General

Target: UPDTED PAYMENT DETAILS 948998849-909N.exe
Filesize: 661KB
Completed: 21-05-2022 18:55
Task: behavioral2
Score: 10/10
MD5: 6d8a6794412d626d13bccfbcebda900f
SHA1: 466ae37bb340ce9ffca60cf8758cde8af08bd077
SHA256: dd2e99f4c8b2909221d9cddcae2aa9c5ce4e343cd4ed8e5fa7113e639412ef7f
SHA512: de7d7f7290dd4f65ae5954d29b41e6f1bbf78e17142d1287645d8a9cd3ddb3b520a8c782b1846a1f010636512431c289f4917a99dc1bc80b2059130aacd1c25a

Malware Config

Extracted

Family: formbook
Version: 4.1
Campaign: bnc

Decoy

saltoasischarleston.com

gor.digital

oneserviceplace.com

ivcfte.info

grasshopperveteran.com

tblacklist.com

noahandvincent.com

bbbmorris.com

coralvillerealestate.info

rjprime.info

smilehdapp.com

texas.kitchen

lifeofbeautifulchaos.com

myfittedfurniture.com

mobiledealsnetwork.com

ateliermusicapiano.com

568027.com

johnmeanwell.com

uneggsing.com

chengshuai88.com

bb9c0clr1.online

ru5hmotorsport.com

massiveplain.com

onyxzoe.com

1k4onehot.men

quantumfingerprint.com

davidkellysounds.com

e-healinghub.com

youaremydestinyth.com

835man.com

iixiah.com

clusterdatacenter.net

comoeducarumfilho.com

heloatfotografia.com

glaucon.net

driverlesspickups.com

conquisteshop.com

estatesdevelopers.com

2ndbeats.com

rustycedarfarm.net

burnsindustrial.net

tictactocchomedey.com

sinanzhiyou.com

blueflamecollection.net

seitai-yuuki.com

dclawnsva.com

vilamouraimmobilier.com

creativa-image.com

funnelsunderground.com

bilaraby.net

Signatures 13

Tactics: Collection, Credential Access, Defense Evasion, Persistence
  • Formbook

    Description

    Formbook is an information stealer sold as malware-as-a-service. It harvests saved credentials and form data from browsers and mail clients, logs keystrokes and takes screenshots, and hides itself by hollowing a legitimate process and then injecting into Explorer.EXE and a second Windows binary, which is the chain recorded in this report.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    Description

    Emerging Threats network rule matched on the FormBook HTTP GET check-in to its command-and-control server.

  • Formbook Payload

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/4868-138-0x0000000000400000-0x000000000042D000-memory.dmp | formbook
    behavioral2/memory/4868-143-0x0000000000400000-0x000000000042D000-memory.dmp | formbook
    behavioral2/memory/3792-149-0x0000000000B60000-0x0000000000B8D000-memory.dmp | formbook
  • Adds policy Run key to start application
    WWAHost.exe

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | WWAHost.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RZJ87BMXCNY = "C:\\Program Files (x86)\\Kfzlphbmx\\ibatmbhfpm.exe" | WWAHost.exe
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System; Credentials in Files
  • Suspicious use of SetThreadContext
    UPDTED PAYMENT DETAILS 948998849-909N.exe, RegSvcs.exe, WWAHost.exe

    Reported IOCs

    description | pid | process | target process
    PID 4976 set thread context of 4868 | 4976 | UPDTED PAYMENT DETAILS 948998849-909N.exe | RegSvcs.exe
    PID 4868 set thread context of 2608 | 4868 | RegSvcs.exe | Explorer.EXE
    PID 4868 set thread context of 2608 | 4868 | RegSvcs.exe | Explorer.EXE
    PID 3792 set thread context of 2608 | 3792 | WWAHost.exe | Explorer.EXE
  • Drops file in Program Files directory
    WWAHost.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Program Files (x86)\Kfzlphbmx\ibatmbhfpm.exe | WWAHost.exe
  • Modifies Internet Explorer settings
    WWAHost.exe

    TTPs

    Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \Registry\User\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | WWAHost.exe
  • Suspicious behavior: EnumeratesProcesses
    UPDTED PAYMENT DETAILS 948998849-909N.exe, RegSvcs.exe, WWAHost.exe

    Reported IOCs

    pid | process | events
    4976 | UPDTED PAYMENT DETAILS 948998849-909N.exe | 3
    4868 | RegSvcs.exe | 6
    3792 | WWAHost.exe | 28
  • Suspicious behavior: GetForegroundWindowSpam
    Explorer.EXE

    Reported IOCs

    pid | process
    2608 | Explorer.EXE
  • Suspicious behavior: MapViewOfSection
    RegSvcs.exe, WWAHost.exe

    Reported IOCs

    pid | process | events
    4868 | RegSvcs.exe | 4
    3792 | WWAHost.exe | 4
  • Suspicious use of AdjustPrivilegeToken
    UPDTED PAYMENT DETAILS 948998849-909N.exe, RegSvcs.exe, WWAHost.exe, Explorer.EXE

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 4976 | UPDTED PAYMENT DETAILS 948998849-909N.exe
    Token: SeDebugPrivilege | 4868 | RegSvcs.exe
    Token: SeDebugPrivilege | 3792 | WWAHost.exe
    Token: SeShutdownPrivilege | 2608 | Explorer.EXE
    Token: SeCreatePagefilePrivilege | 2608 | Explorer.EXE
    Token: SeShutdownPrivilege | 2608 | Explorer.EXE
    Token: SeCreatePagefilePrivilege | 2608 | Explorer.EXE
  • Suspicious use of WriteProcessMemory
    UPDTED PAYMENT DETAILS 948998849-909N.exe, Explorer.EXE, WWAHost.exe

    Reported IOCs

    description | pid | process | target process | events
    PID 4976 wrote to memory of 1920 | 4976 | UPDTED PAYMENT DETAILS 948998849-909N.exe | RegSvcs.exe | 3
    PID 4976 wrote to memory of 4868 | 4976 | UPDTED PAYMENT DETAILS 948998849-909N.exe | RegSvcs.exe | 6
    PID 2608 wrote to memory of 3792 | 2608 | Explorer.EXE | WWAHost.exe | 3
    PID 3792 wrote to memory of 3728 | 3792 | WWAHost.exe | cmd.exe | 3
    PID 3792 wrote to memory of 3876 | 3792 | WWAHost.exe | cmd.exe | 3
    PID 3792 wrote to memory of 1132 | 3792 | WWAHost.exe | Firefox.exe | 3
Processes 8
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    Suspicious behavior: GetForegroundWindowSpam
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:2608
    • C:\Users\Admin\AppData\Local\Temp\UPDTED PAYMENT DETAILS 948998849-909N.exe
      "C:\Users\Admin\AppData\Local\Temp\UPDTED PAYMENT DETAILS 948998849-909N.exe"
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4976
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        PID:1920
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        PID:4868
    • C:\Windows\SysWOW64\WWAHost.exe
      "C:\Windows\SysWOW64\WWAHost.exe"
      Adds policy Run key to start application
      Suspicious use of SetThreadContext
      Drops file in Program Files directory
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3792
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        PID:3728
      • C:\Windows\SysWOW64\cmd.exe
        /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
        PID:3876
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        PID:1132
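The process tree above shows the whole chain in one view: the dropper hollows RegSvcs.exe, the hollowed RegSvcs.exe injects into Explorer.EXE, Explorer.EXE spawns WWAHost.exe, and WWAHost.exe writes the Policies\Explorer\Run autostart, drops its copy under Program Files (x86), deletes the hollowed host and copies Chrome's "Login Data" to %TEMP%\DB1. As an added example that is not part of this report or of the sandbox's own code, the Python below turns each of those steps into a detection rule and runs the rules over constructed Sysmon-style events built from the report. The event shape, the userinit.exe parent of Explorer.EXE and the devenv.exe control event are assumptions introduced for the example.

```python
"""Added example (not from the sandbox report): detection rules for the
behaviours recorded above, run over constructed Sysmon-style events.
Events are built from the report's process tree, SetThreadContext and
registry IOCs; the Visual Studio event is a constructed benign control."""
import re
from collections import Counter

# Signed Windows/.NET binaries that commodity loaders hollow out
# (assumption: a starter list, extend for your environment).
HOLLOW_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe",
                "aspnet_compiler.exe", "wwahost.exe"}
INSTALLERS = {"msiexec.exe", "setup.exe"}
RUN_KEYS = re.compile(r"\\CurrentVersion\\(Policies\\Explorer\\)?Run\\", re.I)
CRED_STORES = re.compile(r"login data|logins\.json|key4\.db|cookies", re.I)
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.I)
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\UPDTED PAYMENT DETAILS 948998849-909N.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
WWAHOST = r"C:\Windows\SysWOW64\WWAHost.exe"

EVENTS = [  # constructed; "inject" stands in for a SetThreadContext telemetry event
    {"id": 1, "pid": 2608, "image": r"C:\Windows\Explorer.EXE",
     "parent": r"C:\Windows\System32\userinit.exe", "cmd": ""},
    {"id": 1, "pid": 4976, "image": DROPPER, "parent": r"C:\Windows\Explorer.EXE", "cmd": ""},
    {"id": 1, "pid": 4868, "image": REGSVCS, "parent": DROPPER, "cmd": ""},
    {"id": "inject", "pid": 4976, "target_pid": 4868},
    {"id": "inject", "pid": 4868, "target_pid": 2608},
    {"id": 1, "pid": 3792, "image": WWAHOST, "parent": r"C:\Windows\Explorer.EXE", "cmd": ""},
    {"id": "inject", "pid": 3792, "target_pid": 2608},
    {"id": 13, "pid": 3792,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RZJ87BMXCNY",
     "value": r"C:\Program Files (x86)\Kfzlphbmx\ibatmbhfpm.exe"},
    {"id": 11, "pid": 3792, "path": r"C:\Program Files (x86)\Kfzlphbmx\ibatmbhfpm.exe"},
    {"id": 1, "pid": 3728, "image": r"C:\Windows\SysWOW64\cmd.exe", "parent": WWAHOST,
     "cmd": r'/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'},
    {"id": 1, "pid": 3876, "image": r"C:\Windows\SysWOW64\cmd.exe", "parent": WWAHOST,
     "cmd": r'/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" '
            r'"C:\Users\Admin\AppData\Local\Temp\DB1" /V'},
    # Benign control (constructed): Visual Studio legitimately launches RegSvcs.exe.
    {"id": 1, "pid": 5000, "image": REGSVCS,
     "parent": r"C:\Program Files\Microsoft Visual Studio\devenv.exe", "cmd": ""},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid, detail) tuples for every rule hit."""
    images = {e["pid"]: e["image"] for e in events if e["id"] == 1}
    parents = {e["pid"]: e["parent"] for e in events if e["id"] == 1}
    hits = []
    for e in events:
        if e["id"] == 1:
            img, cmd = basename(e["image"]), e["cmd"]
            # Hollow host started from a user-writable path: dropper -> RegSvcs.exe.
            if img in HOLLOW_HOSTS and USER_WRITABLE.match(e["parent"]):
                hits.append(("hollow_host_from_user_path", e["pid"], e["parent"]))
            # Shell copying a browser credential store (Chrome "Login Data" -> %TEMP%\DB1).
            if img == "cmd.exe" and CRED_STORES.search(cmd):
                hits.append(("browser_cred_store_access", e["pid"], cmd))
            # Shell deleting a binary under C:\Windows (clean-up of the hollowed host).
            if img == "cmd.exe" and re.search(r"\bdel\b.*\\windows\\", cmd, re.I):
                hits.append(("deletes_system_binary", e["pid"], cmd))
        elif e["id"] == "inject":
            src = basename(images.get(e["pid"], ""))
            tgt = basename(images.get(e["target_pid"], ""))
            # SetThreadContext on explorer.exe, or on a hollow host the caller itself spawned.
            own_child = parents.get(e["target_pid"], "").lower() == images.get(e["pid"], "").lower()
            if tgt == "explorer.exe" or (tgt in HOLLOW_HOSTS and own_child):
                hits.append(("thread_context_injection", e["pid"], f"{src} -> {tgt}"))
        elif e["id"] == 13 and RUN_KEYS.search(e["key"]):
            # Autostart via Run or the less-watched Policies\Explorer\Run key.
            hits.append(("run_key_persistence", e["pid"], e["key"]))
        elif (e["id"] == 11 and e["path"].lower().startswith("c:\\program files")
              and basename(images.get(e["pid"], "")) not in INSTALLERS):
            # Non-installer writing an executable into Program Files.
            hits.append(("program_files_drop_by_non_installer", e["pid"], e["path"]))
    return hits


def summarize(events):
    """Rule name -> number of hits, the shape an alert pipeline aggregates on."""
    return Counter(rule for rule, _, _ in detect(events))


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:36} pid={pid:<5} {detail}")
```

Run against the constructed events, the rules fire eight times: three SetThreadContext hits (dropper into its own RegSvcs.exe child, then RegSvcs.exe and WWAHost.exe into Explorer.EXE), one each for the hollow host launched from the user's Temp directory, the Policies\Explorer\Run write, the Program Files (x86) drop, the Login Data copy and the deletion of RegSvcs.exe; the devenv.exe control stays silent. The parent-path condition on the hollow-host rule matters in practice, because Visual Studio and installers launch RegSvcs.exe and RegAsm.exe legitimately, and the injection rule keys on the injector having spawned its target rather than on the API alone.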
Network
                  Downloads
                  • C:\Users\Admin\AppData\Local\Temp\DB1

                    MD5: b608d407fc15adea97c26936bc6f03f6
                    SHA1: 953e7420801c76393902c0d6bb56148947e41571
                    SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
                    SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

                  • memory/1920-136-0x0000000000000000-mapping.dmp

                  • memory/2608-145-0x0000000008690000-0x00000000087F2000-memory.dmp

                  • memory/2608-152-0x0000000008AD0000-0x0000000008BE4000-memory.dmp

                  • memory/2608-142-0x00000000084A0000-0x000000000860A000-memory.dmp

                  • memory/3728-147-0x0000000000000000-mapping.dmp

                  • memory/3792-150-0x0000000001A50000-0x0000000001D9A000-memory.dmp

                  • memory/3792-148-0x00000000001A0000-0x000000000027C000-memory.dmp

                  • memory/3792-146-0x0000000000000000-mapping.dmp

                  • memory/3792-151-0x0000000001880000-0x0000000001913000-memory.dmp

                  • memory/3792-149-0x0000000000B60000-0x0000000000B8D000-memory.dmp

                  • memory/3876-153-0x0000000000000000-mapping.dmp

                  • memory/4868-141-0x0000000001520000-0x0000000001534000-memory.dmp

                  • memory/4868-140-0x0000000001560000-0x00000000018AA000-memory.dmp

                  • memory/4868-144-0x00000000018D0000-0x00000000018E4000-memory.dmp

                  • memory/4868-137-0x0000000000000000-mapping.dmp

                  • memory/4868-138-0x0000000000400000-0x000000000042D000-memory.dmp

                  • memory/4868-143-0x0000000000400000-0x000000000042D000-memory.dmp

                  • memory/4976-135-0x0000000005230000-0x0000000005286000-memory.dmp

                  • memory/4976-134-0x00000000050F0000-0x00000000050FA000-memory.dmp

                  • memory/4976-133-0x0000000005190000-0x0000000005222000-memory.dmp

                  • memory/4976-132-0x00000000056A0000-0x0000000005C44000-memory.dmp

                  • memory/4976-131-0x0000000004FD0000-0x000000000506C000-memory.dmp

                  • memory/4976-130-0x00000000005F0000-0x000000000069A000-memory.dmp