Overview

overview

10

Static

static

Salary.exe

windows7_x64

10

Salary.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    181s
  • max time network
    176s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 01:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Salary.exe

  • Size

    352KB

  • MD5

    6d5f3175c300da6ea8a6875a4682edd9

  • SHA1

    ebf2ab3c7fa3cd6f3dcb16e8d1f8faedb16bd7e6

  • SHA256

    4f5081f499127a975be464ff8bb659d88a455cf17da0579c20732097507b6226

  • SHA512

    5dcddce714ce32048466d51d59fcfa84e2949ae01f3b8f0add3f871e03b80f964649963f51ea62bff190bb16fdb0e31bf3802f3fa33d4fc5b1c604da9399720d

Score
10/10
formbookg8upersistenceratrezer0spywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.0

Campaign

g8u

Decoy

stuition.com

mj-sculpture.com

cannatainmentevents.com

dianjintang.com

rmlusitania.info

effet-spiruline.com

flatheme.com

supergaminator-vip.com

craftyourmagic.com

lakai.ltd

electionshawaii.com

iqpdct.com

thebestfourstarhotels.com

satoshiceo.com

saintmartiner.com

brothersmarinetoronto.com

citicoin.online

scentsationalsniffers.com

hellonighbourgameees.com

displayonline-france.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Formbook Payload 3 IoCs
    rat
  • ReZer0 packer 1 IoCs

    Detects ReZer0, a packer with multiple versions used in various campaigns.

    rezer0
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1292
    • C:\Users\Admin\AppData\Local\Temp\Salary.exe
      "C:\Users\Admin\AppData\Local\Temp\Salary.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1120
      • C:\Users\Admin\AppData\Local\Temp\Salary.exe
        "C:\Users\Admin\AppData\Local\Temp\Salary.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1176
    • C:\Windows\SysWOW64\mstsc.exe
      "C:\Windows\SysWOW64\mstsc.exe"
      2⤵
      • Adds policy Run key to start application
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1724
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\Salary.exe"
        3⤵
        • Deletes itself
        PID:904

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\3M7QRD2U\3M7logim.jpeg
    Filesize

    60KB

    MD5

    700556da1b3f3501e3d0158564e2f1f9

    SHA1

    ffe102a41b1dd3f33aa45747f6131a390d20549a

    SHA256

    6668d470e9a89637b6d7196b0e0298522ac5878db57509c10eed1c15e3bc22c7

    SHA512

    7446eba784460cb198e5fa4ba697fc987f8839213d42e02ee328029e2f232e1aba82d852384a19df8567d5f113b067308f8a16da1e6bef649c850c4f43122f1b

    Download Submit
  • C:\Users\Admin\AppData\Roaming\3M7QRD2U\3M7logri.ini
    Filesize

    40B

    MD5

    d63a82e5d81e02e399090af26db0b9cb

    SHA1

    91d0014c8f54743bba141fd60c9d963f869d76c9

    SHA256

    eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

    SHA512

    38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

    Download Submit
  • C:\Users\Admin\AppData\Roaming\3M7QRD2U\3M7logrv.ini
    Filesize

    40B

    MD5

    ba3b6bc807d4f76794c4b81b09bb9ba5

    SHA1

    24cb89501f0212ff3095ecc0aba97dd563718fb1

    SHA256

    6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507

    SHA512

    ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf

    Download Submit
  • memory/904-71-0x0000000000000000-mapping.dmp
    Download
  • memory/1120-55-0x00000000003D0000-0x00000000003DA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1120-56-0x00000000008C0000-0x00000000008FA000-memory.dmp
    Filesize

    232KB

    Download
  • memory/1120-54-0x0000000001320000-0x000000000137E000-memory.dmp
    Filesize

    376KB

    Download
  • memory/1176-60-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/1176-63-0x0000000000970000-0x0000000000C73000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1176-57-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/1176-64-0x00000000003D0000-0x00000000003E4000-memory.dmp
    Filesize

    80KB

    Download
  • memory/1176-58-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/1176-61-0x000000000041E370-mapping.dmp
    Download
  • memory/1292-65-0x00000000061B0000-0x00000000062E1000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/1292-73-0x00000000041E0000-0x0000000004277000-memory.dmp
    Filesize

    604KB

    Download
  • memory/1724-67-0x0000000076721000-0x0000000076723000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1724-72-0x0000000000A00000-0x0000000000A93000-memory.dmp
    Filesize

    588KB

    Download
  • memory/1724-70-0x0000000002160000-0x0000000002463000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1724-69-0x00000000000E0000-0x000000000010D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/1724-68-0x0000000000C50000-0x0000000000D54000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/1724-66-0x0000000000000000-mapping.dmp
    Download