Malware Analysis Report

2025-04-14 08:32

Sample ID 240924-njn2pasgmj
Target 24092024_1125_23092024_Quotation #10091.zip
SHA256 5d79ea664c17c4e122a2444d57d1414e49754ab63811874e44ae3c6acb43de11
Tags
formbook c89p discovery rat spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5d79ea664c17c4e122a2444d57d1414e49754ab63811874e44ae3c6acb43de11

Threat Level: Known bad

The file 24092024_1125_23092024_Quotation #10091.zip was found to be: Known bad.

Malicious Activity Summary

formbook c89p discovery rat spyware stealer trojan upx

Formbook

Formbook payload

UPX packed file

Suspicious use of SetThreadContext

AutoIT Executable

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Gathers network information

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-24 11:25

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-24 11:25

Reported

2024-09-24 11:30

Platform

win10v2004-20240802-en

Max time kernel

295s

Max time network

281s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2924 set thread context of 2184 N/A C:\Users\Admin\AppData\Local\Temp\Quotation #10091.exe C:\Windows\SysWOW64\svchost.exe
PID 2184 set thread context of 3492 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\Explorer.EXE
PID 2512 set thread context of 3492 N/A C:\Windows\SysWOW64\ipconfig.exe C:\Windows\Explorer.EXE

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Quotation #10091.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ipconfig.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\ipconfig.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\Quotation #10091.exe

"C:\Users\Admin\AppData\Local\Temp\Quotation #10091.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\Quotation #10091.exe"

C:\Windows\SysWOW64\ipconfig.exe

"C:\Windows\SysWOW64\ipconfig.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Windows\SysWOW64\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 149.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 www.hapanda.fun udp
US 8.8.8.8:53 www.ransportationmmsytpro.top udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 www.lood-test-jp-1.bond udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 www.aycare-service-99683.bond udp
US 8.8.8.8:53 www.usymomsmakingmoney.online udp
US 8.8.8.8:53 www.rail.cruises udp
DE 217.160.0.10:80 www.rail.cruises tcp
US 8.8.8.8:53 10.0.160.217.in-addr.arpa udp
US 8.8.8.8:53 www.69-11-luxury-watches.shop udp
US 8.8.8.8:53 www.ftersaleb.top udp
US 8.8.8.8:53 www.igmoto.info udp
DE 89.31.143.90:80 www.igmoto.info tcp
US 8.8.8.8:53 90.143.31.89.in-addr.arpa udp
US 8.8.8.8:53 www.r64mh1.vip udp
US 8.8.8.8:53 www.okenexchange.art udp
US 8.8.8.8:53 www.iam-saaab.buzz udp

Files

memory/2924-0-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/2924-3-0x0000000004030000-0x0000000004230000-memory.dmp

memory/2184-4-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2924-6-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/2184-7-0x0000000001600000-0x000000000194A000-memory.dmp

memory/2184-10-0x0000000001570000-0x0000000001584000-memory.dmp

memory/2184-9-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3492-11-0x0000000002630000-0x00000000026F2000-memory.dmp

memory/2512-12-0x00000000004E0000-0x00000000004EB000-memory.dmp

memory/2512-13-0x00000000004E0000-0x00000000004EB000-memory.dmp

memory/2512-14-0x0000000000B40000-0x0000000000B6F000-memory.dmp

memory/3492-15-0x0000000002630000-0x00000000026F2000-memory.dmp

memory/3492-19-0x0000000007B60000-0x0000000007C41000-memory.dmp

memory/3492-20-0x0000000007B60000-0x0000000007C41000-memory.dmp

memory/3492-22-0x0000000007B60000-0x0000000007C41000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-24 11:25

Reported

2024-09-24 11:30

Platform

win7-20240903-en

Max time kernel

300s

Max time network

269s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2984 set thread context of 2544 N/A C:\Users\Admin\AppData\Local\Temp\Quotation #10091.exe C:\Windows\SysWOW64\svchost.exe
PID 2544 set thread context of 1192 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\Explorer.EXE
PID 2100 set thread context of 1192 N/A C:\Windows\SysWOW64\wscript.exe C:\Windows\Explorer.EXE

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Quotation #10091.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wscript.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\Quotation #10091.exe

"C:\Users\Admin\AppData\Local\Temp\Quotation #10091.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\Quotation #10091.exe"

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\SysWOW64\wscript.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Windows\SysWOW64\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.uickautoquote.net udp
US 8.8.8.8:53 www.oursmile.vip udp
US 8.8.8.8:53 www.osmits.net udp
US 8.8.8.8:53 www.acuum-cleaner-84018.bond udp
US 8.8.8.8:53 www.astysavor.website udp
US 8.8.8.8:53 www.rail.cruises udp
DE 217.160.0.10:80 www.rail.cruises tcp
US 8.8.8.8:53 www.aycare-service-99683.bond udp
US 8.8.8.8:53 www.ransportationmmsytpro.top udp
US 8.8.8.8:53 www.areerfest.xyz udp
US 8.8.8.8:53 www.j7zd12m.xyz udp
US 8.8.8.8:53 www.innivip.bio udp
US 8.8.8.8:53 www.bsboffchatrussummsa.online udp

Files

memory/2984-0-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/2984-3-0x0000000002E40000-0x0000000003040000-memory.dmp

memory/2544-4-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2984-6-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/2544-7-0x00000000009D0000-0x0000000000CD3000-memory.dmp

memory/2544-10-0x00000000001F0000-0x0000000000204000-memory.dmp

memory/2544-9-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1192-11-0x0000000006FC0000-0x000000000716A000-memory.dmp

memory/2100-12-0x0000000000220000-0x0000000000246000-memory.dmp

memory/2100-13-0x0000000000220000-0x0000000000246000-memory.dmp

memory/2100-14-0x00000000001D0000-0x00000000001FF000-memory.dmp

memory/1192-15-0x0000000006FC0000-0x000000000716A000-memory.dmp

memory/1192-20-0x00000000051D0000-0x000000000528C000-memory.dmp

memory/1192-21-0x00000000051D0000-0x000000000528C000-memory.dmp

memory/1192-23-0x00000000051D0000-0x000000000528C000-memory.dmp