Overview

overview

10

Static

static

1

fatura.hk.exe

windows7-x64

10

fatura.hk.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    169s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-12-2022 12:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fatura.hk.exe

  • Size

    322KB

  • MD5

    8104841622a72073beb0f28da060a864

  • SHA1

    5b9b45998957d6742bb6a2c108702f2cdf298536

  • SHA256

    8a8bd03d6e56297acd34652142a5cb999089c75e28decf038c43eeccc14158ba

  • SHA512

    770b9561f0a2a3dca5eff576738cf088b127a46c1cfbe1cd521acf3c790f7a7ed99e00756d948ac80598c5227a48a1173f5a4cabbce5ee4c047525ed5672dca6

  • SSDEEP

    6144:QBn1FyGPg0kL7SAoDYx0AbFfVB6wRNd8kyqZkJ4ocFOnLipUE9b33hkKb:gFLozv5oDY+AbFdDR78ZbQOemEV3Co

Score
10/10
formbooktc10ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

tc10

Decoy

mwigyu.com

sepuluholx.com

nsdigitalagency.com

horrorkore.com

santaclaracoimbrakarate.com

myeternalsummer.com

laosmidnight-lotto.com

haremp.xyz

boyace.top

unusualwithdrawal.com

wildflowerkidsri.com

backlitvps.dev

topwellgas.com

k3nnsworld3.com

wanbang.xyz

cntvc.net

sjcamden.church

pussit24.com

claml.com

statisticsturkey.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 3 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 58 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2692
    • C:\Users\Admin\AppData\Local\Temp\fatura.hk.exe
      "C:\Users\Admin\AppData\Local\Temp\fatura.hk.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1260
      • C:\Users\Admin\AppData\Local\Temp\ttuzgytoke.exe
        "C:\Users\Admin\AppData\Local\Temp\ttuzgytoke.exe" C:\Users\Admin\AppData\Local\Temp\usbtj.t
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:4900
        • C:\Users\Admin\AppData\Local\Temp\ttuzgytoke.exe
          "C:\Users\Admin\AppData\Local\Temp\ttuzgytoke.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:1932
    • C:\Windows\SysWOW64\help.exe
      "C:\Windows\SysWOW64\help.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4456
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\ttuzgytoke.exe"
        3⤵
          PID:744

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\iubxsew.h
      Filesize

      185KB

      MD5

      1c2c23901515e429615ead3767cac439

      SHA1

      2a8c43828771a38a3bb6981f831db04a386a2fa8

      SHA256

      b4fd5c0b6bfdbb3cbc377d385653babeabba1c4b12dffd70cfd66164bc5c7902

      SHA512

      ff14e44c3660818aa8b333ed36b8350a71b39c6f22ae0efc15dd22062be40a723fc8769498391adaaaf67104a997862eca0feb5b048567b77bf86235c89504ac

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\ttuzgytoke.exe
      Filesize

      267KB

      MD5

      1dd0df5125aa1c11275e8a33ba56eea7

      SHA1

      878ab8459a03a9cb01e40cd3d7327d9f91ccf59c

      SHA256

      39eacec35a4f52bc22462f94b54dba43d0863e7e8802b7f22995a59438853385

      SHA512

      f82439a04da4600cb2d2370d01339f4ef32b5b737b2726c27cb00a7cc319efea4e4e0d5e00d2e2cfcecad1d9494fcdf359139f93be635948e1f42f3c89c8859b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\ttuzgytoke.exe
      Filesize

      267KB

      MD5

      1dd0df5125aa1c11275e8a33ba56eea7

      SHA1

      878ab8459a03a9cb01e40cd3d7327d9f91ccf59c

      SHA256

      39eacec35a4f52bc22462f94b54dba43d0863e7e8802b7f22995a59438853385

      SHA512

      f82439a04da4600cb2d2370d01339f4ef32b5b737b2726c27cb00a7cc319efea4e4e0d5e00d2e2cfcecad1d9494fcdf359139f93be635948e1f42f3c89c8859b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\ttuzgytoke.exe
      Filesize

      267KB

      MD5

      1dd0df5125aa1c11275e8a33ba56eea7

      SHA1

      878ab8459a03a9cb01e40cd3d7327d9f91ccf59c

      SHA256

      39eacec35a4f52bc22462f94b54dba43d0863e7e8802b7f22995a59438853385

      SHA512

      f82439a04da4600cb2d2370d01339f4ef32b5b737b2726c27cb00a7cc319efea4e4e0d5e00d2e2cfcecad1d9494fcdf359139f93be635948e1f42f3c89c8859b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\usbtj.t
      Filesize

      5KB

      MD5

      1d38231c9e7aa6467bcab6ffe0451159

      SHA1

      de6aa8f5a9045cfd11af655c57be35d658c549f6

      SHA256

      df74eb7933d7fe22e390632f5361b04a6dadd9bad0bc5f2d8d69d91f0be91823

      SHA512

      1d250a3c2bc04c5fef6cbf8c4061619984cdc80cc78407e18941b908dd6d8bf3c9a9cc2afca091858601e6f65b3b05619dccd5ee1c5196783b944c2c66864715

      Download Submit

    • memory/744-144-0x0000000000000000-mapping.dmp

      Download

    • memory/1932-137-0x0000000000000000-mapping.dmp

      Download

    • memory/1932-139-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/1932-140-0x0000000001100000-0x000000000144A000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1932-141-0x0000000000C40000-0x0000000000C54000-memory.dmp

      Filesize

      80KB

      Download

    • memory/2692-142-0x0000000008700000-0x000000000885B000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/2692-150-0x0000000009180000-0x0000000009307000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/2692-151-0x0000000009180000-0x0000000009307000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/4456-143-0x0000000000000000-mapping.dmp

      Download

    • memory/4456-145-0x0000000000660000-0x0000000000667000-memory.dmp

      Filesize

      28KB

      Download

    • memory/4456-146-0x0000000000C00000-0x0000000000C2F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/4456-147-0x0000000001370000-0x00000000016BA000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4456-148-0x0000000001150000-0x00000000011E3000-memory.dmp

      Filesize

      588KB

      Download

    • memory/4456-149-0x0000000000C00000-0x0000000000C2F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/4900-132-0x0000000000000000-mapping.dmp

      Download