Overview

overview

10

Static

static

1

Quotation ...87.exe

windows7-x64

10

Quotation ...87.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-03-2024 08:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Quotation approved 02887.exe

  • Size

    566KB

  • MD5

    7df9e584bf64bcf76701b0177b673e48

  • SHA1

    07199478434332e2b57650e506d9933f89ee18ae

  • SHA256

    12fb27d7a59c168a82317baa0b127b8a826cc98dd108fc37fd022d8a842b06bc

  • SHA512

    93c251fd6a6c556bf1b2b3fd5b649f305f5890af725191e0398834357d2a821ff2042de06177c2d9c2b0bf5e816d8928841e4fefa0ef1aed76814d45cd23ebca

  • SSDEEP

    12288:/4gZMDGR1CtxLLOt26jGz3mBNWaoCfWwHDasYbinls94Wqs9MWXa5WSkR:VMDGALgRGz2LpW+DvlsWps9d9h

Score
10/10
formbookvr01ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

vr01

Decoy

eclipsefoodservice.com

oregonjobs.co

ethicai.pro

frontierconnects.co

elcaporalburley.com

exoticskinco.com

topdeals.biz

carmensbookstore.com

mayorii.com

viewhird.com

bharatcrimecontrol24news.com

sampleshubusa.com

molobeverello.com

nicholsonflooringservices.com

kidscircle.shop

771010.cc

poseidoncrm.com

liviafiorelli.com

flavorfog.online

xaqh.info

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3484
    • C:\Users\Admin\AppData\Local\Temp\Quotation approved 02887.exe
      "C:\Users\Admin\AppData\Local\Temp\Quotation approved 02887.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3836
      • C:\Users\Admin\AppData\Local\Temp\Quotation approved 02887.exe
        "C:\Users\Admin\AppData\Local\Temp\Quotation approved 02887.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:3004
    • C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\SysWOW64\cscript.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2892
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\Quotation approved 02887.exe"
        3⤵
          PID:1220

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2892-18-0x00000000008C0000-0x00000000008E7000-memory.dmp
      Filesize

      156KB

      Download
    • memory/2892-24-0x0000000002790000-0x0000000002823000-memory.dmp
      Filesize

      588KB

      Download
    • memory/2892-22-0x0000000000800000-0x000000000082F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/2892-21-0x00000000029C0000-0x0000000002D0A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/2892-20-0x0000000000800000-0x000000000082F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/2892-19-0x00000000008C0000-0x00000000008E7000-memory.dmp
      Filesize

      156KB

      Download
    • memory/3004-13-0x0000000001130000-0x000000000147A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/3004-10-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/3004-15-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/3004-16-0x0000000000C60000-0x0000000000C74000-memory.dmp
      Filesize

      80KB

      Download
    • memory/3484-17-0x00000000073C0000-0x0000000007499000-memory.dmp
      Filesize

      868KB

      Download
    • memory/3484-32-0x00000000088F0000-0x00000000089BD000-memory.dmp
      Filesize

      820KB

      Download
    • memory/3484-29-0x00000000088F0000-0x00000000089BD000-memory.dmp
      Filesize

      820KB

      Download
    • memory/3484-28-0x00000000088F0000-0x00000000089BD000-memory.dmp
      Filesize

      820KB

      Download
    • memory/3484-25-0x00000000073C0000-0x0000000007499000-memory.dmp
      Filesize

      868KB

      Download
    • memory/3836-12-0x00000000750F0000-0x00000000758A0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/3836-6-0x0000000005230000-0x0000000005242000-memory.dmp
      Filesize

      72KB

      Download
    • memory/3836-5-0x0000000005150000-0x000000000515A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/3836-4-0x0000000005170000-0x0000000005180000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3836-3-0x0000000004F90000-0x0000000005022000-memory.dmp
      Filesize

      584KB

      Download
    • memory/3836-2-0x0000000005450000-0x00000000059F4000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/3836-0-0x0000000000530000-0x00000000005C0000-memory.dmp
      Filesize

      576KB

      Download
    • memory/3836-1-0x00000000750F0000-0x00000000758A0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/3836-7-0x0000000005250000-0x000000000525C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/3836-9-0x0000000008C20000-0x0000000008CBC000-memory.dmp
      Filesize

      624KB

      Download
    • memory/3836-8-0x0000000006470000-0x00000000064E6000-memory.dmp
      Filesize

      472KB

      Download