Overview

overview

10

Static

static

Quotation.exe

windows7_x64

10

Quotation.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    06-05-2021 07:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Quotation.exe

  • Size

    955KB

  • MD5

    9246a29da060479960879de3db2f1374

  • SHA1

    fecbed5c0e6cce40444994c85caf7cb838b35df7

  • SHA256

    49a4412c27e5eafc4c4365a2b2aeb962d6bf25849ab58d4e7eeb25fcfb934dcd

  • SHA512

    d463a62e867e1b64e1a0fa22583840f6198b8af9e7cafbf6608da726fb94d66184c5abf172c150513a48ea09711633847e429b50bd3d0df09f5168799c640d7f

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.bluesmartsockets.com/mgl/

Decoy

credittipswebinar.com

pewpewlab.com

teamcreativconsultanting.com

bsf.xyz

youthwork.support

fmoues.com

ourcardoctor.com

wwwmoticarshub.net

bellevuedogroomer.com

vorazshop.com

sorteo.gratis

shalinihome.xyz

myschoolmgt.net

we73theunityprojectband.com

xn--n8jx07hkhe20b9k751g.com

gregrunnebaum.com

asnomayritys.com

iremgulmez.com

the1099guy.com

reviewscandy.net

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 3 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1208
    • C:\Users\Admin\AppData\Local\Temp\Quotation.exe
      "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1688
      • C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        "{path}"
        3⤵
          PID:1632
        • C:\Users\Admin\AppData\Local\Temp\Quotation.exe
          "{path}"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:432
      • C:\Windows\SysWOW64\wscript.exe
        "C:\Windows\SysWOW64\wscript.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:556
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
          3⤵
          • Deletes itself
          PID:436

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/432-65-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/432-69-0x0000000000340000-0x0000000000354000-memory.dmp
      Filesize

      80KB

      Download
    • memory/432-68-0x00000000008A0000-0x0000000000BA3000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/432-66-0x000000000041EB20-mapping.dmp
      Download
    • memory/436-72-0x0000000000000000-mapping.dmp
      Download
    • memory/556-74-0x0000000000070000-0x000000000009E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/556-71-0x0000000000000000-mapping.dmp
      Download
    • memory/556-75-0x0000000002040000-0x0000000002343000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/556-73-0x0000000000A80000-0x0000000000AA6000-memory.dmp
      Filesize

      152KB

      Download
    • memory/556-76-0x00000000003A0000-0x0000000000433000-memory.dmp
      Filesize

      588KB

      Download
    • memory/1208-70-0x0000000004CC0000-0x0000000004E13000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/1208-77-0x0000000004F00000-0x0000000004FB4000-memory.dmp
      Filesize

      720KB

      Download
    • memory/1688-64-0x0000000000990000-0x00000000009DA000-memory.dmp
      Filesize

      296KB

      Download
    • memory/1688-63-0x00000000051E0000-0x0000000005278000-memory.dmp
      Filesize

      608KB

      Download
    • memory/1688-62-0x00000000004F0000-0x00000000004FE000-memory.dmp
      Filesize

      56KB

      Download
    • memory/1688-61-0x0000000004C80000-0x0000000004C81000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1688-59-0x0000000000EB0000-0x0000000000EB1000-memory.dmp
      Filesize

      4KB

      Download