Overview

overview

10

Static

static

Quotation_...ls.exe

windows7_x64

10

Quotation_...ls.exe

windows10_x64

10

Analysis

  • max time kernel
    103s
  • max time network
    132s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    10-05-2021 06:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Quotation_23642828687267892387.xls.exe

  • Size

    710KB

  • MD5

    f0e2e2dbb34dbdecb3ce6a3a885e89d5

  • SHA1

    f52c0691574ac454d5bbd50cfe470218b6ad906f

  • SHA256

    ee913da4f5fe43bc6f2457ce36d9364d4b9f7a79adb71dab617ca1dfde879377

  • SHA512

    c3c7e4ba5006551649fd9c18ea8ba6464917746546054205b2839c5ae2f31070d7e27682d7ce90aaf84063fe1fb6f1c756967e755b7d5f8fac54f86605e4f2c4

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.angelgirlm.com/c7jh/

Decoy

melangearte.com

nuaphraka.com

sharongold.net

seriouslysimpledesigns.com

17mpacc.com

customwareperu.com

styleofbliss.com

myvardenafilok.com

anwarnews.net

therecruiterroute.net

wxgdds.com

bmgblve.com

hotel-montmartre.com

ujasiriisihawu.com

childs.farm

landscapesofcapital.com

carolecares.com

wesarzamin.com

yinleba.com

partnershrsolutions.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Quotation_23642828687267892387.xls.exe
    "C:\Users\Admin\AppData\Local\Temp\Quotation_23642828687267892387.xls.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:788
    • C:\Users\Admin\AppData\Local\Temp\Quotation_23642828687267892387.xls.exe
      "C:\Users\Admin\AppData\Local\Temp\Quotation_23642828687267892387.xls.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:432

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/432-66-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/432-67-0x000000000041ED50-mapping.dmp

    Download

  • memory/432-69-0x0000000000BD0000-0x0000000000ED3000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/788-60-0x0000000000B10000-0x0000000000B11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/788-62-0x0000000004EA0000-0x0000000004EA1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/788-63-0x00000000006A0000-0x00000000006AE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/788-64-0x0000000002380000-0x0000000002404000-memory.dmp

    Filesize

    528KB

    Download

  • memory/788-65-0x0000000002240000-0x000000000227D000-memory.dmp

    Filesize

    244KB

    Download