formbook | 7357d3e9a33b53dcaf335fecb11100acf0fbeeec2ebf668634de7cd1ba931ae1

Analysis

max time kernel
155s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
09-02-2022 09:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hussanbinzx.exe
Size

400KB
MD5

cb5cd9f8250eaf3861f8774f431032b4
SHA1

1de8f273480f80f18d070f1f71aa722923759137
SHA256

7357d3e9a33b53dcaf335fecb11100acf0fbeeec2ebf668634de7cd1ba931ae1
SHA512

f7b4bc3996fee5fa1606a85f3d3cce6a1dbd6f14a133c81db0061b91528fc36c9856bd684b5d111ad387fff539720391fc2afd52c3b5803a7e192471a21e74cc

Score

10^/10

formbook k2i4 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

k2i4

Decoy

apehangersbikersgang.com

lhcgrou.com

diveidf.com

timtas.store

jadebody.club

iamjbrussell.com

fwfuv.icu

picchealth.net

batuair.com

z58609.com

punarecotech.com

a-oct.com

xn--wmq0c1qt9mcxhxjkp16a.top

district99.net

5dcoding.com

aripagripoff.biz

abtheagent.com

betterskincareco.com

jsskylight.com

deviseoffice.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3464-140-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3464-146-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2460-151-0x0000000001320000-0x000000000134F000-memory.dmp	formbook

Suspicious use of SetThreadContext 4 IoCs

Processes:

hussanbinzx.exehussanbinzx.execscript.exe

description	pid	Process	procid_target
PID 4444 set thread context of 3464	4444	hussanbinzx.exe	98
PID 3464 set thread context of 2484	3464	hussanbinzx.exe	44
PID 3464 set thread context of 2484	3464	hussanbinzx.exe	44
PID 2460 set thread context of 2484	2460	cscript.exe	44

Drops file in Windows directory 8 IoCs

Processes:

svchost.exeTiWorker.exe

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

hussanbinzx.execscript.exe

pid	Process
3464	hussanbinzx.exe
3464	hussanbinzx.exe
3464	hussanbinzx.exe
3464	hussanbinzx.exe
3464	hussanbinzx.exe
3464	hussanbinzx.exe
2460	cscript.exe
2460	cscript.exe
2460	cscript.exe
2460	cscript.exe
2460	cscript.exe
2460	cscript.exe
2460	cscript.exe
2460	cscript.exe
2460	cscript.exe
2460	cscript.exe
2460	cscript.exe
2460	cscript.exe
2460	cscript.exe
2460	cscript.exe
2460	cscript.exe
2460	cscript.exe
2460	cscript.exe
2460	cscript.exe
2460	cscript.exe
2460	cscript.exe
2460	cscript.exe
2460	cscript.exe
2460	cscript.exe
2460	cscript.exe
2460	cscript.exe
2460	cscript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid	Process
2484	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

hussanbinzx.execscript.exe

pid	Process
3464	hussanbinzx.exe
3464	hussanbinzx.exe
3464	hussanbinzx.exe
3464	hussanbinzx.exe
2460	cscript.exe
2460	cscript.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exeTiWorker.exehussanbinzx.exeExplorer.EXE

description	pid	Process
Token: SeShutdownPrivilege	1336	svchost.exe
Token: SeCreatePagefilePrivilege	1336	svchost.exe
Token: SeShutdownPrivilege	1336	svchost.exe
Token: SeCreatePagefilePrivilege	1336	svchost.exe
Token: SeShutdownPrivilege	1336	svchost.exe
Token: SeCreatePagefilePrivilege	1336	svchost.exe
Token: SeSecurityPrivilege	5116	TiWorker.exe
Token: SeRestorePrivilege	5116	TiWorker.exe
Token: SeBackupPrivilege	5116	TiWorker.exe
Token: SeBackupPrivilege	5116	TiWorker.exe
Token: SeRestorePrivilege	5116	TiWorker.exe
Token: SeSecurityPrivilege	5116	TiWorker.exe
Token: SeBackupPrivilege	5116	TiWorker.exe
Token: SeRestorePrivilege	5116	TiWorker.exe
Token: SeSecurityPrivilege	5116	TiWorker.exe
Token: SeBackupPrivilege	5116	TiWorker.exe
Token: SeRestorePrivilege	5116	TiWorker.exe
Token: SeSecurityPrivilege	5116	TiWorker.exe
Token: SeBackupPrivilege	5116	TiWorker.exe
Token: SeRestorePrivilege	5116	TiWorker.exe
Token: SeSecurityPrivilege	5116	TiWorker.exe
Token: SeBackupPrivilege	5116	TiWorker.exe
Token: SeRestorePrivilege	5116	TiWorker.exe
Token: SeSecurityPrivilege	5116	TiWorker.exe
Token: SeBackupPrivilege	5116	TiWorker.exe
Token: SeRestorePrivilege	5116	TiWorker.exe
Token: SeSecurityPrivilege	5116	TiWorker.exe
Token: SeBackupPrivilege	5116	TiWorker.exe
Token: SeRestorePrivilege	5116	TiWorker.exe
Token: SeSecurityPrivilege	5116	TiWorker.exe
Token: SeBackupPrivilege	5116	TiWorker.exe
Token: SeRestorePrivilege	5116	TiWorker.exe
Token: SeSecurityPrivilege	5116	TiWorker.exe
Token: SeBackupPrivilege	5116	TiWorker.exe
Token: SeRestorePrivilege	5116	TiWorker.exe
Token: SeSecurityPrivilege	5116	TiWorker.exe
Token: SeBackupPrivilege	5116	TiWorker.exe
Token: SeRestorePrivilege	5116	TiWorker.exe
Token: SeSecurityPrivilege	5116	TiWorker.exe
Token: SeDebugPrivilege	3464	hussanbinzx.exe
Token: SeShutdownPrivilege	2484	Explorer.EXE
Token: SeCreatePagefilePrivilege	2484	Explorer.EXE
Token: SeShutdownPrivilege	2484	Explorer.EXE
Token: SeCreatePagefilePrivilege	2484	Explorer.EXE
Token: SeBackupPrivilege	5116	TiWorker.exe
Token: SeRestorePrivilege	5116	TiWorker.exe
Token: SeSecurityPrivilege	5116	TiWorker.exe
Token: SeBackupPrivilege	5116	TiWorker.exe
Token: SeRestorePrivilege	5116	TiWorker.exe
Token: SeSecurityPrivilege	5116	TiWorker.exe
Token: SeBackupPrivilege	5116	TiWorker.exe
Token: SeRestorePrivilege	5116	TiWorker.exe
Token: SeSecurityPrivilege	5116	TiWorker.exe
Token: SeBackupPrivilege	5116	TiWorker.exe
Token: SeRestorePrivilege	5116	TiWorker.exe
Token: SeSecurityPrivilege	5116	TiWorker.exe
Token: SeBackupPrivilege	5116	TiWorker.exe
Token: SeRestorePrivilege	5116	TiWorker.exe
Token: SeSecurityPrivilege	5116	TiWorker.exe
Token: SeBackupPrivilege	5116	TiWorker.exe
Token: SeRestorePrivilege	5116	TiWorker.exe
Token: SeSecurityPrivilege	5116	TiWorker.exe
Token: SeBackupPrivilege	5116	TiWorker.exe
Token: SeRestorePrivilege	5116	TiWorker.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

hussanbinzx.exehussanbinzx.execscript.exe

description	pid	Process	procid_target
PID 4444 wrote to memory of 3464	4444	hussanbinzx.exe	98
PID 4444 wrote to memory of 3464	4444	hussanbinzx.exe	98
PID 4444 wrote to memory of 3464	4444	hussanbinzx.exe	98
PID 4444 wrote to memory of 3464	4444	hussanbinzx.exe	98
PID 4444 wrote to memory of 3464	4444	hussanbinzx.exe	98
PID 4444 wrote to memory of 3464	4444	hussanbinzx.exe	98
PID 3464 wrote to memory of 2460	3464	hussanbinzx.exe	99
PID 3464 wrote to memory of 2460	3464	hussanbinzx.exe	99
PID 3464 wrote to memory of 2460	3464	hussanbinzx.exe	99
PID 2460 wrote to memory of 3636	2460	cscript.exe	100
PID 2460 wrote to memory of 3636	2460	cscript.exe	100
PID 2460 wrote to memory of 3636	2460	cscript.exe	100

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2484
- C:\Users\Admin\AppData\Local\Temp\hussanbinzx.exe
  "C:\Users\Admin\AppData\Local\Temp\hussanbinzx.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4444
- - C:\Users\Admin\AppData\Local\Temp\hussanbinzx.exe
    "C:\Users\Admin\AppData\Local\Temp\hussanbinzx.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3464
  - - C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\SysWOW64\cscript.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:2460
    - - C:\Windows\SysWOW64\cmd.exe
        
        /c del "C:\Users\Admin\AppData\Local\Temp\hussanbinzx.exe"
        5⤵
        
        PID:3636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1336

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5116

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1336-137-0x0000021CC6380000-0x0000021CC6390000-memory.dmp

Filesize
64KB

Download
memory/1336-138-0x0000021CC8A30000-0x0000021CC8A34000-memory.dmp

Filesize
16KB

Download
memory/1336-136-0x0000021CC6320000-0x0000021CC6330000-memory.dmp

Filesize
64KB

Download
memory/2460-153-0x00000000031B0000-0x0000000003244000-memory.dmp

Filesize
592KB

Download
memory/2460-152-0x0000000003310000-0x000000000365A000-memory.dmp

Filesize
3.3MB

Download
memory/2460-150-0x0000000000F50000-0x0000000000F77000-memory.dmp

Filesize
156KB

Download
memory/2460-151-0x0000000001320000-0x000000000134F000-memory.dmp

Filesize
188KB

Download
memory/2484-149-0x00000000080D0000-0x000000000825C000-memory.dmp

Filesize
1.5MB

Download
memory/2484-145-0x0000000008270000-0x00000000083E1000-memory.dmp

Filesize
1.4MB

Download
memory/2484-154-0x0000000008520000-0x00000000085CE000-memory.dmp

Filesize
696KB

Download
memory/3464-147-0x000000000041F000-0x0000000000420000-memory.dmp

Filesize
4KB

Download
memory/3464-148-0x0000000001010000-0x0000000001025000-memory.dmp

Filesize
84KB

Download
memory/3464-143-0x000000000041F000-0x0000000000420000-memory.dmp

Filesize
4KB

Download
memory/3464-144-0x0000000000FB0000-0x0000000000FC5000-memory.dmp

Filesize
84KB

Download
memory/3464-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3464-146-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3464-141-0x00000000010B0000-0x00000000013FA000-memory.dmp

Filesize
3.3MB

Download
memory/4444-135-0x0000000004F70000-0x0000000004F7A000-memory.dmp

Filesize
40KB

Download
memory/4444-130-0x000000007506E000-0x000000007506F000-memory.dmp

Filesize
4KB

Download
memory/4444-134-0x0000000004F50000-0x0000000004F51000-memory.dmp

Filesize
4KB

Download
memory/4444-133-0x0000000004FF0000-0x0000000005082000-memory.dmp

Filesize
584KB

Download
memory/4444-132-0x00000000055A0000-0x0000000005B44000-memory.dmp

Filesize
5.6MB

Download
memory/4444-131-0x0000000000550000-0x00000000005BA000-memory.dmp

Filesize
424KB

Download
memory/4444-139-0x0000000007230000-0x00000000072CC000-memory.dmp

Filesize
624KB

Download