Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

EFT Paymen...er.exe

windows7-x64

10

EFT Paymen...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/09/2022, 14:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    EFT Payment 27September.exe

  • Size

    426KB

  • MD5

    99128801351b81b164690fb32ddfe74f

  • SHA1

    f8f2a0beaf18ce9311ada5ae7fd8dde3914771de

  • SHA256

    fac949564f4665701edaee8c5228133b6c84842fef319a82e8909ddeaa215de6

  • SHA512

    22a6f3d58634d462fd4281dbe2b975df010056bf2b385be110256430289d198640422f0a149607ad72d331bd34cf769fb09d80d22b05da4817d6d1c6db2f91bb

  • SSDEEP

    6144:EKTmSHR5ZwZv+Wxt5+3GE4msba3k4kwsEYA8Ki:XT/x5Zw1+WlA2Vb4kJbEYu

Score
10/10
formbooktg49ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

tg49

Decoy

497338.com

shoptickr.win

support.academy

cloud123.top

manhattanmaintenance.site

sustainabilityblock.com

mertbnkae.city

letshookup.site

aqiqahkarawang.site

play-demoslot-coktogel.app

taikatarot.info

insanxarakterleri.com

bobdoessport.co

inexecution-oarsman.net

aspirationit.com

88bet2255.com

northbowlodge.com

downjc.com

diecastcoin.site

pubiliweb.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:3060
    • C:\Users\Admin\AppData\Local\Temp\EFT Payment 27September.exe
      "C:\Users\Admin\AppData\Local\Temp\EFT Payment 27September.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3012
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:4756
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\SysWOW64\netsh.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5044
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        3⤵
          PID:1256

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/3012-132-0x0000000000310000-0x0000000000378000-memory.dmp

      Filesize

      416KB

      Download

    • memory/3060-139-0x0000000008340000-0x0000000008447000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3060-148-0x0000000008900000-0x0000000008A6A000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/3060-146-0x0000000008900000-0x0000000008A6A000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/4756-137-0x00000000014F0000-0x000000000183A000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4756-138-0x0000000001480000-0x0000000001494000-memory.dmp

      Filesize

      80KB

      Download

    • memory/4756-136-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/4756-134-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/5044-142-0x0000000000820000-0x000000000083E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/5044-143-0x0000000000D30000-0x0000000000D5F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/5044-144-0x0000000001560000-0x00000000018AA000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/5044-145-0x0000000001450000-0x00000000014E3000-memory.dmp

      Filesize

      588KB

      Download

    • memory/5044-147-0x0000000000D30000-0x0000000000D5F000-memory.dmp

      Filesize

      188KB

      Download