Static task
static1
Behavioral task
behavioral1
Sample
Fatura.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
Fatura.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240704-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240709-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/nsExec.dll
Resource
win7-20240705-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/nsExec.dll
Resource
win10v2004-20240709-en
General
-
Target
11072024_1652_11072024_Fatura.rar
-
Size
434KB
-
MD5
7ac7c7311256fcadff9d5d577a1341cd
-
SHA1
4023a172b0d4ee39eedd857f238967c3caa6dd65
-
SHA256
6292fdf69844ed834e9f6ca211bdabde3b0ac0de7a11a9cca188ca3f99c313ef
-
SHA512
2cdbece21bff99a6b50f2d6f6c3bf4bb57fd2f2fa4058ab6cf30079567435ea7bb9a97d40f731d80b3526e5afad1c7f01f9ad3f4cd98b7910ed12c60df8c025b
-
SSDEEP
6144:tNEXGAIZ2+PZtk05/eM0kJkb1OroG8TcWf75pSolDPdNbN3eHIEkLTcWjt1m50/d:tNEXGRZ7I05/zvrtKpBNb4o7Njt1UHO
Malware Config
Signatures
-
Unsigned PE 2 IoCs
Checks for missing Authenticode signature.
resource unpack002/$PLUGINSDIR/System.dll unpack002/$PLUGINSDIR/nsExec.dll -
NSIS installer 2 IoCs
resource yara_rule static1/unpack001/Fatura.exe nsis_installer_1 static1/unpack001/Fatura.exe nsis_installer_2
Files
-
11072024_1652_11072024_Fatura.rar.rar
Password: infected
-
Fatura.exe.exe windows:5 windows x86 arch:x86
Password: infected
f677acae05efabe7411a40902b2d88fb
Code Sign
19:cd:d4:ef:08:e5:36:6a:0b:2a:51:fe:f5:bb:5c:e7:4a:2d:c2:c6Certificate
IssuerCN=Noteapparatet,OU=Chlorate Promitosis\ ,O=Noteapparatet,L=Rayville,ST=Missouri,C=US,1.2.840.113549.1.9.1=#0c1f466f726d6f646e696e6765726e6573404876616c66616e676572732e466573Not Before22/09/2023, 07:03Not After21/09/2026, 07:03SubjectCN=Noteapparatet,OU=Chlorate Promitosis\ ,O=Noteapparatet,L=Rayville,ST=Missouri,C=US,1.2.840.113549.1.9.1=#0c1f466f726d6f646e696e6765726e6573404876616c66616e676572732e4665739b:b7:29:d5:f8:18:33:ce:63:8a:94:af:4a:01:87:a8:0e:9a:7f:c2:ec:44:55:fb:68:0c:c1:9b:41:c2:fb:c7Signer
Actual PE Digest9b:b7:29:d5:f8:18:33:ce:63:8a:94:af:4a:01:87:a8:0e:9a:7f:c2:ec:44:55:fb:68:0c:c1:9b:41:c2:fb:c7Digest Algorithmsha256PE Digest MatchestrueHeaders
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
advapi32
RegCloseKey
RegDeleteKeyA
RegDeleteValueA
RegEnumKeyA
RegEnumValueA
RegQueryValueExA
RegSetValueExA
OpenProcessToken
AdjustTokenPrivileges
LookupPrivilegeValueA
SetFileSecurityA
RegCreateKeyExA
RegOpenKeyExA
shell32
SHBrowseForFolderA
SHFileOperationA
SHGetPathFromIDListA
SHGetFileInfoA
ShellExecuteExA
ole32
OleUninitialize
IIDFromString
OleInitialize
CoTaskMemFree
CoCreateInstance
comctl32
ord17
ImageList_Destroy
ImageList_AddMasked
ImageList_Create
user32
DispatchMessageA
SystemParametersInfoA
LoadCursorA
SetClassLongA
GetSysColor
ScreenToClient
SetCursor
GetWindowRect
TrackPopupMenu
AppendMenuA
EnableMenuItem
CreatePopupMenu
GetSystemMenu
GetSystemMetrics
IsWindowEnabled
EmptyClipboard
SetClipboardData
CloseClipboard
OpenClipboard
CheckDlgButton
EndDialog
DialogBoxParamA
IsWindowVisible
SetWindowPos
CreateWindowExA
GetClassInfoA
RegisterClassA
PeekMessageA
GetMessagePos
CharNextA
ExitWindowsEx
SetWindowTextA
SetTimer
CreateDialogParamA
DestroyWindow
LoadImageA
FindWindowExA
SetWindowLongA
InvalidateRect
ReleaseDC
GetDC
SetForegroundWindow
EnableWindow
GetDlgItem
ShowWindow
IsWindow
PostQuitMessage
SendMessageTimeoutA
SendMessageA
wsprintfA
FillRect
GetClientRect
EndPaint
BeginPaint
DrawTextA
DefWindowProcA
SetDlgItemTextA
GetDlgItemTextA
MessageBoxIndirectA
CallWindowProcA
CharPrevA
GetWindowLongA
gdi32
SetBkMode
CreateBrushIndirect
GetDeviceCaps
SelectObject
DeleteObject
SetBkColor
SetTextColor
CreateFontIndirectA
kernel32
GetTempFileNameA
GetLastError
WaitForSingleObject
RemoveDirectoryA
ReadFile
CreateFileA
CreateDirectoryA
lstrcpynA
GlobalLock
GlobalUnlock
CreateThread
GetDiskFreeSpaceA
CopyFileA
lstrlenA
GetVersionExA
GetWindowsDirectoryA
ExitProcess
GetExitCodeProcess
SetErrorMode
GetTempPathA
SetEnvironmentVariableA
GetCommandLineA
GetModuleFileNameA
GetTickCount
GetFileSize
MultiByteToWideChar
MoveFileA
WritePrivateProfileStringA
GetPrivateProfileStringA
lstrcmpiA
lstrcmpA
MulDiv
GetShortPathNameA
GlobalFree
GlobalAlloc
LoadLibraryExA
GetModuleHandleA
FreeLibrary
Sleep
CloseHandle
SetFileTime
SetFilePointer
SetFileAttributesA
GetFullPathNameA
GetFileAttributesA
FindNextFileA
FindFirstFileA
FindClose
DeleteFileA
CompareFileTime
SearchPathA
SetCurrentDirectoryA
ExpandEnvironmentStringsA
WriteFile
CreateProcessA
WideCharToMultiByte
GetSystemDirectoryA
GetProcAddress
lstrcpyA
lstrcatA
MoveFileExA
GetCurrentProcess
Sections
.text Size: 26KB - Virtual size: 26KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 5KB - Virtual size: 5KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 512B - Virtual size: 3.6MB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.ndata Size: - Virtual size: 108KB
IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 424KB - Virtual size: 423KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
-
$PLUGINSDIR/System.dll.dll windows:6 windows x86 arch:x86
Password: infected
595a3fd71239f605bb02d7a5e48fd4df
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL
Imports
kernel32
GlobalAlloc
GlobalSize
GlobalFree
lstrcpynA
lstrcpyA
GetLastError
VirtualAlloc
VirtualProtect
VirtualFree
FreeLibrary
GetModuleHandleA
GetProcAddress
LoadLibraryA
lstrlenA
MultiByteToWideChar
WideCharToMultiByte
user32
wsprintfA
ole32
StringFromGUID2
CLSIDFromString
Exports
Exports
Alloc
Call
Copy
Free
Get
Int64Op
Store
StrAlloc
Sections
.text Size: 8KB - Virtual size: 8KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 1024B - Virtual size: 926B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 512B - Virtual size: 68B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.reloc Size: 512B - Virtual size: 492B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
-
$PLUGINSDIR/nsExec.dll.dll windows:6 windows x86 arch:x86
Password: infected
0d6ae1f1ecbace583969d8eb8b21d1b8
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL
Imports
advapi32
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
user32
FindWindowExA
CharNextExA
CharPrevA
CharNextA
OemToCharBuffA
SendMessageA
wsprintfA
kernel32
CopyFileA
GetStartupInfoA
CreateFileMappingA
lstrlenA
lstrcatA
lstrcpyA
lstrcpynA
GetCommandLineA
CreateFileA
DeleteFileA
ReadFile
GetTempFileNameA
CloseHandle
CreatePipe
PeekNamedPipe
WaitForSingleObject
Sleep
GetCurrentProcess
ExitProcess
TerminateProcess
GetExitCodeProcess
CreateProcessA
GetVersion
GetTickCount
MapViewOfFile
UnmapViewOfFile
GetModuleFileNameA
GetModuleHandleA
GetProcAddress
GlobalAlloc
GlobalReAlloc
GlobalFree
lstrcmpiA
Exports
Exports
Exec
ExecToLog
ExecToStack
Sections
.text Size: 3KB - Virtual size: 3KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 1KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.reloc Size: 512B - Virtual size: 252B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
-
Jammer.Opi
-
Politicking.Ine
-
computerspillets.txt
-
disusance.nar