Overview

overview

10

Static

static

5

MV Starship.exe

windows7-x64

10

MV Starship.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-06-2024 01:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MV Starship.exe

  • Size

    1.1MB

  • MD5

    7735fefaf6b16dd97499d0d2016dff1b

  • SHA1

    598d7c0eea1ca5fee2f7d8c052a01225bcd72761

  • SHA256

    3cc81b7a9a59609e3267d06fad726352660b7c2e5c896c193939aff4744d499d

  • SHA512

    4df13f92972522e14497ad16051b876983caf97810bb00128030b0121289eb11cf4774b5f458ae04a0ba3b7ceb4a2b6de913dddfef357fd8a164eff3093c4ad9

  • SSDEEP

    24576:IAHnh+eWsN3skA4RV1Hom2KXMmHaxnRjGf9UYfLOKlD6J1y5:Ph+ZkldoPK8YaxnRjGSYfLdRN

Score
10/10
formbookty31ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ty31

Decoy

jejakunik.com

inb319.com

jifsjn.buzz

gkyukon.site

43443.cfd

cogil69id.com

oeaog.com

lpgatm.com

mymarketsales.com

tomclk.icu

404417.online

nysconstruction.com

ourwisequote.com

ahsanadvisory.com

ottawaherps.com

forevermust.com

apartments-for-rent-47679.bond

kdasjijaksdd.icu

buthaynah.com

manggungjayakanopi.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 58 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3240
    • C:\Users\Admin\AppData\Local\Temp\MV Starship.exe
      "C:\Users\Admin\AppData\Local\Temp\MV Starship.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:5020
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\MV Starship.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:464
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
        PID:4308
      • C:\Windows\SysWOW64\systray.exe
        "C:\Windows\SysWOW64\systray.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:548
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Windows\SysWOW64\svchost.exe"
          3⤵
            PID:3824
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3932 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
        1⤵
          PID:4312

        Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/464-15-0x00000000009C0000-0x00000000009D4000-memory.dmp
          Filesize

          80KB

          Download
        • memory/464-11-0x0000000000400000-0x000000000042F000-memory.dmp
          Filesize

          188KB

          Download
        • memory/464-12-0x0000000001500000-0x000000000184A000-memory.dmp
          Filesize

          3.3MB

          Download
        • memory/464-14-0x0000000000400000-0x000000000042F000-memory.dmp
          Filesize

          188KB

          Download
        • memory/548-17-0x0000000000C20000-0x0000000000C26000-memory.dmp
          Filesize

          24KB

          Download
        • memory/548-19-0x0000000000C20000-0x0000000000C26000-memory.dmp
          Filesize

          24KB

          Download
        • memory/548-20-0x0000000000CB0000-0x0000000000CDF000-memory.dmp
          Filesize

          188KB

          Download
        • memory/3240-16-0x00000000087F0000-0x000000000892F000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/3240-22-0x00000000087F0000-0x000000000892F000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/3240-25-0x0000000008A20000-0x0000000008B66000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3240-26-0x0000000008A20000-0x0000000008B66000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/3240-29-0x0000000008A20000-0x0000000008B66000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/5020-10-0x0000000000BE0000-0x0000000000BE4000-memory.dmp
          Filesize

          16KB

          Download