Overview

overview

10

Static

static

1

SecuriteIn...65.exe

windows7-x64

10

SecuriteIn...65.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-10-2022 13:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Trojan.Garf.Gen.7.4898.19865.exe

  • Size

    214KB

  • MD5

    6b3d29a22eeea61a865cd1deaef52404

  • SHA1

    2dece08d70ac3a0d45c48d452a0c30a1e53b72e9

  • SHA256

    b4894e0512db4aba5a1fd05d2415b5ad5f73474d456c9c9ddba8753e5ba37597

  • SHA512

    bb16350dc81183e1f95c5d5a320bbfbc7a601f59430aa0436584b8f01e2d014229f60f0eddcf9186edbc01af71b2a4a79b01320e09867b0749a718f6ba0752d6

  • SSDEEP

    6144:qweEpIIIg4H0ppuob6GzeFAQeKjGiaRhIsmN5cxPqO3r:btIdH0Z6GSOQeKqiAhIGCg

Score
10/10
formbookje14ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

je14

Decoy

innervisionbuildings.com

theenergysocialite.com

565548.com

panghr.com

onlyonesolutions.com

stjohnzone6.com

cnotes.rest

helfeb.online

xixi-s-inc.club

easilyentered.com

theshopx.store

mrclean-ac.com

miamibeachwateradventures.com

jpearce.co.uk

seseragi-bunkou.com

minimaddie.com

commbank-help-849c3.com

segohandelsonderneming.com

namthanhreal.com

fototerapi.online

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 3 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:700
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Garf.Gen.7.4898.19865.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Garf.Gen.7.4898.19865.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3076
      • C:\Users\Admin\AppData\Local\Temp\bhltrjq.exe
        "C:\Users\Admin\AppData\Local\Temp\bhltrjq.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:4280
        • C:\Users\Admin\AppData\Local\Temp\bhltrjq.exe
          "C:\Users\Admin\AppData\Local\Temp\bhltrjq.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:5028
    • C:\Windows\SysWOW64\raserver.exe
      "C:\Windows\SysWOW64\raserver.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1744
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\bhltrjq.exe"
        3⤵
          PID:5112

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\bhltrjq.exe
      Filesize

      7KB

      MD5

      9d861b82ea38bfc26ec676c80bb32987

      SHA1

      9c8460764141b51b2bd84ab8f935c455574daf08

      SHA256

      68442590d49dde3a3834a3841f367405d8098ed8cd1bb8fcdbe191b6e7f4545f

      SHA512

      eded9b3bdc31fc7b993fc716452f6df09695340d1374cd9100f325eed4c768b3f1765383a4eed556730bfcc0999b8430b79acce3fd53125a11e011bc6f6e8c10

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\bhltrjq.exe
      Filesize

      7KB

      MD5

      9d861b82ea38bfc26ec676c80bb32987

      SHA1

      9c8460764141b51b2bd84ab8f935c455574daf08

      SHA256

      68442590d49dde3a3834a3841f367405d8098ed8cd1bb8fcdbe191b6e7f4545f

      SHA512

      eded9b3bdc31fc7b993fc716452f6df09695340d1374cd9100f325eed4c768b3f1765383a4eed556730bfcc0999b8430b79acce3fd53125a11e011bc6f6e8c10

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\bhltrjq.exe
      Filesize

      7KB

      MD5

      9d861b82ea38bfc26ec676c80bb32987

      SHA1

      9c8460764141b51b2bd84ab8f935c455574daf08

      SHA256

      68442590d49dde3a3834a3841f367405d8098ed8cd1bb8fcdbe191b6e7f4545f

      SHA512

      eded9b3bdc31fc7b993fc716452f6df09695340d1374cd9100f325eed4c768b3f1765383a4eed556730bfcc0999b8430b79acce3fd53125a11e011bc6f6e8c10

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\zjkxypvsinp.fa
      Filesize

      185KB

      MD5

      b79e7182bcc2361b01094fea856666d9

      SHA1

      954aad476f20d570a00fd45fc69141d4153cc9c1

      SHA256

      196aadf971787f7d8f40d12d82b65e62a7845fb6c9c9eb54076179a54d83cb6d

      SHA512

      30c0446f3113bcd69d1d74e6a9e9ee8b121b08ce2403e4076a74bf8bdf34d7fa67ea37e2291482a025193f4d515984b7124b109e82a8f0895be65b86b30277a0

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\zltqwutxiat.ow
      Filesize

      5KB

      MD5

      8c5aa4d7bfde90f90bcadd4bd8cd0436

      SHA1

      bd996fa856445aba197c2b2e098cdb765034b8ec

      SHA256

      e3f2f6799c943952de4a4b38a29febccc171d6caabae3d84183bf009b3b428bb

      SHA512

      98194b83d8164b70bf1458135b8a495a1c99a89be069e1b2d6a4dbc843b31dd2dc0254b50800bbe6dc974bc2c9867ca2018ff060bb40bd7f3dd475fd9fc047df

      Download Submit
    • memory/700-142-0x00000000088E0000-0x00000000089FA000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/700-150-0x0000000008A00000-0x0000000008B72000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/700-152-0x0000000008A00000-0x0000000008B72000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/700-148-0x00000000088E0000-0x00000000089FA000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/1744-151-0x0000000000150000-0x000000000017F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1744-143-0x0000000000000000-mapping.dmp
      Download
    • memory/1744-149-0x00000000009A0000-0x0000000000A33000-memory.dmp
      Filesize

      588KB

      Download
    • memory/1744-145-0x0000000000740000-0x000000000075F000-memory.dmp
      Filesize

      124KB

      Download
    • memory/1744-146-0x0000000000150000-0x000000000017F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1744-147-0x0000000002630000-0x000000000297A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/4280-132-0x0000000000000000-mapping.dmp
      Download
    • memory/5028-137-0x0000000000000000-mapping.dmp
      Download
    • memory/5028-139-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/5028-141-0x00000000005E0000-0x00000000005F4000-memory.dmp
      Filesize

      80KB

      Download
    • memory/5028-140-0x0000000000A70000-0x0000000000DBA000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/5112-144-0x0000000000000000-mapping.dmp
      Download