88d766e1d4cbb025175bec2ab8f960d52cf104bfac481da64f536bb7401842c0

General

Target

FuckBot.exe
Size

8.7MB
MD5

e934eb2bc8d75b3a635a69b7c3063a2c
SHA1

3e1077207b6f65f6f8ea65f1b00a2ac8022e2d22
SHA256

88d766e1d4cbb025175bec2ab8f960d52cf104bfac481da64f536bb7401842c0
SHA512

99115358cc9567de2a201b60ad9e7a5d9708ccc2b3a60d0c0a542ac87bad1fb1ef149b5675a92501e0475346664776750c9ca6a43dacd63b4e8bc2a64fbb141b
SSDEEP

196608:rgcnBJnK4TnsxHUmjqocHNz/o3l7jzMqtX3QzlbsD1o:rgcLn/Tsh4//MlttX3Qzj

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation	FuckBot.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4452 wrote to memory of 2172	4452	FuckBot.exe	85
PID 4452 wrote to memory of 2172	4452	FuckBot.exe	85
PID 4452 wrote to memory of 2172	4452	FuckBot.exe	85
PID 2172 wrote to memory of 372	2172	cmd.exe	88
PID 2172 wrote to memory of 372	2172	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\FuckBot.exe
"C:\Users\Admin\AppData\Local\Temp\FuckBot.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4452
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\temp\launch.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\ProgramData\Oracle\Java\javapath\java.exe
    java -server -Xmx2G -XX:+UseConcMarkSweepGC -XX:MaxGCPauseMillis=50 -Dfile.encoding=UTF-8 -jar FuckBot.jar --nojline
    3⤵
    PID:372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\temp\FuckBot.jar

Filesize
51KB

MD5
e6a8431184459fe853894613e41db1b8

SHA1
7a4e63fbfb0701b03d9652e1ceb8167c4fc65158

SHA256
ffb604ae3a6d73d790c5baf478e50612e9b0c4800cec17f3680dfbcca86024f7

SHA512
3426a8387efdf10c343648aadfe9f84c3a7ba5a6b5c42a91cdd182b90fda7f7d5f30a8b16f54b77a66e3e9b8841efa17f3e411249eda6b112e4c66e587ed50d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp\Launch.bat

Filesize
183B

MD5
a04b72213c45b0741459243c4d40241a

SHA1
92a407f96335013d1afcafb82df4b7efc91c5543

SHA256
f8c677e1471ea9685b1c111a1ef6e31951ab00027c46bf71b72d4ccc3bb980fe

SHA512
484bb7b117b1810247a2e5da5264a34a01ce9346fc97aff420ae4835463061a0e342c6d49cf4d48b2ab9dd8e2af784b0d9e785e571dcd5bdc891e24e2d0566cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp\Library.jar

Filesize
9.5MB

MD5
a515de5f35b3cdb408d03ea994e3bacb

SHA1
785abb5e27a2411ca202efcae9a277d12b5b5fde

SHA256
7809eb17a621ac892be364148e2c511887387abcab3bca69090a9b0686678a35

SHA512
1e88b49f399f0dd774061edc2cb043fc7d01c7e760d31eb6024a16002886b916d8d38580ee063fbcb4851bd63b9a778ce1983e9f888735e6822cd91ad8d366c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp\Settings.yml

Filesize
1KB

MD5
c37d28d43144c17bdeea1a0c26dccb9b

SHA1
aaf0c084e0e019efcad2da64e0e1b18bbf1a2da1

SHA256
5b76d15f754288ccb31d100e64dd30dac26e0f75df525e540b847b347f43a61c

SHA512
b5516edd49046cf891850a155fe3b4738e37439728f93608b32ec1a5f367db1a4d2501e4af1750092a4ce9556ab015bda61f08d3426b85ef58c220367597442f

Download Submit
memory/372-320-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/372-321-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/372-208-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/372-266-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/372-289-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/372-305-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/372-306-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/372-309-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/372-314-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/372-316-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/372-176-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/372-214-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/372-325-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/372-333-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/372-337-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/372-339-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/372-346-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/372-357-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/372-359-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/372-364-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/372-369-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/372-381-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/372-397-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/372-428-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing