Overview

overview

10

Static

static

Payment Ad...30.exe

windows7-x64

10

Payment Ad...30.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    244s
  • max time network
    334s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    07-12-2022 19:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Payment Advice - Advice Ref A1T4C80vSIxi ACH credits Customer Ref1093817130.exe

  • Size

    1.0MB

  • MD5

    af4c90f16183a6ad67d309954e852c8a

  • SHA1

    4b8612090c079bf462c55e774c7199d4f182e937

  • SHA256

    e42dddf5106613702329f2fa39feac15baee21cd5b543d288dc82ed621eb7037

  • SHA512

    c335c1ab1b2708530424dc094a9b864155275e4d462bf726b38338b9c33f6942c355b9092fa786bf1a20f99c7ac52b4c03e399ff5ab157fff556480db15fc823

  • SSDEEP

    12288:0oQgKZ/nXt7virmWhlGLaQYIyzYEmgX/Lifi1SXAe73hdw7YVCiJM2dycvQ0piws:fPNNwAe7x78OQ0Hx4xUhlWp

Score
10/10
formbookxloaderm9aeloaderratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

m9ae

Decoy

nWTQpX6TYm6dfT3Lcw==

7JaBLgMm8EKn2AlTy5Ksj4Jq

yWRJIhE3viQgqEpZS3o=

ES9dFo0bytF8vlvRcg==

aX/aBZn29pD+cg==

lU64sYOZV7ZVpUy1ag==

9BpOCYAPv8L8TyIFAiTp2PSqLg==

uEJ2RyQ1BcBXfFr8kT5Z1KV0

oVM42Ury9pD+cg==

0Zl3VkcuKaY+

OjZeGI8dw67Z6eWtnOoBfoI=

ytwFn9j4i+N8nKYRSgcfh3xn5LU=

xMb1+YkOyxmbxJ53JsP7Pg==

HODQpzTBS1gVoi4X0hStKQ==

fQ417ycwD+ziKt1u0hStKQ==

nsApOqE62sA8uS735uCXVP+YcrQ=

4aobG3oZ3AHqTPs=

P2LEwJatZbQZUTayTW0=

/bopO7NR6clCfT3Lcw==

bBxRRkFY01R+20pZS3o=

Extracted

Family

xloader

Version

3.Æ…

Campaign

m9ae

Decoy

nWTQpX6TYm6dfT3Lcw==

7JaBLgMm8EKn2AlTy5Ksj4Jq

yWRJIhE3viQgqEpZS3o=

ES9dFo0bytF8vlvRcg==

aX/aBZn29pD+cg==

lU64sYOZV7ZVpUy1ag==

9BpOCYAPv8L8TyIFAiTp2PSqLg==

uEJ2RyQ1BcBXfFr8kT5Z1KV0

oVM42Ury9pD+cg==

0Zl3VkcuKaY+

OjZeGI8dw67Z6eWtnOoBfoI=

ytwFn9j4i+N8nKYRSgcfh3xn5LU=

xMb1+YkOyxmbxJ53JsP7Pg==

HODQpzTBS1gVoi4X0hStKQ==

fQ417ycwD+ziKt1u0hStKQ==

nsApOqE62sA8uS735uCXVP+YcrQ=

4aobG3oZ3AHqTPs=

P2LEwJatZbQZUTayTW0=

/bopO7NR6clCfT3Lcw==

bBxRRkFY01R+20pZS3o=

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    PID:1212
    • C:\Users\Admin\AppData\Local\Temp\Payment Advice - Advice Ref A1T4C80vSIxi ACH credits Customer Ref1093817130.exe
      "C:\Users\Admin\AppData\Local\Temp\Payment Advice - Advice Ref A1T4C80vSIxi ACH credits Customer Ref1093817130.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:432
      • C:\Users\Admin\AppData\Local\Temp\Payment Advice - Advice Ref A1T4C80vSIxi ACH credits Customer Ref1093817130.exe
        "C:\Users\Admin\AppData\Local\Temp\Payment Advice - Advice Ref A1T4C80vSIxi ACH credits Customer Ref1093817130.exe"
        3⤵
        • Checks computer location settings
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1400
        • C:\Windows\SysWOW64\wlanext.exe
          "C:\Windows\SysWOW64\wlanext.exe"
          4⤵
          • Suspicious use of SetThreadContext
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:1412

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/432-54-0x00000000012A0000-0x00000000013B2000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/432-55-0x0000000076931000-0x0000000076933000-memory.dmp
    Filesize

    8KB

    Download
  • memory/432-56-0x0000000000910000-0x0000000000926000-memory.dmp
    Filesize

    88KB

    Download
  • memory/432-57-0x0000000000920000-0x000000000092E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/432-58-0x0000000007E40000-0x0000000007ED4000-memory.dmp
    Filesize

    592KB

    Download
  • memory/432-59-0x0000000000AF0000-0x0000000000B4C000-memory.dmp
    Filesize

    368KB

    Download
  • memory/1212-87-0x00000000073D0000-0x0000000007541000-memory.dmp
    Filesize

    1.4MB

    Download
  • memory/1212-84-0x00000000073D0000-0x0000000007541000-memory.dmp
    Filesize

    1.4MB

    Download
  • memory/1212-76-0x0000000004C20000-0x0000000004CF0000-memory.dmp
    Filesize

    832KB

    Download
  • memory/1212-72-0x0000000006890000-0x00000000069D8000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/1400-71-0x00000000000E0000-0x00000000000F0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1400-63-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1400-68-0x0000000000401000-0x000000000042F000-memory.dmp
    Filesize

    184KB

    Download
  • memory/1400-69-0x0000000000810000-0x0000000000B13000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1400-66-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1400-70-0x0000000000422000-0x0000000000424000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1400-64-0x00000000004012B0-mapping.dmp
    Download
  • memory/1400-74-0x0000000000422000-0x0000000000424000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1400-75-0x0000000000290000-0x00000000002A0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1400-67-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1400-77-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1400-78-0x0000000000401000-0x000000000042F000-memory.dmp
    Filesize

    184KB

    Download
  • memory/1400-60-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1400-61-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1412-81-0x0000000000080000-0x00000000000AD000-memory.dmp
    Filesize

    180KB

    Download
  • memory/1412-82-0x00000000009A0000-0x0000000000CA3000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1412-83-0x0000000000CB0000-0x0000000000D3F000-memory.dmp
    Filesize

    572KB

    Download
  • memory/1412-80-0x0000000000D80000-0x0000000000D96000-memory.dmp
    Filesize

    88KB

    Download
  • memory/1412-86-0x0000000000080000-0x00000000000AD000-memory.dmp
    Filesize

    180KB

    Download
  • memory/1412-79-0x0000000000000000-mapping.dmp
    Download