Overview

overview

10

Static

static

3

t9w7eLEE781llAk.exe

windows7-x64

10

t9w7eLEE781llAk.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-12-2024 20:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    t9w7eLEE781llAk.exe

  • Size

    1.3MB

  • MD5

    3903301e617641ad7609ca7e09b4bb80

  • SHA1

    2544df38e978f6aaf53ca5ccbb4078befa745351

  • SHA256

    83f231a4e196b10089d16db819c71bfc5cc543fb55ea5ea63aee2d1285ff3dc3

  • SHA512

    fcb598ae444827eb6bdac4567ffcb1b18af792f6d4d19e9b788543994ab5b53529c5df21d45681ec45cd76f49477fa1f789a0db0ad73f00ba6e75272af912851

  • SSDEEP

    24576:B7YXNa2kita4HBIb6kFgaGvVNfZM58gN8GdvwPJORyyIwU6XOHtEga:hQa2kit4GksxMOPuvwIKX2Oyga

Score
10/10
formbookrujediscoveryevasionexecutionratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ruje

Decoy

pelezinhojj.com

tf2landscape.com

dianyuanb2b.com

franklinvisioncenter.net

sdamanagement.net

k7kitchendessert.com

receipeday1.xyz

urbandbracelets.com

lyticstnpasumo5.xyz

pingwangjinrong.com

crocodials.com

beeldacademie.com

loverlykids.com

yougouelectronics.com

ayushbeautypharma.com

fortinetpartnersynergy.com

olimplinfo.xyz

nzn2.com

3brlck.com

htp-352vvm.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook family
    formbook
  • Formbook payload 3 IoCs
    rat
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 44 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3320
    • C:\Users\Admin\AppData\Local\Temp\t9w7eLEE781llAk.exe
      "C:\Users\Admin\AppData\Local\Temp\t9w7eLEE781llAk.exe"
      2⤵
      • Looks for VirtualBox Guest Additions in registry
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Checks computer location settings
      • Maps connected drives based on registry
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:216
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\t9w7eLEE781llAk.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2252
      • C:\Users\Admin\AppData\Local\Temp\t9w7eLEE781llAk.exe
        "C:\Users\Admin\AppData\Local\Temp\t9w7eLEE781llAk.exe"
        3⤵
          PID:2016
        • C:\Users\Admin\AppData\Local\Temp\t9w7eLEE781llAk.exe
          "C:\Users\Admin\AppData\Local\Temp\t9w7eLEE781llAk.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:2060
      • C:\Windows\SysWOW64\systray.exe
        "C:\Windows\SysWOW64\systray.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3196
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\t9w7eLEE781llAk.exe"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:3312

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mwjd25pg.hoe.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • memory/216-0-0x00000000745FE000-0x00000000745FF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/216-1-0x0000000000730000-0x000000000087C000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/216-2-0x0000000005720000-0x0000000005CC4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/216-3-0x0000000005270000-0x0000000005302000-memory.dmp

      Filesize

      584KB

      Download

    • memory/216-4-0x0000000005330000-0x000000000533A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/216-5-0x00000000745F0000-0x0000000074DA0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/216-6-0x00000000056D0000-0x00000000056E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/216-7-0x0000000007BA0000-0x0000000007BEC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/216-8-0x00000000745FE000-0x00000000745FF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/216-9-0x00000000745F0000-0x0000000074DA0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/216-10-0x0000000007F10000-0x0000000007FAC000-memory.dmp

      Filesize

      624KB

      Download

    • memory/216-11-0x00000000084A0000-0x00000000085C6000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/216-12-0x0000000008220000-0x0000000008286000-memory.dmp

      Filesize

      408KB

      Download

    • memory/216-32-0x00000000745F0000-0x0000000074DA0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2060-25-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2060-33-0x0000000001950000-0x0000000001C9A000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2060-38-0x00000000014D0000-0x00000000014E4000-memory.dmp

      Filesize

      80KB

      Download

    • memory/2060-37-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2252-34-0x0000000006300000-0x000000000631E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2252-56-0x0000000007620000-0x000000000763A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2252-16-0x00000000745F0000-0x0000000074DA0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2252-18-0x00000000054F0000-0x0000000005556000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2252-17-0x0000000005450000-0x0000000005472000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2252-24-0x00000000745F0000-0x0000000074DA0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2252-28-0x0000000005CE0000-0x0000000006034000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2252-14-0x00000000745F0000-0x0000000074DA0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2252-35-0x0000000006320000-0x000000000636C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2252-13-0x00000000029F0000-0x0000000002A26000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2252-40-0x000000007FD10000-0x000000007FD20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2252-41-0x00000000072E0000-0x0000000007312000-memory.dmp

      Filesize

      200KB

      Download

    • memory/2252-42-0x0000000074E80000-0x0000000074ECC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2252-52-0x0000000004F80000-0x0000000004F90000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2252-53-0x00000000068B0000-0x00000000068CE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2252-54-0x0000000007520000-0x00000000075C3000-memory.dmp

      Filesize

      652KB

      Download

    • memory/2252-55-0x0000000007C70000-0x00000000082EA000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/2252-15-0x00000000055C0000-0x0000000005BE8000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/2252-57-0x0000000007690000-0x000000000769A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2252-58-0x00000000078A0000-0x0000000007936000-memory.dmp

      Filesize

      600KB

      Download

    • memory/2252-59-0x0000000007820000-0x0000000007831000-memory.dmp

      Filesize

      68KB

      Download

    • memory/2252-60-0x00000000745F0000-0x0000000074DA0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2252-71-0x00000000745F0000-0x0000000074DA0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2252-68-0x0000000007960000-0x0000000007968000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2252-63-0x00000000745F0000-0x0000000074DA0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2252-64-0x00000000745F0000-0x0000000074DA0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2252-65-0x0000000007870000-0x000000000787E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2252-66-0x0000000007940000-0x0000000007954000-memory.dmp

      Filesize

      80KB

      Download

    • memory/2252-67-0x0000000007980000-0x000000000799A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3196-61-0x00000000007B0000-0x00000000007B6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/3196-62-0x00000000007B0000-0x00000000007B6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/3196-73-0x0000000001200000-0x000000000122F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/3320-39-0x0000000007CB0000-0x0000000007DAA000-memory.dmp

      Filesize

      1000KB

      Download

    • memory/3320-72-0x0000000007CB0000-0x0000000007DAA000-memory.dmp

      Filesize

      1000KB

      Download

    • memory/3320-76-0x0000000008310000-0x00000000083BB000-memory.dmp

      Filesize

      684KB

      Download