Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    15/01/2025, 03:09 UTC

General

  • Target

    ORDER ENQIRY #093727664.exe

  • Size

    1.3MB

  • MD5

    6c307da605db691944e35458f2a5b772

  • SHA1

    b89158e370a8658cf3a6ed2bb78925e004034905

  • SHA256

    f65ec81dc8f5d0a0a1f53752cdc2bb933e2897a91091f28b8d1702ffe207481c

  • SHA512

    2c3dc98e9850a509d30b556c5bbc0941735ef26cfcb45cf23392a1c9e23012dd46d9916792c5c559d5cb2a3b27b1d96bfdf7d89f9f1b01db7bfc2630b17dfe17

  • SSDEEP

    24576:bqDEvCTbMWu7rQYlBQcBiT6rprG8aj1BV+opERjUD4TV3Y4M1:bTvC/MTQYxsWR7ajTkoUUwJY

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

g49t

Decoy

oast.now

11av1805.xyz

ourse.sale

nfoaldyfbvmdgfat.buzz

ntli.biz

apidrotation.net

ourmet94goodies.shop

eeksee.fun

aamahsa-emer6.rest

he-eyeofgod.online

ctofoot.net

ellnessdigitalmedia.store

0999yh.one

inghoki88.pro

sg.productions

basicwardrobe.club

itansofwisdom.fun

leaning-services-46734.bond

dinhk.online

arcelaamiga.shop

Signatures

  • Formbook

    Formbook is an information stealer (form grabber) that captures credentials, keystrokes, clipboard contents and data entered into browser forms, and runs from within legitimate Windows processes it injects into.

  • Formbook family
  • Formbook payload 3 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1216
    • C:\Users\Admin\AppData\Local\Temp\ORDER ENQIRY #093727664.exe
      "C:\Users\Admin\AppData\Local\Temp\ORDER ENQIRY #093727664.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2556
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\ORDER ENQIRY #093727664.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2360
    • C:\Windows\SysWOW64\wininit.exe
      "C:\Windows\SysWOW64\wininit.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2396
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\SysWOW64\svchost.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2112

Network

  • flag-us
    DNS
    www.ellnessdigitalmedia.store
    Explorer.EXE
    Remote address:
    8.8.8.8:53
    Request
    www.ellnessdigitalmedia.store
    IN A
    Response
  • flag-us
    DNS
    www.0999yh.one
    Explorer.EXE
    Remote address:
    8.8.8.8:53
    Request
    www.0999yh.one
    IN A
    Response
  • flag-us
    DNS
    www.raveheart2.online
    Explorer.EXE
    Remote address:
    8.8.8.8:53
    Request
    www.raveheart2.online
    IN A
    Response
  • flag-us
    DNS
    www.arehouse-inventory-93551.bond
    Explorer.EXE
    Remote address:
    8.8.8.8:53
    Request
    www.arehouse-inventory-93551.bond
    IN A
    Response
  • flag-us
    DNS
    www.hermocontrol.xyz
    Explorer.EXE
    Remote address:
    8.8.8.8:53
    Request
    www.hermocontrol.xyz
    IN A
    Response
  • 8.8.8.8:53
    www.ellnessdigitalmedia.store
    dns
    Explorer.EXE
    75 B
    140 B
    1
    1

    DNS Request

    www.ellnessdigitalmedia.store

  • 8.8.8.8:53
    www.0999yh.one
    dns
    Explorer.EXE
    60 B
    121 B
    1
    1

    DNS Request

    www.0999yh.one

  • 8.8.8.8:53
    www.raveheart2.online
    dns
    Explorer.EXE
    67 B
    132 B
    1
    1

    DNS Request

    www.raveheart2.online

  • 8.8.8.8:53
    www.arehouse-inventory-93551.bond
    dns
    Explorer.EXE
    79 B
    144 B
    1
    1

    DNS Request

    www.arehouse-inventory-93551.bond

  • 8.8.8.8:53
    www.hermocontrol.xyz
    dns
    Explorer.EXE
    66 B
    131 B
    1
    1

    DNS Request

    www.hermocontrol.xyz
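
Every DNS request in this run comes from Explorer.EXE, consistent with the Explorer memory regions dumped under Downloads and with the injection indicators on PID 1216, and only two of the five names resolved (www.ellnessdigitalmedia.store, www.0999yh.one) appear in the extracted decoy list; the other three are not in the config, so a block list built from the config alone would miss them. The Python below is an added example and not part of the sandbox report: it normalises the queried names (lower-case, leading "www." dropped), cross-references them against the extracted decoys, flags queries from processes that should not be resolving external names, and builds the union block list. The tuple layout and the NO_DNS_EXPECTED heuristic are assumptions of this example.

```python
"""
Added example (not part of the sandbox report): cross-reference the DNS queries
recorded in the Network section against the decoy domains in the extracted
Formbook config. The two lists are copied from this report; the (process, qname)
tuple layout is an assumed representation, not the sandbox's.
"""

# Decoy domains exactly as listed under "Malware Config" above.
DECOY_DOMAINS = [
    "oast.now", "11av1805.xyz", "ourse.sale", "nfoaldyfbvmdgfat.buzz", "ntli.biz",
    "apidrotation.net", "ourmet94goodies.shop", "eeksee.fun", "aamahsa-emer6.rest",
    "he-eyeofgod.online", "ctofoot.net", "ellnessdigitalmedia.store", "0999yh.one",
    "inghoki88.pro", "sg.productions", "basicwardrobe.club", "itansofwisdom.fun",
    "leaning-services-46734.bond", "dinhk.online", "arcelaamiga.shop",
]

# A-record requests from the Network section: (requesting process, query name).
DNS_QUERIES = [
    ("Explorer.EXE", "www.ellnessdigitalmedia.store"),
    ("Explorer.EXE", "www.0999yh.one"),
    ("Explorer.EXE", "www.raveheart2.online"),
    ("Explorer.EXE", "www.arehouse-inventory-93551.bond"),
    ("Explorer.EXE", "www.hermocontrol.xyz"),
]

# Processes that have no business resolving arbitrary external names; a query from
# one of them is an injection indicator on its own (assumed heuristic; svchost.exe is
# deliberately absent because the DNS Client service legitimately runs inside it).
NO_DNS_EXPECTED = {"explorer.exe", "wininit.exe"}


def normalise(name):
    """Lower-case, drop a trailing dot and a leading 'www.' so config entries and queries compare equal."""
    n = name.strip().rstrip(".").lower()
    return n[4:] if n.startswith("www.") else n


def correlate(queries, decoys):
    """Split observed queries into config-known and config-unknown, and flag odd requesters."""
    decoy_set = {normalise(d) for d in decoys}
    matched, unmatched, odd_source = [], [], []
    for proc, qname in queries:
        (matched if normalise(qname) in decoy_set else unmatched).append(qname)
        if proc.lower() in NO_DNS_EXPECTED:
            odd_source.append((proc, qname))
    return {
        "matched": matched,
        "unmatched": unmatched,
        "odd_source": odd_source,
        "config_coverage": len(matched) / len(queries) if queries else 0.0,
    }


def block_list(queries, decoys):
    """Union of config decoys and observed queries as bare names, ready for a DNS sinkhole or RPZ."""
    return sorted({normalise(d) for d in decoys} | {normalise(q) for _, q in queries})


if __name__ == "__main__":
    result = correlate(DNS_QUERIES, DECOY_DOMAINS)
    print(f"in config:      {result['matched']}")
    print(f"not in config:  {result['unmatched']}")
    print(f"config covers {result['config_coverage']:.0%} of observed queries")
    print(f"queries from unexpected processes: {len(result['odd_source'])}")
    print(f"{len(block_list(DNS_QUERIES, DECOY_DOMAINS))} names in the combined block list")
```

The coverage figure is the practical point: the extracted config explains 40% of what the sample actually resolved in 148 seconds, so the observed queries have to be added to the block list rather than relying on the config dump alone, and the "www." prefix has to be normalised away or none of the entries will match.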

MITRE ATT&CK Enterprise v15


Downloads

  • memory/1216-9-0x0000000004FD0000-0x0000000005102000-memory.dmp

    Filesize

    1.2MB

  • memory/1216-22-0x0000000006740000-0x000000000688D000-memory.dmp

    Filesize

    1.3MB

  • memory/1216-20-0x0000000006740000-0x000000000688D000-memory.dmp

    Filesize

    1.3MB

  • memory/1216-19-0x0000000006740000-0x000000000688D000-memory.dmp

    Filesize

    1.3MB

  • memory/1216-14-0x0000000004FD0000-0x0000000005102000-memory.dmp

    Filesize

    1.2MB

  • memory/2360-7-0x0000000000270000-0x0000000000284000-memory.dmp

    Filesize

    80KB

  • memory/2360-6-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2360-4-0x00000000009D0000-0x0000000000CD3000-memory.dmp

    Filesize

    3.0MB

  • memory/2360-3-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2396-10-0x0000000000B20000-0x0000000000B3A000-memory.dmp

    Filesize

    104KB

  • memory/2396-12-0x0000000000B20000-0x0000000000B3A000-memory.dmp

    Filesize

    104KB

  • memory/2396-13-0x0000000000110000-0x000000000013F000-memory.dmp

    Filesize

    188KB

  • memory/2556-2-0x0000000000B30000-0x0000000000F30000-memory.dmp

    Filesize

    4.0MB
