Overview

overview

10

Static

static

3

New purcha...er.exe

windows7-x64

10

New purcha...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/01/2025, 10:42 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    New purchase order.exe

  • Size

    650KB

  • MD5

    1b507df9a13477b647da450a1b79b2e7

  • SHA1

    b0de85855b3462fe0b37c79831b391eeb044e437

  • SHA256

    a3af3dcfd89b655982b6e044b681b140dcefbe0606d69b0b7839b8cda28ccc91

  • SHA512

    37dcc8dd92a84009f81ebf394001de49bcf75818227bdbe135578f8f1dc57f4119c4cb6efd91ec70fe12202854ca472ec7435d3c0f713bf770f09967d61fe6a7

  • SSDEEP

    12288:kYRxA4Y5lyA/BxSPC3NMl2v/wXb5DDH6dcW6f8HtdJqT6B2zJxWVqHU:bRB2XM5UN60STUAJE

Score
10/10
formbooka01ddiscoveryexecutionratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

a01d

Decoy

eniorshousing05.shop

rywisevas.biz

4726.pizza

itchen-design-42093.bond

3456.tech

4825.plus

nlinecraps.xyz

itamins-52836.bond

nfluencer-marketing-40442.bond

nline-advertising-58573.bond

rautogroups.net

limbtrip.net

oftware-download-14501.bond

nline-advertising-66733.bond

erity.xyz

xknrksi.icu

x-ist.club

yber-security-26409.bond

oincatch.xyz

onitoring-devices-34077.bond

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook family
    formbook
  • Formbook payload 2 IoCs
    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3416
    • C:\Users\Admin\AppData\Local\Temp\New purchase order.exe
      "C:\Users\Admin\AppData\Local\Temp\New purchase order.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4760
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\New purchase order.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3932
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DjsaCPLWOz.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2776
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DjsaCPLWOz" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAD66.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:3192
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
          PID:2792
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:4628
      • C:\Windows\SysWOW64\systray.exe
        "C:\Windows\SysWOW64\systray.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4432
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:3916

    Network

    • flag-us
      DNS
      172.210.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.210.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      149.220.183.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      149.220.183.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      167.173.78.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      167.173.78.104.in-addr.arpa
      IN PTR
      Response
      167.173.78.104.in-addr.arpa
      IN PTR
      a104-78-173-167deploystaticakamaitechnologiescom
    • flag-us
      DNS
      134.32.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      134.32.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      228.249.119.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      228.249.119.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      217.106.137.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      217.106.137.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      212.20.149.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      212.20.149.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      206.23.85.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      206.23.85.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      8.153.16.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.153.16.2.in-addr.arpa
      IN PTR
      Response
      8.153.16.2.in-addr.arpa
      IN PTR
      a2-16-153-8deploystaticakamaitechnologiescom
    • flag-us
      DNS
      www.itchen-design-42093.bond
      Remote address:
      8.8.8.8:53
      Request
      www.itchen-design-42093.bond
      IN A
      Response
    • flag-us
      DNS
      www.3456.tech
      Remote address:
      8.8.8.8:53
      Request
      www.3456.tech
      IN A
      Response
      www.3456.tech
      IN CNAME
      3456.tech
      3456.tech
      IN A
      162.241.217.87
    • flag-us
      GET
      http://www.3456.tech/a01d/?k8l0dz=Lz/Bg+pRP76CJ0i7vCgFSYSc+ymb3pUquCB2HEbMZj9FoPTGt7AIOBhjVaTyBjlVi4hx&XL3=0nuxZDY84Hmt_6JP
      Explorer.EXE
      Remote address:
      162.241.217.87:80
      Request
      GET /a01d/?k8l0dz=Lz/Bg+pRP76CJ0i7vCgFSYSc+ymb3pUquCB2HEbMZj9FoPTGt7AIOBhjVaTyBjlVi4hx&XL3=0nuxZDY84Hmt_6JP HTTP/1.1
      Host: www.3456.tech
      Connection: close
      Response
      HTTP/1.1 301 Moved Permanently
      Date: Tue, 14 Jan 2025 10:43:33 GMT
      Server: Apache
      Location: https://www.3456.tech/a01d/?k8l0dz=Lz/Bg+pRP76CJ0i7vCgFSYSc+ymb3pUquCB2HEbMZj9FoPTGt7AIOBhjVaTyBjlVi4hx&XL3=0nuxZDY84Hmt_6JP
      Content-Length: 336
      Connection: close
      Content-Type: text/html; charset=iso-8859-1
    • flag-us
      DNS
      87.217.241.162.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      87.217.241.162.in-addr.arpa
      IN PTR
      Response
      87.217.241.162.in-addr.arpa
      IN PTR
      box5470bluehostcom
    • flag-us
      DNS
      www.uickcabinet.net
      Remote address:
      8.8.8.8:53
      Request
      www.uickcabinet.net
      IN A
      Response
    • flag-us
      DNS
      www.irlypods.shop
      Remote address:
      8.8.8.8:53
      Request
      www.irlypods.shop
      IN A
      Response
    • flag-us
      DNS
      www.irlypods.shop
      Remote address:
      8.8.8.8:53
      Request
      www.irlypods.shop
      IN A
      Response
    • flag-us
      DNS
      www.ustonehuman.info
      Remote address:
      8.8.8.8:53
      Request
      www.ustonehuman.info
      IN A
      Response
    • 162.241.217.87:80
      http://www.3456.tech/a01d/?k8l0dz=Lz/Bg+pRP76CJ0i7vCgFSYSc+ymb3pUquCB2HEbMZj9FoPTGt7AIOBhjVaTyBjlVi4hx&XL3=0nuxZDY84Hmt_6JP
      http
      Explorer.EXE
      397 B
       856 B
       5
      5

      HTTP Request

      GET http://www.3456.tech/a01d/?k8l0dz=Lz/Bg+pRP76CJ0i7vCgFSYSc+ymb3pUquCB2HEbMZj9FoPTGt7AIOBhjVaTyBjlVi4hx&XL3=0nuxZDY84Hmt_6JP

      HTTP Response

      301
    • 8.8.8.8:53
      172.210.232.199.in-addr.arpa
      dns
      74 B
       128 B
       1
      1

      DNS Request

      172.210.232.199.in-addr.arpa

    • 8.8.8.8:53
      149.220.183.52.in-addr.arpa
      dns
      73 B
       147 B
       1
      1

      DNS Request

      149.220.183.52.in-addr.arpa

    • 8.8.8.8:53
      134.32.126.40.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      134.32.126.40.in-addr.arpa

    • 8.8.8.8:53
      167.173.78.104.in-addr.arpa
      dns
      73 B
       139 B
       1
      1

      DNS Request

      167.173.78.104.in-addr.arpa

    • 8.8.8.8:53
      228.249.119.40.in-addr.arpa
      dns
      73 B
       159 B
       1
      1

      DNS Request

      228.249.119.40.in-addr.arpa

    • 8.8.8.8:53
      217.106.137.52.in-addr.arpa
      dns
      73 B
       147 B
       1
      1

      DNS Request

      217.106.137.52.in-addr.arpa

    • 8.8.8.8:53
      212.20.149.52.in-addr.arpa
      dns
      72 B
       146 B
       1
      1

      DNS Request

      212.20.149.52.in-addr.arpa

    • 8.8.8.8:53
      206.23.85.13.in-addr.arpa
      dns
      71 B
       145 B
       1
      1

      DNS Request

      206.23.85.13.in-addr.arpa

    • 8.8.8.8:53
      8.153.16.2.in-addr.arpa
      dns
      69 B
       131 B
       1
      1

      DNS Request

      8.153.16.2.in-addr.arpa

    • 8.8.8.8:53
      www.itchen-design-42093.bond
      dns
      74 B
       139 B
       1
      1

      DNS Request

      www.itchen-design-42093.bond

    • 8.8.8.8:53
      www.3456.tech
      dns
      59 B
       89 B
       1
      1

      DNS Request

      www.3456.tech

      DNS Response

      162.241.217.87

    • 8.8.8.8:53
      87.217.241.162.in-addr.arpa
      dns
      73 B
       107 B
       1
      1

      DNS Request

      87.217.241.162.in-addr.arpa

    • 8.8.8.8:53
      www.uickcabinet.net
      dns
      65 B
       138 B
       1
      1

      DNS Request

      www.uickcabinet.net

    • 8.8.8.8:53
      www.irlypods.shop
      dns
      126 B
       240 B
       2
      2

      DNS Request

      www.irlypods.shop

      DNS Request

      www.irlypods.shop

    • 8.8.8.8:53
      www.ustonehuman.info
      dns
      66 B
       145 B
       1
      1

      DNS Request

      www.ustonehuman.info

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      968cb9309758126772781b83adb8a28f

      SHA1

      8da30e71accf186b2ba11da1797cf67f8f78b47c

      SHA256

      92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

      SHA512

      4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      18KB

      MD5

      66188fd8ddfe547ba19324139ebec07b

      SHA1

      ce1888942423267241725aa0858c127ca1f421de

      SHA256

      b19fe898ce7a8c18f6baea923f825c5dd92373d5cf7cfa8eb4aa6ac5a97ef7b3

      SHA512

      7a8d2048dfd1aa0079ecfd8f200ffc0edf5ca98c2a84658c56711a4791aaaedaa35f5203eda17008594604cc4c19b7f0c1c3b8eccf1f4b424509822257709deb

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ea0bvnlm.a4v.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpAD66.tmp
      Filesize

      1KB

      MD5

      62189b2fbfcd95f624e0adb7a2d2fbd8

      SHA1

      ee65477abe95211aacd2bfe2e7b51b57ac5bf2f2

      SHA256

      288ac98515124c23f92f54971bf517800006a4ae9c6216a324834075f4f33b20

      SHA512

      9cd61d2ef2a85b2969fe49ed6294ba685cfb0af9d19cd19c32e6a3033951ad281af6b1263a30ab5b9d6516d850eb5af1db4afb46e3916a4575bb1d23c23704d5

      Download Submit

    • memory/2776-83-0x0000000007680000-0x000000000769A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2776-84-0x0000000007660000-0x0000000007668000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2776-24-0x0000000074B80000-0x0000000075330000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2776-82-0x0000000007580000-0x0000000007594000-memory.dmp

      Filesize

      80KB

      Download

    • memory/2776-65-0x00000000700F0000-0x000000007013C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2776-49-0x00000000060E0000-0x000000000612C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2776-47-0x0000000005F10000-0x0000000005F2E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2776-22-0x0000000074B80000-0x0000000075330000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2776-45-0x0000000074B80000-0x0000000075330000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2776-87-0x0000000074B80000-0x0000000075330000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3416-97-0x0000000008620000-0x00000000087B0000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/3932-16-0x0000000074B80000-0x0000000075330000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3932-81-0x0000000007E30000-0x0000000007E3E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/3932-18-0x0000000074B80000-0x0000000075330000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3932-17-0x0000000005B40000-0x0000000006168000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/3932-91-0x0000000074B80000-0x0000000075330000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3932-19-0x0000000005920000-0x0000000005942000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3932-26-0x0000000006300000-0x0000000006654000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3932-25-0x0000000074B80000-0x0000000075330000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3932-15-0x0000000002FC0000-0x0000000002FF6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/3932-80-0x0000000007E00000-0x0000000007E11000-memory.dmp

      Filesize

      68KB

      Download

    • memory/3932-79-0x0000000007E80000-0x0000000007F16000-memory.dmp

      Filesize

      600KB

      Download

    • memory/3932-78-0x0000000007C70000-0x0000000007C7A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3932-21-0x0000000006290000-0x00000000062F6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3932-20-0x0000000006170000-0x00000000061D6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3932-53-0x00000000700F0000-0x000000007013C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3932-52-0x0000000007850000-0x0000000007882000-memory.dmp

      Filesize

      200KB

      Download

    • memory/3932-63-0x0000000007890000-0x00000000078AE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3932-64-0x00000000078B0000-0x0000000007953000-memory.dmp

      Filesize

      652KB

      Download

    • memory/3932-76-0x0000000007C00000-0x0000000007C1A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3932-75-0x0000000008250000-0x00000000088CA000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/4432-77-0x0000000000800000-0x0000000000806000-memory.dmp

      Filesize

      24KB

      Download

    • memory/4432-92-0x0000000001230000-0x000000000125F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/4628-46-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/4760-7-0x0000000074B8E000-0x0000000074B8F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4760-10-0x000000000A680000-0x000000000A71C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/4760-0-0x0000000074B8E000-0x0000000074B8F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4760-8-0x0000000074B80000-0x0000000075330000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4760-6-0x0000000005900000-0x000000000591A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4760-5-0x0000000074B80000-0x0000000075330000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4760-4-0x00000000056B0000-0x00000000056BA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4760-3-0x0000000005520000-0x00000000055B2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4760-9-0x0000000006B40000-0x0000000006BBA000-memory.dmp

      Filesize

      488KB

      Download

    • memory/4760-2-0x0000000005A30000-0x0000000005FD4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4760-51-0x0000000074B80000-0x0000000075330000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4760-1-0x0000000000BF0000-0x0000000000C98000-memory.dmp

      Filesize

      672KB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.