Overview

overview

10

Static

static

3

PROFORMA INVOICE.exe

windows7-x64

10

PROFORMA INVOICE.exe

windows10-2004-x64

7

$PLUGINSDI...he.dll

windows7-x64

10

$PLUGINSDI...he.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    147s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    29-12-2024 23:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PROFORMA INVOICE.exe

  • Size

    638KB

  • MD5

    a3b8d59430deef4d59ec0d47a60af449

  • SHA1

    4cb4bef74a68cb9a55c8eed369a7beea317e3840

  • SHA256

    1339a93d8ca9b03d1b55ce0d283da6d320bf04fc515a8259597c635901c821d0

  • SHA512

    402f97692a312b8a70ea22e585f13c1c81336a1a7845202f2368622c1a1422b25f779778227f3ab4ddcd250cd496821486918a8e73f6d527c4262d827fc11474

  • SSDEEP

    6144:uGi+jGL0og4dDiXYOg8XQ5iiRHTjO0gBzxRmpwCxkZ6W6q/Ba:A1JiXXngQEHTxgBzxmwckZ67q/Y

Score
10/10
formbooka6hjdiscoveryratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

a6hj

Decoy

unlocking.solutions

porscheofac.com

alinadaubermont.com

firstcallindia.xyz

sanot.top

lamborghini.my.id

vbncbcbcncnbcnbcnbcncnb.net

firstclassescapes.com

bestblondehairstylist.com

cncdt.biz

finkeng.xyz

unitedbcttles.com

redbaby.store

redbaby.store

5donline.com

theonewayclothing.com

jgcenterpriseholdings.com

hairshackvb.com

thepunchypineapple.com

fm-conseils.fr

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook family
    formbook
  • Formbook payload 4 IoCs
    rat
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1208
    • C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe
      "C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2180
      • C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe
        "C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:3016
    • C:\Windows\SysWOW64\raserver.exe
      "C:\Windows\SysWOW64\raserver.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2964
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE.exe"
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        PID:2108

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\nsjDF1A.tmp\dvxpshe.dll
    Filesize

    66KB

    MD5

    45f315f24046abc7cbe07a0f08a500b4

    SHA1

    5fcbdb3743ac2497181bd800622b98033e0232bd

    SHA256

    231d2605fc4ba8b8abed10831692542931ad6e7f647225376723cf385695f1bf

    SHA512

    a2df0a846c508318eb0eee02921c7f345aaaed5fcc25bee179eb092586c145b8348fb232a22a349fe2bcfa9166778c5812062ce89782d7f8fb2de56497f10a31

    Download Submit

  • memory/1208-12-0x00000000051E0000-0x00000000052E7000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1208-15-0x00000000051E0000-0x00000000052E7000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1208-16-0x0000000006790000-0x0000000006864000-memory.dmp

    Filesize

    848KB

    Download

  • memory/1208-22-0x0000000006790000-0x0000000006864000-memory.dmp

    Filesize

    848KB

    Download

  • memory/2180-7-0x0000000010010000-0x0000000010012000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2964-19-0x0000000000820000-0x000000000083C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2964-20-0x0000000000820000-0x000000000083C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2964-21-0x0000000000080000-0x00000000000AF000-memory.dmp

    Filesize

    188KB

    Download

  • memory/3016-9-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/3016-11-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/3016-14-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download