Overview

overview

10

Static

static

3

Facturas Pagadas.exe

windows7-x64

10

Facturas Pagadas.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-12-2024 00:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Facturas Pagadas.exe

  • Size

    536KB

  • MD5

    ad3b7a36fc62bf369b5c563d2b5db945

  • SHA1

    3e43c14f9e010f1bcdcce6618f9ca5503de08579

  • SHA256

    af0af3ebf3ac231ad77dbe4cbfa0fb2d48312d4ca0b5431081046ab09aa3b552

  • SHA512

    2de28e6d8dff912a57e958ddeea51876cbd10e448221807837b6ba6a592acc70434d3be7f1695e3651ea6c2483d0cb3220be96f5e93b1be3f5234b1e5060e811

  • SSDEEP

    12288:9IdemtiK5oBfZQElcqE+RqFoVnQ1PSYNsEOmuBE6rp:V+FoBfDcqE+4FInqPSzmf6rp

Score
10/10
formbookg4m1discoveryratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

g4m1

Decoy

detect-guide.fyi

ethmetaverse.info

21centmasks.com

statemint.network

decowonderland.com

phairrealty.com

drhillda.com

wir-koennen-gesund.info

m-cloudplatform.com

baduapp.site

trydextrus.com

unlimiteddecorations.com

zagfundraisong.com

gaincapita.com

przemekkulik.online

joshwiliam.online

k8worldcup94.com

soobanhaider.com

dein-hochzeitsladen.com

chirpvision.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook family
    formbook
  • Formbook payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3524
      • C:\Users\Admin\AppData\Local\Temp\Facturas Pagadas.exe
        "C:\Users\Admin\AppData\Local\Temp\Facturas Pagadas.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3736
        • C:\Users\Admin\AppData\Local\Temp\Facturas Pagadas.exe
          "C:\Users\Admin\AppData\Local\Temp\Facturas Pagadas.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:1072

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1072-12-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/1072-21-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/1072-22-0x0000000003750000-0x0000000003764000-memory.dmp

      Filesize

      80KB

      Download

    • memory/1072-17-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/1072-18-0x0000000001900000-0x0000000001914000-memory.dmp

      Filesize

      80KB

      Download

    • memory/1072-15-0x0000000001960000-0x0000000001CAA000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3524-25-0x0000000008F10000-0x000000000905A000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/3524-24-0x0000000008D90000-0x0000000008F07000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/3524-23-0x0000000008F10000-0x000000000905A000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/3524-19-0x0000000008D90000-0x0000000008F07000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/3736-5-0x0000000005290000-0x000000000529A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3736-11-0x0000000005820000-0x0000000005856000-memory.dmp

      Filesize

      216KB

      Download

    • memory/3736-10-0x0000000006260000-0x00000000062C8000-memory.dmp

      Filesize

      416KB

      Download

    • memory/3736-14-0x0000000074740000-0x0000000074EF0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3736-9-0x0000000074740000-0x0000000074EF0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3736-8-0x000000007474E000-0x000000007474F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3736-7-0x0000000005500000-0x0000000005522000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3736-6-0x00000000055A0000-0x000000000563C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/3736-0-0x000000007474E000-0x000000007474F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3736-4-0x0000000074740000-0x0000000074EF0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3736-3-0x00000000052C0000-0x0000000005352000-memory.dmp

      Filesize

      584KB

      Download

    • memory/3736-2-0x0000000005870000-0x0000000005E14000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3736-1-0x0000000000840000-0x00000000008CC000-memory.dmp

      Filesize

      560KB

      Download