Analysis
-
max time kernel
162s -
max time network
163s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21-05-2022 18:52
Static task
static1
Behavioral task
behavioral1
Sample
RFQ_august.exe
Resource
win7-20220414-en
General
-
Target
RFQ_august.exe
-
Size
756KB
-
MD5
f5bf9905ff7c573695fe1e53a1338e5c
-
SHA1
1d531327f162c4bb844f42694fe5da4f95dc9510
-
SHA256
e6ef5385235001a8743ac0ee83f839abdd66abed79cff1429020270168bd9357
-
SHA512
f382aa021ee9ece8ea92fda10391bb540b11f9c172f76c85745b12169de1d9aec0edd8a9649d6033edf5c049c98ff00f6b605b604482d1b25cf343536edba17e
Malware Config
Extracted
formbook
4.1
emh
sweetmiya.com
zsyzm.com
carpediem.immo
sparkconfections.com
oliverezechi.net
wearephoenixtraining.com
artistxpressions.com
kesfetmeninkeyfi.com
kasvomaskitnetista.com
mertzlife.com
vcbuild.world
mwessentialcleaningservice.com
fairresale.com
dermot.online
impentri.com
bestsanitizingservice.com
210wscottstj.info
camilafinale.com
pepperhaul.com
centrobiblicomoradasanta.com
brittanyfarmer.com
stencersaintelange.com
filmutam.com
wpierdol.gratis
naturehonest.com
daye5.com
wowyuu.net
dajiangzhibo24.com
768278.com
614express.store
bachelorcourses.com
lys0op.xyz
engineerspost.com
acsn.xyz
ymavispa.com
cubicalmonks.com
phoenixacademys.com
cathywardphotography.com
tomhoge.com
mejorescontigo.com
sorchaashe.com
789yyhh.com
teamborisgaming.com
browngirlfinances.com
container-bnb.com
literarypantry.com
mikageisi.com
mcallistersgiftsandcrafts.com
cobaehorizabita.com
patriotremodelingservices.com
ametrinesupports.com
manageamazonofficialservice.com
myboholife.com
jessicabolton.net
joanakelly.com
theluggageandbaggage.com
themastertout.com
greygathering.com
junjiachina.com
021safe.net
www-kraken.digital
gzyameiao.com
kontacky.com
premiericerinks.com
frecoy.com
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload 3 IoCs
Processes:
resource yara_rule behavioral2/memory/32-139-0x0000000000400000-0x000000000042D000-memory.dmp formbook behavioral2/memory/32-141-0x0000000000400000-0x000000000042D000-memory.dmp formbook behavioral2/memory/4612-148-0x0000000000D10000-0x0000000000D3D000-memory.dmp formbook -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
ipconfig.exedescription ioc process Key created \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run ipconfig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\2DBXNPXPZD = "C:\\Program Files (x86)\\I8p9\\e4nhdxypzt5tlzi.exe" ipconfig.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
RFQ_august.exeRFQ_august.exeipconfig.exedescription pid process target process PID 2748 set thread context of 32 2748 RFQ_august.exe RFQ_august.exe PID 32 set thread context of 2952 32 RFQ_august.exe Explorer.EXE PID 4612 set thread context of 2952 4612 ipconfig.exe Explorer.EXE -
Drops file in Program Files directory 1 IoCs
Processes:
ipconfig.exedescription ioc process File opened for modification C:\Program Files (x86)\I8p9\e4nhdxypzt5tlzi.exe ipconfig.exe -
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
ipconfig.exepid process 4612 ipconfig.exe -
Processes:
ipconfig.exedescription ioc process Key created \Registry\User\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 ipconfig.exe -
Suspicious behavior: EnumeratesProcesses 31 IoCs
Processes:
RFQ_august.exeRFQ_august.exeipconfig.exepid process 2748 RFQ_august.exe 2748 RFQ_august.exe 2748 RFQ_august.exe 2748 RFQ_august.exe 2748 RFQ_august.exe 32 RFQ_august.exe 32 RFQ_august.exe 32 RFQ_august.exe 32 RFQ_august.exe 4612 ipconfig.exe 4612 ipconfig.exe 4612 ipconfig.exe 4612 ipconfig.exe 4612 ipconfig.exe 4612 ipconfig.exe 4612 ipconfig.exe 4612 ipconfig.exe 4612 ipconfig.exe 4612 ipconfig.exe 4612 ipconfig.exe 4612 ipconfig.exe 4612 ipconfig.exe 4612 ipconfig.exe 4612 ipconfig.exe 4612 ipconfig.exe 4612 ipconfig.exe 4612 ipconfig.exe 4612 ipconfig.exe 4612 ipconfig.exe 4612 ipconfig.exe 4612 ipconfig.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 2952 Explorer.EXE -
Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
RFQ_august.exeipconfig.exepid process 32 RFQ_august.exe 32 RFQ_august.exe 32 RFQ_august.exe 4612 ipconfig.exe 4612 ipconfig.exe 4612 ipconfig.exe 4612 ipconfig.exe -
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
RFQ_august.exeRFQ_august.exeipconfig.exeExplorer.EXEdescription pid process Token: SeDebugPrivilege 2748 RFQ_august.exe Token: SeDebugPrivilege 32 RFQ_august.exe Token: SeDebugPrivilege 4612 ipconfig.exe Token: SeShutdownPrivilege 2952 Explorer.EXE Token: SeCreatePagefilePrivilege 2952 Explorer.EXE Token: SeShutdownPrivilege 2952 Explorer.EXE Token: SeCreatePagefilePrivilege 2952 Explorer.EXE -
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
RFQ_august.exeExplorer.EXEipconfig.exedescription pid process target process PID 2748 wrote to memory of 4760 2748 RFQ_august.exe RFQ_august.exe PID 2748 wrote to memory of 4760 2748 RFQ_august.exe RFQ_august.exe PID 2748 wrote to memory of 4760 2748 RFQ_august.exe RFQ_august.exe PID 2748 wrote to memory of 2332 2748 RFQ_august.exe RFQ_august.exe PID 2748 wrote to memory of 2332 2748 RFQ_august.exe RFQ_august.exe PID 2748 wrote to memory of 2332 2748 RFQ_august.exe RFQ_august.exe PID 2748 wrote to memory of 32 2748 RFQ_august.exe RFQ_august.exe PID 2748 wrote to memory of 32 2748 RFQ_august.exe RFQ_august.exe PID 2748 wrote to memory of 32 2748 RFQ_august.exe RFQ_august.exe PID 2748 wrote to memory of 32 2748 RFQ_august.exe RFQ_august.exe PID 2748 wrote to memory of 32 2748 RFQ_august.exe RFQ_august.exe PID 2748 wrote to memory of 32 2748 RFQ_august.exe RFQ_august.exe PID 2952 wrote to memory of 4612 2952 Explorer.EXE ipconfig.exe PID 2952 wrote to memory of 4612 2952 Explorer.EXE ipconfig.exe PID 2952 wrote to memory of 4612 2952 Explorer.EXE ipconfig.exe PID 4612 wrote to memory of 2276 4612 ipconfig.exe cmd.exe PID 4612 wrote to memory of 2276 4612 ipconfig.exe cmd.exe PID 4612 wrote to memory of 2276 4612 ipconfig.exe cmd.exe PID 4612 wrote to memory of 1960 4612 ipconfig.exe cmd.exe PID 4612 wrote to memory of 1960 4612 ipconfig.exe cmd.exe PID 4612 wrote to memory of 1960 4612 ipconfig.exe cmd.exe PID 4612 wrote to memory of 3856 4612 ipconfig.exe Firefox.exe PID 4612 wrote to memory of 3856 4612 ipconfig.exe Firefox.exe PID 4612 wrote to memory of 3856 4612 ipconfig.exe Firefox.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RFQ_august.exe"C:\Users\Admin\AppData\Local\Temp\RFQ_august.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RFQ_august.exe"C:\Users\Admin\AppData\Local\Temp\RFQ_august.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\RFQ_august.exe"C:\Users\Admin\AppData\Local\Temp\RFQ_august.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\RFQ_august.exe"C:\Users\Admin\AppData\Local\Temp\RFQ_august.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\ipconfig.exe"C:\Windows\SysWOW64\ipconfig.exe"2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Gathers network information
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\RFQ_august.exe"3⤵
-
C:\Windows\SysWOW64\cmd.exe/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V3⤵
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\DB1Filesize
40KB
MD5b608d407fc15adea97c26936bc6f03f6
SHA1953e7420801c76393902c0d6bb56148947e41571
SHA256b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
-
C:\Users\Admin\AppData\Roaming\690A776U\690logim.jpegFilesize
74KB
MD557aadc13ff50906f113770633ea60a9e
SHA102f18b4e3b5b0c7fc6ab81d4d895a5a385631472
SHA256213acd5a9194a42b68648fcf3d11f0289934564759a89a0235b4c1c5e6388c6a
SHA5125cb6f488dab19f60bb4b3cd7e6dc93e9e43813a36600feb2848ceabb106c9dcf7daa0293ec4c013a6a97bf35c4bc7cc1a3a32f826e0ba7be96dba9ed8659f509
-
C:\Users\Admin\AppData\Roaming\690A776U\690logrf.iniFilesize
40B
MD52f245469795b865bdd1b956c23d7893d
SHA16ad80b974d3808f5a20ea1e766c7d2f88b9e5895
SHA2561662d01a2d47b875a34fc7a8cd92e78cb2ba7f34023c7fd2639cbb10b8d94361
SHA512909f189846a5d2db208a5eb2e7cb3042c0f164caf437e2b1b6de608c0a70e4f3510b81b85753dbeec1e211e6a83e6ea8c96aff896e9b6e8ed42014473a54dc4f
-
C:\Users\Admin\AppData\Roaming\690A776U\690logrg.iniFilesize
38B
MD54aadf49fed30e4c9b3fe4a3dd6445ebe
SHA11e332822167c6f351b99615eada2c30a538ff037
SHA25675034beb7bded9aeab5748f4592b9e1419256caec474065d43e531ec5cc21c56
SHA512eb5b3908d5e7b43ba02165e092f05578f45f15a148b4c3769036aa542c23a0f7cd2bc2770cf4119a7e437de3f681d9e398511f69f66824c516d9b451bb95f945
-
C:\Users\Admin\AppData\Roaming\690A776U\690logri.iniFilesize
40B
MD5d63a82e5d81e02e399090af26db0b9cb
SHA191d0014c8f54743bba141fd60c9d963f869d76c9
SHA256eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae
SHA51238afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad
-
C:\Users\Admin\AppData\Roaming\690A776U\690logrv.iniFilesize
872B
MD5bbc41c78bae6c71e63cb544a6a284d94
SHA133f2c1d9fa0e9c99b80bc2500621e95af38b1f9a
SHA256ee83c6bcea9353c74bfc0a7e739f3c4a765ace894470e09cdcdebba700b8d4cb
SHA5120aea424b57adae3e14ad6491cab585f554b4dffe601b5a17bad6ee6177d2f0f995e419cde576e2d1782b9bddc0661aada11a2c9f1454ae625d9e3223635ec9f4
-
memory/32-138-0x0000000000000000-mapping.dmp
-
memory/32-139-0x0000000000400000-0x000000000042D000-memory.dmpFilesize
180KB
-
memory/32-141-0x0000000000400000-0x000000000042D000-memory.dmpFilesize
180KB
-
memory/32-142-0x0000000001870000-0x0000000001BBA000-memory.dmpFilesize
3.3MB
-
memory/32-143-0x00000000013B0000-0x00000000013C4000-memory.dmpFilesize
80KB
-
memory/1960-152-0x0000000000000000-mapping.dmp
-
memory/2276-146-0x0000000000000000-mapping.dmp
-
memory/2332-137-0x0000000000000000-mapping.dmp
-
memory/2748-135-0x0000000005A00000-0x0000000005A56000-memory.dmpFilesize
344KB
-
memory/2748-131-0x00000000057D0000-0x000000000586C000-memory.dmpFilesize
624KB
-
memory/2748-132-0x0000000005E20000-0x00000000063C4000-memory.dmpFilesize
5.6MB
-
memory/2748-133-0x0000000005870000-0x0000000005902000-memory.dmpFilesize
584KB
-
memory/2748-134-0x0000000005710000-0x000000000571A000-memory.dmpFilesize
40KB
-
memory/2748-130-0x0000000000CA0000-0x0000000000D62000-memory.dmpFilesize
776KB
-
memory/2952-144-0x00000000080D0000-0x00000000081DC000-memory.dmpFilesize
1.0MB
-
memory/2952-151-0x00000000082D0000-0x0000000008407000-memory.dmpFilesize
1.2MB
-
memory/4612-148-0x0000000000D10000-0x0000000000D3D000-memory.dmpFilesize
180KB
-
memory/4612-150-0x0000000001590000-0x0000000001623000-memory.dmpFilesize
588KB
-
memory/4612-149-0x00000000016F0000-0x0000000001A3A000-memory.dmpFilesize
3.3MB
-
memory/4612-145-0x0000000000000000-mapping.dmp
-
memory/4612-147-0x00000000007C0000-0x00000000007CB000-memory.dmpFilesize
44KB
-
memory/4760-136-0x0000000000000000-mapping.dmp