Analysis

  • max time kernel
    145s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    29-12-2024 03:35

General

  • Target

    bjzfttovhy.exe

  • Size

    59KB

  • MD5

    8aaf366f0347501bad46a2593664c9fa

  • SHA1

    8f80b099bc2eeee883fe6f3afb0b295cc9c10ec6

  • SHA256

    266853551f6890103f71206b085307f1174b185f55b6b87aa3a3d3f189a1463f

  • SHA512

    d0f4744479cff0f8f25fa312d502629041599aa97801a4ba1085e1cd4b12329d47f91fcfaa638c04274377534114934c2b94e07188355464498b08ed7f94a6a0

  • SSDEEP

    1536:SvtLu0ZssXg2J2m3K5n2ETMCZQsuyXn5QnQCO:SCsPEvMCi32nCnQCO

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mn21

Decoy

h3k38c.icu

qbfstopp.com

butalip.xyz

hanghang.club

relativemotionsuspension.com

bjddjyfdc.com

patrichard.com

filyacat.com

mothertukker.co.uk

riescodesign.com

afierypulse.com

supplypartners.biz

ekkogroupmoment.com

ivnocup.com

lycyjzx.com

elbuensamaritanoinc.com

forzel.com

mykedairuncit.com

usuariosconsultasnet.store

idaparry.cfd

Signatures

  • Formbook

    Formbook is an information-stealing malware family: a form grabber and keylogger that harvests credentials and other data from the infected host. The domains listed under Decoy are the sample's embedded domain list; Formbook beacons to decoy domains alongside its real C2 server to obscure which one is live.

  • Formbook family
  • Formbook payload 2 IoCs
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1192
    • C:\Users\Admin\AppData\Local\Temp\bjzfttovhy.exe
      "C:\Users\Admin\AppData\Local\Temp\bjzfttovhy.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2192
      • C:\Users\Admin\AppData\Local\Temp\bjzfttovhy.exe
        "C:\Users\Admin\AppData\Local\Temp\bjzfttovhy.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2720
    • C:\Windows\SysWOW64\systray.exe
      "C:\Windows\SysWOW64\systray.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2808
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\bjzfttovhy.exe"
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        PID:2852
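The tree above is the standard Formbook chain: the dropper launches a second copy of itself and hollows it (SetThreadContext on 2192 -> 2720), a Windows system binary appears under Explorer as the second host (systray.exe, 2808), and that host runs `cmd /c del` on the dropper. The following detection logic is an added example, not part of the report or of any sandbox's tooling; the events are constructed from the process tree (same PIDs, parents and command lines), and the event schema, allowlist and path heuristics are assumptions to tune against real telemetry.

```python
"""Flag a Formbook-style injection chain in process-creation events.

Added example, not part of the sandbox report or of any sandbox's tooling.
The events are constructed from the report's process tree (same PIDs, parents
and command lines); the event schema and the heuristics are assumptions.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process tree (Explorer given ppid 0 as the root).
EVENTS = [
    ProcEvent(1192, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(2192, 1192, r"C:\Users\Admin\AppData\Local\Temp\bjzfttovhy.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\bjzfttovhy.exe"'),
    ProcEvent(2720, 2192, r"C:\Users\Admin\AppData\Local\Temp\bjzfttovhy.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\bjzfttovhy.exe"'),
    ProcEvent(2808, 1192, r"C:\Windows\SysWOW64\systray.exe", r'"C:\Windows\SysWOW64\systray.exe"'),
    ProcEvent(2852, 2808, r"C:\Windows\SysWOW64\cmd.exe",
              r'/c del "C:\Users\Admin\AppData\Local\Temp\bjzfttovhy.exe"'),
]

# Assumed allowlist: browsers and similar legitimately spawn copies of themselves.
SELF_SPAWN_ALLOWLIST = {"chrome.exe", "msedge.exe", "firefox.exe", "conhost.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
SYSTEM_DIRS = ("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")
DEL_RE = re.compile(r'/c\s+del\s+"?([^"]+?\.exe)"?', re.IGNORECASE)


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _user_writable(path: str) -> bool:
    return any(seg in path.lower() for seg in USER_WRITABLE)


def find_self_hollowing(events):
    """Parent and child share one image under a user-writable path: the sample
    re-launches itself and overwrites the child (report: 2192 -> 2720)."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if (parent is not None
                and parent.image.lower() == e.image.lower()
                and _base(e.image) not in SELF_SPAWN_ALLOWLIST
                and _user_writable(e.image)):
            hits.append((parent.pid, e.pid))
    return hits


def find_delete_after_inject(events):
    """A system binary spawned by Explorer runs `cmd /c del` on an executable in a
    user-writable directory: the injected host removing the dropper (report: 2808 -> 2852)."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if _base(e.image) != "cmd.exe":
            continue
        m = DEL_RE.search(e.cmdline)
        if not m or not _user_writable(m.group(1)):
            continue
        parent = by_pid.get(e.ppid)
        grandparent = by_pid.get(parent.ppid) if parent else None
        if (parent is not None
                and parent.image.lower().startswith(SYSTEM_DIRS)
                and grandparent is not None
                and _base(grandparent.image) == "explorer.exe"):
            hits.append((parent.pid, e.pid, m.group(1)))
    return hits


def detect_chain(events):
    """Tie the two stages together: the file deleted in stage two must be the image
    hollowed in stage one. Returns None when the chain does not line up."""
    by_pid = {e.pid: e for e in events}
    deletes = {target.lower(): (host, cmd) for host, cmd, target in find_delete_after_inject(events)}
    for parent_pid, child_pid in find_self_hollowing(events):
        image = by_pid[child_pid].image
        if image.lower() in deletes:
            host_pid, cmd_pid = deletes[image.lower()]
            return {"dropper": image, "hollowed": (parent_pid, child_pid),
                    "host": host_pid, "cleanup": cmd_pid}
    return None


if __name__ == "__main__":
    print(detect_chain(EVENTS))
```

Either stage alone is noisy (installers re-launch themselves, updaters delete their own temp files); requiring the deleted path to equal the hollowed image, with the deleting cmd.exe under a system binary that sits under Explorer as in this tree, is what makes the combination worth alerting on.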

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/1192-5-0x0000000000010000-0x0000000000020000-memory.dmp

    Filesize

    64KB

  • memory/1192-6-0x0000000005010000-0x0000000005146000-memory.dmp

    Filesize

    1.2MB

  • memory/1192-12-0x0000000005010000-0x0000000005146000-memory.dmp

    Filesize

    1.2MB

  • memory/2192-0-0x0000000000140000-0x0000000000142000-memory.dmp

    Filesize

    8KB

  • memory/2720-2-0x0000000000820000-0x0000000000B23000-memory.dmp

    Filesize

    3.0MB

  • memory/2720-4-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2720-3-0x000000000041F000-0x0000000000420000-memory.dmp

    Filesize

    4KB

  • memory/2808-10-0x00000000006B0000-0x00000000006B5000-memory.dmp

    Filesize

    20KB

  • memory/2808-8-0x00000000006B0000-0x00000000006B5000-memory.dmp

    Filesize

    20KB

  • memory/2808-11-0x00000000000C0000-0x00000000000EF000-memory.dmp

    Filesize

    188KB
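The dump names encode the region bounds, which lets the listing be read without opening a single file: the 188KB region at 0x400000 in the hollowed child (2720) and the 188KB region at 0xC0000 in systray.exe (2808) are the same size, and the 4KB dump at 0x41F000 lies inside the first. The script below is an added example, not part of the report or of any sandbox's tooling; the filenames are copied from the Downloads list, the naming scheme is read off those names, and the heuristics (equal-sized regions in two processes, a region at the default 32-bit image base, nested regions) are the analyst's assumptions.

```python
"""Correlate memory regions dumped from several processes by a sandbox.

Added example, not part of the report or of any sandbox's tooling. The dump
names are copied from the report's Downloads section; the naming scheme
memory/<pid>-<n>-<start>-<end>-memory.dmp is read off those names, and the
heuristics are the analyst's assumptions.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Copied from the report's Downloads list.
DUMPS = [
    "memory/1192-5-0x0000000000010000-0x0000000000020000-memory.dmp",
    "memory/1192-6-0x0000000005010000-0x0000000005146000-memory.dmp",
    "memory/1192-12-0x0000000005010000-0x0000000005146000-memory.dmp",
    "memory/2192-0-0x0000000000140000-0x0000000000142000-memory.dmp",
    "memory/2720-2-0x0000000000820000-0x0000000000B23000-memory.dmp",
    "memory/2720-4-0x0000000000400000-0x000000000042F000-memory.dmp",
    "memory/2720-3-0x000000000041F000-0x0000000000420000-memory.dmp",
    "memory/2808-10-0x00000000006B0000-0x00000000006B5000-memory.dmp",
    "memory/2808-8-0x00000000006B0000-0x00000000006B5000-memory.dmp",
    "memory/2808-11-0x00000000000C0000-0x00000000000EF000-memory.dmp",
]


def parse_dump(name):
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range: {name}")
    return {"pid": int(m["pid"]), "idx": int(m["idx"]), "start": start, "end": end, "size": end - start}


def human_size(size):
    """Match the report's rounding: whole KB below 1 MiB, one decimal of MB above."""
    return f"{size / 1048576:.1f}MB" if size >= 1048576 else f"{size // 1024}KB"


def unique_regions(names):
    """The sandbox dumped some regions twice (1192-6/1192-12, 2808-8/2808-10);
    collapse those to one entry per (pid, start, end)."""
    seen = {}
    for d in map(parse_dump, names):
        seen.setdefault((d["pid"], d["start"], d["end"]), d)
    return list(seen.values())


def shared_sizes(names):
    """Sizes that occur in more than one process, with where they sit. An identical
    size in the hollowed child and in the system-process host is the usual sign of
    the same unpacked payload mapped in both."""
    by_size = defaultdict(list)
    for d in unique_regions(names):
        by_size[d["size"]].append((d["pid"], d["start"]))
    return {s: sorted(r) for s, r in by_size.items() if len({p for p, _ in r}) > 1}


def at_image_base(names, base=0x400000):
    """PIDs with a dumped region starting at the default 32-bit PE image base,
    where a hollowed process has its replacement image mapped."""
    return sorted({d["pid"] for d in unique_regions(names) if d["start"] == base})


def nested_regions(names):
    """(inner, outer) pairs where a smaller dump lies inside a larger one of the same PID."""
    regs = unique_regions(names)
    out = []
    for a in regs:
        for b in regs:
            if (a is not b and a["pid"] == b["pid"]
                    and b["start"] <= a["start"] and a["end"] <= b["end"]):
                out.append(((a["pid"], a["start"]), (b["pid"], b["start"])))
    return out


if __name__ == "__main__":
    for size, where in shared_sizes(DUMPS).items():
        print(human_size(size), [(p, hex(s)) for p, s in where])
    print("image-base regions:", at_image_base(DUMPS))
    print("nested:", [(hex(i[1]), hex(o[1])) for i, o in nested_regions(DUMPS)])
```

The two 188KB dumps (2720-4 and 2808-11) are the ones to pull first when looking for the unpacked payload and its configuration; the 4KB page nested at 0x41F000 is a data page inside that image, and the larger 3.0MB and 1.2MB regions are working buffers rather than mapped code.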