Malware Analysis Report

2025-01-18 12:33

Sample ID: 240902-pawkva1ane
Target: Bill for the Month of August.exe
SHA256: ad796730fe76da567b892419b2cdba44eeaef29bf62b637c3c3af4cce42886ce
Tags: formbook pt46 discovery rat spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: ad796730fe76da567b892419b2cdba44eeaef29bf62b637c3c3af4cce42886ce

Threat Level: Known bad

The file Bill for the Month of August.exe was found to be: Known bad.

Malicious Activity Summary

Tags: formbook pt46 discovery rat spyware stealer trojan

Formbook

Formbook payload

AutoIT Executable

Suspicious use of SetThreadContext

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of UnmapMainImage

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-09-02 12:08

Signatures

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-09-02 12:08
Reported: 2024-09-02 12:10
Platform: win7-20240704-en
Max time kernel: 149s
Max time network: 149s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A  (3 identical rows)

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2388 set thread context of 2200 | N/A | C:\Users\Admin\AppData\Local\Temp\Bill for the Month of August.exe | C:\Windows\SysWOW64\svchost.exe
PID 2200 set thread context of 1200 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE
PID 1244 set thread context of 1200 | N/A | C:\Windows\SysWOW64\chkdsk.exe | C:\Windows\Explorer.EXE

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Bill for the Month of August.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\chkdsk.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\chkdsk.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\chkdsk.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bill for the Month of August.exe | N/A  (2 identical rows)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2388 wrote to memory of 2200 | N/A | C:\Users\Admin\AppData\Local\Temp\Bill for the Month of August.exe | C:\Windows\SysWOW64\svchost.exe  (5 identical rows)
PID 1200 wrote to memory of 1244 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\chkdsk.exe  (4 identical rows)
PID 1244 wrote to memory of 2484 | N/A | C:\Windows\SysWOW64\chkdsk.exe | C:\Windows\SysWOW64\cmd.exe  (4 identical rows)

Processes (image path, followed by its command line)

C:\Windows\Explorer.EXE
  C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\Bill for the Month of August.exe
  "C:\Users\Admin\AppData\Local\Temp\Bill for the Month of August.exe"

C:\Windows\SysWOW64\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\Bill for the Month of August.exe"

C:\Windows\SysWOW64\chkdsk.exe
  "C:\Windows\SysWOW64\chkdsk.exe"

C:\Windows\SysWOW64\cmd.exe
  /c del "C:\Windows\SysWOW64\svchost.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.wheresthechocolateat.com | udp
US | 13.248.243.5:80 | www.wheresthechocolateat.com | tcp
US | 8.8.8.8:53 | www.c21candacedevillier.com | udp
US | 198.185.159.144:80 | www.c21candacedevillier.com | tcp
US | 8.8.8.8:53 | www.healthsaveplus.com | udp
US | 199.116.255.220:80 | www.healthsaveplus.com | tcp
US | 8.8.8.8:53 | www.wvufcw948o.top | udp
HK | 103.235.47.188:80 | www.wvufcw948o.top | tcp
US | 8.8.8.8:53 | www.uddyen.shop | udp
US | 8.8.8.8:53 | www.strategiclogisticsagency.com | udp

Files

memory/2388-10-0x00000000001E0000-0x00000000001E4000-memory.dmp
memory/2200-11-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2200-12-0x00000000009E0000-0x0000000000CE3000-memory.dmp
memory/2200-15-0x0000000000180000-0x0000000000194000-memory.dmp
memory/2200-14-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1200-16-0x0000000005120000-0x0000000005211000-memory.dmp
memory/1244-17-0x0000000000050000-0x0000000000057000-memory.dmp
memory/1244-18-0x0000000000050000-0x0000000000057000-memory.dmp
memory/1244-19-0x0000000000090000-0x00000000000BF000-memory.dmp
memory/1200-20-0x0000000005120000-0x0000000005211000-memory.dmp
memory/1200-25-0x0000000006B70000-0x0000000006C83000-memory.dmp
memory/1200-26-0x0000000006B70000-0x0000000006C83000-memory.dmp
memory/1200-28-0x0000000006B70000-0x0000000006C83000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-09-02 12:08
Reported: 2024-09-02 12:10
Platform: win10v2004-20240802-en
Max time kernel: 149s
Max time network: 150s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A  (4 identical rows)

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3400 set thread context of 3500 | N/A | C:\Users\Admin\AppData\Local\Temp\Bill for the Month of August.exe | C:\Windows\SysWOW64\svchost.exe
PID 3500 set thread context of 3424 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE  (2 identical rows)
PID 4420 set thread context of 3424 | N/A | C:\Windows\SysWOW64\systray.exe | C:\Windows\Explorer.EXE

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\systray.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Bill for the Month of August.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A  (6 identical rows)
N/A | N/A | C:\Windows\SysWOW64\systray.exe | N/A  (56 identical rows)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\systray.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bill for the Month of August.exe | N/A  (2 identical rows)

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bill for the Month of August.exe | N/A  (2 identical rows)

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Explorer.EXE | N/A

Processes (image path, followed by its command line)

C:\Windows\Explorer.EXE
  C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\Bill for the Month of August.exe
  "C:\Users\Admin\AppData\Local\Temp\Bill for the Month of August.exe"

C:\Windows\SysWOW64\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\Bill for the Month of August.exe"

C:\Windows\SysWOW64\systray.exe
  "C:\Windows\SysWOW64\systray.exe"

C:\Windows\SysWOW64\cmd.exe
  /c del "C:\Windows\SysWOW64\svchost.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | www.dental-implants-89083.bond | udp
DE | 185.53.179.94:80 | www.dental-implants-89083.bond | tcp
US | 8.8.8.8:53 | 94.179.53.185.in-addr.arpa | udp
US | 8.8.8.8:53 | www.healthsaveplus.com | udp
US | 199.116.255.220:80 | www.healthsaveplus.com | tcp
US | 8.8.8.8:53 | 220.255.116.199.in-addr.arpa | udp
US | 8.8.8.8:53 | www.dvdripguides.com | udp
US | 104.21.76.183:80 | www.dvdripguides.com | tcp
US | 8.8.8.8:53 | 183.76.21.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | www.eraplay88rtpgacor.lat | udp
US | 8.8.8.8:53 | www.wheresthechocolateat.com | udp
US | 13.248.243.5:80 | www.wheresthechocolateat.com | tcp
US | 8.8.8.8:53 | 5.243.248.13.in-addr.arpa | udp
US | 8.8.8.8:53 | www.gv3l1.vip | udp
HK | 93.179.124.74:80 | www.gv3l1.vip | tcp
US | 8.8.8.8:53 | 74.124.179.93.in-addr.arpa | udp

Files

memory/3400-10-0x0000000001000000-0x0000000001004000-memory.dmp
memory/3500-11-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3500-12-0x0000000001500000-0x000000000184A000-memory.dmp
memory/3500-15-0x0000000001930000-0x0000000001944000-memory.dmp
memory/3500-14-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3424-16-0x0000000007D10000-0x0000000007DC6000-memory.dmp
memory/3424-20-0x00000000082F0000-0x00000000083EF000-memory.dmp
memory/3500-19-0x0000000003240000-0x0000000003254000-memory.dmp
memory/3500-18-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3424-21-0x0000000007D10000-0x0000000007DC6000-memory.dmp
memory/4420-23-0x0000000000210000-0x0000000000216000-memory.dmp
memory/4420-22-0x0000000000210000-0x0000000000216000-memory.dmp
memory/4420-24-0x0000000001070000-0x000000000109F000-memory.dmp
memory/3424-25-0x00000000082F0000-0x00000000083EF000-memory.dmp
memory/3424-28-0x00000000083F0000-0x0000000008553000-memory.dmp
memory/3424-30-0x00000000083F0000-0x0000000008553000-memory.dmp
memory/3424-31-0x00000000083F0000-0x0000000008553000-memory.dmp