Overview

overview

10

Static

static

Salary.exe

windows7_x64

10

Salary.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    172s
  • max time network
    188s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 01:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Salary.exe

  • Size

    354KB

  • MD5

    3abc3bd58ec7ecd38e1f25823a3a1833

  • SHA1

    887ac2315f548e3699d0ad340b4b677a679ec434

  • SHA256

    9c5d88a1518cd310e763757d9acd267ed5741d6c79036e1053381729a0d700ca

  • SHA512

    393e69f3741a477a77aefb9e2082829e05a2b68f173e29f2cae909661739f307754161b16b1a8820cd5d614e51adddf95f111696edd33c066c7fc77ad931b067

Score
10/10
formbookg8upersistenceratrezer0spywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.0

Campaign

g8u

Decoy

stuition.com

mj-sculpture.com

cannatainmentevents.com

dianjintang.com

rmlusitania.info

effet-spiruline.com

flatheme.com

supergaminator-vip.com

craftyourmagic.com

lakai.ltd

electionshawaii.com

iqpdct.com

thebestfourstarhotels.com

satoshiceo.com

saintmartiner.com

brothersmarinetoronto.com

citicoin.online

scentsationalsniffers.com

hellonighbourgameees.com

displayonline-france.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Formbook Payload 4 IoCs
    rat
  • ReZer0 packer 1 IoCs

    Detects ReZer0, a packer with multiple versions used in various campaigns.

    rezer0
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1232
    • C:\Users\Admin\AppData\Local\Temp\Salary.exe
      "C:\Users\Admin\AppData\Local\Temp\Salary.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:988
      • C:\Users\Admin\AppData\Local\Temp\Salary.exe
        "C:\Users\Admin\AppData\Local\Temp\Salary.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1356
    • C:\Windows\SysWOW64\help.exe
      "C:\Windows\SysWOW64\help.exe"
      2⤵
      • Adds policy Run key to start application
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:932
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\Salary.exe"
        3⤵
        • Deletes itself
        PID:764

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\3M7QRD2U\3M7logim.jpeg
    Filesize

    62KB

    MD5

    35be22f04a083f244ecf878e7778ad32

    SHA1

    207cd2030880aeb8ea79e3a120779ba85452b239

    SHA256

    0b6c7a024831d9645272efad7aeca9596059eb21346e23d4459c10b01b0edfa1

    SHA512

    ddae6de657f43ee6d3b00af0044102401cf7671bed4b1d7d9f6dae2886e496ad6f673a7eee91eeb7ddf32de0f69ad6559ea82d0cdf2272c7d7d97cfc7a9274a6

    Download Submit
  • C:\Users\Admin\AppData\Roaming\3M7QRD2U\3M7logri.ini
    Filesize

    40B

    MD5

    d63a82e5d81e02e399090af26db0b9cb

    SHA1

    91d0014c8f54743bba141fd60c9d963f869d76c9

    SHA256

    eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

    SHA512

    38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

    Download Submit
  • C:\Users\Admin\AppData\Roaming\3M7QRD2U\3M7logrv.ini
    Filesize

    40B

    MD5

    ba3b6bc807d4f76794c4b81b09bb9ba5

    SHA1

    24cb89501f0212ff3095ecc0aba97dd563718fb1

    SHA256

    6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507

    SHA512

    ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf

    Download Submit
  • memory/764-71-0x0000000000000000-mapping.dmp
    Download
  • memory/932-74-0x00000000759F1000-0x00000000759F3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/932-69-0x00000000000D0000-0x00000000000FD000-memory.dmp
    Filesize

    180KB

    Download
  • memory/932-72-0x0000000000470000-0x0000000000503000-memory.dmp
    Filesize

    588KB

    Download
  • memory/932-70-0x00000000007D0000-0x0000000000AD3000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/932-67-0x0000000000000000-mapping.dmp
    Download
  • memory/932-68-0x0000000000C30000-0x0000000000C36000-memory.dmp
    Filesize

    24KB

    Download
  • memory/988-56-0x0000000004510000-0x000000000454A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/988-55-0x0000000000350000-0x000000000035A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/988-54-0x0000000000200000-0x000000000025E000-memory.dmp
    Filesize

    376KB

    Download
  • memory/1232-66-0x0000000005FD0000-0x000000000613A000-memory.dmp
    Filesize

    1.4MB

    Download
  • memory/1232-73-0x00000000064F0000-0x0000000006681000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/1356-65-0x0000000000260000-0x0000000000274000-memory.dmp
    Filesize

    80KB

    Download
  • memory/1356-64-0x0000000000810000-0x0000000000B13000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1356-63-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/1356-61-0x000000000041E370-mapping.dmp
    Download
  • memory/1356-60-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/1356-58-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/1356-57-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize

    180KB

    Download