Overview

overview

10

Static

static

1

SecuriteIn...65.exe

windows7-x64

10

SecuriteIn...65.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-11-2022 16:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Trojan.Garf.Gen.6.9110.8665.exe

  • Size

    247KB

  • MD5

    e6d350443298710c357a4a51a09d4a81

  • SHA1

    6e563bfe1917e2b88a340495e6f3f6850384dc06

  • SHA256

    9b6c0f168cdbcc0aedb4884e856777cf5c31f55d9c3e09cb2e2ead9e53a3ce63

  • SHA512

    15f8463a3bb9625a1d7f877c82a93c0866bcfb69e71693ffc9f3b6580709c0ceb62f6b6ce3d3bd1d1a008440bd8f43c4c4d8f8c7cd91f449a3a795ab8198cf47

  • SSDEEP

    6144:LBnbP1MAaVfa7ZEYkEiqYf9Ly7toeA8HIx8n70sRGkGPv:FSPJet7YftyGeA6K+a

Score
10/10
formbookk6n9ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

k6n9

Decoy

NzUYPBPnE+UWNJX0b/5zZQ==

ZcsDmdfNeiREr4loZ9k=

p4Pecr+pmTFp+Az4AGoSpvqp

4jwUP0ApYThdpDmZcNp+xuej

0tmQjRQKSQbR0N86

MgfR+qwWljDdagbsn8Ukr8bc8A==

shQ3YCpOQPp/9g==

Q4mmwEidJLBJug25c6Vxcg==

OM1kEJDdGNpv7nMy

7FmP1iykTQZ7q0Hq5g==

9lVGWV44H63+A5oGc6Vxcg==

Bs97fiCGUye5Osm9xsOYZnb8SEC+YszE

xJMBmQj3MRDV7MBXzEep

mJpebAH7RkkGGbsZwZ/weg==

u6FXU+JCphyVyCsUBP0Spvqp

B/mwulPBDRm5q0Hq5g==

E+JiHcUb7gR+8A==

BgGOL5SLfQ9BzuPDxzeVKEIuOKDL

wZdfmzTbOcnEF3Mi1QnVpPCo

J63Z+Jv5L+JOhd+zc6Vxcg==

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2640
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Garf.Gen.6.9110.8665.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Garf.Gen.6.9110.8665.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5056
      • C:\Users\Admin\AppData\Local\Temp\khrdei.exe
        "C:\Users\Admin\AppData\Local\Temp\khrdei.exe" C:\Users\Admin\AppData\Local\Temp\cmdghwjm.u
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:4312
        • C:\Users\Admin\AppData\Local\Temp\khrdei.exe
          "C:\Users\Admin\AppData\Local\Temp\khrdei.exe"
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:444
    • C:\Windows\SysWOW64\raserver.exe
      "C:\Windows\SysWOW64\raserver.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4476
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:2312

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\cmdghwjm.u
      Filesize

      5KB

      MD5

      822f22bb953a33b000712be626a3b5ec

      SHA1

      70c58bec036d24a64dcb6dcdf3de73f3a5aa8f76

      SHA256

      48599caf70c5941c51f4bf6c91805876aa90c3d69a506d14327d8c703564879e

      SHA512

      6615708dd4386c60022456863ea84c41553d4371bde8614dc816f0cfcd811f8339613a7f9725cc9087b09655ee3e2f7dc61c3b22b43f101c6c36e21c4ed7a71d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\huixielttv.it
      Filesize

      185KB

      MD5

      ccebfb1f8e6fde5e7e39bf806d2f8fa0

      SHA1

      c3a91315c4f9234a800e5ce86e35f2b103e79562

      SHA256

      0ac4d2fefc6a98cf449218da92a6f15a5106f7cdf34dfb78297d93015d4cb157

      SHA512

      84a01f6b74aa684f95ad4afd7f68e67607eb8fca3d663ab1e454fb762fbe371f5ef2c554ef8bcffcff9acc4ab1bbc0f11b8237ecf59ef2d8bc928c459aaac50b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\khrdei.exe
      Filesize

      23KB

      MD5

      1eed533450616d90dda951bb76a23a69

      SHA1

      34d603cc4b6e55a78bda46b9f7cd2b08a1ff4b76

      SHA256

      a9dcfbfe40606b2dcf512b72c0d16a359fe7095eff94b36de84a6f93e8332ebc

      SHA512

      f704098a5f912c7ed977cd94aba03108e5a2f1e63480109bc259dad9e8efb64d0a5016df65d5de3b762aca061b94550067804368a00aba34ea20f1c53c1b9924

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\khrdei.exe
      Filesize

      23KB

      MD5

      1eed533450616d90dda951bb76a23a69

      SHA1

      34d603cc4b6e55a78bda46b9f7cd2b08a1ff4b76

      SHA256

      a9dcfbfe40606b2dcf512b72c0d16a359fe7095eff94b36de84a6f93e8332ebc

      SHA512

      f704098a5f912c7ed977cd94aba03108e5a2f1e63480109bc259dad9e8efb64d0a5016df65d5de3b762aca061b94550067804368a00aba34ea20f1c53c1b9924

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\khrdei.exe
      Filesize

      23KB

      MD5

      1eed533450616d90dda951bb76a23a69

      SHA1

      34d603cc4b6e55a78bda46b9f7cd2b08a1ff4b76

      SHA256

      a9dcfbfe40606b2dcf512b72c0d16a359fe7095eff94b36de84a6f93e8332ebc

      SHA512

      f704098a5f912c7ed977cd94aba03108e5a2f1e63480109bc259dad9e8efb64d0a5016df65d5de3b762aca061b94550067804368a00aba34ea20f1c53c1b9924

      Download Submit
    • memory/444-143-0x0000000000430000-0x0000000000440000-memory.dmp
      Filesize

      64KB

      Download
    • memory/444-142-0x0000000000422000-0x0000000000424000-memory.dmp
      Filesize

      8KB

      Download
    • memory/444-139-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/444-140-0x0000000000401000-0x000000000042F000-memory.dmp
      Filesize

      184KB

      Download
    • memory/444-141-0x0000000000C70000-0x0000000000FBA000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/444-137-0x0000000000000000-mapping.dmp
      Download
    • memory/2640-144-0x00000000085A0000-0x00000000086C0000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/2640-151-0x00000000086C0000-0x00000000087C7000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/2640-152-0x00000000086C0000-0x00000000087C7000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/4312-132-0x0000000000000000-mapping.dmp
      Download
    • memory/4476-145-0x0000000000000000-mapping.dmp
      Download
    • memory/4476-146-0x0000000000E20000-0x0000000000E3F000-memory.dmp
      Filesize

      124KB

      Download
    • memory/4476-147-0x0000000001280000-0x00000000012AD000-memory.dmp
      Filesize

      180KB

      Download
    • memory/4476-148-0x0000000003180000-0x00000000034CA000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/4476-149-0x0000000002FA0000-0x000000000302F000-memory.dmp
      Filesize

      572KB

      Download
    • memory/4476-150-0x0000000001280000-0x00000000012AD000-memory.dmp
      Filesize

      180KB

      Download