Analysis

  • max time kernel
    147s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    29-12-2024 08:37

General

  • Target

    Invoice and Quotation.exe

  • Size

    289KB

  • MD5

    2e07da5fa7627362c6666c94210a40fe

  • SHA1

    8fe040d7df872ae78e702f11827bd236a6201981

  • SHA256

    c58e97524572e398ed81f73169c0fad3cbfd691761b997cf09be2a69ef5a6be0

  • SHA512

    23af93e3f00ca661a33e03d1063b3c1fe9b974c62ef136233092153b7b9839e8a807bcdb24c3b079c0d28aa1909e0e543dbf102a569dfa846ceb1e9db095fe5a

  • SSDEEP

    6144:owdWxpYqbDdleIkpq7pvzkh3p1YCuzcAGz7FGpxvFu20RCp93Nn0:YxpYqbDdleMdzktTYCuAAAilNphu

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

g09e

Decoy

flyinglarkgp.com

spiritsyncing.net

sushikreci.com

drssdup.com

mobileappsus.com

lvrcprbrisbane.com

nfjnwa.icu

ottenbruch.immo

strinosoft.com

portershoecollection.com

electriccarsus.com

lecai.icu

piplespnd.quest

talkrecords.com

lowcodeconnection.com

lastwagenfahrerjobshierorg.com

kpallman.com

dcrdr.com

chainalysisinfo.com

einayaa.com

Signatures

  • Formbook

    Formbook is a data-stealing malware family.

  • Formbook family
  • Formbook payload 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1196
    • C:\Users\Admin\AppData\Local\Temp\Invoice and Quotation.exe
      "C:\Users\Admin\AppData\Local\Temp\Invoice and Quotation.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1916
      • C:\Users\Admin\AppData\Local\Temp\qxbcmmh.exe
        C:\Users\Admin\AppData\Local\Temp\qxbcmmh.exe C:\Users\Admin\AppData\Local\Temp\cucpwml
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2132
        • C:\Users\Admin\AppData\Local\Temp\qxbcmmh.exe
          C:\Users\Admin\AppData\Local\Temp\qxbcmmh.exe C:\Users\Admin\AppData\Local\Temp\cucpwml
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:2824
    • C:\Windows\SysWOW64\raserver.exe
      "C:\Windows\SysWOW64\raserver.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3016
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\qxbcmmh.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2748

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\cucpwml

    Filesize

    4KB

    MD5

    1b170c978765a651c824be0f1c1e486c

    SHA1

    efff465225cba6bc49f377662fc6665258994e58

    SHA256

    db2ac9ed9296e1dfd69e9cdd5539d21772fb135b49722b5e01f8c728c8f0ffaa

    SHA512

    e34f4c522d8a57d3781bd61421a6574f6c236be7d5ce97590392129e76d2bae69b19c0c5e143c35211e59f89591bc4e58a48512714a8025e6ad0b98908517135

  • C:\Users\Admin\AppData\Local\Temp\l1g2u9lfjcqmh2

    Filesize

    211KB

    MD5

    827020ced381e55262695f58f84f278f

    SHA1

    ddc57871c40731903747162ae79bb9115b0838f2

    SHA256

    44bf31710fb7db97cfd76c864473981b648a5d175ce3ef0186bf2d2ff9966a5a

    SHA512

    9721ab681dd84abd526b36b99c59765903d9e635fe48d60c97fbea9428c0e332c72cb41bf90a73b3922170fda1b72e1ab838b27f2f19db8d898a566202ee0ede

  • \Users\Admin\AppData\Local\Temp\qxbcmmh.exe

    Filesize

    117KB

    MD5

    65facecea332bbb51b802e66b329eb18

    SHA1

    019140dda8ec2d92fe2597c8949208a7ebe95c6e

    SHA256

    c6935a83136101694625c5904af17387b6cf2a2a0b91ae394615e4d1fa61bb28

    SHA512

    d9d241441345f5c2e0bbd9e41489d9907d5c722f030249fa0f8285c13c5b3c872a8805a8b673060cba16f72a4ad8feba3a1ffd93524930193fe08bbe443a3842

  • memory/1196-17-0x0000000005130000-0x00000000052C9000-memory.dmp

    Filesize

    1.6MB

  • memory/1196-23-0x0000000005130000-0x00000000052C9000-memory.dmp

    Filesize

    1.6MB

  • memory/2132-9-0x00000000002B0000-0x00000000002B2000-memory.dmp

    Filesize

    8KB

  • memory/2824-12-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2824-16-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3016-20-0x0000000000650000-0x000000000066C000-memory.dmp

    Filesize

    112KB

  • memory/3016-21-0x0000000000650000-0x000000000066C000-memory.dmp

    Filesize

    112KB

  • memory/3016-22-0x0000000000080000-0x00000000000AF000-memory.dmp

    Filesize

    188KB