Analysis

  • max time kernel
    146s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    16/01/2025, 12:28 UTC

General

  • Target

    Payment details.exe

  • Size

    720KB

  • MD5

    7b0fe6381be15f90bf9cd16adc67e332

  • SHA1

    11ea9024f45bbd7a37791e9f23ee96de23655cd3

  • SHA256

    0198cc6636a1c05da00eb7457f498c6e1743fe0a9e3d50fc106621f862bf04dd

  • SHA512

    5fba23ff4057550e94974b0a995c07d1093ba91ba53abbee940c6af1e8e2d31858d85e7baf2d830e44859aaaa900d4c91246d2c3d5f553b3c41dbf5545428221

  • SSDEEP

    12288:+8lWXV7OuHmoCdeRMBvhTb/EEK1KUMsFP+WZWM7vop:WObyMBRz21K/waM7vg

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

a01d

Decoy

eniorshousing05.shop

rywisevas.biz

4726.pizza

itchen-design-42093.bond

3456.tech

4825.plus

nlinecraps.xyz

itamins-52836.bond

nfluencer-marketing-40442.bond

nline-advertising-58573.bond

rautogroups.net

limbtrip.net

oftware-download-14501.bond

nline-advertising-66733.bond

erity.xyz

xknrksi.icu

x-ist.club

yber-security-26409.bond

oincatch.xyz

onitoring-devices-34077.bond

Signatures

  • Formbook

    Formbook is an information-stealing malware family: it harvests credentials and form data from browsers and other applications, logs keystrokes and can download additional payloads.

  • Formbook family
  • Formbook payload 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths or processes. In this run, Add-MpPreference -ExclusionPath was used twice, once for the dropped sample in the user's Temp directory and once for the persistence copy under AppData\Roaming.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    schtasks.exe is often used by malware for persistence or to perform post-infection execution. Here the task definition is imported from an XML file written to the user's Temp directory and registered under the "Updates\" task folder.

  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1160
    • C:\Users\Admin\AppData\Local\Temp\Payment details.exe
      "C:\Users\Admin\AppData\Local\Temp\Payment details.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2512
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Payment details.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2204
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\PWbCqHTnOp.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2696
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PWbCqHTnOp" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBE3.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2804
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2892
    • C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\SysWOW64\cscript.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2832
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1220
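The process tree above shows four behaviours worth a detection rule: PowerShell adding a Defender exclusion for a path under the user profile, schtasks.exe importing a task from an XML file in Temp, a .NET utility (RegSvcs.exe) started with no arguments by a process running from Temp (the usual shape of process hollowing, consistent with the SetThreadContext and WriteProcessMemory signatures), and cmd.exe deleting a binary under C:\Windows. The following is an added example, not part of the sandbox report: the events are constructed from the PIDs and command lines in the tree, the event field names (pid, ppid, image, cmdline) are an assumed schema rather than any particular EDR's, and the list of .NET hollowing hosts is an assumption beyond what this page shows.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (assumed schema, not a vendor format)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the sandbox process tree on this page; parent links follow the nesting.
EVENTS = [
    ProcEvent(1160, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(2512, 1160, r"C:\Users\Admin\AppData\Local\Temp\Payment details.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Payment details.exe"'),
    ProcEvent(2204, 2512, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
              r'-ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Payment details.exe"'),
    ProcEvent(2696, 2512, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
              r'-ExclusionPath "C:\Users\Admin\AppData\Roaming\PWbCqHTnOp.exe"'),
    ProcEvent(2804, 2512, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PWbCqHTnOp" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpBE3.tmp"'),
    ProcEvent(2892, 2512, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'),
    ProcEvent(2832, 1160, r"C:\Windows\SysWOW64\cscript.exe", r'"C:\Windows\SysWOW64\cscript.exe"'),
    ProcEvent(1220, 2832, r"C:\Windows\SysWOW64\cmd.exe",
              r'/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'),
]

# Paths an unprivileged user can write to; anything launched or excluded from here is suspect.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\Temp\\", re.IGNORECASE)
QUOTED_OR_BARE = r'(?:"([^"]+)"|(\S+))'
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\s+" + QUOTED_OR_BARE, re.IGNORECASE)
XML_RE = re.compile(r"/XML\s+" + QUOTED_OR_BARE, re.IGNORECASE)
DEL_RE = re.compile(r"\bdel\s+" + QUOTED_OR_BARE, re.IGNORECASE)
# .NET utilities commonly abused as hollowing targets (assumed list; only RegSvcs.exe appears above).
HOLLOW_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe", "applaunch.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _pick(m: re.Match) -> str:
    """Return whichever alternative of QUOTED_OR_BARE matched."""
    return m.group(1) or m.group(2)


def _args(cmdline: str) -> str:
    """Everything after the (possibly quoted) program token; empty means no arguments."""
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s*(.*)$', cmdline)
    return m.group(1) if m else ""


def run_detections(events: list[ProcEvent]) -> list[dict]:
    by_pid = {e.pid: e for e in events}
    hits: list[dict] = []

    def hit(rule: str, e: ProcEvent, detail: str) -> None:
        hits.append({"rule": rule, "pid": e.pid, "image": basename(e.image), "detail": detail})

    for e in events:
        parent = by_pid.get(e.ppid)
        parent_from_user_path = bool(parent and USER_WRITABLE.search(parent.image))
        name = basename(e.image)
        if name == "powershell.exe":
            # Defender exclusion whose target lives in a user-writable location.
            m = EXCLUSION_RE.search(e.cmdline)
            if m and USER_WRITABLE.search(_pick(m)):
                hit("defender_exclusion_user_path", e, _pick(m))
        elif name == "schtasks.exe" and re.search(r"/create\b", e.cmdline, re.IGNORECASE):
            # Task registered from an XML definition dropped in Temp/AppData.
            m = XML_RE.search(e.cmdline)
            if m and USER_WRITABLE.search(_pick(m)):
                hit("schtasks_xml_from_user_path", e, _pick(m))
        elif name in HOLLOW_HOSTS and not _args(e.cmdline) and parent_from_user_path:
            # A .NET utility started with no arguments by a user-path parent: hollowing candidate.
            hit("dotnet_host_no_args_from_user_path", e, parent.image)
        elif name == "cmd.exe":
            # cmd.exe deleting a binary under C:\Windows (here: the hollowed RegSvcs.exe).
            m = DEL_RE.search(e.cmdline)
            if m and re.search(r"\\Windows\\", _pick(m), re.IGNORECASE):
                hit("delete_system_binary", e, _pick(m))
    return hits


if __name__ == "__main__":
    for h in run_detections(EVENTS):
        print(f"{h['rule']:<38} pid={h['pid']:<5} {h['image']:<16} {h['detail']}")
```

Run stand-alone it prints five hits, one per suspicious child of PID 2512 plus the cmd.exe deletion under PID 2832. The parent-path check is what keeps the RegSvcs rule quiet on a normal machine, where RegSvcs.exe is launched by installers running from Program Files, and the same USER_WRITABLE test turns an otherwise noisy Add-MpPreference or schtasks /XML match into something worth paging on.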

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpBE3.tmp

    Filesize

    1KB

    MD5

    12f849b0ef1bca39894b37f41163a247

    SHA1

    da51e535db4ea9ace4d4241f0e6d77730aedb003

    SHA256

    4a92f1fbd68ff1e42f35bb7cdcaecdb2ea3cb7532e5be1effc7afc41b70cb7e5

    SHA512

    03aa5500ceeabee953a17c5772d52dbd80f8842fd5a7543ecdac938592d3c6a65389333ca4a631e8cf85a0193d9474b889b9ae28f873bbcb0131280b2c502a2b

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\43M6VT13TL1DMMV0FA5J.temp

    Filesize

    7KB

    MD5

    30126a2b5502ac447d6cd164673e4309

    SHA1

    ca39f24957eca9423b816122a01b5601ec476dca

    SHA256

    75c6e37376723b205ea34236f555df88948fd0b610fce04823b6ae033fd97196

    SHA512

    ec3e0b33705bda77eec1bf01ef26ad97606dc25c65b0f12f89bc57896008a1aed08ee162b872578d0a84b7dff3e8c3caed9d05da11ae3d08bc464f391fed121a

  • memory/2512-4-0x00000000744DE000-0x00000000744DF000-memory.dmp

    Filesize

    4KB

  • memory/2512-25-0x00000000744D0000-0x0000000074BBE000-memory.dmp

    Filesize

    6.9MB

  • memory/2512-0-0x00000000744DE000-0x00000000744DF000-memory.dmp

    Filesize

    4KB

  • memory/2512-5-0x00000000744D0000-0x0000000074BBE000-memory.dmp

    Filesize

    6.9MB

  • memory/2512-6-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/2512-2-0x00000000744D0000-0x0000000074BBE000-memory.dmp

    Filesize

    6.9MB

  • memory/2512-1-0x0000000000B30000-0x0000000000BEA000-memory.dmp

    Filesize

    744KB

  • memory/2512-3-0x0000000000390000-0x00000000003B6000-memory.dmp

    Filesize

    152KB

  • memory/2832-28-0x0000000000070000-0x000000000009F000-memory.dmp

    Filesize

    188KB

  • memory/2832-27-0x0000000000860000-0x0000000000882000-memory.dmp

    Filesize

    136KB

  • memory/2892-19-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2892-21-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2892-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2892-24-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB
