Overview

overview

10

Static

static

Re.offer.exe

windows7-x64

10

Re.offer.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-10-2022 06:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Re.offer.exe

  • Size

    955KB

  • MD5

    ec7499d16283df35c151934692cf0719

  • SHA1

    82a9a351185b4c6e16886099391f2fd95ad76bee

  • SHA256

    c0f5e01dded221a720c2173447e936c1e1148928016187fa4e8ac8e3a087b4ee

  • SHA512

    3088706e05661ae9251610eeb0101accd8475b1b4221f999c9309fd4a19fb16ca5b1ccd508b08774f9ee76e071eee787d8e3e900554cdad64bb247903cf50bba

  • SSDEEP

    12288:TX2iNahLuyAHmKMvYAssnMmTDCS9Mc0phHZ+5nFYRgW7sZ8zk1tKNds/:TX1MhLuyybMvYA/n7CSg5+4R7Dzkv

Score
10/10
formbookng04ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ng04

Decoy

tevimaq.com

easterspecialtystore.com

smartlever.tech

10312.uk

tanjawiharbi.co.uk

471338.com

horusventure.com

empress-care.com

sinrian.com

465951.com

aemsti.com

nxcourier.com

stargatefarms.com

lalyquainvestment.com

dailysportsadvice.com

justlistmoore.com

stoneonroll.online

tatianakolomiets.com

barcodebbm.com

protectorship.world

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:3004
    • C:\Users\Admin\AppData\Local\Temp\Re.offer.exe
      "C:\Users\Admin\AppData\Local\Temp\Re.offer.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2980
      • C:\Users\Admin\AppData\Local\Temp\Re.offer.exe
        "C:\Users\Admin\AppData\Local\Temp\Re.offer.exe"
        3⤵
          PID:3020
        • C:\Users\Admin\AppData\Local\Temp\Re.offer.exe
          "C:\Users\Admin\AppData\Local\Temp\Re.offer.exe"
          3⤵
            PID:768
          • C:\Users\Admin\AppData\Local\Temp\Re.offer.exe
            "C:\Users\Admin\AppData\Local\Temp\Re.offer.exe"
            3⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:2388
        • C:\Windows\SysWOW64\autochk.exe
          "C:\Windows\SysWOW64\autochk.exe"
          2⤵
            PID:3084
          • C:\Windows\SysWOW64\svchost.exe
            "C:\Windows\SysWOW64\svchost.exe"
            2⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2036
            • C:\Windows\SysWOW64\cmd.exe
              /c del "C:\Users\Admin\AppData\Local\Temp\Re.offer.exe"
              3⤵
                PID:4384
          • C:\Windows\System32\svchost.exe
            C:\Windows\System32\svchost.exe -k netsvcs -p
            1⤵
            • Drops file in System32 directory
            • Checks processor information in registry
            • Enumerates system info in registry
            PID:1316

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Privilege Escalation

          Defense Evasion

          Credential Access

          Discovery

          Query Registry

          2
          T1012

          System Information Discovery

          2
          T1082

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/768-139-0x0000000000000000-mapping.dmp
            Download
          • memory/2036-155-0x0000000000E90000-0x0000000000EBF000-memory.dmp
            Filesize

            188KB

            Download
          • memory/2036-153-0x0000000001800000-0x0000000001894000-memory.dmp
            Filesize

            592KB

            Download
          • memory/2036-151-0x0000000001900000-0x0000000001C4A000-memory.dmp
            Filesize

            3.3MB

            Download
          • memory/2036-148-0x0000000000570000-0x000000000057E000-memory.dmp
            Filesize

            56KB

            Download
          • memory/2036-149-0x0000000000E90000-0x0000000000EBF000-memory.dmp
            Filesize

            188KB

            Download
          • memory/2036-147-0x0000000000000000-mapping.dmp
            Download
          • memory/2388-145-0x0000000001AC0000-0x0000000001AD5000-memory.dmp
            Filesize

            84KB

            Download
          • memory/2388-140-0x0000000000000000-mapping.dmp
            Download
          • memory/2388-141-0x0000000000400000-0x000000000042F000-memory.dmp
            Filesize

            188KB

            Download
          • memory/2388-143-0x0000000000400000-0x000000000042F000-memory.dmp
            Filesize

            188KB

            Download
          • memory/2388-144-0x00000000015C0000-0x000000000190A000-memory.dmp
            Filesize

            3.3MB

            Download
          • memory/2980-136-0x000000000AFB0000-0x000000000B04C000-memory.dmp
            Filesize

            624KB

            Download
          • memory/2980-137-0x000000000B150000-0x000000000B1B6000-memory.dmp
            Filesize

            408KB

            Download
          • memory/2980-132-0x0000000000620000-0x0000000000716000-memory.dmp
            Filesize

            984KB

            Download
          • memory/2980-135-0x00000000050A0000-0x00000000050AA000-memory.dmp
            Filesize

            40KB

            Download
          • memory/2980-134-0x0000000005130000-0x00000000051C2000-memory.dmp
            Filesize

            584KB

            Download
          • memory/2980-133-0x0000000005640000-0x0000000005BE4000-memory.dmp
            Filesize

            5.6MB

            Download
          • memory/3004-146-0x00000000036A0000-0x000000000380C000-memory.dmp
            Filesize

            1.4MB

            Download
          • memory/3004-152-0x00000000036A0000-0x000000000380C000-memory.dmp
            Filesize

            1.4MB

            Download
          • memory/3004-154-0x00000000034F0000-0x000000000358F000-memory.dmp
            Filesize

            636KB

            Download
          • memory/3004-156-0x00000000034F0000-0x000000000358F000-memory.dmp
            Filesize

            636KB

            Download
          • memory/3020-138-0x0000000000000000-mapping.dmp
            Download
          • memory/4384-150-0x0000000000000000-mapping.dmp
            Download