Overview

overview

10

Static

static

Aquatherm ...xs.exe

windows7_x64

10

Aquatherm ...xs.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 10:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Aquatherm Rechnungen 384890 _Xlxs.exe

  • Size

    606KB

  • MD5

    82015111b3cffed68fee74b525f3265b

  • SHA1

    e43ae387a8bd5ce994a0529b0e1f0bc6c4ae8af3

  • SHA256

    49f8b73df45213da0f86e871fbd8d231cdfcc30e7ef8041d38ef062884e47b2e

  • SHA512

    54d227662a69606f19f23ddea553445f0f0e197928a12f31cbc24864233a63f4ddcab15293567ca051933b3e05180437077ab4b0c3e4895f2b8c39e702db3372

Score
10/10
formbookk2wpersistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

k2w

Decoy

brittanybeck.com

idapple.mobi

sharoncement.win

smerchenko.com

citizenssenergygroup.com

landhawktactical.com

yilingshenghuo.com

lifa97.com

8160pe.com

sf-purify.com

bloomingamaizing.com

thymeshares.com

rainwatercollectionhq.com

jaseba.net

whoistom.net

gn70.com

payperclickad.info

jessicagorbet.com

portlockproperty.com

mindset-beratung.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Formbook Payload 1 IoCs
    rat
  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1200
    • C:\Users\Admin\AppData\Local\Temp\Aquatherm Rechnungen 384890 _Xlxs.exe
      "C:\Users\Admin\AppData\Local\Temp\Aquatherm Rechnungen 384890 _Xlxs.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2024
      • C:\Users\Admin\AppData\Local\Temp\Aquatherm Rechnungen 384890 _Xlxs.exe
        "C:\Users\Admin\AppData\Local\Temp\Aquatherm Rechnungen 384890 _Xlxs.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1312
    • C:\Windows\SysWOW64\autofmt.exe
      "C:\Windows\SysWOW64\autofmt.exe"
      2⤵
        PID:1316
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\SysWOW64\rundll32.exe"
        2⤵
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Drops file in Program Files directory
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1280
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\Aquatherm Rechnungen 384890 _Xlxs.exe"
          3⤵
          • Deletes itself
          PID:1716

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\-Q43QPT6\-Q4logim.jpeg
      Filesize

      65KB

      MD5

      21d9cd60bda0887cfcddb6628267ef30

      SHA1

      2ae1437d3d67f8959d1727d5b7710284d10db338

      SHA256

      37796a846adc02de0806a1cdf21fa733a917a7a40035ef134dff12f44a034823

      SHA512

      8b6e58665f782a0e207f68cbcca4efd32c1151f4ba6922561ad85824b282560d4d77ab97739f098fc216e44e1e96d15c0a3f95268265df8e97b6fe9cf709cbed

      Download Submit
    • C:\Users\Admin\AppData\Roaming\-Q43QPT6\-Q4logri.ini
      Filesize

      40B

      MD5

      d63a82e5d81e02e399090af26db0b9cb

      SHA1

      91d0014c8f54743bba141fd60c9d963f869d76c9

      SHA256

      eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

      SHA512

      38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

      Download Submit
    • C:\Users\Admin\AppData\Roaming\-Q43QPT6\-Q4logrv.ini
      Filesize

      40B

      MD5

      ba3b6bc807d4f76794c4b81b09bb9ba5

      SHA1

      24cb89501f0212ff3095ecc0aba97dd563718fb1

      SHA256

      6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507

      SHA512

      ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf

      Download Submit
    • memory/1200-59-0x0000000006060000-0x00000000061EF000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/1200-67-0x0000000004210000-0x00000000042F6000-memory.dmp
      Filesize

      920KB

      Download
    • memory/1280-63-0x0000000002290000-0x0000000002593000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1280-60-0x0000000000000000-mapping.dmp
      Download
    • memory/1280-62-0x0000000000CF0000-0x0000000000CFE000-memory.dmp
      Filesize

      56KB

      Download
    • memory/1280-64-0x00000000000F0000-0x000000000011A000-memory.dmp
      Filesize

      168KB

      Download
    • memory/1280-66-0x0000000000A70000-0x0000000000B03000-memory.dmp
      Filesize

      588KB

      Download
    • memory/1312-58-0x0000000000340000-0x0000000000354000-memory.dmp
      Filesize

      80KB

      Download
    • memory/1312-57-0x00000000008C0000-0x0000000000BC3000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1312-55-0x000000000041B6C0-mapping.dmp
      Download
    • memory/1716-65-0x0000000000000000-mapping.dmp
      Download
    • memory/2024-54-0x0000000075B71000-0x0000000075B73000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2024-56-0x0000000000400000-0x000000000049E000-memory.dmp
      Filesize

      632KB

      Download