Malware Analysis Report

2025-01-18 12:38

Sample ID 240404-fwkk2aff5x
Target General Specification -INVACO PVT.exe
SHA256 2313d25e7bb4affb7cb69890d851e061e013d079c012932d4f08275443d626d1
Tags
formbook kh11 rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2313d25e7bb4affb7cb69890d851e061e013d079c012932d4f08275443d626d1

Threat Level: Known bad

The file General Specification -INVACO PVT.exe was found to be: Known bad.

Malicious Activity Summary

formbook kh11 rat spyware stealer trojan

Formbook

Formbook payload

Blocklisted process makes network request

Suspicious use of SetThreadContext

AutoIT Executable

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-04-04 05:13

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-04 05:13

Reported

2024-04-04 05:15

Platform

win7-20240319-en

Max time kernel

146s

Max time network

136s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook payload

rat

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2528 set thread context of 1364 N/A C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe C:\Windows\SysWOW64\svchost.exe
PID 1364 set thread context of 1240 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\Explorer.EXE
PID 2056 set thread context of 1240 N/A C:\Windows\SysWOW64\help.exe C:\Windows\Explorer.EXE

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\help.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2528 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe C:\Windows\SysWOW64\svchost.exe
PID 2528 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe C:\Windows\SysWOW64\svchost.exe
PID 2528 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe C:\Windows\SysWOW64\svchost.exe
PID 2528 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe C:\Windows\SysWOW64\svchost.exe
PID 2528 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe C:\Windows\SysWOW64\svchost.exe
PID 1240 wrote to memory of 2056 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\help.exe
PID 1240 wrote to memory of 2056 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\help.exe
PID 1240 wrote to memory of 2056 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\help.exe
PID 1240 wrote to memory of 2056 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\help.exe
PID 2056 wrote to memory of 2700 N/A C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\cmd.exe
PID 2056 wrote to memory of 2700 N/A C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\cmd.exe
PID 2056 wrote to memory of 2700 N/A C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\cmd.exe
PID 2056 wrote to memory of 2700 N/A C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\cmd.exe

Processes (image path, followed by the command line it was launched with)

C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe
    "C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe"

C:\Windows\SysWOW64\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe"

C:\Windows\SysWOW64\help.exe
    "C:\Windows\SysWOW64\help.exe"

C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\SysWOW64\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.gltip2le.shop udp
HK 47.243.184.4:80 www.gltip2le.shop tcp
US 8.8.8.8:53 www.gltip2le.shop udp
HK 47.243.184.4:80 www.gltip2le.shop tcp
US 8.8.8.8:53 www.assurelinkenterprises.com udp
US 8.8.8.8:53 www.drhandgrip.com udp
US 8.8.8.8:53 www.unitygiftingco.store udp
US 35.241.18.84:80 www.unitygiftingco.store tcp
US 8.8.8.8:53 www.cattaillake.com udp
US 3.33.130.190:80 www.cattaillake.com tcp

Files

memory/2528-10-0x0000000000220000-0x0000000000224000-memory.dmp

memory/1364-11-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1364-12-0x0000000000710000-0x0000000000A13000-memory.dmp

memory/1364-14-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1364-16-0x0000000000190000-0x00000000001A4000-memory.dmp

memory/1240-15-0x0000000000320000-0x0000000000420000-memory.dmp

memory/1240-17-0x0000000006F80000-0x000000000710F000-memory.dmp

memory/2056-18-0x0000000000330000-0x0000000000336000-memory.dmp

memory/2056-19-0x0000000000330000-0x0000000000336000-memory.dmp

memory/2056-20-0x0000000000080000-0x00000000000AF000-memory.dmp

memory/2056-21-0x0000000000820000-0x0000000000B23000-memory.dmp

memory/2056-22-0x0000000000080000-0x00000000000AF000-memory.dmp

memory/2056-24-0x0000000000640000-0x00000000006D3000-memory.dmp

memory/1240-26-0x0000000006F80000-0x000000000710F000-memory.dmp

memory/1240-30-0x0000000004CC0000-0x0000000004E0D000-memory.dmp

memory/1240-31-0x0000000004CC0000-0x0000000004E0D000-memory.dmp

memory/1240-34-0x0000000004CC0000-0x0000000004E0D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-04 05:13

Reported

2024-04-04 05:16

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

153s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook payload

rat

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 644 set thread context of 1676 N/A C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe C:\Windows\SysWOW64\svchost.exe
PID 1676 set thread context of 3408 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\Explorer.EXE
PID 1676 set thread context of 3408 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\Explorer.EXE
PID 1028 set thread context of 3408 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\Explorer.EXE

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Processes (image path, followed by the command line it was launched with)

C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe
    "C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe"

C:\Windows\SysWOW64\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe"

C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\SysWOW64\msiexec.exe"

C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\SysWOW64\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 www.gadilglobal.com udp
FR 94.23.165.248:80 www.gadilglobal.com tcp
US 8.8.8.8:53 248.165.23.94.in-addr.arpa udp
US 8.8.8.8:53 www.gamer24.top udp
US 172.67.220.25:80 www.gamer24.top tcp
US 8.8.8.8:53 25.220.67.172.in-addr.arpa udp
US 8.8.8.8:53 www.jessicachristina.com udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 www.gltip2le.shop udp
HK 47.243.184.4:80 www.gltip2le.shop tcp
US 8.8.8.8:53 www.gltip2le.shop udp
HK 47.243.184.4:80 www.gltip2le.shop tcp
US 8.8.8.8:53 www.santefe4g.com udp
US 3.33.130.190:80 www.santefe4g.com tcp
US 8.8.8.8:53 190.130.33.3.in-addr.arpa udp
US 8.8.8.8:53 www.shopynuts.site udp
US 198.54.117.242:80 www.shopynuts.site tcp
US 8.8.8.8:53 242.117.54.198.in-addr.arpa udp
US 8.8.8.8:53 105.193.132.51.in-addr.arpa udp

Files

memory/644-10-0x0000000000340000-0x0000000000344000-memory.dmp

memory/1676-11-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1676-12-0x0000000001800000-0x0000000001B4A000-memory.dmp

memory/1676-14-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1676-15-0x00000000015B0000-0x00000000015C4000-memory.dmp

memory/3408-16-0x00000000082F0000-0x00000000083CB000-memory.dmp

memory/1676-18-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1676-19-0x0000000003670000-0x0000000003684000-memory.dmp

memory/3408-20-0x0000000008CB0000-0x0000000008E22000-memory.dmp

memory/1028-21-0x0000000000D70000-0x0000000000D82000-memory.dmp

memory/1028-23-0x0000000000D70000-0x0000000000D82000-memory.dmp

memory/1028-25-0x0000000000D70000-0x0000000000D82000-memory.dmp

memory/1028-26-0x0000000000FD0000-0x0000000000FFF000-memory.dmp

memory/1028-27-0x00000000030A0000-0x00000000033EA000-memory.dmp

memory/1028-28-0x0000000000FD0000-0x0000000000FFF000-memory.dmp

memory/3408-30-0x00000000082F0000-0x00000000083CB000-memory.dmp

memory/1028-31-0x0000000002F00000-0x0000000002F93000-memory.dmp

memory/3408-32-0x0000000008CB0000-0x0000000008E22000-memory.dmp

memory/3408-34-0x0000000008E30000-0x0000000008F8E000-memory.dmp

memory/3408-35-0x0000000008E30000-0x0000000008F8E000-memory.dmp

memory/3408-38-0x0000000008E30000-0x0000000008F8E000-memory.dmp