Overview

overview

10

Static

static

3

proforma-3289.exe

windows7-x64

10

proforma-3289.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-12-2024 02:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    proforma-3289.exe

  • Size

    1.1MB

  • MD5

    ac2c24eeb56a0fc9e89d995c4b0d5c0f

  • SHA1

    cb42fd2596ed3ef2f681de0919fb61293e785974

  • SHA256

    985737716694171ca5cd45760d29ab6aebe57efcd2349bc5085ff13cdd365efd

  • SHA512

    ff3a83e78a3677ca67ae22667c341add857f117c40509dbaa7eac2a1d85649b1eaf6317a440fbab7e86e1eff4e53d27a3564081ff320f6bafc24cdc58dcaa9a4

  • SSDEEP

    24576:0AOcZ2i7g/0jTS8U1L3j5HUSIOg0+MkYG9:i7S9m/5HPnk

Score
10/10
formbookmr06discoveryratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mr06

Decoy

dreamrose.shop

bamdadlive.com

avastfr.com

aishabolduc.design

nobulldownhill.com

navis.store

paintingsantaclarita.com

wdidfhqo9751ds.link

epilateurlaser.info

expertdoctor.xyz

jtfaqyxo.work

zrexvita.live

coloradomarketingfirm.com

prestigehospitality.solutions

bmayple.com

sea-food.online

mejor-proteccion-es.click

tophatlimitless.buzz

inailshickorycreek.com

tintash-sg.net

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook family
    formbook
  • Formbook payload 2 IoCs
    rat
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3520
    • C:\Users\Admin\AppData\Local\Temp\proforma-3289.exe
      "C:\Users\Admin\AppData\Local\Temp\proforma-3289.exe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4876
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\7_63\ulvlicmcxk.vbe"
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:4812
        • C:\Users\Admin\AppData\Local\Temp\7_63\rpvrskeofd.exe
          "C:\Users\Admin\AppData\Local\Temp\7_63\rpvrskeofd.exe" sopjge.daw
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2460
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            5⤵
              PID:3992
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
              5⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of AdjustPrivilegeToken
              PID:1928
      • C:\Windows\SysWOW64\wscript.exe
        "C:\Windows\SysWOW64\wscript.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1144
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2228

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\7_63\dojcuiu.pdf
      Filesize

      40KB

      MD5

      9be1e7667aecfc2ea424c9e8ef7e48bc

      SHA1

      49351d60b77693beb7f0190fc8cf031a9d6d09e7

      SHA256

      89299ac18342245f35621f7e2bda7af823644d0ae52763aa29b646632db97fb8

      SHA512

      74b39c3824ab9d3cd330e4d12e83efe70588a52d4a2862a0e820c017336dd9cba4c0f24f14ff2d6044b901656165ea55dd243bc22f127a4c5b1c474920163ae0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\7_63\rpvrskeofd.exe
      Filesize

      1.1MB

      MD5

      b5b4f7b97106aff4bd860cff0e13dcdc

      SHA1

      42ca977e0d14bde5d5831b7fe10f516186df3fc5

      SHA256

      1dbad30b09c655ff987f25c312f56e9695d60105c240686d05d33941c854fa73

      SHA512

      3e6742aea38c0cbfee8e5cb8f11d328c947c7e4fcca4604b498a7e254aacfe53cc8fc6171d5ed2db7755abb510c09036bfbb1e5a9d9b7b47a587b43c828e3185

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\7_63\ubrce.gge
      Filesize

      370KB

      MD5

      66d443abc0d6d9da3a419a3a6a7f9085

      SHA1

      caf338699d99be174c33017bd751d3419fe668e6

      SHA256

      bb2f875ea6d8631cd2bdfb0fb2e9935310f6898c72698677bb55fb303dc52890

      SHA512

      272cb206198794fd6ba4bf966230450031ba00eb492ce96e63aeb8ef42c16ff04648577eb806edf96d9b0d0117db75b944a16d05f14fd44608713dd22d8de876

      Download Submit

    • C:\Users\Admin\AppData\Local\temp\7_63\ulvlicmcxk.vbe
      Filesize

      27KB

      MD5

      3ac6a7f004a811c0346cca6937c20ad6

      SHA1

      fedd4cf52b30748c33e47e03cacef5797354b6e7

      SHA256

      41f54a5dcddafd9038dffb546a05f9c5c45b956b55f49c7ff12f78478fab749d

      SHA512

      c1be79f38f0d1993009c225de611fe4680f5875ce21b3e9d2d66ce38fb08068c964795324273161981c29d942639de7f6d4954c00917484b55cc79e18868ed3a

      Download Submit

    • memory/1144-55-0x00000000008D0000-0x00000000008F7000-memory.dmp

      Filesize

      156KB

      Download

    • memory/1144-56-0x0000000000580000-0x00000000005AF000-memory.dmp

      Filesize

      188KB

      Download

    • memory/1928-53-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/3520-60-0x0000000002D80000-0x0000000002E28000-memory.dmp

      Filesize

      672KB

      Download