Analysis

max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 25-12-2024 21:23

Static task: static1
Behavioral task: behavioral1
Sample: 8c218c09f446a0db7b5de9bad9aadf285e81b04673a2db6769ccad09e1e6945b.exe
Resource: win7-20240903-en
General

Target: 8c218c09f446a0db7b5de9bad9aadf285e81b04673a2db6769ccad09e1e6945b.exe
Size: 392KB
MD5: abf477b0f1f223cc754772ea47bdaa44
SHA1: c58595a2b39e58436ed35f887e7b230f436967af
SHA256: 8c218c09f446a0db7b5de9bad9aadf285e81b04673a2db6769ccad09e1e6945b
SHA512: 2af086a54a6d3384ad1e6633bc525c8a6c74b07e2133d83ce0cb67eb80ccd73a2a65127e1f182ea935ef570b8bcc9420370153071d95f711a966b362748ffaef
SSDEEP: 6144:Z9O8QFXPDBvcPvbOtnLa1JnTajynM1QqZVVJ+rssBEueQk:vPQncPaEWF1xZTYrWh
Malware Config

Extracted
Family: formbook
Version: 4.1
Campaign: ey5a
Signatures

Formbook family

Formbook payload (2 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/344-12-0x0000000000400000-0x000000000042F000-memory.dmp    formbook
  behavioral1/memory/344-15-0x00000000008A0000-0x0000000000BA3000-memory.dmp    formbook

Suspicious use of SetThreadContext (1 IoC)
  description                          pid    Process                                                                   procid_target
  PID 1016 set thread context of 344   1016   8c218c09f446a0db7b5de9bad9aadf285e81b04673a2db6769ccad09e1e6945b.exe   31

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                        Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   8c218c09f446a0db7b5de9bad9aadf285e81b04673a2db6769ccad09e1e6945b.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid   Process
  344   8c218c09f446a0db7b5de9bad9aadf285e81b04673a2db6769ccad09e1e6945b.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description                       pid    Process                                                                   procid_target
  PID 1016 wrote to memory of 344   1016   8c218c09f446a0db7b5de9bad9aadf285e81b04673a2db6769ccad09e1e6945b.exe   31
  PID 1016 wrote to memory of 344   1016   8c218c09f446a0db7b5de9bad9aadf285e81b04673a2db6769ccad09e1e6945b.exe   31
  PID 1016 wrote to memory of 344   1016   8c218c09f446a0db7b5de9bad9aadf285e81b04673a2db6769ccad09e1e6945b.exe   31
  PID 1016 wrote to memory of 344   1016   8c218c09f446a0db7b5de9bad9aadf285e81b04673a2db6769ccad09e1e6945b.exe   31
  PID 1016 wrote to memory of 344   1016   8c218c09f446a0db7b5de9bad9aadf285e81b04673a2db6769ccad09e1e6945b.exe   31
  PID 1016 wrote to memory of 344   1016   8c218c09f446a0db7b5de9bad9aadf285e81b04673a2db6769ccad09e1e6945b.exe   31
  PID 1016 wrote to memory of 344   1016   8c218c09f446a0db7b5de9bad9aadf285e81b04673a2db6769ccad09e1e6945b.exe   31
Processes

C:\Users\Admin\AppData\Local\Temp\8c218c09f446a0db7b5de9bad9aadf285e81b04673a2db6769ccad09e1e6945b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8c218c09f446a0db7b5de9bad9aadf285e81b04673a2db6769ccad09e1e6945b.exe"
  PID: 1016
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\8c218c09f446a0db7b5de9bad9aadf285e81b04673a2db6769ccad09e1e6945b.exe (child of PID 1016)
    Command line: "C:\Users\Admin\AppData\Local\Temp\8c218c09f446a0db7b5de9bad9aadf285e81b04673a2db6769ccad09e1e6945b.exe"
    PID: 344
    - Suspicious behavior: EnumeratesProcesses