Overview

overview

10

Static

static

Payment advice.exe

windows7_x64

10

Payment advice.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    134s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    27-07-2021 18:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Payment advice.exe

  • Size

    1.6MB

  • MD5

    82816953c8ab81cab088fe61e1d64789

  • SHA1

    36191f22e133db1ee5bb747e47098d039366e0a4

  • SHA256

    955a1caeb560cf3f1db7d818eb00b8dd0a661c53b499460a55454d686f7481d1

  • SHA512

    a13a11ee08c715fab51897bd2410b83bf25d4fa8e7546c179c1b8bd00fd211eb423dcd2092a3d56224a8bdc0c50c610a95f0328341fbead1f6ca18ada2d3b8d8

Score
10/10
formbookratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.yjhlgg.com/grve/

Decoy

jrvinganimalexterminator.com

smallsyalls.com

po1c3.com

mencg.com

aussieenjoyment.today

espace22.com

aanmelding-desk.info

gallopshoes.com

nftsexy.com

ricosdulcesmexicanos.com

riseswift.com

thechicthirty.com

matdcg.com

alternet.today

creativehuesdesigns.com

rjkcrafts.com

lowdosemortgage.com

adoptahamster.com

wellness-sense.com

jacardcapital.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • suricata: ET MALWARE FormBook CnC Checkin (GET)
    suricata
  • Formbook Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:3052
    • C:\Users\Admin\AppData\Local\Temp\Payment advice.exe
      "C:\Users\Admin\AppData\Local\Temp\Payment advice.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3172
      • C:\Users\Admin\AppData\Local\Temp\Payment advice.exe
        "C:\Users\Admin\AppData\Local\Temp\Payment advice.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:3152
    • C:\Windows\SysWOW64\wlanext.exe
      "C:\Windows\SysWOW64\wlanext.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3940
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\Payment advice.exe"
        3⤵
          PID:1516

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1516-135-0x0000000000000000-mapping.dmp
      Download
    • memory/3052-138-0x0000000005E30000-0x0000000005ED7000-memory.dmp
      Filesize

      668KB

      Download
    • memory/3052-131-0x0000000002AE0000-0x0000000002BA7000-memory.dmp
      Filesize

      796KB

      Download
    • memory/3052-128-0x0000000005F50000-0x00000000060BD000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/3152-125-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/3152-130-0x00000000012F0000-0x0000000001304000-memory.dmp
      Filesize

      80KB

      Download
    • memory/3152-129-0x00000000012B0000-0x00000000012C4000-memory.dmp
      Filesize

      80KB

      Download
    • memory/3152-127-0x0000000001330000-0x0000000001650000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/3152-126-0x000000000041EAF0-mapping.dmp
      Download
    • memory/3172-121-0x00000000054E0000-0x000000000557C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/3172-118-0x0000000005620000-0x0000000005621000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3172-123-0x0000000001490000-0x0000000001505000-memory.dmp
      Filesize

      468KB

      Download
    • memory/3172-122-0x0000000005010000-0x000000000503D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/3172-114-0x0000000000BA0000-0x0000000000BA1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3172-120-0x0000000005810000-0x0000000005811000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3172-119-0x0000000005560000-0x0000000005561000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3172-124-0x0000000001510000-0x0000000001540000-memory.dmp
      Filesize

      192KB

      Download
    • memory/3172-116-0x0000000005580000-0x0000000005581000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3172-117-0x0000000005BD0000-0x0000000005BD1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3940-134-0x0000000002CC0000-0x0000000002CEE000-memory.dmp
      Filesize

      184KB

      Download
    • memory/3940-133-0x0000000000C10000-0x0000000000C27000-memory.dmp
      Filesize

      92KB

      Download
    • memory/3940-136-0x0000000003000000-0x000000000314A000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3940-137-0x0000000003400000-0x0000000003493000-memory.dmp
      Filesize

      588KB

      Download
    • memory/3940-132-0x0000000000000000-mapping.dmp
      Download