Malware Analysis Report

2025-04-14 08:33

Sample ID 240924-nd6dsaserm
Target 24092024_1117_23092024_order.zip
SHA256 3a0175a8c4f8020cb5cb6351a3de5e9b62d200550c8de848b5787269b4aaf0ca
Tags
upx formbook c89p discovery rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3a0175a8c4f8020cb5cb6351a3de5e9b62d200550c8de848b5787269b4aaf0ca

Threat Level: Known bad

The file 24092024_1117_23092024_order.zip was found to be: Known bad.

Malicious Activity Summary

upx formbook c89p discovery rat spyware stealer trojan

Formbook

Formbook payload

AutoIT Executable

Suspicious use of SetThreadContext

UPX packed file

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-24 11:17

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-24 11:17

Reported

2024-09-24 11:22

Platform

win7-20240903-en

Max time kernel

300s

Max time network

296s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1992 set thread context of 1988 N/A C:\Users\Admin\AppData\Local\Temp\order.exe C:\Windows\SysWOW64\svchost.exe
PID 1988 set thread context of 1212 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\Explorer.EXE
PID 2856 set thread context of 1212 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\Explorer.EXE

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\order.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\order.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\order.exe

"C:\Users\Admin\AppData\Local\Temp\order.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\order.exe"

C:\Windows\SysWOW64\explorer.exe

"C:\Windows\SysWOW64\explorer.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Windows\SysWOW64\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.partment-rental05.online udp
US 8.8.8.8:53 www.oviepicker.net udp
US 8.8.8.8:53 www.arklife.shop udp
US 8.8.8.8:53 www.refabricated-homes-53685.bond udp
US 8.8.8.8:53 www.lood-test-jp-1.bond udp
US 8.8.8.8:53 www.dcustomdesgins.net udp
US 8.8.8.8:53 www.hzl9.bond udp
US 8.8.8.8:53 www.aser-cap-hair-growth.today udp
US 8.8.8.8:53 www.aston-saaaa.buzz udp
US 8.8.8.8:53 www.uickautoquote.net udp
US 8.8.8.8:53 www.okenexchange.art udp
US 8.8.8.8:53 www.igmoto.info udp
DE 89.31.143.90:80 www.igmoto.info tcp

Files

memory/1992-0-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/1992-3-0x00000000039E0000-0x0000000003DE0000-memory.dmp

memory/1988-4-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1992-6-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/1988-7-0x0000000000930000-0x0000000000C33000-memory.dmp

memory/1988-9-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1988-10-0x0000000000360000-0x0000000000374000-memory.dmp

memory/1212-11-0x0000000006E50000-0x0000000006FD3000-memory.dmp

memory/2856-12-0x0000000000BE0000-0x0000000000E61000-memory.dmp

memory/2856-13-0x0000000000BE0000-0x0000000000E61000-memory.dmp

memory/2856-14-0x0000000000110000-0x000000000013F000-memory.dmp

memory/1212-15-0x0000000006E50000-0x0000000006FD3000-memory.dmp

memory/1212-20-0x00000000042F0000-0x0000000004389000-memory.dmp

memory/1212-21-0x00000000042F0000-0x0000000004389000-memory.dmp

memory/1212-23-0x00000000042F0000-0x0000000004389000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-24 11:17

Reported

2024-09-24 11:22

Platform

win10v2004-20240802-en

Max time kernel

297s

Max time network

264s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3348 set thread context of 5036 N/A C:\Users\Admin\AppData\Local\Temp\order.exe C:\Windows\SysWOW64\svchost.exe
PID 5036 set thread context of 3516 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\Explorer.EXE
PID 536 set thread context of 3516 N/A C:\Windows\SysWOW64\cmmon32.exe C:\Windows\Explorer.EXE

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\order.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmmon32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\order.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A
N/A N/A C:\Windows\SysWOW64\cmmon32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\cmmon32.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\order.exe

"C:\Users\Admin\AppData\Local\Temp\order.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\order.exe"

C:\Windows\SysWOW64\cmmon32.exe

"C:\Windows\SysWOW64\cmmon32.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Windows\SysWOW64\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 www.aycare-service-99683.bond udp
US 8.8.8.8:53 www.usiness-printer-37559.bond udp
US 8.8.8.8:53 233.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 www.ransportationmmsytpro.top udp
US 8.8.8.8:53 151.133.100.95.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 www.69-11-luxury-watches.shop udp
US 8.8.8.8:53 www.rail.cruises udp
DE 217.160.0.10:80 www.rail.cruises tcp
US 8.8.8.8:53 10.0.160.217.in-addr.arpa udp
US 8.8.8.8:53 www.asapembuatanpatung.online udp
US 8.8.8.8:53 www.partment-rental05.online udp
US 8.8.8.8:53 www.x-design-courses-29670.bond udp
US 8.8.8.8:53 www.un-sea.fun udp
US 8.8.8.8:53 www.r64mh1.vip udp
US 8.8.8.8:53 www.igmoto.info udp
DE 89.31.143.90:80 www.igmoto.info tcp
US 8.8.8.8:53 90.143.31.89.in-addr.arpa udp
US 8.8.8.8:53 www.aston-saaaa.buzz udp

Files

memory/3348-0-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/3348-3-0x00000000040C0000-0x00000000042C0000-memory.dmp

memory/5036-4-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3348-6-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/5036-7-0x0000000001600000-0x000000000194A000-memory.dmp

memory/5036-9-0x0000000000400000-0x000000000042F000-memory.dmp

memory/5036-10-0x0000000000DA0000-0x0000000000DB4000-memory.dmp

memory/3516-11-0x0000000002B90000-0x0000000002C5E000-memory.dmp

memory/536-13-0x0000000000BB0000-0x0000000000BBC000-memory.dmp

memory/536-12-0x0000000000BB0000-0x0000000000BBC000-memory.dmp

memory/536-14-0x0000000000A00000-0x0000000000A2F000-memory.dmp

memory/3516-15-0x0000000002B90000-0x0000000002C5E000-memory.dmp

memory/3516-19-0x00000000026D0000-0x000000000279B000-memory.dmp

memory/3516-20-0x00000000026D0000-0x000000000279B000-memory.dmp

memory/3516-22-0x00000000026D0000-0x000000000279B000-memory.dmp