Malware Analysis Report

2025-01-18 12:39

Sample ID 240404-fwzpysgb56
Target General Specification -INVACO PVT.exe
SHA256 2313d25e7bb4affb7cb69890d851e061e013d079c012932d4f08275443d626d1
Tags
formbook kh11 rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2313d25e7bb4affb7cb69890d851e061e013d079c012932d4f08275443d626d1

Threat Level: Known bad

The file General Specification -INVACO PVT.exe was found to be: Known bad.

Malicious Activity Summary

formbook kh11 rat spyware stealer trojan

Formbook

Formbook payload

AutoIT Executable

Suspicious use of SetThreadContext

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Gathers network information

Suspicious use of UnmapMainImage

Suspicious use of FindShellTrayWindow

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-04 05:14

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-04 05:14

Reported

2024-04-04 05:16

Platform

win7-20240221-en

Max time kernel

150s

Max time network

134s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1936 set thread context of 2512 N/A C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe C:\Windows\SysWOW64\svchost.exe
PID 2512 set thread context of 1404 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\Explorer.EXE
PID 2616 set thread context of 1404 N/A C:\Windows\SysWOW64\wininit.exe C:\Windows\Explorer.EXE

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wininit.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1936 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe C:\Windows\SysWOW64\svchost.exe
PID 1936 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe C:\Windows\SysWOW64\svchost.exe
PID 1936 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe C:\Windows\SysWOW64\svchost.exe
PID 1936 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe C:\Windows\SysWOW64\svchost.exe
PID 1936 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe C:\Windows\SysWOW64\svchost.exe
PID 1404 wrote to memory of 2616 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\wininit.exe
PID 1404 wrote to memory of 2616 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\wininit.exe
PID 1404 wrote to memory of 2616 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\wininit.exe
PID 1404 wrote to memory of 2616 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\wininit.exe
PID 2616 wrote to memory of 2544 N/A C:\Windows\SysWOW64\wininit.exe C:\Windows\SysWOW64\cmd.exe
PID 2616 wrote to memory of 2544 N/A C:\Windows\SysWOW64\wininit.exe C:\Windows\SysWOW64\cmd.exe
PID 2616 wrote to memory of 2544 N/A C:\Windows\SysWOW64\wininit.exe C:\Windows\SysWOW64\cmd.exe
PID 2616 wrote to memory of 2544 N/A C:\Windows\SysWOW64\wininit.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe

"C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe"

C:\Windows\SysWOW64\wininit.exe

"C:\Windows\SysWOW64\wininit.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Windows\SysWOW64\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.northcuttmediacompany.com udp
US 34.149.87.45:80 www.northcuttmediacompany.com tcp
US 8.8.8.8:53 www.onehourbookclub.com udp
US 3.33.130.190:80 www.onehourbookclub.com tcp
US 8.8.8.8:53 www.thesimplestudio.io udp
US 198.185.159.144:80 www.thesimplestudio.io tcp
US 8.8.8.8:53 www.chicprems.xyz udp
DE 91.195.240.19:80 www.chicprems.xyz tcp
US 8.8.8.8:53 www.shpoifypos.app udp
US 99.83.176.46:80 www.shpoifypos.app tcp

Files

memory/1936-10-0x0000000000120000-0x0000000000124000-memory.dmp

memory/2512-11-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2512-12-0x0000000000720000-0x0000000000A23000-memory.dmp

memory/2512-14-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1404-15-0x0000000002940000-0x0000000002A40000-memory.dmp

memory/2512-16-0x0000000000360000-0x0000000000374000-memory.dmp

memory/1404-17-0x0000000007210000-0x000000000739E000-memory.dmp

memory/2616-18-0x00000000006F0000-0x000000000070A000-memory.dmp

memory/2616-19-0x00000000006F0000-0x000000000070A000-memory.dmp

memory/2616-20-0x0000000000080000-0x00000000000AF000-memory.dmp

memory/2616-21-0x0000000001FC0000-0x00000000022C3000-memory.dmp

memory/2616-22-0x0000000000080000-0x00000000000AF000-memory.dmp

memory/2616-24-0x0000000000580000-0x0000000000613000-memory.dmp

memory/1404-26-0x0000000007210000-0x000000000739E000-memory.dmp

memory/1404-30-0x00000000074A0000-0x00000000075A7000-memory.dmp

memory/1404-31-0x00000000074A0000-0x00000000075A7000-memory.dmp

memory/1404-34-0x00000000074A0000-0x00000000075A7000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-04 05:14

Reported

2024-04-04 05:16

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

159s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4620 set thread context of 4892 N/A C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe C:\Windows\SysWOW64\svchost.exe
PID 4892 set thread context of 3448 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\Explorer.EXE
PID 496 set thread context of 3448 N/A C:\Windows\SysWOW64\ipconfig.exe C:\Windows\Explorer.EXE

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\ipconfig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe

"C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe"

C:\Windows\SysWOW64\ipconfig.exe

"C:\Windows\SysWOW64\ipconfig.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Windows\SysWOW64\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 152.33.115.104.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 www.coalswap.com udp
US 76.76.21.61:80 www.coalswap.com tcp
US 8.8.8.8:53 61.21.76.76.in-addr.arpa udp
US 8.8.8.8:53 www.dentalemergencybakersfield.com udp
US 66.235.200.22:80 www.dentalemergencybakersfield.com tcp
US 8.8.8.8:53 22.200.235.66.in-addr.arpa udp
US 8.8.8.8:53 www.itsmisshodges.com udp
CA 23.227.38.74:80 www.itsmisshodges.com tcp
US 8.8.8.8:53 74.38.227.23.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 www.worxservicesllc.com udp
US 198.185.159.144:80 www.worxservicesllc.com tcp
US 8.8.8.8:53 144.159.185.198.in-addr.arpa udp
US 8.8.8.8:53 www.foroupskirt.com udp
US 8.8.8.8:53 224.162.46.104.in-addr.arpa udp

Files

memory/4620-10-0x0000000000C40000-0x0000000000C44000-memory.dmp

memory/4892-11-0x0000000000400000-0x000000000042F000-memory.dmp

memory/4892-12-0x0000000001800000-0x0000000001B4A000-memory.dmp

memory/4892-14-0x0000000000400000-0x000000000042F000-memory.dmp

memory/4892-15-0x0000000000DE0000-0x0000000000DF4000-memory.dmp

memory/3448-16-0x0000000008630000-0x000000000877F000-memory.dmp

memory/496-17-0x0000000000AB0000-0x0000000000ABB000-memory.dmp

memory/496-18-0x0000000000AB0000-0x0000000000ABB000-memory.dmp

memory/496-19-0x0000000000FD0000-0x0000000000FFF000-memory.dmp

memory/496-20-0x00000000019B0000-0x0000000001CFA000-memory.dmp

memory/496-21-0x0000000000FD0000-0x0000000000FFF000-memory.dmp

memory/496-23-0x00000000017F0000-0x0000000001883000-memory.dmp

memory/3448-24-0x0000000008630000-0x000000000877F000-memory.dmp

memory/3448-26-0x0000000008780000-0x000000000889E000-memory.dmp

memory/3448-27-0x0000000008780000-0x000000000889E000-memory.dmp

memory/3448-31-0x0000000008780000-0x000000000889E000-memory.dmp