Analysis

  • max time kernel
    148s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    29-12-2024 11:14

General

  • Target

    DT0912.exe

  • Size

    1.2MB

  • MD5

    35605d52ce7729150f07f79a6d14a415

  • SHA1

    f123414e65aef81242fa4cee2779de1a2a62d377

  • SHA256

    7f5165dc64cbd376f256758989a91cf0600173d59f4384ad112a40dce8db530d

  • SHA512

    20e14a0cb568d28d7d94ebbfa5a053fee8f547bc03b3c7888263d50f2438eed86d71959e8b0eb4d9b79c279fddc68cadc5da0e6be850f58fbbc497f3253b9ee2

  • SSDEEP

    24576:iAOcZXp0TRXJFPJ0MK8WRyl/ZUkjPV99npuezy71oporahG:oFXPJ0MKzYhUkj9fZe6GJ

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

t01w

Decoy


Signatures

  • Formbook

    Formbook is a data-stealing malware family that harvests credentials, keystrokes and form data from infected hosts.

  • Formbook family
  • Formbook payload 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Gathers network information 2 TTPs 1 IoCs

    Uses a command-line utility to view the network configuration.

  • Suspicious behavior: EnumeratesProcesses 35 IoCs
  • Suspicious behavior: MapViewOfSection 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1100
    • C:\Users\Admin\AppData\Local\Temp\DT0912.exe
      "C:\Users\Admin\AppData\Local\Temp\DT0912.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2464
      • C:\Users\Admin\AppData\Local\Temp\2_101\xloxhh.pif
        "C:\Users\Admin\AppData\Local\Temp\2_101\xloxhh.pif" kjwo.mgn
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2712
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          4⤵
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2752
          • C:\Windows\SysWOW64\colorcpl.exe
            "C:\Windows\SysWOW64\colorcpl.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2016
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          4⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:2480
    • C:\Windows\SysWOW64\ipconfig.exe
      "C:\Windows\SysWOW64\ipconfig.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Gathers network information
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1752
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2028

Downloads

  • C:\Users\Admin\AppData\Local\Temp\2_101\nxvvj.ldr

    Filesize

    370KB

    MD5

    4042b086cf8df0770f753726e4b6c4b9

    SHA1

    14caa496049a1ba222eb941e12356cffff5d8b9e

    SHA256

    007258bb8950deeff87478499a383f83a206a54ac1e2368b80f9ffbab63ad4c6

    SHA512

    975cef0d39a894efd5c81f4931768ac5d37cab862992a8479d4ea239f854d48441ca9499bdf986eb6011ce3319ebacce8a418948e0f484d3581cff88ad39c88d

  • C:\Users\Admin\AppData\Local\Temp\2_101\usjhb.ini

    Filesize

    41KB

    MD5

    d448358249bf35da4ef7231b3be856e5

    SHA1

    833677b1b2a39ec3b24e72345e268297afa480ea

    SHA256

    ca8fdd6895dec6ffa46e980d83bcb4c51f31a04c73836b6afe33bb854c391c19

    SHA512

    c79e3ec6179a21226e9d4dcfef3446fe2e375f69522dfe21b52f6c369e82b7c15187ea84bb3db0fa3bca58be540cbeb81c7ad1ea2e5b4def03a401e8cc08ff1b

  • \Users\Admin\AppData\Local\Temp\2_101\xloxhh.pif

    Filesize

    1.7MB

    MD5

    dd3466f64841cf21fc31f63f03dbfd29

    SHA1

    3878c8e52203d792c6f672595f7c78ab27ce3f04

    SHA256

    4fe3004208ed574521992dd1ba3d900b75a0f02f1d63ba1e531d309e85ffa06b

    SHA512

    adf3fe8378f7da5ba278db9a1df4cc7b5cff12398ec39ee7037382ebf57897de8bec72be64b5e7332bdb7ed865788dcb6ef4ceda6654e1153d39fe84b011b057
