Overview

overview

10

Static

static

3

Pedido de ...te.exe

windows7-x64

10

Pedido de ...te.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    21-05-2024 03:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Pedido de compra urgente.exe

  • Size

    1.2MB

  • MD5

    ae2709b53bbe59af6094b3721d2e43e4

  • SHA1

    85dd2c7acf90d25e656598d30008bc77f3d4a60b

  • SHA256

    01e091955a83ba50c3b6324a89c6007d77798134465e1189cc3259906785262b

  • SHA512

    9c62a99a932e173939614c638d524ce33ee68b5985eda8e9737f07584a8c9f40c8b13b42b206d6a221092bdd2aa39a5ab3860a3ca6a877282578e2bf587d124b

  • SSDEEP

    24576:LiTAD3InHT6elgPzH6s5K4Z3LpNnp+JNwIl7TaTpCGCcYjb:LeM3LjgTv5T09nYjb

Score
10/10
formbookgy14motwpersistencephishingratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gy14

Decoy

mavbam.com

theanhedonia.com

budgetnurseries.com

buflitr.com

alqamarhotel.com

2660348.top

123bu6.shop

v72999.com

yzyz841.xyz

247fracing.com

naples.beauty

twinklethrive.com

loscaseros.com

creditspisatylegko.site

sgyy3ej2dgwesb5.com

ufocafe.net

techn9nehollywoodundead.com

truedatalab.com

alterdpxlmarketing.com

harborspringsfire.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 3 IoCs
    rat
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Mark of the Web detected: This indicates that the page was originally saved or cloned. 1 IoCs
    phishingmotw
  • Suspicious use of SetThreadContext 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1192
    • C:\Users\Admin\AppData\Local\Temp\Pedido de compra urgente.exe
      "C:\Users\Admin\AppData\Local\Temp\Pedido de compra urgente.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2056
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
        3⤵
          PID:2096
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
          3⤵
            PID:3020
          • C:\Windows\System32\calc.exe
            "C:\Windows\System32\calc.exe"
            3⤵
              PID:2580
            • C:\Program Files (x86)\Windows Mail\wab.exe
              "C:\Program Files (x86)\Windows Mail\wab.exe"
              3⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of AdjustPrivilegeToken
              PID:2724
            • C:\Program Files (x86)\Windows Mail\wab.exe
              "C:\Program Files (x86)\Windows Mail\wab.exe"
              3⤵
                PID:2744
            • C:\Windows\SysWOW64\help.exe
              "C:\Windows\SysWOW64\help.exe"
              2⤵
              • Adds policy Run key to start application
              • Suspicious use of SetThreadContext
              • Modifies Internet Explorer settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2632
              • C:\Program Files\Mozilla Firefox\Firefox.exe
                "C:\Program Files\Mozilla Firefox\Firefox.exe"
                3⤵
                  PID:2520

            Network

            MITRE ATT&CK Matrix ATT&CK v13

            Initial Access

            Execution

            Persistence

            Boot or Logon Autostart Execution

            1
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Privilege Escalation

            Boot or Logon Autostart Execution

            1
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Defense Evasion

            Modify Registry

            2
            T1112

            Credential Access

            Discovery

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Resource Development

            Reconnaissance

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Roaming\Z3NR280V\Z3Nlogim.jpeg
              Filesize

              59KB

              MD5

              7fc5e05e610a33fdb4ff8be959a8a56b

              SHA1

              c17e9ce62dc5ae38f76d1707c00ac3a31bed7fb9

              SHA256

              f983ef61527aa5e49dff3bcd1bc9479ad9d2f5e5473ebf8852666d3b904c3f6a

              SHA512

              19364e9906885e37567ec2cd15b055f52d79d768b0cc275f10a2db233784ae61bb8d2c49bfc4f342660448a01b3b7cfc351100ef41d222f4475addc27dbbf9ea

              Download Submit
            • C:\Users\Admin\AppData\Roaming\Z3NR280V\Z3Nlogrf.ini
              Filesize

              40B

              MD5

              2f245469795b865bdd1b956c23d7893d

              SHA1

              6ad80b974d3808f5a20ea1e766c7d2f88b9e5895

              SHA256

              1662d01a2d47b875a34fc7a8cd92e78cb2ba7f34023c7fd2639cbb10b8d94361

              SHA512

              909f189846a5d2db208a5eb2e7cb3042c0f164caf437e2b1b6de608c0a70e4f3510b81b85753dbeec1e211e6a83e6ea8c96aff896e9b6e8ed42014473a54dc4f

              Download Submit
            • C:\Users\Admin\AppData\Roaming\Z3NR280V\Z3Nlogri.ini
              Filesize

              40B

              MD5

              d63a82e5d81e02e399090af26db0b9cb

              SHA1

              91d0014c8f54743bba141fd60c9d963f869d76c9

              SHA256

              eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

              SHA512

              38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

              Download Submit
            • C:\Users\Admin\AppData\Roaming\Z3NR280V\Z3Nlogrv.ini
              Filesize

              40B

              MD5

              ba3b6bc807d4f76794c4b81b09bb9ba5

              SHA1

              24cb89501f0212ff3095ecc0aba97dd563718fb1

              SHA256

              6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507

              SHA512

              ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf

              Download Submit
            • memory/1192-48-0x0000000004BE0000-0x0000000004CF3000-memory.dmp
              Filesize

              1.1MB

              Download
            • memory/1192-27-0x00000000051D0000-0x00000000052CB000-memory.dmp
              Filesize

              1004KB

              Download
            • memory/1192-39-0x0000000004BE0000-0x0000000004CF3000-memory.dmp
              Filesize

              1.1MB

              Download
            • memory/1192-24-0x0000000003CF0000-0x0000000003DF0000-memory.dmp
              Filesize

              1024KB

              Download
            • memory/1192-36-0x00000000051D0000-0x00000000052CB000-memory.dmp
              Filesize

              1004KB

              Download
            • memory/1192-41-0x0000000004BE0000-0x0000000004CF3000-memory.dmp
              Filesize

              1.1MB

              Download
            • memory/2056-21-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp
              Filesize

              9.9MB

              Download
            • memory/2056-5-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp
              Filesize

              9.9MB

              Download
            • memory/2056-2-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp
              Filesize

              9.9MB

              Download
            • memory/2056-3-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp
              Filesize

              9.9MB

              Download
            • memory/2056-1-0x00000000003B0000-0x00000000003BA000-memory.dmp
              Filesize

              40KB

              Download
            • memory/2056-4-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp
              Filesize

              9.9MB

              Download
            • memory/2056-0-0x000007FEF5A13000-0x000007FEF5A14000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2056-6-0x000000001AB50000-0x000000001ABD6000-memory.dmp
              Filesize

              536KB

              Download
            • memory/2096-7-0x0000000000400000-0x000000000042F000-memory.dmp
              Filesize

              188KB

              Download
            • memory/2096-9-0x0000000000400000-0x000000000042F000-memory.dmp
              Filesize

              188KB

              Download
            • memory/2632-30-0x0000000000080000-0x00000000000AF000-memory.dmp
              Filesize

              188KB

              Download
            • memory/2632-28-0x0000000000530000-0x0000000000536000-memory.dmp
              Filesize

              24KB

              Download
            • memory/2632-29-0x0000000000530000-0x0000000000536000-memory.dmp
              Filesize

              24KB

              Download
            • memory/2724-25-0x0000000000400000-0x000000000042F000-memory.dmp
              Filesize

              188KB

              Download
            • memory/2724-26-0x0000000000190000-0x00000000001A5000-memory.dmp
              Filesize

              84KB

              Download
            • memory/2724-22-0x0000000000820000-0x0000000000B23000-memory.dmp
              Filesize

              3.0MB

              Download
            • memory/2724-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2724-20-0x0000000000400000-0x000000000042F000-memory.dmp
              Filesize

              188KB

              Download