Overview

overview

10

Static

static

1

z79Payment...ce.exe

windows7-x64

10

z79Payment...ce.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/03/2023, 12:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    z79Payment_Invoice.exe

  • Size

    279KB

  • MD5

    ab6b2dcefead1e07ced28e7ba26116f2

  • SHA1

    dd97e6eff8cd76a423dd7dc19345924ccc532d23

  • SHA256

    99879f576330744c038ac59de64f244284adb5329a1047f8e3313082ebd0a2c6

  • SHA512

    267747bdc01d5207a18b5b1d0722af2342cf0550e8b54aa79f5cfdecefe7755eefd4e0d23df3037336228374eb10e6957438b100b77310b39bc1369cb660853c

  • SSDEEP

    6144:mYa6ySxvmDOC0ThsaSCvAGVwtQVOStS//bqZ3vFaoWc:mYfp1IebV6Q4SakTWc

Score
10/10
formbooknu06ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

nu06

Decoy

cutmentor.net

alexwright.xyz

gymbastic.com

creperie-lalios.com

equipmentblock.com

zwangerschapvanweektotweek.net

asimulationcompany.com

g9technoinnovation.com

bestbirdies.xyz

addhair.online

get-breakfastburns.com

aex-studentki.guru

jhpx888.com

gemologic.dev

thegreencarshop.co.uk

alessandromargonari.com

cosmosynz.click

letstalkreparation.com

bka-i.com

hervelegerdressshop.co.uk

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2616
    • C:\Users\Admin\AppData\Local\Temp\z79Payment_Invoice.exe
      "C:\Users\Admin\AppData\Local\Temp\z79Payment_Invoice.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4516
      • C:\Users\Admin\AppData\Local\Temp\hchnl.exe
        "C:\Users\Admin\AppData\Local\Temp\hchnl.exe" C:\Users\Admin\AppData\Local\Temp\tjvca.en
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:848
        • C:\Users\Admin\AppData\Local\Temp\hchnl.exe
          "C:\Users\Admin\AppData\Local\Temp\hchnl.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:2444
    • C:\Windows\SysWOW64\cmstp.exe
      "C:\Windows\SysWOW64\cmstp.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:212
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\hchnl.exe"
        3⤵
          PID:1748

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\cgtqaycz.clk
      Filesize

      205KB

      MD5

      758d252482cb5e9d0fabdd1a823693ce

      SHA1

      4d400d5aeb7cf0d51783eb5ca28148cb59dec62e

      SHA256

      a73214dc5d911d5c63b02452e901960be43b211fac89b118fb384a6231e8f592

      SHA512

      9a555a01683e61e4c0ecac509a0ea4f01e0a7b270411687db0ef482d45f78f291ecdfb16da1a1e0ebac0734062015e992e4617e7c186748473ed1c672f3b6d3f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\hchnl.exe
      Filesize

      58KB

      MD5

      b452944769013ab23fefa20383f5d5e9

      SHA1

      13b1850c2538925c2b63dcb332411f054a2144a3

      SHA256

      c9749bbe3d3516f7d4c62212fdd943ec620c212301e224425b1e783d97e988a3

      SHA512

      74ca7637c18ca5230d345d4a5ed4f24e2da85354c3d938447af095c625ceb51962ea55d3e261f320603918f3c1b648c257a5920b8a8a9ea793d759503e0a2929

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\hchnl.exe
      Filesize

      58KB

      MD5

      b452944769013ab23fefa20383f5d5e9

      SHA1

      13b1850c2538925c2b63dcb332411f054a2144a3

      SHA256

      c9749bbe3d3516f7d4c62212fdd943ec620c212301e224425b1e783d97e988a3

      SHA512

      74ca7637c18ca5230d345d4a5ed4f24e2da85354c3d938447af095c625ceb51962ea55d3e261f320603918f3c1b648c257a5920b8a8a9ea793d759503e0a2929

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\hchnl.exe
      Filesize

      58KB

      MD5

      b452944769013ab23fefa20383f5d5e9

      SHA1

      13b1850c2538925c2b63dcb332411f054a2144a3

      SHA256

      c9749bbe3d3516f7d4c62212fdd943ec620c212301e224425b1e783d97e988a3

      SHA512

      74ca7637c18ca5230d345d4a5ed4f24e2da85354c3d938447af095c625ceb51962ea55d3e261f320603918f3c1b648c257a5920b8a8a9ea793d759503e0a2929

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tjvca.en
      Filesize

      5KB

      MD5

      346a4e38ddc6825496883e1b8a10f86e

      SHA1

      034628b066c6d47b4b2b8ee5bc06243f27429f28

      SHA256

      4e0a805ef4afbac34de98431a3e978f1bed993736f63e946eb546093c37a4b3e

      SHA512

      d9bd7d23551adda608f7d925426956be77af9ef4fadb34c1ca87ccd50352330c8a55d86606038820d13f4f44e05db731ce714aa9dc193b985461cf9b52e96323

      Download Submit

    • memory/212-151-0x0000000000EC0000-0x0000000000ED6000-memory.dmp

      Filesize

      88KB

      Download

    • memory/212-156-0x0000000002F80000-0x0000000003013000-memory.dmp

      Filesize

      588KB

      Download

    • memory/212-154-0x0000000001200000-0x000000000122F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/212-153-0x0000000003140000-0x000000000348A000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/212-149-0x0000000000EC0000-0x0000000000ED6000-memory.dmp

      Filesize

      88KB

      Download

    • memory/212-152-0x0000000001200000-0x000000000122F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2444-142-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2444-150-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2444-147-0x00000000012E0000-0x00000000012F4000-memory.dmp

      Filesize

      80KB

      Download

    • memory/2444-146-0x0000000001350000-0x000000000169A000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2616-148-0x0000000008A80000-0x0000000008C0B000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/2616-157-0x0000000002EB0000-0x0000000002F87000-memory.dmp

      Filesize

      860KB

      Download

    • memory/2616-158-0x0000000002EB0000-0x0000000002F87000-memory.dmp

      Filesize

      860KB

      Download

    • memory/2616-160-0x0000000002EB0000-0x0000000002F87000-memory.dmp

      Filesize

      860KB

      Download