formbook | d91c6941790f363546482c6dd71f70a1c54cf1e9f4666f4aaca5931d3395593b

Analysis

max time kernel
150s
max time network
154s
platform
windows10_x64
resource
win10v20210408
submitted
10-05-2021 07:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IMAGE 005667.exe
Size

774KB
MD5

e001b88c46b3e8da9380d8e0f5ee879e
SHA1

450d538f9d57f78075dd5fbf889841d4a0822172
SHA256

d91c6941790f363546482c6dd71f70a1c54cf1e9f4666f4aaca5931d3395593b
SHA512

d574afe8394696528b08c037615cf41a138207e8c653072dd85b31ac47f76dcb56ef692b6a8dd607357b2a6b467d3c5ae2bc65ac54c8cd9d65a3c2b795fdd0ce

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

http://www.glittergalsboutique.com/8buc/

Decoy

affiliatetraining101.com

sun5new.com

localstuffunlimited.store

getmrn.com

nipandtucknurse.com

companycreater.com

painfullyperfect.com

3dmobilemammo.com

theredbeegroup.net

loochaan.com

alanoliveiramkt.com

lxwzsh.com

twobookramblers.com

cscardinalmalula.net

hanarzr.com

sabaicp.com

foodprocessmedia.com

tirongroup.com

dcentralizedcloud.com

xn--80abnkzb2a.xn--p1acf

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2344-142-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/2344-143-0x000000000041ED80-mapping.dmp	formbook
behavioral2/memory/1564-206-0x0000000003060000-0x000000000308E000-memory.dmp	formbook

Suspicious use of SetThreadContext 4 IoCs

Processes:

IMAGE 005667.exeIMAGE 005667.exeraserver.exe

description	pid	process	target process
PID 800 set thread context of 2344	800	IMAGE 005667.exe	IMAGE 005667.exe
PID 2344 set thread context of 2568	2344	IMAGE 005667.exe	Explorer.EXE
PID 2344 set thread context of 2568	2344	IMAGE 005667.exe	Explorer.EXE
PID 1564 set thread context of 2568	1564	raserver.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3076 schtasks.exe

pid	process
3076	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

IMAGE 005667.exeIMAGE 005667.exepowershell.exepowershell.exepowershell.exeraserver.exe

pid	process
800	IMAGE 005667.exe
800	IMAGE 005667.exe
800	IMAGE 005667.exe
2344	IMAGE 005667.exe
2344	IMAGE 005667.exe
2344	IMAGE 005667.exe
2344	IMAGE 005667.exe
1648	powershell.exe
1140	powershell.exe
3740	powershell.exe
1140	powershell.exe
1648	powershell.exe
3740	powershell.exe
1140	powershell.exe
1648	powershell.exe
3740	powershell.exe
2344	IMAGE 005667.exe
2344	IMAGE 005667.exe
1564	raserver.exe
1564	raserver.exe
1564	raserver.exe
1564	raserver.exe
1564	raserver.exe
1564	raserver.exe
1564	raserver.exe
1564	raserver.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

IMAGE 005667.exeraserver.exe

pid process

2344 IMAGE 005667.exe
2344 IMAGE 005667.exe
2344 IMAGE 005667.exe
2344 IMAGE 005667.exe
1564 raserver.exe
1564 raserver.exe

pid	process
2344	IMAGE 005667.exe
2344	IMAGE 005667.exe
2344	IMAGE 005667.exe
2344	IMAGE 005667.exe
1564	raserver.exe
1564	raserver.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

IMAGE 005667.exepowershell.exepowershell.exeIMAGE 005667.exepowershell.exeraserver.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	800	IMAGE 005667.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	1140	powershell.exe
Token: SeDebugPrivilege	2344	IMAGE 005667.exe
Token: SeDebugPrivilege	3740	powershell.exe
Token: SeDebugPrivilege	1564	raserver.exe
Token: SeShutdownPrivilege	2568	Explorer.EXE
Token: SeCreatePagefilePrivilege	2568	Explorer.EXE
Token: SeShutdownPrivilege	2568	Explorer.EXE
Token: SeCreatePagefilePrivilege	2568	Explorer.EXE
Token: SeShutdownPrivilege	2568	Explorer.EXE
Token: SeCreatePagefilePrivilege	2568	Explorer.EXE

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

IMAGE 005667.exeExplorer.EXEraserver.exe

description	pid	process	target process
PID 800 wrote to memory of 1140	800	IMAGE 005667.exe	powershell.exe
PID 800 wrote to memory of 1140	800	IMAGE 005667.exe	powershell.exe
PID 800 wrote to memory of 1140	800	IMAGE 005667.exe	powershell.exe
PID 800 wrote to memory of 1648	800	IMAGE 005667.exe	powershell.exe
PID 800 wrote to memory of 1648	800	IMAGE 005667.exe	powershell.exe
PID 800 wrote to memory of 1648	800	IMAGE 005667.exe	powershell.exe
PID 800 wrote to memory of 3076	800	IMAGE 005667.exe	schtasks.exe
PID 800 wrote to memory of 3076	800	IMAGE 005667.exe	schtasks.exe
PID 800 wrote to memory of 3076	800	IMAGE 005667.exe	schtasks.exe
PID 800 wrote to memory of 3740	800	IMAGE 005667.exe	powershell.exe
PID 800 wrote to memory of 3740	800	IMAGE 005667.exe	powershell.exe
PID 800 wrote to memory of 3740	800	IMAGE 005667.exe	powershell.exe
PID 800 wrote to memory of 3828	800	IMAGE 005667.exe	IMAGE 005667.exe
PID 800 wrote to memory of 3828	800	IMAGE 005667.exe	IMAGE 005667.exe
PID 800 wrote to memory of 3828	800	IMAGE 005667.exe	IMAGE 005667.exe
PID 800 wrote to memory of 2344	800	IMAGE 005667.exe	IMAGE 005667.exe
PID 800 wrote to memory of 2344	800	IMAGE 005667.exe	IMAGE 005667.exe
PID 800 wrote to memory of 2344	800	IMAGE 005667.exe	IMAGE 005667.exe
PID 800 wrote to memory of 2344	800	IMAGE 005667.exe	IMAGE 005667.exe
PID 800 wrote to memory of 2344	800	IMAGE 005667.exe	IMAGE 005667.exe
PID 800 wrote to memory of 2344	800	IMAGE 005667.exe	IMAGE 005667.exe
PID 2568 wrote to memory of 1564	2568	Explorer.EXE	raserver.exe
PID 2568 wrote to memory of 1564	2568	Explorer.EXE	raserver.exe
PID 2568 wrote to memory of 1564	2568	Explorer.EXE	raserver.exe
PID 1564 wrote to memory of 3188	1564	raserver.exe	cmd.exe
PID 1564 wrote to memory of 3188	1564	raserver.exe	cmd.exe
PID 1564 wrote to memory of 3188	1564	raserver.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Users\Admin\AppData\Local\Temp\IMAGE 005667.exe
  "C:\Users\Admin\AppData\Local\Temp\IMAGE 005667.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:800
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\IMAGE 005667.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1140
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\bdBwgPFLxF.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1648
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bdBwgPFLxF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp369C.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:3076
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\bdBwgPFLxF.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3740
- - C:\Users\Admin\AppData\Local\Temp\IMAGE 005667.exe
    "C:\Users\Admin\AppData\Local\Temp\IMAGE 005667.exe"
    3⤵
    PID:3828
- - C:\Users\Admin\AppData\Local\Temp\IMAGE 005667.exe
    "C:\Users\Admin\AppData\Local\Temp\IMAGE 005667.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2344
- C:\Windows\SysWOW64\raserver.exe
  "C:\Windows\SysWOW64\raserver.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\IMAGE 005667.exe"
    3⤵
    PID:3188

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
c49e1e3a5015a958c06a38e6905a2617

SHA1
80e9c5a775d4939ecec7463417c222497b9f11c5

SHA256
3fb02378f18fef428b67400a7a1b24166962775048823b5fdb063d59e0310fd3

SHA512
1c3b0fd72f22e8da62d6196ec8199261163e1398f47e56126217170c37c829702c590c717f4ad6ef9930ecaee490a5d86383e489edebff8cfb014c6b2737032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
c49e1e3a5015a958c06a38e6905a2617

SHA1
80e9c5a775d4939ecec7463417c222497b9f11c5

SHA256
3fb02378f18fef428b67400a7a1b24166962775048823b5fdb063d59e0310fd3

SHA512
1c3b0fd72f22e8da62d6196ec8199261163e1398f47e56126217170c37c829702c590c717f4ad6ef9930ecaee490a5d86383e489edebff8cfb014c6b2737032c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp369C.tmp

MD5
b31820eb266de3b4cd83bba56765d2e5

SHA1
9e0d9969bfa4860493ed5f7ac1a6b4a9e2a8084c

SHA256
064220d88f807ab4c6b45c90947f1bb9c20cfc90b4738a8f14c775dc86d7ecd6

SHA512
ed944d0a728995e62f5f96dcffe6ef9915dfb3448682114319e4e3473bb0492ceb1f7ffa14b7b4168170f032d5bdf131f1fb47157bcce0763311f948e289c879

Download Submit
memory/800-121-0x0000000007A50000-0x0000000007A54000-memory.dmp

Filesize
16KB

Download
memory/800-120-0x00000000053C0000-0x00000000053C1000-memory.dmp

Filesize
4KB

Download
memory/800-119-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/800-122-0x00000000050C0000-0x000000000515C000-memory.dmp

Filesize
624KB

Download
memory/800-123-0x00000000028F0000-0x0000000002971000-memory.dmp

Filesize
516KB

Download
memory/800-124-0x0000000000EE0000-0x0000000000F18000-memory.dmp

Filesize
224KB

Download
memory/800-114-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/800-118-0x0000000005200000-0x0000000005201000-memory.dmp

Filesize
4KB

Download
memory/800-117-0x0000000005700000-0x0000000005701000-memory.dmp

Filesize
4KB

Download
memory/800-116-0x0000000005160000-0x0000000005161000-memory.dmp

Filesize
4KB

Download
memory/1140-131-0x0000000007050000-0x0000000007051000-memory.dmp

Filesize
4KB

Download
memory/1140-125-0x0000000000000000-mapping.dmp

Download
memory/1140-163-0x0000000007680000-0x0000000007681000-memory.dmp

Filesize
4KB

Download
memory/1140-136-0x00000000010B0000-0x00000000010B1000-memory.dmp

Filesize
4KB

Download
memory/1140-129-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/1140-166-0x0000000006D50000-0x0000000006D51000-memory.dmp

Filesize
4KB

Download
memory/1140-169-0x0000000007CD0000-0x0000000007CD1000-memory.dmp

Filesize
4KB

Download
memory/1140-196-0x000000007E630000-0x000000007E631000-memory.dmp

Filesize
4KB

Download
memory/1140-155-0x0000000006C50000-0x0000000006C51000-memory.dmp

Filesize
4KB

Download
memory/1140-198-0x00000000010B3000-0x00000000010B4000-memory.dmp

Filesize
4KB

Download
memory/1140-137-0x00000000010B2000-0x00000000010B3000-memory.dmp

Filesize
4KB

Download
memory/1564-203-0x0000000000000000-mapping.dmp

Download
memory/1564-207-0x0000000004630000-0x0000000004950000-memory.dmp

Filesize
3.1MB

Download
memory/1564-206-0x0000000003060000-0x000000000308E000-memory.dmp

Filesize
184KB

Download
memory/1564-204-0x0000000000D70000-0x0000000000D8F000-memory.dmp

Filesize
124KB

Download
memory/1564-211-0x00000000049F0000-0x0000000004A83000-memory.dmp

Filesize
588KB

Download
memory/1648-200-0x00000000068B3000-0x00000000068B4000-memory.dmp

Filesize
4KB

Download
memory/1648-197-0x000000007F3C0000-0x000000007F3C1000-memory.dmp

Filesize
4KB

Download
memory/1648-128-0x0000000000000000-mapping.dmp

Download
memory/1648-158-0x00000000076C0000-0x00000000076C1000-memory.dmp

Filesize
4KB

Download
memory/1648-138-0x00000000068B0000-0x00000000068B1000-memory.dmp

Filesize
4KB

Download
memory/1648-139-0x00000000068B2000-0x00000000068B3000-memory.dmp

Filesize
4KB

Download
memory/2344-201-0x00000000012C0000-0x00000000012D4000-memory.dmp

Filesize
80KB

Download
memory/2344-154-0x0000000001330000-0x0000000001650000-memory.dmp

Filesize
3.1MB

Download
memory/2344-161-0x0000000001270000-0x0000000001284000-memory.dmp

Filesize
80KB

Download
memory/2344-142-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2344-143-0x000000000041ED80-mapping.dmp

Download
memory/2568-162-0x0000000006070000-0x00000000061CC000-memory.dmp

Filesize
1.4MB

Download
memory/2568-202-0x0000000006A90000-0x0000000006BEA000-memory.dmp

Filesize
1.4MB

Download
memory/2568-212-0x0000000006BF0000-0x0000000006D32000-memory.dmp

Filesize
1.3MB

Download
memory/3076-130-0x0000000000000000-mapping.dmp

Download
memory/3188-205-0x0000000000000000-mapping.dmp

Download
memory/3740-148-0x0000000007780000-0x0000000007781000-memory.dmp

Filesize
4KB

Download
memory/3740-152-0x00000000011D0000-0x00000000011D1000-memory.dmp

Filesize
4KB

Download
memory/3740-199-0x00000000011D3000-0x00000000011D4000-memory.dmp

Filesize
4KB

Download
memory/3740-141-0x0000000000000000-mapping.dmp

Download
memory/3740-195-0x000000007F530000-0x000000007F531000-memory.dmp

Filesize
4KB

Download
memory/3740-172-0x0000000008000000-0x0000000008001000-memory.dmp

Filesize
4KB

Download
memory/3740-153-0x00000000011D2000-0x00000000011D3000-memory.dmp

Filesize
4KB

Download