Overview

overview

10

Static

static

3

RFQ-ref_05921538.exe

windows7-x64

10

RFQ-ref_05921538.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    24-06-2024 11:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RFQ-ref_05921538.exe

  • Size

    918KB

  • MD5

    fb14abc040c25c13849b4c44308d962d

  • SHA1

    60f55621f11075f2e3af4ae41baf2794a58d6a66

  • SHA256

    4c3b65dd4922985d090d2c12598837727e199627e48fd19b071472382b240284

  • SHA512

    c2fc0aaee60cafcea97f0158cc013ddff8dc097215375a94ddc633ff2abe14da36c54cfb1e9865bf89984e532c7951b19e1cf776d002c19b49698a5f55cae81b

  • SSDEEP

    12288:90mTFhv5VQZ9WsgF91raePmsr55MGBoIaEXRavD7R5GsYG2ucI0zei:90m/x4xgF9hmDGFGeGVKf

Score
10/10
formbookna10ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

na10

Decoy

tetheus.com

ventlikeyoumeanit.com

tintbliss.com

rinabet357.com

sapphireboutiqueusa.com

abc8bet6.com

xzcn3i7jb13cqei.buzz

pinktravelsnagpur.com

bt365038.com

rtpbossujang303.shop

osthirmaker.com

thelonelyteacup.com

rlc2019.com

couverture-charpente.com

productivagc.com

defendercarcare.com

abcentixdigital.com

petco.ltd

oypivh.top

micro.guru

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 3 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1204
    • C:\Users\Admin\AppData\Local\Temp\RFQ-ref_05921538.exe
      "C:\Users\Admin\AppData\Local\Temp\RFQ-ref_05921538.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:352
      • C:\Users\Admin\AppData\Local\Temp\RFQ-ref_05921538.exe
        "C:\Users\Admin\AppData\Local\Temp\RFQ-ref_05921538.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2912
    • C:\Windows\SysWOW64\cmstp.exe
      "C:\Windows\SysWOW64\cmstp.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:376
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\RFQ-ref_05921538.exe"
        3⤵
        • Deletes itself
        PID:2696

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/352-13-0x0000000074440000-0x0000000074B2E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/352-12-0x000000007444E000-0x000000007444F000-memory.dmp
    Filesize

    4KB

    Download
  • memory/352-0-0x000000007444E000-0x000000007444F000-memory.dmp
    Filesize

    4KB

    Download
  • memory/352-3-0x00000000004B0000-0x00000000004F4000-memory.dmp
    Filesize

    272KB

    Download
  • memory/352-4-0x0000000000700000-0x000000000071A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/352-5-0x00000000008D0000-0x00000000008D6000-memory.dmp
    Filesize

    24KB

    Download
  • memory/352-15-0x0000000074440000-0x0000000074B2E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/352-2-0x0000000074440000-0x0000000074B2E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/352-1-0x0000000001020000-0x000000000110C000-memory.dmp
    Filesize

    944KB

    Download
  • memory/376-25-0x0000000000090000-0x00000000000BF000-memory.dmp
    Filesize

    188KB

    Download
  • memory/376-24-0x0000000000C50000-0x0000000000C68000-memory.dmp
    Filesize

    96KB

    Download
  • memory/376-22-0x0000000000C50000-0x0000000000C68000-memory.dmp
    Filesize

    96KB

    Download
  • memory/1204-20-0x0000000003AE0000-0x0000000003BE0000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/1204-28-0x0000000006410000-0x0000000006582000-memory.dmp
    Filesize

    1.4MB

    Download
  • memory/1204-21-0x0000000006410000-0x0000000006582000-memory.dmp
    Filesize

    1.4MB

    Download
  • memory/1204-26-0x0000000000010000-0x0000000000020000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2912-16-0x00000000008D0000-0x0000000000BD3000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/2912-19-0x0000000000110000-0x0000000000124000-memory.dmp
    Filesize

    80KB

    Download
  • memory/2912-18-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/2912-10-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2912-8-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/2912-6-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/2912-14-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download