Overview

overview

10

Static

static

INVOICE.exe

windows7-x64

10

INVOICE.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-10-2022 17:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    INVOICE.exe

  • Size

    900KB

  • MD5

    94fbca3f42d439bed773a04e82b29827

  • SHA1

    e804a967276c25df1b48e8b5f35109a2559cc55d

  • SHA256

    3903f75f7f0106aa34486f7c546b98a1eba03b1a0d901ccd09fb90294de857a4

  • SHA512

    21d8802c3bca47ba6d8fcbc20a1bd6a6502d32a5dad4fc1fa6e4b79266734046efa9e4ed807b99129ecf3427b9a4b2ec644e29a2f18d249081074aa99a7a2fd1

  • SSDEEP

    12288:jXNIMvqVefEu5JunXd0qe06DgKWlkmaWpJOBqm3xraOVbp1G+B/NP:7NICSapUKVmaM/AbLn

Score
10/10
formbookp94aratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

p94a

Decoy

wishgrove.com

parqueveiculos.com

spiderwebs.online

chulkanadham.com

cdtuan.net

zxazm.com

payment6528832.xyz

fengtaiol.com

bffsmovie.com

aliceseagerfitness.com

garisluruskonsulindo.website

analytical-gutter.net

ahcq8.com

fenyoga.com

ecleptic.cat

conjurecrafts.com

aquaway.date

apenpokkenschoonmaakbedrijf.com

zgramr.top

boweknives.site

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 5 IoCs
    rat
  • Suspicious use of SetThreadContext 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 44 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2592
    • C:\Users\Admin\AppData\Local\Temp\INVOICE.exe
      "C:\Users\Admin\AppData\Local\Temp\INVOICE.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1036
      • C:\Users\Admin\AppData\Local\Temp\INVOICE.exe
        "C:\Users\Admin\AppData\Local\Temp\INVOICE.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1596
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\SysWOW64\netsh.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2132
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\INVOICE.exe"
        3⤵
          PID:4724

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1036-132-0x0000000000C10000-0x0000000000CF8000-memory.dmp
      Filesize

      928KB

      Download
    • memory/1036-133-0x0000000005AE0000-0x0000000006084000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/1036-134-0x00000000055D0000-0x0000000005662000-memory.dmp
      Filesize

      584KB

      Download
    • memory/1036-135-0x0000000005570000-0x000000000557A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1036-136-0x000000000B8C0000-0x000000000B95C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/1036-137-0x000000000B960000-0x000000000B9C6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/1596-145-0x0000000002FB0000-0x0000000002FC4000-memory.dmp
      Filesize

      80KB

      Download
    • memory/1596-148-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1596-141-0x0000000001240000-0x000000000158A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/1596-139-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1596-142-0x00000000016F0000-0x0000000001704000-memory.dmp
      Filesize

      80KB

      Download
    • memory/1596-144-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1596-138-0x0000000000000000-mapping.dmp
      Download
    • memory/2132-147-0x0000000000000000-mapping.dmp
      Download
    • memory/2132-150-0x0000000000BB0000-0x0000000000BCE000-memory.dmp
      Filesize

      120KB

      Download
    • memory/2132-152-0x0000000000F30000-0x000000000127A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/2132-151-0x00000000001A0000-0x00000000001CF000-memory.dmp
      Filesize

      188KB

      Download
    • memory/2132-153-0x0000000000CD0000-0x0000000000D63000-memory.dmp
      Filesize

      588KB

      Download
    • memory/2132-155-0x00000000001A0000-0x00000000001CF000-memory.dmp
      Filesize

      188KB

      Download
    • memory/2592-146-0x00000000026A0000-0x0000000002752000-memory.dmp
      Filesize

      712KB

      Download
    • memory/2592-143-0x0000000007EB0000-0x0000000007FE1000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/2592-154-0x000000000AB30000-0x000000000ACBC000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/2592-156-0x000000000AB30000-0x000000000ACBC000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/4724-149-0x0000000000000000-mapping.dmp
      Download