Overview

overview

10

Static

static

Aquatherm ...xs.exe

windows7_x64

10

Aquatherm ...xs.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    153s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 10:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Aquatherm Rechnungen 384890 _Xlxs.exe

  • Size

    606KB

  • MD5

    82015111b3cffed68fee74b525f3265b

  • SHA1

    e43ae387a8bd5ce994a0529b0e1f0bc6c4ae8af3

  • SHA256

    49f8b73df45213da0f86e871fbd8d231cdfcc30e7ef8041d38ef062884e47b2e

  • SHA512

    54d227662a69606f19f23ddea553445f0f0e197928a12f31cbc24864233a63f4ddcab15293567ca051933b3e05180437077ab4b0c3e4895f2b8c39e702db3372

Score
10/10
formbookk2wpersistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

k2w

Decoy

brittanybeck.com

idapple.mobi

sharoncement.win

smerchenko.com

citizenssenergygroup.com

landhawktactical.com

yilingshenghuo.com

lifa97.com

8160pe.com

sf-purify.com

bloomingamaizing.com

thymeshares.com

rainwatercollectionhq.com

jaseba.net

whoistom.net

gn70.com

payperclickad.info

jessicagorbet.com

portlockproperty.com

mindset-beratung.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Formbook Payload 1 IoCs
    rat
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 58 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2940
    • C:\Users\Admin\AppData\Local\Temp\Aquatherm Rechnungen 384890 _Xlxs.exe
      "C:\Users\Admin\AppData\Local\Temp\Aquatherm Rechnungen 384890 _Xlxs.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2028
      • C:\Users\Admin\AppData\Local\Temp\Aquatherm Rechnungen 384890 _Xlxs.exe
        "C:\Users\Admin\AppData\Local\Temp\Aquatherm Rechnungen 384890 _Xlxs.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:368
    • C:\Windows\SysWOW64\wlanext.exe
      "C:\Windows\SysWOW64\wlanext.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4544
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\Aquatherm Rechnungen 384890 _Xlxs.exe"
        3⤵
          PID:4288
        • C:\Windows\SysWOW64\cmd.exe
          /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
          3⤵
            PID:1640

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      2
      T1112

      Credential Access

      Credentials in Files

      1
      T1081

      Discovery

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\DB1
        Filesize

        40KB

        MD5

        b608d407fc15adea97c26936bc6f03f6

        SHA1

        953e7420801c76393902c0d6bb56148947e41571

        SHA256

        b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

        SHA512

        cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

        Download Submit
      • C:\Users\Admin\AppData\Roaming\-Q43QPT6\-Q4logim.jpeg
        Filesize

        77KB

        MD5

        55044fe3ca2d689baa1ca45bb6a8b8b9

        SHA1

        ce90528761f5c2e6ecdcbd8d882b7ba6325389ef

        SHA256

        d3b5b51e6773a5745ec2c99bbb7ebb5116195803414a310b14b2715dad15e29a

        SHA512

        e255a250c0898a5e75747deffd685ae443a8fecfde4acb60126ed6f28137c637f8d5bed61cd323db929f92f9bd1094b31daa388182ea6388adf10b72ae5542d1

        Download Submit
      • C:\Users\Admin\AppData\Roaming\-Q43QPT6\-Q4logrg.ini
        Filesize

        38B

        MD5

        4aadf49fed30e4c9b3fe4a3dd6445ebe

        SHA1

        1e332822167c6f351b99615eada2c30a538ff037

        SHA256

        75034beb7bded9aeab5748f4592b9e1419256caec474065d43e531ec5cc21c56

        SHA512

        eb5b3908d5e7b43ba02165e092f05578f45f15a148b4c3769036aa542c23a0f7cd2bc2770cf4119a7e437de3f681d9e398511f69f66824c516d9b451bb95f945

        Download Submit
      • C:\Users\Admin\AppData\Roaming\-Q43QPT6\-Q4logri.ini
        Filesize

        40B

        MD5

        d63a82e5d81e02e399090af26db0b9cb

        SHA1

        91d0014c8f54743bba141fd60c9d963f869d76c9

        SHA256

        eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

        SHA512

        38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

        Download Submit
      • C:\Users\Admin\AppData\Roaming\-Q43QPT6\-Q4logrv.ini
        Filesize

        872B

        MD5

        bbc41c78bae6c71e63cb544a6a284d94

        SHA1

        33f2c1d9fa0e9c99b80bc2500621e95af38b1f9a

        SHA256

        ee83c6bcea9353c74bfc0a7e739f3c4a765ace894470e09cdcdebba700b8d4cb

        SHA512

        0aea424b57adae3e14ad6491cab585f554b4dffe601b5a17bad6ee6177d2f0f995e419cde576e2d1782b9bddc0661aada11a2c9f1454ae625d9e3223635ec9f4

        Download Submit
      • memory/368-132-0x0000000000A60000-0x0000000000DAA000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/368-133-0x00000000005D0000-0x00000000005E4000-memory.dmp
        Filesize

        80KB

        Download
      • memory/368-130-0x0000000000000000-mapping.dmp
        Download
      • memory/1640-142-0x0000000000000000-mapping.dmp
        Download
      • memory/2028-131-0x0000000000400000-0x000000000049E000-memory.dmp
        Filesize

        632KB

        Download
      • memory/2940-134-0x00000000085F0000-0x00000000086B5000-memory.dmp
        Filesize

        788KB

        Download
      • memory/2940-141-0x0000000008C20000-0x0000000008D53000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/4288-136-0x0000000000000000-mapping.dmp
        Download
      • memory/4544-140-0x0000000001780000-0x0000000001813000-memory.dmp
        Filesize

        588KB

        Download
      • memory/4544-139-0x0000000001430000-0x000000000177A000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/4544-138-0x0000000000BC0000-0x0000000000BEA000-memory.dmp
        Filesize

        168KB

        Download
      • memory/4544-137-0x0000000000AB0000-0x0000000000AC7000-memory.dmp
        Filesize

        92KB

        Download
      • memory/4544-135-0x0000000000000000-mapping.dmp
        Download