Overview

overview

10

Static

static

3

Purchase O...ls.exe

windows7-x64

10

Purchase O...ls.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    24-06-2024 11:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Purchase Order List.xls.exe

  • Size

    448KB

  • MD5

    7e35e387ee431ef08dfeec00552a6006

  • SHA1

    3d67672311c989e58c18df87b92e671cc5100360

  • SHA256

    e44f2c56314148dfe7f8e8ca016fd689f8fb72029a4c06b9020a322ba6ed1896

  • SHA512

    de755174a1cd65c46b8969ea14044c06282ef8748ffc92b08d9130571b241a786618b91196b30354b85f5d2815a56c5fe246e9bc753be35e9d7122db8a1c8299

  • SSDEEP

    6144:7Q3klTByZJvq7I3kv61Gn8UOFP0hEtUfv8AQDLv8mex0D9av1osh:s3YTEZJvqbOC8m688A4Err

Score
10/10
formbook45erratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

45er

Decoy

depotpulsa.com

k2bilbao.online

bb4uoficial.com

rwc666.club

us-pservice.cyou

tricegottreats.com

zsystems.pro

qudouyin6.com

sfumaturedamore.net

pcetyy.icu

notbokin.online

beqprod.tech

flipbuilding.com

errormitigationzoo.com

zj5u603.xyz

jezzatravel.com

zmdniavysyi.shop

quinnsteele.com

522334.com

outdoorshopping.net

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1232
    • C:\Users\Admin\AppData\Local\Temp\Purchase Order List.xls.exe
      "C:\Users\Admin\AppData\Local\Temp\Purchase Order List.xls.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1856
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
        "Powershell.exe" 東б屁एचтぎ儿ト丽-東б屁एचтぎ儿ト丽E東б屁एचтぎ儿ト丽x東б屁एचтぎ儿ト丽e東б屁एचтぎ儿ト丽c東б屁एचтぎ儿ト丽u東б屁एचтぎ儿ト丽t東б屁एचтぎ儿ト丽i東б屁एचтぎ儿ト丽o東б屁एचтぎ儿ト丽n東б屁एचтぎ儿ト丽P東б屁एचтぎ儿ト丽o東б屁एचтぎ儿ト丽l東б屁एचтぎ儿ト丽i東б屁एचтぎ儿ト丽c東б屁एचтぎ儿ト丽y東б屁एचтぎ儿ト丽 東б屁एचтぎ儿ト丽B東б屁एचтぎ儿ト丽y東б屁एचтぎ儿ト丽p東б屁एचтぎ儿ト丽a東б屁एचтぎ儿ト丽s東б屁एचтぎ儿ト丽s東б屁एचтぎ儿ト丽 東б屁एचтぎ儿ト丽-東б屁एचтぎ儿ト丽c東б屁एचтぎ儿ト丽o東б屁एचтぎ儿ト丽m東б屁एचтぎ儿ト丽m東б屁एचтぎ儿ト丽a東б屁एचтぎ儿ト丽n東б屁एचтぎ儿ト丽d 東б屁एचтぎ儿トC東б屁एचтぎ儿トo東б屁एचтぎ儿トp東б屁एचтぎ儿トy東б屁एचтぎ儿ト-東б屁एचтぎ儿トI東б屁एचтぎ儿トt東б屁एचтぎ儿トe東б屁एचтぎ儿トm 'C:\Users\Admin\AppData\Local\Temp\Purchase Order List.xls.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\command-line.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2904
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:3000
    • C:\Windows\SysWOW64\help.exe
      "C:\Windows\SysWOW64\help.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2660
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        3⤵
          PID:2624

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1232-18-0x0000000003A30000-0x0000000003B30000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/1856-1-0x00000000009C0000-0x0000000000A36000-memory.dmp
      Filesize

      472KB

      Download
    • memory/1856-2-0x0000000000480000-0x00000000004C6000-memory.dmp
      Filesize

      280KB

      Download
    • memory/1856-3-0x0000000074620000-0x0000000074D0E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/1856-0-0x000000007462E000-0x000000007462F000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1856-19-0x0000000074620000-0x0000000074D0E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/1856-10-0x00000000002D0000-0x00000000002DA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2660-22-0x00000000000C0000-0x00000000000EF000-memory.dmp
      Filesize

      188KB

      Download
    • memory/2660-20-0x00000000006F0000-0x00000000006F6000-memory.dmp
      Filesize

      24KB

      Download
    • memory/2904-6-0x000000006FF91000-0x000000006FF92000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2904-11-0x000000006FF90000-0x000000007053B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2904-9-0x000000006FF90000-0x000000007053B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2904-8-0x000000006FF90000-0x000000007053B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2904-7-0x000000006FF90000-0x000000007053B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/3000-16-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/3000-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3000-13-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/3000-12-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/3000-21-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download