Analysis
- Max time kernel: 122s
- Max time network: 129s
- Platform: windows7_x64
- Resource: win7-en-20211208
- Submitted: 31-01-2022 17:19

Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: scan._bank_transfer_alhali_bank_12_09_2021.exe
  - Resource: win7-en-20211208
General
- Target: scan._bank_transfer_alhali_bank_12_09_2021.exe
- Size: 595KB
- MD5: 2bf76c0c064f27112084d2b519c5c5f0
- SHA1: 1776615c937ec34b85d6333ab02d0571afffb6f6
- SHA256: 31573322ef0e4c9d77a36ba43b66edc88da6d66a7be519d118b7c01d0986baca
- SHA512: b9ed3eb56cc3838c67d56c5eff065a876c0599d60a400a0eb0c722ad9ce0658379383635ed0393cce8007688e174e425196d8aa8fef80e88049588da09583cc2
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: im8r
- C2 domains:
rivoluzione2020.online
palacesaintgermain.com
creatri.com
krazzyhost.com
xxxstreaming.online
perfectoptionsfx.com
creativebay.art
hazelineshop.com
stfpk.com
flaxx.life
symphonyone.info
amlakzamanpor.com
indianhomehealthcare.net
blacktanandwhite.com
kannabofy.com
anthonycrivello.com
eduvill.net
bonnybuy.com
burneteris.info
mysarasotahomevalue.com
vpgevuqo.icu
opaltechnology.net
kiralikkocaelivinc.com
worldcupreplays.com
bokzer.com
cincinnatihardwoodflooring.com
miatreet.com
xiaodoutao.com
jessicacoppetstudio.com
athenssunbeds.com
pupusastruck.com
hg8808dh.com
bcx66.com
simplifiedpeace.com
genuineses.com
iraqmatrimony.com
paylessshops.com
victorimag.com
circawebdesign.com
dallassalesrecruiters.net
zenithaoc.com
dawnlo.com
squaremile.design
cruisestrade.asia
akezlink.com
distinctkultureapparel.com
dreamsvilleventures.com
strifecta.com
thissoftwareworks.com
first2play.com
mansamobile.com
muellermultimedia.com
allinpd.com
jubefa.com
eleccionsfcb.cat
www62037.com
jjkvic.com
thediabeticdomain.com
thebetterbutcher.com
toureses.com
pani-mer.com
barbingalls.com
hls56.com
moresweets4me.com
xeroxliquidmetal.com
Signatures
- Formbook Payload (1 IoC)
  Resource: behavioral1/memory/1084-62-0x0000000000400000-0x000000000042E000-memory.dmp
  Yara rule: formbook

- Suspicious use of SetThreadContext (1 IoC)
  Description | PID | Process | Target process
  PID 756 set thread context of 1084 | 756 | scan._bank_transfer_alhali_bank_12_09_2021.exe | scan._bank_transfer_alhali_bank_12_09_2021.exe

- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  PID | Process
  756 | scan._bank_transfer_alhali_bank_12_09_2021.exe
  756 | scan._bank_transfer_alhali_bank_12_09_2021.exe
  1084 | scan._bank_transfer_alhali_bank_12_09_2021.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Description | PID | Process
  Token: SeDebugPrivilege | 756 | scan._bank_transfer_alhali_bank_12_09_2021.exe

- Suspicious use of WriteProcessMemory (11 IoCs)
  Description | PID | Process | Target process
  PID 756 wrote to memory of 992 | 756 | scan._bank_transfer_alhali_bank_12_09_2021.exe | scan._bank_transfer_alhali_bank_12_09_2021.exe
  PID 756 wrote to memory of 992 | 756 | scan._bank_transfer_alhali_bank_12_09_2021.exe | scan._bank_transfer_alhali_bank_12_09_2021.exe
  PID 756 wrote to memory of 992 | 756 | scan._bank_transfer_alhali_bank_12_09_2021.exe | scan._bank_transfer_alhali_bank_12_09_2021.exe
  PID 756 wrote to memory of 992 | 756 | scan._bank_transfer_alhali_bank_12_09_2021.exe | scan._bank_transfer_alhali_bank_12_09_2021.exe
  PID 756 wrote to memory of 1084 | 756 | scan._bank_transfer_alhali_bank_12_09_2021.exe | scan._bank_transfer_alhali_bank_12_09_2021.exe
  PID 756 wrote to memory of 1084 | 756 | scan._bank_transfer_alhali_bank_12_09_2021.exe | scan._bank_transfer_alhali_bank_12_09_2021.exe
  PID 756 wrote to memory of 1084 | 756 | scan._bank_transfer_alhali_bank_12_09_2021.exe | scan._bank_transfer_alhali_bank_12_09_2021.exe
  PID 756 wrote to memory of 1084 | 756 | scan._bank_transfer_alhali_bank_12_09_2021.exe | scan._bank_transfer_alhali_bank_12_09_2021.exe
  PID 756 wrote to memory of 1084 | 756 | scan._bank_transfer_alhali_bank_12_09_2021.exe | scan._bank_transfer_alhali_bank_12_09_2021.exe
  PID 756 wrote to memory of 1084 | 756 | scan._bank_transfer_alhali_bank_12_09_2021.exe | scan._bank_transfer_alhali_bank_12_09_2021.exe
  PID 756 wrote to memory of 1084 | 756 | scan._bank_transfer_alhali_bank_12_09_2021.exe | scan._bank_transfer_alhali_bank_12_09_2021.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\scan._bank_transfer_alhali_bank_12_09_2021.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\scan._bank_transfer_alhali_bank_12_09_2021.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\scan._bank_transfer_alhali_bank_12_09_2021.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\scan._bank_transfer_alhali_bank_12_09_2021.exe"
  - C:\Users\Admin\AppData\Local\Temp\scan._bank_transfer_alhali_bank_12_09_2021.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\scan._bank_transfer_alhali_bank_12_09_2021.exe"
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
File | Filesize
memory/756-54-0x0000000001380000-0x000000000141C000-memory.dmp | 624KB
memory/756-55-0x0000000075431000-0x0000000075433000-memory.dmp | 8KB
memory/756-56-0x0000000000760000-0x0000000000761000-memory.dmp | 4KB
memory/756-57-0x0000000000290000-0x000000000029E000-memory.dmp | 56KB
memory/756-58-0x00000000050C0000-0x000000000512C000-memory.dmp | 432KB
memory/756-59-0x00000000006A0000-0x00000000006D4000-memory.dmp | 208KB
memory/1084-60-0x0000000000400000-0x000000000042E000-memory.dmp | 184KB
memory/1084-61-0x0000000000400000-0x000000000042E000-memory.dmp | 184KB
memory/1084-62-0x0000000000400000-0x000000000042E000-memory.dmp | 184KB