Overview

overview

10

Static

static

3

1f0dfaeee8...ec.exe

windows7-x64

10

1f0dfaeee8...ec.exe

windows10-2004-x64

7

wdxsx.exe

windows7-x64

3

wdxsx.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    146s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    26-12-2024 23:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1f0dfaeee8860dd10d592b0632dc1ef8c2fa1bc9681e0f9e29ed632f2260abec.exe

  • Size

    315KB

  • MD5

    5b9271a33d0ac9c8b59bb27cef2b3834

  • SHA1

    98f16671e6b09b68721a73bba9c5a15e7c4ee664

  • SHA256

    1f0dfaeee8860dd10d592b0632dc1ef8c2fa1bc9681e0f9e29ed632f2260abec

  • SHA512

    b4d7e76b92b641ec2ae6702e5c955ea60ff8b7a5b77e1456fea5118398343c3501dd1f6b1b1e82d60ee5834c583cf22d74ff0b2455e2939e6e88f99562bfb2b6

  • SSDEEP

    3072:J1NjcVVnLpPuGDFsb5Rchf8BS6YbMZlfBtwTrSJxbVrWLK9omNYFkPthSPhI/cag:zNeZwbcu2mYmJxbnokteYwHqyTV

Score
10/10
formbooke0l9discoveryratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

e0l9

Decoy

packingfairturkiye.com

khenonline.com

mydactil.online

coriliechty.com

canadazk.com

freeloanseva.com

successvideo.today

infinitelifetransformations.com

unicryptdoge.com

ecolifeco.com

luxefashionaire.com

lqctqtal.xyz

liveexim.com

happyhempbakery.com

paypalverifie.com

wingonvacations.com

flawdogs.com

shalomsingapore.com

ruscc.xyz

yaxi868.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook family
    formbook
  • Formbook payload 3 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1200
    • C:\Users\Admin\AppData\Local\Temp\1f0dfaeee8860dd10d592b0632dc1ef8c2fa1bc9681e0f9e29ed632f2260abec.exe
      "C:\Users\Admin\AppData\Local\Temp\1f0dfaeee8860dd10d592b0632dc1ef8c2fa1bc9681e0f9e29ed632f2260abec.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2644
      • C:\Users\Admin\AppData\Local\Temp\wdxsx.exe
        C:\Users\Admin\AppData\Local\Temp\wdxsx.exe C:\Users\Admin\AppData\Local\Temp\tfygxpzyta
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2600
        • C:\Users\Admin\AppData\Local\Temp\wdxsx.exe
          C:\Users\Admin\AppData\Local\Temp\wdxsx.exe C:\Users\Admin\AppData\Local\Temp\tfygxpzyta
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:2348
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 216
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:2568
    • C:\Windows\SysWOW64\cmstp.exe
      "C:\Windows\SysWOW64\cmstp.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3024
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\wdxsx.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2972

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\f9tliv6q85zuwch1k52
    Filesize

    213KB

    MD5

    004bc7879e3c807507d2b7d13a621d78

    SHA1

    099640fec1e090923315f11ebfcc287409a247c0

    SHA256

    8ab5adbc3f6292d67119ff52c25b57d1314fe52961f9236796d06694f509bc9c

    SHA512

    e5f117d136f9c117538ef0890969fdd55927ed49b00287213985eeea04a8ca0f47e5a6180ae076b68ead58f6249689fd6fc51d5be39460786fd9efa776a4f442

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tfygxpzyta
    Filesize

    5KB

    MD5

    38eada4dc49581c3cae9eee827227c1f

    SHA1

    e964cece3ca9708f3df691c860c5cb2d72e75ab1

    SHA256

    9677c7d4f551e18f7772fa166ebed8d76c7a7928f747c63e8374a80a45342bd2

    SHA512

    4c99eb1d9e2f9a573d71c77cd53f7d10880157b84a182081f1378986b42f9079c84ad8529d53f89dfa3a7ecf5ab3c7cd8ec32ebe3d22b4e5a245175a47d0f94e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\wdxsx.exe
    Filesize

    4KB

    MD5

    c23f252a4352c30c3473e3fbbdff84f0

    SHA1

    d7240c2f65d1509e51c8461d835a1b14e167ad4f

    SHA256

    6bc4f989450cc6a3d1e220371fc64029bfac461429b035b8db90ae56af7dae8f

    SHA512

    87ef7be0450bd6b40d1d63fdcb66448b8aee04ec9627dc2aacde848ea83e042763d8ce8b1e94547a00b316ce29447c5a036ca92e3baf5315088cdc473edecbd1

    Download Submit

  • memory/1200-27-0x0000000004EF0000-0x000000000502A000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/1200-21-0x0000000004EF0000-0x000000000502A000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/1200-32-0x0000000007990000-0x0000000007B1E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2348-14-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2348-16-0x0000000000910000-0x0000000000C13000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2348-18-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2348-17-0x0000000000290000-0x00000000002A4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2600-9-0x0000000000150000-0x0000000000152000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3024-26-0x0000000000090000-0x00000000000BF000-memory.dmp

    Filesize

    188KB

    Download

  • memory/3024-25-0x0000000000AF0000-0x0000000000B08000-memory.dmp

    Filesize

    96KB

    Download

  • memory/3024-23-0x0000000000AF0000-0x0000000000B08000-memory.dmp

    Filesize

    96KB

    Download