Overview

overview

10

Static

static

Purchase O...41.exe

windows7-x64

10

Purchase O...41.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    17/10/2022, 15:18

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Purchase Order number n° 20220741.exe

  • Size

    995KB

  • MD5

    78555e148afa5a103c938dcd5da2293c

  • SHA1

    e1a03ff97dd2ae0d2244c5694ec409de141b4d23

  • SHA256

    ad7b11d538d1b3e39d30c7cd9523c744cd1dc061002aa38d0779b67c923b5945

  • SHA512

    b50b7f929fceb85f30194595c86a371db00e3a5ecc92849fe06f177fbf5c5fbe01d5f0af9c79016de253c72da1ca80db0320fffc7a6aad5f640e7f68bfb133b1

  • SSDEEP

    12288:9kY09G/Ju+/rXNzQTETwB9kzy7U0EAgcQVkN8Cs/jdv6cx:9kZG/Ju+T2ETK9+KU0UcACGv

Score
10/10
formbooks11nratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

s11n

Decoy

ugokk.com

webglobalmart.com

giapponetour.com

ericdhaun.com

sewozy33.com

bgw.info

montakcha.online

rayrung.com

thebranddesi.com

liamba.fun

whatismyipaddress.online

ggg9z-a1bzgkze.kred

greatowlbooks.site

sz1992.com

coolonebr.online

xhs782.vip

fizzell.site

dwpato.xyz

pelicankids.store

gopensum.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 6 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1444
    • C:\Users\Admin\AppData\Local\Temp\Purchase Order number n° 20220741.exe
      "C:\Users\Admin\AppData\Local\Temp\Purchase Order number n° 20220741.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1248
      • C:\Users\Admin\AppData\Local\Temp\Purchase Order number n° 20220741.exe
        "C:\Users\Admin\AppData\Local\Temp\Purchase Order number n° 20220741.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1124
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\SysWOW64\netsh.exe"
          4⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1660
          • C:\Windows\SysWOW64\cmd.exe
            /c del "C:\Users\Admin\AppData\Local\Temp\Purchase Order number n° 20220741.exe"
            5⤵
            • Deletes itself
            PID:1548

Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1124-63-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

          Download

        • memory/1124-70-0x0000000000430000-0x0000000000445000-memory.dmp

          Filesize

          84KB

          Download

        • memory/1124-69-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

          Download

        • memory/1124-67-0x0000000000130000-0x0000000000145000-memory.dmp

          Filesize

          84KB

          Download

        • memory/1124-60-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

          Download

        • memory/1124-73-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

          Download

        • memory/1124-66-0x0000000000CE0000-0x0000000000FE3000-memory.dmp

          Filesize

          3.0MB

          Download

        • memory/1124-61-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

          Download

        • memory/1248-55-0x0000000075351000-0x0000000075353000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1248-59-0x0000000000BA0000-0x0000000000BD4000-memory.dmp

          Filesize

          208KB

          Download

        • memory/1248-58-0x00000000009B0000-0x0000000000A3E000-memory.dmp

          Filesize

          568KB

          Download

        • memory/1248-54-0x0000000000BE0000-0x0000000000CE0000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/1248-57-0x0000000000760000-0x000000000076C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/1248-56-0x00000000004B0000-0x00000000004CA000-memory.dmp

          Filesize

          104KB

          Download

        • memory/1444-68-0x0000000004840000-0x0000000004934000-memory.dmp

          Filesize

          976KB

          Download

        • memory/1444-71-0x0000000004970000-0x0000000004AD8000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1444-79-0x0000000004300000-0x00000000043C2000-memory.dmp

          Filesize

          776KB

          Download

        • memory/1444-81-0x0000000004300000-0x00000000043C2000-memory.dmp

          Filesize

          776KB

          Download

        • memory/1660-74-0x0000000001000000-0x000000000101B000-memory.dmp

          Filesize

          108KB

          Download

        • memory/1660-75-0x0000000000080000-0x00000000000AF000-memory.dmp

          Filesize

          188KB

          Download

        • memory/1660-77-0x0000000000BA0000-0x0000000000EA3000-memory.dmp

          Filesize

          3.0MB

          Download

        • memory/1660-78-0x0000000000EB0000-0x0000000000F44000-memory.dmp

          Filesize

          592KB

          Download

        • memory/1660-80-0x0000000000080000-0x00000000000AF000-memory.dmp

          Filesize

          188KB

          Download