Overview

overview

10

Static

static

3

Payment Slip.pdf.exe

windows7-x64

10

Payment Slip.pdf.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/07/2024, 08:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Payment Slip.pdf.exe

  • Size

    286KB

  • MD5

    fd6e85afa80f7c36795bc58dc4d1fa86

  • SHA1

    419dd6e6e6a1a6753ca51e1612ea6bc61a011d48

  • SHA256

    985fb6bd28653c5012113b096e61bebb49fe5aeeb53c7a128d323803637cf6cd

  • SHA512

    9d9279ddb6e3988371a7ca714ade52e4983eb7df7c3e6bdf322e530c44c730b8b43f4bb943800c842ee4b54bcdbf3341be066a05bdd4fa72e4e2b69db05c3a01

  • SSDEEP

    6144:UhntRj86y2xrIYaHInYgeEVgaQSTxU2ZxmSHM/:KntR5tQtvE6tSxUYxDs

Score
10/10
formbooktnkcredential_accessdiscoverypersistenceratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

tnk

Decoy

lafioletto.com

mgiuj.com

wolllafvixzies.win

wwwsbvip123.com

nadyaasnae.com

noticesinvoice2017.com

intercapati.com

tg8895.com

9245654874.com

lytsxc.info

rffuf3-liquidwebsites.com

verguet.com

peinturefleursetfemmes.com

xttmrama.com

cryptoinvestmentideas.com

kikumasacarparts.win

freeapk1.com

tasteofimagination.com

gxzyoa.com

cq-mingwei.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Formbook payload 2 IoCs
    rat
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3580
    • C:\Users\Admin\AppData\Local\Temp\Payment Slip.pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\Payment Slip.pdf.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1404
      • C:\Users\Admin\AppData\Local\Temp\Payment Slip.pdf.exe
        "{path}"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2268
    • C:\Windows\SysWOW64\cmstp.exe
      "C:\Windows\SysWOW64\cmstp.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4924
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\Payment Slip.pdf.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3844
      • C:\Windows\SysWOW64\cmd.exe
        /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3980
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:5076

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\DB1
      Filesize

      40KB

      MD5

      a182561a527f929489bf4b8f74f65cd7

      SHA1

      8cd6866594759711ea1836e86a5b7ca64ee8911f

      SHA256

      42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

      SHA512

      9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

      Download Submit

    • C:\Users\Admin\AppData\Roaming\-1L2OPP-\-1Llogim.jpeg
      Filesize

      80KB

      MD5

      5821b181b2591bd93eb74d99e655f7b3

      SHA1

      cdf9465ab65fee3c071b1a2fb17bc9c9b8375927

      SHA256

      eac7a106569b4c255f20e4ab45e76260632709ae005f20dc1d95fb18960deccc

      SHA512

      d05e0677b2dd92e2cc52014f963a1b2eea9366e5df7c971e38d72a5dd02f24e857446999a27fe11057249fc2ebdc4c1253267bf3a92587c4b1ce18b5a4e7f6e5

      Download Submit

    • C:\Users\Admin\AppData\Roaming\-1L2OPP-\-1Llogrf.ini
      Filesize

      40B

      MD5

      2f245469795b865bdd1b956c23d7893d

      SHA1

      6ad80b974d3808f5a20ea1e766c7d2f88b9e5895

      SHA256

      1662d01a2d47b875a34fc7a8cd92e78cb2ba7f34023c7fd2639cbb10b8d94361

      SHA512

      909f189846a5d2db208a5eb2e7cb3042c0f164caf437e2b1b6de608c0a70e4f3510b81b85753dbeec1e211e6a83e6ea8c96aff896e9b6e8ed42014473a54dc4f

      Download Submit

    • C:\Users\Admin\AppData\Roaming\-1L2OPP-\-1Llogrg.ini
      Filesize

      38B

      MD5

      4aadf49fed30e4c9b3fe4a3dd6445ebe

      SHA1

      1e332822167c6f351b99615eada2c30a538ff037

      SHA256

      75034beb7bded9aeab5748f4592b9e1419256caec474065d43e531ec5cc21c56

      SHA512

      eb5b3908d5e7b43ba02165e092f05578f45f15a148b4c3769036aa542c23a0f7cd2bc2770cf4119a7e437de3f681d9e398511f69f66824c516d9b451bb95f945

      Download Submit

    • C:\Users\Admin\AppData\Roaming\-1L2OPP-\-1Llogri.ini
      Filesize

      40B

      MD5

      d63a82e5d81e02e399090af26db0b9cb

      SHA1

      91d0014c8f54743bba141fd60c9d963f869d76c9

      SHA256

      eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

      SHA512

      38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

      Download Submit

    • C:\Users\Admin\AppData\Roaming\-1L2OPP-\-1Llogrv.ini
      Filesize

      872B

      MD5

      bbc41c78bae6c71e63cb544a6a284d94

      SHA1

      33f2c1d9fa0e9c99b80bc2500621e95af38b1f9a

      SHA256

      ee83c6bcea9353c74bfc0a7e739f3c4a765ace894470e09cdcdebba700b8d4cb

      SHA512

      0aea424b57adae3e14ad6491cab585f554b4dffe601b5a17bad6ee6177d2f0f995e419cde576e2d1782b9bddc0661aada11a2c9f1454ae625d9e3223635ec9f4

      Download Submit

    • memory/1404-1-0x0000000075320000-0x00000000758D1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1404-2-0x0000000075320000-0x00000000758D1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1404-3-0x0000000075322000-0x0000000075323000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1404-4-0x0000000075320000-0x00000000758D1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1404-7-0x0000000075320000-0x00000000758D1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1404-0-0x0000000075322000-0x0000000075323000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2268-10-0x0000000000400000-0x000000000042D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/2268-11-0x0000000001550000-0x0000000001564000-memory.dmp

      Filesize

      80KB

      Download

    • memory/2268-8-0x0000000001600000-0x000000000194A000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2268-5-0x0000000000400000-0x000000000042D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/3580-16-0x0000000008240000-0x000000000832C000-memory.dmp

      Filesize

      944KB

      Download

    • memory/3580-19-0x0000000008330000-0x00000000083F2000-memory.dmp

      Filesize

      776KB

      Download

    • memory/3580-20-0x0000000008330000-0x00000000083F2000-memory.dmp

      Filesize

      776KB

      Download

    • memory/3580-23-0x0000000008330000-0x00000000083F2000-memory.dmp

      Filesize

      776KB

      Download

    • memory/3580-12-0x0000000008240000-0x000000000832C000-memory.dmp

      Filesize

      944KB

      Download

    • memory/4924-13-0x00000000004E0000-0x00000000004F6000-memory.dmp

      Filesize

      88KB

      Download

    • memory/4924-14-0x00000000004E0000-0x00000000004F6000-memory.dmp

      Filesize

      88KB

      Download