score
10/10
formbooks16rdiscoveryratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

s16r

Decoy

kellieroysellsnc.com

valleylowvoltage.com

mltuo900.xyz

visitingpuntacana.com

weiwushi.com

austintechjob.com

rxstarcbd.com

shopstudioesi.com

filetto-server.xyz

relianceltdbnk.com

unethical.world

yedd.store

esthershhs.com

magaddis.com

scenicdrivetours.com

123gest.com

2020mortagelifeinsurance.com

faceinle.com

integritymarking.com

alfatoto.xyz

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook family
    formbook
  • Formbook payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 50 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3436
    • C:\Users\Admin\AppData\Local\Temp\NEW FOB ORDER.scr
      "C:\Users\Admin\AppData\Local\Temp\NEW FOB ORDER.scr" /S
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1096
      • C:\Users\Admin\AppData\Local\Temp\NEW FOB ORDER.scr
        "C:\Users\Admin\AppData\Local\Temp\NEW FOB ORDER.scr"
        3⤵
          PID:1864
        • C:\Users\Admin\AppData\Local\Temp\NEW FOB ORDER.scr
          "C:\Users\Admin\AppData\Local\Temp\NEW FOB ORDER.scr"
          3⤵
            PID:2744
          • C:\Users\Admin\AppData\Local\Temp\NEW FOB ORDER.scr
            "C:\Users\Admin\AppData\Local\Temp\NEW FOB ORDER.scr"
            3⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:648
        • C:\Windows\SysWOW64\help.exe
          "C:\Windows\SysWOW64\help.exe"
          2⤵
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:836
          • C:\Windows\SysWOW64\cmd.exe
            /c del "C:\Users\Admin\AppData\Local\Temp\NEW FOB ORDER.scr"
            3⤵
            • System Location Discovery: System Language Discovery
            PID:1356

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/648-12-0x0000000000400000-0x000000000042F000-memory.dmp

        Filesize

        188KB

        Download

      • memory/648-18-0x0000000001620000-0x0000000001634000-memory.dmp

        Filesize

        80KB

        Download

      • memory/648-17-0x0000000000400000-0x000000000042F000-memory.dmp

        Filesize

        188KB

        Download

      • memory/648-15-0x0000000001180000-0x00000000014CA000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/836-21-0x0000000000DE0000-0x0000000000DE7000-memory.dmp

        Filesize

        28KB

        Download

      • memory/836-20-0x0000000000DE0000-0x0000000000DE7000-memory.dmp

        Filesize

        28KB

        Download

      • memory/836-22-0x0000000000D30000-0x0000000000D5F000-memory.dmp

        Filesize

        188KB

        Download

      • memory/1096-10-0x0000000006DD0000-0x0000000006E6C000-memory.dmp

        Filesize

        624KB

        Download

      • memory/1096-1-0x0000000000990000-0x0000000000A24000-memory.dmp

        Filesize

        592KB

        Download

      • memory/1096-9-0x0000000075200000-0x00000000759B0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1096-5-0x00000000054D0000-0x00000000054DA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/1096-11-0x0000000006F50000-0x0000000006FB6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1096-4-0x0000000075200000-0x00000000759B0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1096-14-0x0000000075200000-0x00000000759B0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1096-3-0x0000000005410000-0x00000000054A2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/1096-2-0x00000000058D0000-0x0000000005E74000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/1096-8-0x000000007520E000-0x000000007520F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1096-6-0x0000000005510000-0x000000000551C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/1096-0-0x000000007520E000-0x000000007520F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1096-7-0x0000000006A60000-0x0000000006AAC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/3436-19-0x0000000009010000-0x0000000009147000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/3436-23-0x0000000009010000-0x0000000009147000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/3436-27-0x00000000032A0000-0x0000000003374000-memory.dmp

        Filesize

        848KB

        Download

      • memory/3436-28-0x00000000032A0000-0x0000000003374000-memory.dmp

        Filesize

        848KB

        Download

      • memory/3436-30-0x00000000032A0000-0x0000000003374000-memory.dmp

        Filesize

        848KB

        Download