Overview

overview

10

Static

static

3

eAdvice.exe

windows7-x64

10

eAdvice.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    25-12-2024 16:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eAdvice.exe

  • Size

    803KB

  • MD5

    374dfcd12791782c9f84b3dd72c47029

  • SHA1

    5462c5daac3985aea3e1dff59f055183a62d9065

  • SHA256

    89743e19eb7f977dab3591eda342ac51cead1a15829028a151359e845c10a255

  • SHA512

    813de7f1e6fb3bfbcdb40d09bef3161882356f9a786e53206ed17d6e12cd2b5f2615ec619d1de850b994b857285971f03dfc59282b81e5a53eed7fed8db25186

  • SSDEEP

    24576:7azjP6+z+2fNzDFnGNsveawUNXit980Ipulg:+XNFnFnGNsvvli980I

Score
10/10
formbookhx303discoveryevasionratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

hx303

Decoy

pureommassage.com

tazo.ltd

zixunzd.top

booksmaven.com

307countertops.com

hbfyjc.com

latinamericabridge.info

cannadocbd.com

doriesvariety.store

tineedst.com

zajdshj.com

xnxaxx.com

drjacobpedraza.com

sensationvisuelle.com

termteach.com

ysialerts.com

kblandscapeinc.net

sheetmatters.com

ledfriday.com

urbare.net

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook family
    formbook
  • Formbook payload 4 IoCs
    rat
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1212
      • C:\Users\Admin\AppData\Local\Temp\eAdvice.exe
        "C:\Users\Admin\AppData\Local\Temp\eAdvice.exe"
        2⤵
        • Looks for VirtualBox Guest Additions in registry
        • Looks for VMWare Tools registry key
        • Checks BIOS information in registry
        • Maps connected drives based on registry
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2404
        • C:\Users\Admin\AppData\Local\Temp\eAdvice.exe
          "{path}"
          3⤵
            PID:2816
          • C:\Users\Admin\AppData\Local\Temp\eAdvice.exe
            "{path}"
            3⤵
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2884
            • C:\Windows\SysWOW64\colorcpl.exe
              "C:\Windows\SysWOW64\colorcpl.exe"
              4⤵
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Modifies Internet Explorer settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1968
              • C:\Program Files\Mozilla Firefox\Firefox.exe
                "C:\Program Files\Mozilla Firefox\Firefox.exe"
                5⤵
                  PID:820

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1212-32-0x0000000005060000-0x00000000051E5000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/1212-24-0x0000000004EA0000-0x0000000004FB8000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1212-25-0x0000000005060000-0x00000000051E5000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/1212-20-0x0000000004EA0000-0x0000000004FB8000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1968-26-0x0000000000470000-0x0000000000488000-memory.dmp

          Filesize

          96KB

          Download

        • memory/1968-27-0x0000000000470000-0x0000000000488000-memory.dmp

          Filesize

          96KB

          Download

        • memory/1968-28-0x0000000000080000-0x00000000000AE000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2404-3-0x00000000003B0000-0x00000000003C2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2404-6-0x0000000007F50000-0x0000000007FC8000-memory.dmp

          Filesize

          480KB

          Download

        • memory/2404-5-0x0000000005C70000-0x0000000005D02000-memory.dmp

          Filesize

          584KB

          Download

        • memory/2404-4-0x0000000074CE0000-0x00000000753CE000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2404-15-0x0000000074CE0000-0x00000000753CE000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2404-0-0x0000000074CEE000-0x0000000074CEF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2404-2-0x0000000074CE0000-0x00000000753CE000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2404-1-0x0000000001290000-0x0000000001360000-memory.dmp

          Filesize

          832KB

          Download

        • memory/2884-16-0x0000000000840000-0x0000000000B43000-memory.dmp

          Filesize

          3.0MB

          Download

        • memory/2884-18-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2884-19-0x0000000000180000-0x0000000000194000-memory.dmp

          Filesize

          80KB

          Download

        • memory/2884-23-0x00000000002D0000-0x00000000002E4000-memory.dmp

          Filesize

          80KB

          Download

        • memory/2884-22-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2884-14-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2884-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2884-9-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2884-7-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download