Overview

overview

10

Static

static

3

sample1.exe

windows7-x64

10

sample1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    25-12-2024 17:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sample1.exe

  • Size

    569KB

  • MD5

    56046153a51fe6eaa8814f9d11ac34f6

  • SHA1

    bd55ff7ab969a8aa5485a6c5c6844e9224780dba

  • SHA256

    abd47175466abe2058151e12919ca9501497dbb286909bf7896d20d59fe73ef6

  • SHA512

    fd92ff39626538835b8e8eb63c1fbd6c0828d0fc22261077c83b13ce838f72aac58bda29547c3bc3d356e4c4e9af5c8ae5061648fbebd5040b30d31883183770

  • SSDEEP

    12288:89KZTldLdFz3HEJi5LAWePIBD0WZqkyn2qDdzffF8jo+P1:89mnLnEId+WuFFfNSP1

Score
10/10
formbookkbmdiscoveryratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

kbm

Decoy

qyhattj.icu

kyrenegordo.com

tprgaming.com

sparklemodelscebu.com

bladeha.com

19625ne23ave.com

bigbossgreezy.com

topbusinesskerala.com

aikqq.com

imprussts.com

hd282.com

esrholding.com

senxiv.net

arcustomwork.com

buscoveterinaria.com

genhayakawa.com

1sttividalebrownies.com

agenciawebdigital.com

planguin.online

blackmantech.institute

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook family
    formbook
  • Formbook payload 3 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1160
    • C:\Users\Admin\AppData\Local\Temp\sample1.exe
      "C:\Users\Admin\AppData\Local\Temp\sample1.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2380
      • C:\Users\Admin\AppData\Local\Temp\sample1.exe
        "C:\Users\Admin\AppData\Local\Temp\sample1.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2720
    • C:\Windows\SysWOW64\wlanext.exe
      "C:\Windows\SysWOW64\wlanext.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1596
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\sample1.exe"
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        PID:2616

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1160-22-0x0000000004F80000-0x00000000050AF000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/1160-23-0x0000000006C00000-0x0000000006D89000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1160-18-0x0000000004F80000-0x00000000050AF000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/1596-26-0x00000000005F0000-0x0000000000606000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1596-24-0x00000000005F0000-0x0000000000606000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2380-3-0x00000000744D0000-0x0000000074BBE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2380-6-0x00000000049E0000-0x0000000004A4C000-memory.dmp

    Filesize

    432KB

    Download

  • memory/2380-7-0x0000000002050000-0x0000000002084000-memory.dmp

    Filesize

    208KB

    Download

  • memory/2380-5-0x00000000744D0000-0x0000000074BBE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2380-4-0x00000000744DE000-0x00000000744DF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2380-0-0x00000000744DE000-0x00000000744DF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2380-2-0x0000000000310000-0x0000000000320000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2380-13-0x00000000744D0000-0x0000000074BBE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2380-1-0x00000000008A0000-0x0000000000934000-memory.dmp

    Filesize

    592KB

    Download

  • memory/2720-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2720-16-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2720-17-0x0000000000360000-0x0000000000374000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2720-21-0x00000000003A0000-0x00000000003B4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2720-20-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2720-14-0x0000000000AD0000-0x0000000000DD3000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2720-9-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2720-12-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2720-8-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download