Overview

overview

10

Static

static

1

fatura.hk.exe

windows7-x64

10

fatura.hk.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    183s
  • max time network
    181s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-12-2022 10:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fatura.hk.exe

  • Size

    213KB

  • MD5

    d9639b9bc8a92e559bcffdc05db4c97b

  • SHA1

    4418f08b864390a97d5bb166e9ac08820c2a3fa0

  • SHA256

    47d1e16275d98873c63ed2cfe032b171513ff063ccc19399815846d950ed09d6

  • SHA512

    9d0d367d8c4e27132956fbfc73bc0f5119746c2773f0bdbe46c5df1a07366a533662203cc0d2ef92ac4fab9a5f809983e2e015156fe82625e4203268782abc9b

  • SSDEEP

    3072:QEhKzShSycSMGJi3uwWHD0nDZBbTcLWsi1bXaWOPk2ne6049GDKq4DmuYC/cu8:QBn1Ki3iHD0ttcXLkWe60RDY3YC/z8

Score
10/10
formbooktc10ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

tc10

Decoy

mwigyu.com

sepuluholx.com

nsdigitalagency.com

horrorkore.com

santaclaracoimbrakarate.com

myeternalsummer.com

laosmidnight-lotto.com

haremp.xyz

boyace.top

unusualwithdrawal.com

wildflowerkidsri.com

backlitvps.dev

topwellgas.com

k3nnsworld3.com

wanbang.xyz

cntvc.net

sjcamden.church

pussit24.com

claml.com

statisticsturkey.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 5 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 56 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2648
    • C:\Users\Admin\AppData\Local\Temp\fatura.hk.exe
      "C:\Users\Admin\AppData\Local\Temp\fatura.hk.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3620
      • C:\Users\Admin\AppData\Local\Temp\nqrvmnqh.exe
        "C:\Users\Admin\AppData\Local\Temp\nqrvmnqh.exe" C:\Users\Admin\AppData\Local\Temp\rrfqclrrjcd.afu
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2116
        • C:\Users\Admin\AppData\Local\Temp\nqrvmnqh.exe
          "C:\Users\Admin\AppData\Local\Temp\nqrvmnqh.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:4284
    • C:\Windows\SysWOW64\mstsc.exe
      "C:\Windows\SysWOW64\mstsc.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1392
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\nqrvmnqh.exe"
        3⤵
          PID:3680

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\eouzuqz.n
      Filesize

      185KB

      MD5

      dde54c62eb4d82ef59619ef10b17bbd3

      SHA1

      f1932d68c3bfcbd4f85fb132a25032b9b57e6840

      SHA256

      62bbb454488f2531e8de5e5427817c8998dd0a0c3e9b5ad42a09ad9260ec535a

      SHA512

      ad772f777b8131e94ff0a15f4c77cd81618ff5d4f5722d4969e6f9c6d9414f0425d3e27aa155373c8739dd55e03982b50892fa2782068454cc3b6f0473760d37

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\nqrvmnqh.exe
      Filesize

      12KB

      MD5

      45d4f4b100f5d5fade2613f0496661a3

      SHA1

      f2dbecffe01db8a1f2ee9a0a5fb61cfe92736f2a

      SHA256

      ef1e94355199fc03fb166c1f785e05f2b85d7ef9ad2a35576e30343c059d59c1

      SHA512

      1ee41f4dd86c44d7d90d0a974485c6b2c3b7ed37555cc92538627371b0c157cef1c3a962f8183f32e31cbb181f7797c7e2dd4cf01572bf3fa8d8d8b3be2ecfec

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\nqrvmnqh.exe
      Filesize

      12KB

      MD5

      45d4f4b100f5d5fade2613f0496661a3

      SHA1

      f2dbecffe01db8a1f2ee9a0a5fb61cfe92736f2a

      SHA256

      ef1e94355199fc03fb166c1f785e05f2b85d7ef9ad2a35576e30343c059d59c1

      SHA512

      1ee41f4dd86c44d7d90d0a974485c6b2c3b7ed37555cc92538627371b0c157cef1c3a962f8183f32e31cbb181f7797c7e2dd4cf01572bf3fa8d8d8b3be2ecfec

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\nqrvmnqh.exe
      Filesize

      12KB

      MD5

      45d4f4b100f5d5fade2613f0496661a3

      SHA1

      f2dbecffe01db8a1f2ee9a0a5fb61cfe92736f2a

      SHA256

      ef1e94355199fc03fb166c1f785e05f2b85d7ef9ad2a35576e30343c059d59c1

      SHA512

      1ee41f4dd86c44d7d90d0a974485c6b2c3b7ed37555cc92538627371b0c157cef1c3a962f8183f32e31cbb181f7797c7e2dd4cf01572bf3fa8d8d8b3be2ecfec

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\rrfqclrrjcd.afu
      Filesize

      5KB

      MD5

      eabbfb92ebb6dc43cc8c1f64946db5e2

      SHA1

      99c6b5f32dc2d0746f78dbc516c97132b5722efb

      SHA256

      dbf8bc9863a3788330fef03c9c27e4b6515b93ecce16e5474c118eea426e09bd

      SHA512

      e79d6641233791cfa189d05a33075e7ccfedcbb3eb4a43a2cdd4ee96988a6228b8d5e87dfc746f215ce1b61be27b426d1e8a94a377dfe9d9063be647c9b001b2

      Download Submit
    • memory/1392-151-0x0000000002F20000-0x000000000326A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/1392-146-0x0000000000000000-mapping.dmp
      Download
    • memory/1392-155-0x0000000001000000-0x000000000102F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1392-153-0x0000000002D90000-0x0000000002E23000-memory.dmp
      Filesize

      588KB

      Download
    • memory/1392-150-0x0000000001000000-0x000000000102F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1392-149-0x0000000000600000-0x000000000073A000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/2116-132-0x0000000000000000-mapping.dmp
      Download
    • memory/2648-152-0x0000000007E80000-0x0000000007FB0000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/2648-145-0x0000000007E80000-0x0000000007FB0000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/2648-156-0x0000000007FB0000-0x0000000008078000-memory.dmp
      Filesize

      800KB

      Download
    • memory/2648-154-0x0000000007FB0000-0x0000000008078000-memory.dmp
      Filesize

      800KB

      Download
    • memory/2648-142-0x0000000002470000-0x0000000002528000-memory.dmp
      Filesize

      736KB

      Download
    • memory/3680-148-0x0000000000000000-mapping.dmp
      Download
    • memory/4284-137-0x0000000000000000-mapping.dmp
      Download
    • memory/4284-141-0x0000000001420000-0x0000000001434000-memory.dmp
      Filesize

      80KB

      Download
    • memory/4284-144-0x0000000002D50000-0x0000000002D64000-memory.dmp
      Filesize

      80KB

      Download
    • memory/4284-140-0x0000000000FD0000-0x000000000131A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/4284-147-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/4284-139-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/4284-143-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download