Overview

overview

10

Static

static

3

30af910477...51.exe

windows7-x64

10

30af910477...51.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    05-02-2025 03:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    30af910477a154c4b07fa1cbb928f78bc7d714329f725b2a1f2cf7f3139ce351.exe

  • Size

    908KB

  • MD5

    624e535330a688d0e78e8a4e4ca70d97

  • SHA1

    07161ed138f1ee9b5463391d6398b8f85a9dd2b6

  • SHA256

    30af910477a154c4b07fa1cbb928f78bc7d714329f725b2a1f2cf7f3139ce351

  • SHA512

    ce5e3b37da471efac83f2c9b0f1554756385af0cc68589eec427924fd7b61d561863c309aca01f04019c887196e9da3c2e4396a08082b667edae0b1a84536fb3

  • SSDEEP

    12288:h8SCnWMYou4yCyCx++xHDZqhxGrK6PJ9UqOMBXaWpelivORs9iV5V:h8SCnWMvyCyC8+xkxGnDUqOM1Gi22k3

Score
10/10
formbooka01ddiscoveryexecutionratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

a01d

Decoy

eniorshousing05.shop

rywisevas.biz

4726.pizza

itchen-design-42093.bond

3456.tech

4825.plus

nlinecraps.xyz

itamins-52836.bond

nfluencer-marketing-40442.bond

nline-advertising-58573.bond

rautogroups.net

limbtrip.net

oftware-download-14501.bond

nline-advertising-66733.bond

erity.xyz

xknrksi.icu

x-ist.club

yber-security-26409.bond

oincatch.xyz

onitoring-devices-34077.bond

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook family
    formbook
  • Formbook payload 3 IoCs
    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 35 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1196
      • C:\Users\Admin\AppData\Local\Temp\30af910477a154c4b07fa1cbb928f78bc7d714329f725b2a1f2cf7f3139ce351.exe
        "C:\Users\Admin\AppData\Local\Temp\30af910477a154c4b07fa1cbb928f78bc7d714329f725b2a1f2cf7f3139ce351.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1420
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\30af910477a154c4b07fa1cbb928f78bc7d714329f725b2a1f2cf7f3139ce351.exe"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2664
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\qOYDqUGqoG.exe"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2884
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qOYDqUGqoG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp422E.tmp"
          3⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:2792
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
          3⤵
            PID:2368
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
            3⤵
              PID:1508
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
              3⤵
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2016
              • C:\Windows\SysWOW64\explorer.exe
                "C:\Windows\SysWOW64\explorer.exe"
                4⤵
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: MapViewOfSection
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1736
                • C:\Windows\SysWOW64\cmd.exe
                  /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                  5⤵
                  • System Location Discovery: System Language Discovery
                  PID:1968

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\tmp422E.tmp
          Filesize

          1KB

          MD5

          5332396a56234c0f4d58907693be1b1a

          SHA1

          27ff3f25dadfde8d8644555d01dc98ae0b17fbf4

          SHA256

          7a08951048220267e24d0e5901377027fda33d229488b139973b073d30c1cdbe

          SHA512

          ff82e0a6b5ee66169683c4e9da02c3ed6df84ddeb6dc00f68291b49f19f9524ca8d4a08f5cae05b2c77c38be587add3e13df548afc747e87f64950df02fc29cc

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
          Filesize

          7KB

          MD5

          caba32bbe0c718ec8cd7d9de3f5f525d

          SHA1

          9efa6a619e6b76885bb33fcbec85c62e246534a5

          SHA256

          d9d2087d967ec627ecdebd19e0eddffe2bcaa188a7f6f95d67779f027f1bcb11

          SHA512

          ab180ec91a3524e4953b32e6472c3295fac899309ee418f3ea87946e0f746b15e546e7a581bacdc7c4e8d770ce21675398a91482e3b40ae792a13192b19d058b

          Download Submit

        • memory/1196-31-0x0000000006E50000-0x0000000006FB8000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1420-4-0x000000007497E000-0x000000007497F000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1420-26-0x0000000074970000-0x000000007505E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/1420-5-0x0000000074970000-0x000000007505E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/1420-6-0x0000000000360000-0x00000000003DA000-memory.dmp

          Filesize

          488KB

          Download

        • memory/1420-3-0x0000000000900000-0x000000000091E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/1420-2-0x0000000074970000-0x000000007505E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/1420-1-0x0000000000930000-0x0000000000A18000-memory.dmp

          Filesize

          928KB

          Download

        • memory/1420-0-0x000000007497E000-0x000000007497F000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1736-29-0x00000000008C0000-0x0000000000B41000-memory.dmp

          Filesize

          2.5MB

          Download

        • memory/1736-30-0x0000000000080000-0x00000000000AF000-memory.dmp

          Filesize

          188KB

          Download

        • memory/2016-24-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

          Download

        • memory/2016-23-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2016-21-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

          Download

        • memory/2016-27-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

          Download

        • memory/2016-19-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

          Download