Overview

overview

10

Static

static

3

ReceiptCopy001.exe

windows7-x64

10

ReceiptCopy001.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    28-01-2025 13:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ReceiptCopy001.exe

  • Size

    651KB

  • MD5

    9ecbdf4d5174c3da835a2a7829e06773

  • SHA1

    734529d1583291a87ff3cfc8895705e374f0091a

  • SHA256

    467d77d35a6fc815ecbd60b0b320d7ca06e0f8a340c2c3285de4c0430517f8e7

  • SHA512

    06ce5f9f79ed67731552a64fd4d730512cf10a1b006d3b4e258f357f85d8288e1c8862e4f2e8460ee58ef6ec138ae68b161372443c5091dfb4460f584fb49317

  • SSDEEP

    12288:djz40GsIZC+9koIrfqUe1FOB/Uy4d8+1Aeh1bWwU6RnPsdx90:m3GXoIBe1FOf4dOCnPs

Score
10/10
formbookb02adiscoveryexecutionratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

b02a

Decoy

nnovate.host

yrvo.shop

obify.party

55665.one

vlisazouasiul.store

arjohbs.shop

mjsccc5716.shop

nfluencer-marketing-86606.bond

atellite-internet-74549.bond

arehouse-inventory-82506.bond

kanzaturf.net

airbypatrickmcguire.net

90880a15.buzz

ancake888.info

hopcroma.store

usinessloanscanada524285.icu

mdjr.world

9kct.xyz

ombrd.finance

luratu.xyz

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook family
    formbook
  • Formbook payload 3 IoCs
    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1160
    • C:\Users\Admin\AppData\Local\Temp\ReceiptCopy001.exe
      "C:\Users\Admin\AppData\Local\Temp\ReceiptCopy001.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2296
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ReceiptCopy001.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2648
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\zykAUGFBtng.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2704
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zykAUGFBtng" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC31.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2812
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2768
    • C:\Windows\SysWOW64\autofmt.exe
      "C:\Windows\SysWOW64\autofmt.exe"
      2⤵
        PID:2612
      • C:\Windows\SysWOW64\autofmt.exe
        "C:\Windows\SysWOW64\autofmt.exe"
        2⤵
          PID:2556
        • C:\Windows\SysWOW64\autofmt.exe
          "C:\Windows\SysWOW64\autofmt.exe"
          2⤵
            PID:2552
          • C:\Windows\SysWOW64\autofmt.exe
            "C:\Windows\SysWOW64\autofmt.exe"
            2⤵
              PID:2572
            • C:\Windows\SysWOW64\autofmt.exe
              "C:\Windows\SysWOW64\autofmt.exe"
              2⤵
                PID:2588
              • C:\Windows\SysWOW64\autofmt.exe
                "C:\Windows\SysWOW64\autofmt.exe"
                2⤵
                  PID:2620
                • C:\Windows\SysWOW64\autofmt.exe
                  "C:\Windows\SysWOW64\autofmt.exe"
                  2⤵
                    PID:2632
                  • C:\Windows\SysWOW64\autochk.exe
                    "C:\Windows\SysWOW64\autochk.exe"
                    2⤵
                      PID:2468
                    • C:\Windows\SysWOW64\autochk.exe
                      "C:\Windows\SysWOW64\autochk.exe"
                      2⤵
                        PID:3004
                      • C:\Windows\SysWOW64\autochk.exe
                        "C:\Windows\SysWOW64\autochk.exe"
                        2⤵
                          PID:3044
                        • C:\Windows\SysWOW64\autochk.exe
                          "C:\Windows\SysWOW64\autochk.exe"
                          2⤵
                            PID:2600
                          • C:\Windows\SysWOW64\autoconv.exe
                            "C:\Windows\SysWOW64\autoconv.exe"
                            2⤵
                              PID:2384
                            • C:\Windows\SysWOW64\autoconv.exe
                              "C:\Windows\SysWOW64\autoconv.exe"
                              2⤵
                                PID:1664
                              • C:\Windows\SysWOW64\autoconv.exe
                                "C:\Windows\SysWOW64\autoconv.exe"
                                2⤵
                                  PID:1844
                                • C:\Windows\SysWOW64\autoconv.exe
                                  "C:\Windows\SysWOW64\autoconv.exe"
                                  2⤵
                                    PID:356
                                  • C:\Windows\SysWOW64\autoconv.exe
                                    "C:\Windows\SysWOW64\autoconv.exe"
                                    2⤵
                                      PID:2376
                                    • C:\Windows\SysWOW64\autoconv.exe
                                      "C:\Windows\SysWOW64\autoconv.exe"
                                      2⤵
                                        PID:1244
                                      • C:\Windows\SysWOW64\autoconv.exe
                                        "C:\Windows\SysWOW64\autoconv.exe"
                                        2⤵
                                          PID:2752
                                        • C:\Windows\SysWOW64\autoconv.exe
                                          "C:\Windows\SysWOW64\autoconv.exe"
                                          2⤵
                                            PID:2624
                                          • C:\Windows\SysWOW64\autoconv.exe
                                            "C:\Windows\SysWOW64\autoconv.exe"
                                            2⤵
                                              PID:1888
                                            • C:\Windows\SysWOW64\autoconv.exe
                                              "C:\Windows\SysWOW64\autoconv.exe"
                                              2⤵
                                                PID:1832
                                              • C:\Windows\SysWOW64\autoconv.exe
                                                "C:\Windows\SysWOW64\autoconv.exe"
                                                2⤵
                                                  PID:400
                                                • C:\Windows\SysWOW64\autoconv.exe
                                                  "C:\Windows\SysWOW64\autoconv.exe"
                                                  2⤵
                                                    PID:320
                                                  • C:\Windows\SysWOW64\autoconv.exe
                                                    "C:\Windows\SysWOW64\autoconv.exe"
                                                    2⤵
                                                      PID:1364
                                                    • C:\Windows\SysWOW64\autoconv.exe
                                                      "C:\Windows\SysWOW64\autoconv.exe"
                                                      2⤵
                                                        PID:1868
                                                      • C:\Windows\SysWOW64\autoconv.exe
                                                        "C:\Windows\SysWOW64\autoconv.exe"
                                                        2⤵
                                                          PID:1672
                                                        • C:\Windows\SysWOW64\autoconv.exe
                                                          "C:\Windows\SysWOW64\autoconv.exe"
                                                          2⤵
                                                            PID:780
                                                          • C:\Windows\SysWOW64\autoconv.exe
                                                            "C:\Windows\SysWOW64\autoconv.exe"
                                                            2⤵
                                                              PID:2860
                                                            • C:\Windows\SysWOW64\ipconfig.exe
                                                              "C:\Windows\SysWOW64\ipconfig.exe"
                                                              2⤵
                                                              • Suspicious use of SetThreadContext
                                                              • System Location Discovery: System Language Discovery
                                                              • Gathers network information
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious behavior: MapViewOfSection
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              • Suspicious use of WriteProcessMemory
                                                              PID:1952
                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                                3⤵
                                                                • System Location Discovery: System Language Discovery
                                                                PID:1256

                                                          Network

                                                          MITRE ATT&CK Enterprise v15

                                                          Replay Monitor

                                                          Loading Replay Monitor...

                                                          Downloads

                                                          • C:\Users\Admin\AppData\Local\Temp\tmpC31.tmp
                                                            Filesize

                                                            1KB

                                                            MD5

                                                            0b9d5576caa9d9611e89dd2dc97ba8b4

                                                            SHA1

                                                            594b008ba3582898adabe511934a11e5b343ce5c

                                                            SHA256

                                                            a77907c94af86d3e58ba90cd7099c87c20a9dc52ea3a0af9ddbfc55ea20e25e5

                                                            SHA512

                                                            b94a4ad5899a4519965aa00949f9aefb6e70da029e0b247bf7336f8507e6ae1c0878c3e4c90df78730aa1243fed92707985205c9d0355b9a875ee98dbf082fab

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
                                                            Filesize

                                                            7KB

                                                            MD5

                                                            c2bf872ee707d9d8ddae854eafa4be6f

                                                            SHA1

                                                            fd4f4865def69e789163a30d27baf5b7914984e7

                                                            SHA256

                                                            0b29b1900c8d483d22b1683aeb9d33e2bc0bbf509e408a7239f22c80087bd607

                                                            SHA512

                                                            ad4422eefe287de806d2c1644f449de5f41f850d60fcc8cd375e0cab259a19d6b520f83fa56d5e1555c77f44fda67160eb63e5fd05e8963caa3073f5e37b8a86

                                                            Download Submit

                                                          • memory/1952-29-0x0000000000110000-0x000000000013F000-memory.dmp

                                                            Filesize

                                                            188KB

                                                            Download

                                                          • memory/1952-28-0x0000000000140000-0x000000000014A000-memory.dmp

                                                            Filesize

                                                            40KB

                                                            Download

                                                          • memory/2296-4-0x00000000744DE000-0x00000000744DF000-memory.dmp

                                                            Filesize

                                                            4KB

                                                            Download

                                                          • memory/2296-5-0x00000000744D0000-0x0000000074BBE000-memory.dmp

                                                            Filesize

                                                            6.9MB

                                                            Download

                                                          • memory/2296-6-0x00000000003B0000-0x0000000000428000-memory.dmp

                                                            Filesize

                                                            480KB

                                                            Download

                                                          • memory/2296-0-0x00000000744DE000-0x00000000744DF000-memory.dmp

                                                            Filesize

                                                            4KB

                                                            Download

                                                          • memory/2296-3-0x0000000000670000-0x000000000068E000-memory.dmp

                                                            Filesize

                                                            120KB

                                                            Download

                                                          • memory/2296-26-0x00000000744D0000-0x0000000074BBE000-memory.dmp

                                                            Filesize

                                                            6.9MB

                                                            Download

                                                          • memory/2296-2-0x00000000744D0000-0x0000000074BBE000-memory.dmp

                                                            Filesize

                                                            6.9MB

                                                            Download

                                                          • memory/2296-1-0x0000000000A10000-0x0000000000ABA000-memory.dmp

                                                            Filesize

                                                            680KB

                                                            Download

                                                          • memory/2768-21-0x0000000000400000-0x000000000042F000-memory.dmp

                                                            Filesize

                                                            188KB

                                                            Download

                                                          • memory/2768-24-0x0000000000400000-0x000000000042F000-memory.dmp

                                                            Filesize

                                                            188KB

                                                            Download

                                                          • memory/2768-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                                                            Filesize

                                                            4KB

                                                            Download

                                                          • memory/2768-19-0x0000000000400000-0x000000000042F000-memory.dmp

                                                            Filesize

                                                            188KB

                                                            Download

                                                          • memory/2768-27-0x0000000000400000-0x000000000042F000-memory.dmp

                                                            Filesize

                                                            188KB

                                                            Download