Overview

overview

10

Static

static

1

Justifican...ia.exe

windows7-x64

10

Justifican...ia.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-03-2023 12:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Justificante de transferencia.exe

  • Size

    324KB

  • MD5

    89c1af7470bf3a699a914a62a7a37c1f

  • SHA1

    75112e7df02461e8dc0266d6a147959b2ae3701c

  • SHA256

    c036bf9593241c5ba0f2a7d38b6ff8099344e4b17a758ff64b145f2329256415

  • SHA512

    fa4ef030ff88c36e4028fc22e7e285383f38d73ec5b36f06bf4f087d84a55dbf72ad8e79d279deecac3181c71b239549c023e27e529cc57c3d46bd4a46971ba6

  • SSDEEP

    6144:nQ606xUAK/TxV595DDV6v/bGj5Yb7T/lZNG5isZ/UTUNsKn8sFLZJFJJWkFx:k3LJZ6HbGjQLZiU1sFdHnWkFx

Score
10/10
formbookguloaderbd16downloaderratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

bd16

Decoy

fjosephsolicitor.co.uk

itworx.store

firstlinebeefits.com

cadimaglobalservices.com

inclevin.com

kashmirimasale.com

charalambidis.com

homeliday.co.uk

joseguardiola.dev

wowmomofranchise.info

halongbaycruisestours.com

000217.com

dslt.xyz

careyinmobiliaria.com

ucankofteci.net

brisace.com

fastestcleaningservice.com

cornbreadnchicken.com

sizeable.app

labradordiamond.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Formbook payload 4 IoCs
    rat
  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3112
    • C:\Users\Admin\AppData\Local\Temp\Justificante de transferencia.exe
      "C:\Users\Admin\AppData\Local\Temp\Justificante de transferencia.exe"
      2⤵
      • Checks QEMU agent file
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1628
      • C:\Users\Admin\AppData\Local\Temp\Justificante de transferencia.exe
        "C:\Users\Admin\AppData\Local\Temp\Justificante de transferencia.exe"
        3⤵
        • Checks QEMU agent file
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:404
    • C:\Windows\SysWOW64\control.exe
      "C:\Windows\SysWOW64\control.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1596
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\Justificante de transferencia.exe"
        3⤵
          PID:1728

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\nse6CD9.tmp\AdvSplash.dll
      Filesize

      6KB

      MD5

      e8b67a37fb41d54a7eda453309d45d97

      SHA1

      96be9bf7a988d9cea06150d57cd1de19f1fec19e

      SHA256

      2ad232bccf4ca06cf13475af87b510c5788aa790785fd50509be483afc0e0bcf

      SHA512

      20effae18eebb2df90d3186a281fa9233a97998f226f7adead0784fbc787feee419973962f8369d8822c1bbcdfb6e7948d9ca6086c9cf90190c8ab3ec97f4c38

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nse6CD9.tmp\System.dll
      Filesize

      11KB

      MD5

      8b3830b9dbf87f84ddd3b26645fed3a0

      SHA1

      223bef1f19e644a610a0877d01eadc9e28299509

      SHA256

      f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37

      SHA512

      d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03

      Download Submit

    • memory/404-178-0x0000000001660000-0x0000000002B92000-memory.dmp

      Filesize

      21.2MB

      Download

    • memory/404-180-0x0000000000400000-0x0000000001654000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/404-156-0x0000000000400000-0x0000000001654000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/404-157-0x0000000001660000-0x0000000002B92000-memory.dmp

      Filesize

      21.2MB

      Download

    • memory/404-170-0x0000000000400000-0x0000000001654000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/404-171-0x0000000000400000-0x0000000001654000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/404-172-0x0000000001660000-0x0000000002B92000-memory.dmp

      Filesize

      21.2MB

      Download

    • memory/404-173-0x0000000001660000-0x0000000002B92000-memory.dmp

      Filesize

      21.2MB

      Download

    • memory/404-174-0x0000000033150000-0x000000003349A000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/404-175-0x0000000032F90000-0x0000000032FA4000-memory.dmp

      Filesize

      80KB

      Download

    • memory/1596-182-0x00000000029E0000-0x0000000002D2A000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1596-177-0x0000000000720000-0x0000000000747000-memory.dmp

      Filesize

      156KB

      Download

    • memory/1596-179-0x0000000000720000-0x0000000000747000-memory.dmp

      Filesize

      156KB

      Download

    • memory/1596-181-0x0000000000AB0000-0x0000000000ADF000-memory.dmp

      Filesize

      188KB

      Download

    • memory/1596-183-0x0000000000AB0000-0x0000000000ADF000-memory.dmp

      Filesize

      188KB

      Download

    • memory/1596-185-0x0000000002820000-0x00000000028B3000-memory.dmp

      Filesize

      588KB

      Download

    • memory/1628-155-0x00000000041E0000-0x0000000005712000-memory.dmp

      Filesize

      21.2MB

      Download

    • memory/1628-154-0x00000000041E0000-0x0000000005712000-memory.dmp

      Filesize

      21.2MB

      Download

    • memory/3112-176-0x00000000089B0000-0x0000000008B05000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/3112-186-0x0000000008E30000-0x0000000008FB4000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/3112-187-0x0000000008E30000-0x0000000008FB4000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/3112-189-0x0000000008E30000-0x0000000008FB4000-memory.dmp

      Filesize

      1.5MB

      Download