Analysis
max time kernel: 41s
max time network: 45s
platform: windows7_x64
resource: win7-20220414-en
submitted: 21-05-2022 12:18
Static task: static1
Behavioral task: behavioral1
Sample: Stripe.exe
Resource: win7-20220414-en
General
Target: Stripe.exe
Size: 387KB
MD5: 52f40e38350510d0101f33526d6fb0a6
SHA1: e5b3d8f68a5bcca610661b2e3c2276c9e260f948
SHA256: fec5ae0ee4950c22aa3278fbea92faf21abc081160d32ab3047d03c6409f8829
SHA512: 55113f082c1211f0e3d514052ba9d1c3eadffa2d4f9712833cd03d2d9c856054669f26232928f305b15c638074e5d55d3e5e632c44126b79d21abe1f467f1f16
Malware Config
Extracted family: formbook
Version: 4.0
Campaign: ze01
C2 / decoy domains (65 entries). Formbook configs mix the live C2 with decoy domains, and the report does not mark which entry is live, so block or hunt on the whole list rather than any single domain:
yoyoyoyoyoyo.com
nonproxyserver10.life
modernstrikeonlinehack.online
gracieandjemima.com
thisdomainis.top
hhyxtz.com
hairmaxthailand.com
k1882.com
krommaks.com
emhalert.com
infiniafinancial.com
yaamr.com
acuatikorellana.com
frank-walberg.com
firstlightshop.com
dialettapp.com
redlinepipefab.com
mosskelley.net
18778912634.com
porpaixao.com
gottrendsonline.com
letmewatctthis.com
yunlijin.com
mobileizlife.com
domesti-cait.com
babakj.com
lodgedtraining.com
2526a.com
benyuhas.com
jobplacementconsultants.com
360onebuy.com
edmontonhomeshelper.com
howardcommons.com
battlelolita.com
517cb.com
mecamaq-deutschland.com
oljesam.com
icbcamg.com
nelsonmathacademy.com
arunpower.com
whsyzbzz.com
dvglegal.com
apptrafficupgrade.date
mark-rent.biz
stripeod1.com
webuyai.com
sprconcreting.com
cse-formation.info
fcgdy.loan
xiaohuokang.com
noengacommunity.com
capbrista.com
priceslim.com
mobilitagratis.com
tenelson65.com
rjj50yq.com
xn--vhqd20ykxb1zouod.com
adelaidewebservices.com
bluecollarhomeschool.com
mba-degrees.market
gu8ratrufa.click
lakazahuile.com
haiphatlandnhatrang.com
muchengmuye.com
regulars6.com
Signatures

CoreEntity .NET Packer (1 IoC)
CoreEntity is a .NET packer that stores its encrypted payload as a Bitmap object (in the image's pixel data) and decrypts it at runtime.
Resource                                                                     YARA rule
behavioral1/memory/1880-56-0x00000000003F0000-0x00000000003F8000-memory.dmp  coreentity

Formbook Payload (3 IoCs)
Resource                                                                     YARA rule
behavioral1/memory/1804-62-0x000000000041E310-mapping.dmp                    formbook
behavioral1/memory/1804-61-0x0000000000400000-0x000000000042D000-memory.dmp  formbook
behavioral1/memory/1804-67-0x0000000000400000-0x000000000042D000-memory.dmp  formbook

ReZer0 packer (1 IoC)
Detects ReZer0, a packer with multiple versions used in various campaigns.
Resource                                                                     YARA rule
behavioral1/memory/1880-57-0x0000000000B40000-0x0000000000B7A000-memory.dmp  rezer0

Suspicious use of SetThreadContext (3 IoCs)
Description                          PID   Process     Target process
PID 1880 set thread context of 1804  1880  Stripe.exe  Stripe.exe
PID 1804 set thread context of 1376  1804  Stripe.exe  Explorer.EXE
PID 1804 set thread context of 1376  1804  Stripe.exe  Explorer.EXE

Suspicious behavior: EnumeratesProcesses (3 IoCs)
PID   Process     Events
1804  Stripe.exe  3

Suspicious behavior: MapViewOfSection (2 IoCs)
PID   Process     Events
1804  Stripe.exe  2

Suspicious use of AdjustPrivilegeToken (1 IoC)
Description              PID   Process
Token: SeDebugPrivilege  1804  Stripe.exe

Suspicious use of WriteProcessMemory (11 IoCs)
Description                       PID   Process       Target process  Events
PID 1880 wrote to memory of 1804  1880  Stripe.exe    Stripe.exe      7
PID 1376 wrote to memory of 1960  1376  Explorer.EXE  wininit.exe     4
Processes
Process tree (leading number = depth; command line in parentheses, "{path}" is the literal command line the sandbox recorded):

1. C:\Windows\Explorer.EXE  ("C:\Windows\Explorer.EXE")
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Stripe.exe  ("C:\Users\Admin\AppData\Local\Temp\Stripe.exe")
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\Stripe.exe  ("{path}")
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken
         4. C:\Windows\SysWOW64\autofmt.exe  ("C:\Windows\SysWOW64\autofmt.exe")
   2. C:\Windows\SysWOW64\wininit.exe  ("C:\Windows\SysWOW64\wininit.exe")
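Read together, the signature rows and the process tree describe the usual Formbook staging chain: the packed loader (PID 1880, where the CoreEntity and ReZer0 rules hit) starts a second copy of itself and hollows it (WriteProcessMemory plus SetThreadContext into PID 1804, whose image region at 0x400000 is where the Formbook rule hits), the hollowed copy takes SeDebugPrivilege and redirects a thread in Explorer.EXE (PID 1376), and Explorer.EXE then writes into a freshly launched wininit.exe (PID 1960). One caveat when reading the rows: the 1804 to 1376 hop shows SetThreadContext but no WriteProcessMemory, so the MapViewOfSection events on PID 1804 are the likely write path (a section mapped into Explorer rather than bytes written). The script below is an added example and not part of the report or of any vendor tooling: it rebuilds that chain from rows constructed from the report's own tables and ties the YARA-tagged dumps to each stage. The row layout and the dump-name layout are copied from the report; the parsing logic, the edge model and the hollowing heuristic are assumptions made for this illustration.

```python
"""Rebuild the injection chain and stage map from the Stripe.exe report.

Added example, not part of the sandbox report or any vendor tooling. The
rows in EVENTS and YARA_HITS are constructed from the report's own
SetThreadContext / WriteProcessMemory / YARA tables; the parsers are ours.
"""
import re
from collections import defaultdict

# Constructed from the report rows (a subset; the sandbox lists duplicates).
EVENTS = """
PID 1880 set thread context of 1804 1880 Stripe.exe Stripe.exe
PID 1804 set thread context of 1376 1804 Stripe.exe Explorer.EXE
PID 1804 set thread context of 1376 1804 Stripe.exe Explorer.EXE
PID 1880 wrote to memory of 1804 1880 Stripe.exe Stripe.exe
PID 1880 wrote to memory of 1804 1880 Stripe.exe Stripe.exe
PID 1376 wrote to memory of 1960 1376 Explorer.EXE wininit.exe
PID 1376 wrote to memory of 1960 1376 Explorer.EXE wininit.exe
""".strip().splitlines()

# Constructed from the report's YARA rows.
YARA_HITS = [
    ("behavioral1/memory/1880-56-0x00000000003F0000-0x00000000003F8000-memory.dmp", "coreentity"),
    ("behavioral1/memory/1880-57-0x0000000000B40000-0x0000000000B7A000-memory.dmp", "rezer0"),
    ("behavioral1/memory/1804-61-0x0000000000400000-0x000000000042D000-memory.dmp", "formbook"),
    ("behavioral1/memory/1804-67-0x0000000000400000-0x000000000042D000-memory.dmp", "formbook"),
    ("behavioral1/memory/1804-62-0x000000000041E310-mapping.dmp", "formbook"),
]

EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<api>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) \d+ (?P<src_name>\S+) (?P<dst_name>\S+)$"
)
DUMP_RE = re.compile(
    r"^(?:behavioral1/)?memory/(?P<pid>\d+)-\d+-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)

def parse_events(lines):
    """Collapse rows into edges keyed (src_pid, dst_pid) with the APIs seen."""
    edges = {}
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        key = (int(m["src"]), int(m["dst"]))
        e = edges.setdefault(key, {"src": m["src_name"], "dst": m["dst_name"],
                                   "apis": set(), "count": 0})
        e["apis"].add("WriteProcessMemory" if m["api"].startswith("wrote")
                      else "SetThreadContext")
        e["count"] += 1
    return edges

def injection_chain(edges, root):
    """Walk src->dst edges from root; each hop is one process injecting into
    another. Returns [(src_pid, src_name, dst_pid, dst_name, [apis]), ...]."""
    chain, pid, seen = [], root, set()
    while pid not in seen:
        seen.add(pid)
        out = sorted(d for (s, d) in edges if s == pid)
        if not out:
            break
        e = edges[(pid, out[0])]
        chain.append((pid, e["src"], out[0], e["dst"], sorted(e["apis"])))
        pid = out[0]
    return chain

def is_hollowing(edge):
    """Parent writes into the child's memory AND redirects its thread: the
    write-then-SetThreadContext pair that characterises process hollowing."""
    return {"WriteProcessMemory", "SetThreadContext"} <= edge["apis"]

def parse_dump(name):
    """Split a dump name into pid, address range and size (None for mapping dumps)."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name!r}")
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {"pid": int(m["pid"]), "start": start, "end": end,
            "size": end - start if end else None, "kind": m["kind"]}

def hits_by_pid(hits):
    """Map each PID to the (rule, start, size) triples YARA matched in it."""
    out = defaultdict(list)
    for name, rule in hits:
        d = parse_dump(name)
        out[d["pid"]].append((rule, d["start"], d["size"]))
    return dict(out)

def stage_map(edges, root, hits):
    """Annotate each PID on the chain with the families YARA saw inside it."""
    by_pid = hits_by_pid(hits)
    pids = [root] + [dst for _, _, dst, _, _ in injection_chain(edges, root)]
    return {pid: sorted({r for r, _, _ in by_pid.get(pid, [])}) for pid in pids}

if __name__ == "__main__":
    edges = parse_events(EVENTS)
    for src, sn, dst, dn, apis in injection_chain(edges, 1880):
        tag = " [hollowing]" if is_hollowing(edges[(src, dst)]) else ""
        print(f"{src} {sn} -> {dst} {dn}: {', '.join(apis)}{tag}")
    print(stage_map(edges, 1880, YARA_HITS))
```

Running it prints the three hops (only the first one is tagged as hollowing, because the Explorer hop has no WriteProcessMemory row) and a stage map in which the packer rules sit on PID 1880 and the Formbook rule on PID 1804; Explorer.EXE and wininit.exe carry no YARA hit in this report, which is exactly why the dumps of PID 1376 in the Downloads list are worth pulling and scanning by hand.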
Downloads
Memory dump                                                      Size
memory/1376-66-0x00000000062F0000-0x000000000648B000-memory.dmp  1.6MB
memory/1376-69-0x0000000007790000-0x0000000007929000-memory.dmp  1.6MB
memory/1804-65-0x00000000001E0000-0x00000000001F4000-memory.dmp  80KB
memory/1804-58-0x0000000000400000-0x000000000042D000-memory.dmp  180KB
memory/1804-59-0x0000000000400000-0x000000000042D000-memory.dmp  180KB
memory/1804-62-0x000000000041E310-mapping.dmp                    -
memory/1804-61-0x0000000000400000-0x000000000042D000-memory.dmp  180KB
memory/1804-64-0x0000000000BF0000-0x0000000000EF3000-memory.dmp  3.0MB
memory/1804-67-0x0000000000400000-0x000000000042D000-memory.dmp  180KB
memory/1804-68-0x0000000000330000-0x0000000000344000-memory.dmp  80KB
memory/1880-57-0x0000000000B40000-0x0000000000B7A000-memory.dmp  232KB
memory/1880-54-0x0000000000B80000-0x0000000000BE8000-memory.dmp  416KB
memory/1880-56-0x00000000003F0000-0x00000000003F8000-memory.dmp  32KB
memory/1880-55-0x00000000755A1000-0x00000000755A3000-memory.dmp  8KB