Overview

overview

10

Static

static

3

textview466732.exe

windows7-x64

10

textview466732.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    25-12-2024 14:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    textview466732.exe

  • Size

    1.1MB

  • MD5

    3a7e5d1f2647dd5b8db9b826116f4ec6

  • SHA1

    85cdf938d50c68137dd6b344dfa54efb7236f486

  • SHA256

    927d0ba12659ceffb9d3f45ad9eb34bc9f8a9b6931499cf08a2d94be0dbf8019

  • SHA512

    5774393a5960b7fb3f63de19ee07b3c5803dd6164a746382014313121f3ce263be9a5122e38e0a83503d38e7eafa3328c325b7c26276c9e7b7ddad5fb5217d10

  • SSDEEP

    24576:0AOcZ2i7OX8FbAQFred8TPwUcztVqEubl83o9ZkbgWf:ifAgdgPTWfqEUU2Zkt

Score
10/10
formbookt01wdiscoveryratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

t01w

Decoy

yeluzishiyanshi.com

thehardtech.xyz

arrowheadk8.site

zaulkunutila.xyz

lookastro.net

congregorecruitment.co.uk

darcyboo.uk

collettesbet.net

ltgpd.com

hiddenapphq.net

haxtrl.online

esenbook.com

jxzyyx.com

ulvabuyout.xyz

instashop.life

vazra.top

ewdvatcuce4.top

zhishi68.com

fabricsandfashion.com

hootcaster.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook family
    formbook
  • Formbook payload 3 IoCs
    rat
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1212
    • C:\Users\Admin\AppData\Local\Temp\textview466732.exe
      "C:\Users\Admin\AppData\Local\Temp\textview466732.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2488
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\9_17\loktij.vbe"
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2812
        • C:\Users\Admin\AppData\Roaming\9_17\ancwg.exe
          "C:\Users\Admin\AppData\Roaming\9_17\ancwg.exe" tdovgconqm.doo
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3040
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            5⤵
              PID:2060
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
              5⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of AdjustPrivilegeToken
              PID:1300
      • C:\Windows\SysWOW64\wscript.exe
        "C:\Windows\SysWOW64\wscript.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2768
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2440

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\9_17\ancwg.exe
      Filesize

      999KB

      MD5

      1dbba7abb9198c4247cbfb258fe5233d

      SHA1

      cd5a35e75ec61b6d7c3bbeb7b882d0d2d79b05be

      SHA256

      6a18e69d28b177619e672f93fd97bdbfd13160faecd63f942728dc18254afb88

      SHA512

      503cb461c0f60c62bada9b1aefa787ed97480192d8f91455e08ac8781919c1b61751a091ce647d9c92995e925429f0ae616f4d7c2187717397f7a1e6fd811e98

      Download Submit

    • C:\Users\Admin\AppData\Roaming\9_17\loktij.vbe
      Filesize

      32KB

      MD5

      a0f2cc1a68c0ee17e6ad23edb5b43b3c

      SHA1

      ca051ea6a373aef9a0d1fc4f3c820ee49a6d543d

      SHA256

      828170311fb9150893fabfe2beaefe76fcfc51b6c47ef1c083f9b3abd8d9579f

      SHA512

      c0a199aa86426f476e53b7e29554d65470344ec00885fa3112eeb1587f1e08b194437686677a5b2bd7211ab14730ac991d531b04fce7ba3261006121ec0fc446

      Download Submit

    • C:\Users\Admin\AppData\Roaming\9_17\mxoh.vck
      Filesize

      370KB

      MD5

      83db844b878b3bc92af73d2456006a00

      SHA1

      7318597c222b84d360536093417394dffdef6488

      SHA256

      308f70793505d5111933cee976cf565bdc5465e9426d4757d17abe1459f0b344

      SHA512

      527bf572e87fc14736c70aa0cb89f6276578b19da6d1e23cac29b20684d3138883358d4147d8b9854b80953d382f2eefdfbeaf82e6c79374eab08b39aeeeb4d5

      Download Submit

    • C:\Users\Admin\AppData\Roaming\9_17\uubvcvvjcj.mp3
      Filesize

      46KB

      MD5

      76f1eef14097bbbe2b4e376d5c6b1b76

      SHA1

      304946f2dffde8bbbd4929b347665e20dc5ce04e

      SHA256

      8fb5ca6e4bbddeee4d83315797b0bbcf3f31670285a36a94505e073d01a78839

      SHA512

      2d34ee83bcf8e05294c96d117dbf6f3fc7aa45d48a6c638f42d32d118200a59d37d283d75e6d4e15159f85cb6dc0c25cd555a852894814f0fa95b86a330424ae

      Download Submit

    • memory/1212-80-0x00000000073E0000-0x00000000074E5000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1300-73-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/1300-72-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1300-70-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/1300-68-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/1300-75-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2768-76-0x0000000000FC0000-0x0000000000FE6000-memory.dmp

      Filesize

      152KB

      Download

    • memory/2768-77-0x0000000000070000-0x000000000009F000-memory.dmp

      Filesize

      188KB

      Download