Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
25-12-2024 20:28
General
-
Target
AWB 456789098765.exe
-
Size
1.1MB
-
MD5
b785d60412390b52a6c634366a27eb9a
-
SHA1
639dfd8be745805a2e5dfa94df0f52050a5683e5
-
SHA256
08ff2dd59cb681df7b2ac6310a54bfcf990d11b9c7ca3fed51bd043a59e43d52
-
SHA512
9ca769093d504497cc62cb1ad19025c3355c4ad0436a75a9509c19f3d7c983284a0d0c76cf4244de8df8eb313753aeba55fda2293bfde91a112fb17ab7f7a218
-
SSDEEP
12288:mj0c41hw4e/ehLrzR08f9aU0gWYkGGn2E1CSiwlMfQqK3NvxmZxg1hw4e/:KL4LJKQ0U0gYn2u9iwrTN0j4
Malware Config
Extracted
formbook
4.1
na24
confabulator.info
pointsante.com
knoxpak.site
mhonl.site
peter-elliot.co.uk
transmetrics.site
dali001.com
graphicimagestattoo.com
nicesparthiae.biz
dteonfgdelsm.xyz
truegoatapparel.net
firtokyshop.xyz
v7op.icu
exunix.com
77seven-s.com
explorevenda.com
a-prime-sellyourhousefast.fyi
jezierzany.com
983488728.com
heliosbot.xyz
Signatures
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Formbook family
-
Formbook payload 3 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 42 IoCs
-
Suspicious behavior: MapViewOfSection 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\AWB 456789098765.exe"C:\Users\Admin\AppData\Local\Temp\AWB 456789098765.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\AWB 456789098765.exe"C:\Users\Admin\AppData\Local\Temp\AWB 456789098765.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\wscript.exe"C:\Windows\SysWOW64\wscript.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\AWB 456789098765.exe"3⤵
- System Location Discovery: System Language Discovery
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
188KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
80KB
-
Filesize
3.3MB
-
Filesize
680KB
-
Filesize
680KB
-
Filesize
680KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
104KB
-
Filesize
7.7MB
-
Filesize
408KB
-
Filesize
7.7MB
-
Filesize
624KB
-
Filesize
568KB
-
Filesize
48KB
-
Filesize
208KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
1.1MB