Overview

overview

10

Static

static

3

qrpeTtY87wetpUB.exe

windows7-x64

10

qrpeTtY87wetpUB.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-05-2024 12:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    qrpeTtY87wetpUB.exe

  • Size

    640KB

  • MD5

    632da6b3d20acaebaaaf82ae60270ce0

  • SHA1

    de0a1cae92d1f5ac0d6055c10e9a559f34c0e1dd

  • SHA256

    9cfc2c5731c5a52202d43ad545f2256b8e00ce44110b6c8c63584de22fce913d

  • SHA512

    1847c2fae54c9768c4a4c007f633ffc3dd8c4ad0d205356b6951e4770ca6328edce034f320cda7c3eac81db5094a0879b1e4139baa9b859dfce676c5b02abc00

  • SSDEEP

    12288:0N4KkzdrJwKcIUPuv07OqH/+uGCuQi9gJfno2VrC4AVW6UMLboHd25hgvd:DcFuv8OqH/gQi98nogCFs6PnoHd4h

Score
10/10
formbookcr12ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

cr12

Decoy

nff1291.com

satyainfra.com

hechiceradeamores.com

jfgminimalist.com

qut68q.com

pedandmore.com

sugardefender24-usa.us

somalse.com

lotusluxecandle.com

certificadobassetpro.com

veryaroma.com

thehistoryofindia.in

33155.cc

terastudy.net

84031.vip

heilsambegegnen.com

horizon-rg.info

junongpei.website

winstons.club

henslotalt.us

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Suspicious use of SetThreadContext 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 56 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3436
    • C:\Users\Admin\AppData\Local\Temp\qrpeTtY87wetpUB.exe
      "C:\Users\Admin\AppData\Local\Temp\qrpeTtY87wetpUB.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1612
      • C:\Users\Admin\AppData\Local\Temp\qrpeTtY87wetpUB.exe
        "C:\Users\Admin\AppData\Local\Temp\qrpeTtY87wetpUB.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:4732
    • C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\SysWOW64\cscript.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:892
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\qrpeTtY87wetpUB.exe"
        3⤵
          PID:440

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/892-24-0x0000000001340000-0x000000000136F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/892-23-0x0000000000F50000-0x0000000000F77000-memory.dmp

      Filesize

      156KB

      Download

    • memory/892-22-0x0000000000F50000-0x0000000000F77000-memory.dmp

      Filesize

      156KB

      Download

    • memory/1612-6-0x0000000005CD0000-0x0000000005D6C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/1612-4-0x0000000005A00000-0x0000000005A0A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1612-5-0x0000000074800000-0x0000000074FB0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1612-0-0x000000007480E000-0x000000007480F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1612-7-0x0000000005F00000-0x0000000005F18000-memory.dmp

      Filesize

      96KB

      Download

    • memory/1612-8-0x0000000005F20000-0x0000000005F30000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1612-9-0x0000000006F90000-0x0000000007006000-memory.dmp

      Filesize

      472KB

      Download

    • memory/1612-3-0x0000000005A30000-0x0000000005AC2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/1612-12-0x0000000074800000-0x0000000074FB0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1612-2-0x0000000005F40000-0x00000000064E4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1612-1-0x0000000000F50000-0x0000000000FF4000-memory.dmp

      Filesize

      656KB

      Download

    • memory/3436-21-0x00000000027F0000-0x00000000028E5000-memory.dmp

      Filesize

      980KB

      Download

    • memory/3436-17-0x00000000088A0000-0x0000000008A44000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/3436-26-0x00000000088A0000-0x0000000008A44000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/3436-28-0x0000000008530000-0x00000000085CC000-memory.dmp

      Filesize

      624KB

      Download

    • memory/3436-30-0x0000000008530000-0x00000000085CC000-memory.dmp

      Filesize

      624KB

      Download

    • memory/3436-33-0x0000000008530000-0x00000000085CC000-memory.dmp

      Filesize

      624KB

      Download

    • memory/4732-19-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/4732-20-0x00000000013F0000-0x0000000001404000-memory.dmp

      Filesize

      80KB

      Download

    • memory/4732-15-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/4732-16-0x0000000001390000-0x00000000013A4000-memory.dmp

      Filesize

      80KB

      Download

    • memory/4732-13-0x0000000001490000-0x00000000017DA000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4732-10-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download