Overview

overview

10

Static

static

RFQ ITALY.exe

windows7_x64

10

RFQ ITALY.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    169s
  • max time network
    175s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 10:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RFQ ITALY.exe

  • Size

    339KB

  • MD5

    3d352883f99e989706cf2dd5c282b1bc

  • SHA1

    9fdebf8594c52b23ee132454bd3e9882e0f93cd1

  • SHA256

    24faef493cc61205b4f7f963641879ab92f06686932338163f905a82fb68b72d

  • SHA512

    311293aa8077e48282e13d2f51232106b84253d9a2fc80e19f4d9d40b5df00964ed8327a07874453b9f128164813c8ed8cb5a5d027e79224df0254df18590602

Score
10/10
formbookq5eratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

q5e

Decoy

2177.ltd

thanxiety.com

max-width.com

fixti.net

mostmaj.com

mobilteknolojiuzmani.com

historyannals.com

wheelchairmotion.com

mossandmoonstonestudio.com

kastellifournis.com

axokey.net

peekl.com

metsteeshirt.com

abcfinancial-inc.com

btxrsp.com

amydh.com

ccoauthority.com

lumacorretora.com

kimfelixrealtor.com

iconext.biz

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2040
    • C:\Users\Admin\AppData\Local\Temp\RFQ ITALY.exe
      "C:\Users\Admin\AppData\Local\Temp\RFQ ITALY.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      PID:2244
    • C:\Windows\SysWOW64\chkdsk.exe
      "C:\Windows\SysWOW64\chkdsk.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2576
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\RFQ ITALY.exe"
        3⤵
          PID:4176

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2040-135-0x00000000080B0000-0x000000000816C000-memory.dmp
      Filesize

      752KB

      Download
    • memory/2040-142-0x0000000008170000-0x0000000008229000-memory.dmp
      Filesize

      740KB

      Download
    • memory/2244-131-0x0000000002CC0000-0x0000000002DC0000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/2244-132-0x0000000003170000-0x00000000034BA000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/2244-133-0x0000000002CC1000-0x0000000002D16000-memory.dmp
      Filesize

      340KB

      Download
    • memory/2244-134-0x00000000030C0000-0x00000000030D4000-memory.dmp
      Filesize

      80KB

      Download
    • memory/2576-136-0x0000000000000000-mapping.dmp
      Download
    • memory/2576-139-0x0000000001200000-0x000000000122D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/2576-138-0x0000000000D00000-0x0000000000D0A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2576-140-0x00000000019B0000-0x0000000001CFA000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/2576-141-0x00000000017F0000-0x0000000001883000-memory.dmp
      Filesize

      588KB

      Download
    • memory/4176-137-0x0000000000000000-mapping.dmp
      Download