Malware Analysis Report

2024-10-19 09:28

Sample ID: 240712-232c1sxame
Target: Ticket Receipt and Fine.exe
SHA256: d2944ccc7a3e0b9ca0ff84c52abaa3d05c00f6cfc6ff0e669cc152fbb79fd961
Tags: formbook pt46 rat spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
  MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: d2944ccc7a3e0b9ca0ff84c52abaa3d05c00f6cfc6ff0e669cc152fbb79fd961

Threat Level: Known bad

The file Ticket Receipt and Fine.exe was found to be: Known bad.

Malicious Activity Summary

formbook pt46 rat spyware stealer trojan

Formbook

Formbook payload

AutoIT Executable

Suspicious use of SetThreadContext

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-07-12 23:07

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-12 23:07
Reported: 2024-07-12 23:09
Platform: win7-20240705-en
Max time kernel: 121s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ticket Receipt and Fine.exe"

Signatures

N/A

Processes

Path: C:\Users\Admin\AppData\Local\Temp\Ticket Receipt and Fine.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Ticket Receipt and Fine.exe"

Network

N/A

Files

memory/2512-10-0x00000000002A0000-0x00000000002A4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-07-12 23:07
Reported: 2024-07-12 23:09
Platform: win10v2004-20240709-en
Max time kernel: 147s
Max time network: 151s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook (tags: trojan spyware stealer formbook)

Formbook payload (tags: rat)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 516 set thread context of 1020 N/A C:\Users\Admin\AppData\Local\Temp\Ticket Receipt and Fine.exe C:\Windows\SysWOW64\svchost.exe
PID 1020 set thread context of 3548 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\Explorer.EXE
PID 1020 set thread context of 3548 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\Explorer.EXE
PID 3752 set thread context of 3548 N/A C:\Windows\SysWOW64\msdt.exe C:\Windows\Explorer.EXE

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Occurrences
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A 6
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A 54

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msdt.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Processes

Path: C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE

Path: C:\Users\Admin\AppData\Local\Temp\Ticket Receipt and Fine.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Ticket Receipt and Fine.exe"

Path: C:\Windows\SysWOW64\svchost.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Ticket Receipt and Fine.exe"

Path: C:\Windows\SysWOW64\msdt.exe
Command line: "C:\Windows\SysWOW64\msdt.exe"

Path: C:\Windows\SysWOW64\cmd.exe
Command line: /c del "C:\Windows\SysWOW64\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 www.fakefox.xyz udp
SG 77.37.115.24:80 www.fakefox.xyz tcp
US 8.8.8.8:53 24.115.37.77.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 www.cloudproduction.cloud udp
US 15.197.148.33:80 www.cloudproduction.cloud tcp
US 8.8.8.8:53 33.148.197.15.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 www.cb214.pro udp
US 15.197.148.33:80 www.cb214.pro tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 www.wheresthechocolateat.com udp
US 76.223.105.230:80 www.wheresthechocolateat.com tcp
US 8.8.8.8:53 www.wheresthechocolateat.com udp
US 13.248.243.5:80 www.wheresthechocolateat.com tcp
US 8.8.8.8:53 www.floridawoodworkingmachinery.com udp
US 15.197.148.33:80 www.floridawoodworkingmachinery.com tcp
US 8.8.8.8:53 www.promotegetpaid.info udp
US 3.33.130.190:80 www.promotegetpaid.info tcp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp
US 8.8.8.8:53 190.130.33.3.in-addr.arpa udp
US 76.223.105.230:80 www.wheresthechocolateat.com tcp

Files

memory/516-10-0x00000000021B0000-0x00000000021B4000-memory.dmp
memory/1020-11-0x0000000000640000-0x000000000066F000-memory.dmp
memory/1020-14-0x0000000001100000-0x000000000144A000-memory.dmp
memory/1020-16-0x0000000000D80000-0x0000000000D94000-memory.dmp
memory/1020-15-0x0000000000640000-0x000000000066F000-memory.dmp
memory/3548-17-0x0000000006C40000-0x0000000006D42000-memory.dmp
memory/1020-19-0x0000000000640000-0x000000000066F000-memory.dmp
memory/1020-20-0x0000000002E50000-0x0000000002E64000-memory.dmp
memory/3548-21-0x0000000007C20000-0x0000000007D6F000-memory.dmp
memory/3752-22-0x0000000000100000-0x0000000000157000-memory.dmp
memory/3752-23-0x0000000000100000-0x0000000000157000-memory.dmp
memory/3752-24-0x0000000001000000-0x000000000102F000-memory.dmp
memory/3548-25-0x0000000006C40000-0x0000000006D42000-memory.dmp
memory/3548-27-0x0000000007C20000-0x0000000007D6F000-memory.dmp
memory/3548-29-0x00000000081A0000-0x00000000082A2000-memory.dmp
memory/3548-30-0x00000000081A0000-0x00000000082A2000-memory.dmp
memory/3548-33-0x00000000081A0000-0x00000000082A2000-memory.dmp