Overview

overview

10

Static

static

Quotation_...ls.exe

windows7_x64

10

Quotation_...ls.exe

windows10_x64

10

Analysis

  • max time kernel
    136s
  • max time network
    139s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    10-05-2021 06:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Quotation_23642828687267892387.xls.exe

  • Size

    710KB

  • MD5

    f0e2e2dbb34dbdecb3ce6a3a885e89d5

  • SHA1

    f52c0691574ac454d5bbd50cfe470218b6ad906f

  • SHA256

    ee913da4f5fe43bc6f2457ce36d9364d4b9f7a79adb71dab617ca1dfde879377

  • SHA512

    c3c7e4ba5006551649fd9c18ea8ba6464917746546054205b2839c5ae2f31070d7e27682d7ce90aaf84063fe1fb6f1c756967e755b7d5f8fac54f86605e4f2c4

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.angelgirlm.com/c7jh/

Decoy

melangearte.com

nuaphraka.com

sharongold.net

seriouslysimpledesigns.com

17mpacc.com

customwareperu.com

styleofbliss.com

myvardenafilok.com

anwarnews.net

therecruiterroute.net

wxgdds.com

bmgblve.com

hotel-montmartre.com

ujasiriisihawu.com

childs.farm

landscapesofcapital.com

carolecares.com

wesarzamin.com

yinleba.com

partnershrsolutions.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Quotation_23642828687267892387.xls.exe
    "C:\Users\Admin\AppData\Local\Temp\Quotation_23642828687267892387.xls.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3972
    • C:\Users\Admin\AppData\Local\Temp\Quotation_23642828687267892387.xls.exe
      "C:\Users\Admin\AppData\Local\Temp\Quotation_23642828687267892387.xls.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3692

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3692-125-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/3692-128-0x0000000001940000-0x0000000001C60000-memory.dmp
    Filesize

    3.1MB

    Download
  • memory/3692-126-0x000000000041ED50-mapping.dmp
    Download
  • memory/3972-121-0x00000000055D0000-0x0000000005ACE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3972-119-0x0000000005460000-0x0000000005461000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3972-120-0x0000000005850000-0x0000000005851000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3972-114-0x0000000000BA0000-0x0000000000BA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3972-122-0x00000000054C0000-0x00000000054CE000-memory.dmp
    Filesize

    56KB

    Download
  • memory/3972-123-0x00000000062D0000-0x0000000006354000-memory.dmp
    Filesize

    528KB

    Download
  • memory/3972-124-0x00000000014E0000-0x000000000151D000-memory.dmp
    Filesize

    244KB

    Download
  • memory/3972-118-0x00000000055D0000-0x00000000055D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3972-117-0x0000000005AD0000-0x0000000005AD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3972-116-0x00000000054D0000-0x00000000054D1000-memory.dmp
    Filesize

    4KB

    Download