Overview

overview

10

Static

static

Inquiry Qr.exe

windows7_x64

10

Inquiry Qr.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    25-10-2021 04:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Inquiry Qr.exe

  • Size

    780KB

  • MD5

    dd2b68372282c9f889d288ec83409cf0

  • SHA1

    1cd1cc24217ce59a40e8635348d38ef827c1673b

  • SHA256

    96c65dbeb55d5794541c9132447e41735610c1948b78c138d796e9db8528dd87

  • SHA512

    0d7d92e18bd0336bd338b2b1cc2ab06617f801be5222bf66cc35a889b670644012a2dee14e32fd057ab1c286ecbf6878b40a47283078ad20b40543b073d910ff

Score
10/10
formbookubduratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ubdu

C2

http://www.firsttracksdigital.com/ubdu/

Decoy

veermaster.com

atechco.info

ritzelcapital.com

spyhusband.com

therestoretrial.com

quartier-creyole.com

farmintheforest.com

automationadvertising.com

luisxe.info

pranapolarity.com

dwadawdf005.com

joleahfashions.com

silverwoodrestoration.com

blackivorygoldbeautysupply.com

nb-bird.com

silverlakein.xyz

thecleanear.com

rxv3.com

goaltransparent.com

mhs1.online

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Formbook Payload 4 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1268
    • C:\Users\Admin\AppData\Local\Temp\Inquiry Qr.exe
      "C:\Users\Admin\AppData\Local\Temp\Inquiry Qr.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1820
      • C:\Users\Admin\AppData\Local\Temp\Inquiry Qr.exe
        "{path}"
        3⤵
          PID:1840
        • C:\Users\Admin\AppData\Local\Temp\Inquiry Qr.exe
          "{path}"
          3⤵
            PID:1708
          • C:\Users\Admin\AppData\Local\Temp\Inquiry Qr.exe
            "{path}"
            3⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:1996
        • C:\Windows\SysWOW64\autoconv.exe
          "C:\Windows\SysWOW64\autoconv.exe"
          2⤵
            PID:1756
          • C:\Windows\SysWOW64\wscript.exe
            "C:\Windows\SysWOW64\wscript.exe"
            2⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2032
            • C:\Windows\SysWOW64\cmd.exe
              /c del "C:\Users\Admin\AppData\Local\Temp\Inquiry Qr.exe"
              3⤵
              • Deletes itself
              PID:1156

        Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1156-78-0x0000000000000000-mapping.dmp
          Download
        • memory/1268-81-0x0000000007E30000-0x0000000007FB5000-memory.dmp
          Filesize

          1.5MB

          Download
        • memory/1268-74-0x00000000072C0000-0x0000000007455000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/1268-71-0x0000000004250000-0x0000000004320000-memory.dmp
          Filesize

          832KB

          Download
        • memory/1820-55-0x00000000001C0000-0x00000000001C1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1820-57-0x0000000074A41000-0x0000000074A43000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1820-58-0x0000000004D80000-0x0000000004D81000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1820-60-0x0000000004D82000-0x0000000004D83000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1820-59-0x0000000004D81000-0x0000000004D82000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1820-61-0x0000000001FF0000-0x0000000001FFE000-memory.dmp
          Filesize

          56KB

          Download
        • memory/1820-62-0x0000000008500000-0x0000000008581000-memory.dmp
          Filesize

          516KB

          Download
        • memory/1820-63-0x0000000004BF0000-0x0000000004C20000-memory.dmp
          Filesize

          192KB

          Download
        • memory/1996-68-0x00000000009E0000-0x0000000000CE3000-memory.dmp
          Filesize

          3.0MB

          Download
        • memory/1996-67-0x000000000041ED00-mapping.dmp
          Download
        • memory/1996-70-0x0000000000370000-0x0000000000384000-memory.dmp
          Filesize

          80KB

          Download
        • memory/1996-72-0x0000000000400000-0x000000000042E000-memory.dmp
          Filesize

          184KB

          Download
        • memory/1996-73-0x0000000000430000-0x0000000000444000-memory.dmp
          Filesize

          80KB

          Download
        • memory/1996-66-0x0000000000400000-0x000000000042E000-memory.dmp
          Filesize

          184KB

          Download
        • memory/1996-65-0x0000000000400000-0x000000000042E000-memory.dmp
          Filesize

          184KB

          Download
        • memory/1996-64-0x0000000000400000-0x000000000042E000-memory.dmp
          Filesize

          184KB

          Download
        • memory/2032-75-0x0000000000000000-mapping.dmp
          Download
        • memory/2032-76-0x0000000000FC0000-0x0000000000FE6000-memory.dmp
          Filesize

          152KB

          Download
        • memory/2032-77-0x0000000000070000-0x000000000009E000-memory.dmp
          Filesize

          184KB

          Download
        • memory/2032-79-0x0000000000BE0000-0x0000000000EE3000-memory.dmp
          Filesize

          3.0MB

          Download
        • memory/2032-80-0x0000000000EF0000-0x0000000000F83000-memory.dmp
          Filesize

          588KB

          Download