Overview

overview

10

Static

static

5

346E804F38...45.exe

windows7-x64

10

346E804F38...45.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-01-2025 07:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    346E804F385A59DEED6EEEFAC709FFD18468BBEFD31A62B3ADAD7232BA5E6245.exe

  • Size

    1.0MB

  • MD5

    d21e850ec672153fc40406d9307be42b

  • SHA1

    fd56cf57e537b7e24c416bb60cb278320c42a57a

  • SHA256

    346e804f385a59deed6eeefac709ffd18468bbefd31a62b3adad7232ba5e6245

  • SHA512

    614d3280893562c9dde062ccd453d3c2306ec7b9538ce06f8d6eb54285c3987385ac1fd4d039c234ca29b6a08fac9d6bde4e15be200e156f754ab8b388dafdf9

  • SSDEEP

    24576:Q4lavt0LkLL9IMixoEgeaHdf91hplyQxbKq9MmCS:Hkwkn9IMHeaHdlnyQxOaPCS

Score
10/10
formbookkr28discoveryratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

kr28

Decoy

8pehzswy1.com

charliebluewellness.net

telehealthtravel.com

d6ir07.vip

consciouscapital.observer

and-good.world

metapod.fm

ereccprime.us

nihb.tokyo

tsbot.us

lkbc.store

lev-casino-qjm.buzz

freshfit.co.za

novinlopik.store

surrealfurrealart.com

endless-garage.com

newlaunchinthane.co.in

diamondtalesstore.com

yooyarkyoodai.com

hippomarketplace.shop

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook family
    formbook
  • Formbook payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3452
    • C:\Users\Admin\AppData\Local\Temp\346E804F385A59DEED6EEEFAC709FFD18468BBEFD31A62B3ADAD7232BA5E6245.exe
      "C:\Users\Admin\AppData\Local\Temp\346E804F385A59DEED6EEEFAC709FFD18468BBEFD31A62B3ADAD7232BA5E6245.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2440
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\346E804F385A59DEED6EEEFAC709FFD18468BBEFD31A62B3ADAD7232BA5E6245.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1488
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 812
        3⤵
        • Program crash
        PID:4068
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\SysWOW64\wscript.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2300
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\SysWOW64\svchost.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3324
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2440 -ip 2440
    1⤵
      PID:2448

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1488-14-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/1488-11-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/1488-12-0x0000000001200000-0x000000000154A000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1488-15-0x0000000001630000-0x0000000001644000-memory.dmp

      Filesize

      80KB

      Download

    • memory/2300-17-0x0000000000100000-0x0000000000127000-memory.dmp

      Filesize

      156KB

      Download

    • memory/2300-18-0x0000000000100000-0x0000000000127000-memory.dmp

      Filesize

      156KB

      Download

    • memory/2300-19-0x0000000000940000-0x000000000096F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2440-10-0x0000000004230000-0x0000000004234000-memory.dmp

      Filesize

      16KB

      Download

    • memory/3452-16-0x0000000003370000-0x000000000344E000-memory.dmp

      Filesize

      888KB

      Download

    • memory/3452-20-0x0000000003370000-0x000000000344E000-memory.dmp

      Filesize

      888KB

      Download

    • memory/3452-24-0x0000000008BE0000-0x0000000008D13000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/3452-25-0x0000000008BE0000-0x0000000008D13000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/3452-27-0x0000000008BE0000-0x0000000008D13000-memory.dmp

      Filesize

      1.2MB

      Download