formbook | 7357d3e9a33b53dcaf335fecb11100acf0fbeeec2ebf668634de7cd1ba931ae1

Analysis

max time kernel
135s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
09-02-2022 10:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb5cd9f8250eaf3861f8774f431032b4.exe
Size

400KB
MD5

cb5cd9f8250eaf3861f8774f431032b4
SHA1

1de8f273480f80f18d070f1f71aa722923759137
SHA256

7357d3e9a33b53dcaf335fecb11100acf0fbeeec2ebf668634de7cd1ba931ae1
SHA512

f7b4bc3996fee5fa1606a85f3d3cce6a1dbd6f14a133c81db0061b91528fc36c9856bd684b5d111ad387fff539720391fc2afd52c3b5803a7e192471a21e74cc

Score

10^/10

formbook k2i4 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

k2i4

Decoy

apehangersbikersgang.com

lhcgrou.com

diveidf.com

timtas.store

jadebody.club

iamjbrussell.com

fwfuv.icu

picchealth.net

batuair.com

z58609.com

punarecotech.com

a-oct.com

xn--wmq0c1qt9mcxhxjkp16a.top

district99.net

5dcoding.com

aripagripoff.biz

abtheagent.com

betterskincareco.com

jsskylight.com

deviseoffice.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2852-140-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

cb5cd9f8250eaf3861f8774f431032b4.exe

description	pid	Process	procid_target
PID 4788 set thread context of 2852	4788	cb5cd9f8250eaf3861f8774f431032b4.exe	99

Drops file in Windows directory 8 IoCs

Processes:

svchost.exeTiWorker.exe

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

cb5cd9f8250eaf3861f8774f431032b4.execb5cd9f8250eaf3861f8774f431032b4.exe

pid	Process
4788	cb5cd9f8250eaf3861f8774f431032b4.exe
4788	cb5cd9f8250eaf3861f8774f431032b4.exe
4788	cb5cd9f8250eaf3861f8774f431032b4.exe
4788	cb5cd9f8250eaf3861f8774f431032b4.exe
2852	cb5cd9f8250eaf3861f8774f431032b4.exe
2852	cb5cd9f8250eaf3861f8774f431032b4.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.execb5cd9f8250eaf3861f8774f431032b4.exeTiWorker.exe

description	pid	Process
Token: SeShutdownPrivilege	1080	svchost.exe
Token: SeCreatePagefilePrivilege	1080	svchost.exe
Token: SeShutdownPrivilege	1080	svchost.exe
Token: SeCreatePagefilePrivilege	1080	svchost.exe
Token: SeShutdownPrivilege	1080	svchost.exe
Token: SeCreatePagefilePrivilege	1080	svchost.exe
Token: SeDebugPrivilege	4788	cb5cd9f8250eaf3861f8774f431032b4.exe
Token: SeSecurityPrivilege	844	TiWorker.exe
Token: SeRestorePrivilege	844	TiWorker.exe
Token: SeBackupPrivilege	844	TiWorker.exe
Token: SeBackupPrivilege	844	TiWorker.exe
Token: SeRestorePrivilege	844	TiWorker.exe
Token: SeSecurityPrivilege	844	TiWorker.exe
Token: SeBackupPrivilege	844	TiWorker.exe
Token: SeRestorePrivilege	844	TiWorker.exe
Token: SeSecurityPrivilege	844	TiWorker.exe
Token: SeBackupPrivilege	844	TiWorker.exe
Token: SeRestorePrivilege	844	TiWorker.exe
Token: SeSecurityPrivilege	844	TiWorker.exe
Token: SeBackupPrivilege	844	TiWorker.exe
Token: SeRestorePrivilege	844	TiWorker.exe
Token: SeSecurityPrivilege	844	TiWorker.exe
Token: SeBackupPrivilege	844	TiWorker.exe
Token: SeRestorePrivilege	844	TiWorker.exe
Token: SeSecurityPrivilege	844	TiWorker.exe
Token: SeBackupPrivilege	844	TiWorker.exe
Token: SeRestorePrivilege	844	TiWorker.exe
Token: SeSecurityPrivilege	844	TiWorker.exe
Token: SeBackupPrivilege	844	TiWorker.exe
Token: SeRestorePrivilege	844	TiWorker.exe
Token: SeSecurityPrivilege	844	TiWorker.exe
Token: SeBackupPrivilege	844	TiWorker.exe
Token: SeRestorePrivilege	844	TiWorker.exe
Token: SeSecurityPrivilege	844	TiWorker.exe
Token: SeBackupPrivilege	844	TiWorker.exe
Token: SeRestorePrivilege	844	TiWorker.exe
Token: SeSecurityPrivilege	844	TiWorker.exe
Token: SeBackupPrivilege	844	TiWorker.exe
Token: SeRestorePrivilege	844	TiWorker.exe
Token: SeSecurityPrivilege	844	TiWorker.exe
Token: SeBackupPrivilege	844	TiWorker.exe
Token: SeRestorePrivilege	844	TiWorker.exe
Token: SeSecurityPrivilege	844	TiWorker.exe
Token: SeBackupPrivilege	844	TiWorker.exe
Token: SeRestorePrivilege	844	TiWorker.exe
Token: SeSecurityPrivilege	844	TiWorker.exe
Token: SeBackupPrivilege	844	TiWorker.exe
Token: SeRestorePrivilege	844	TiWorker.exe
Token: SeSecurityPrivilege	844	TiWorker.exe
Token: SeBackupPrivilege	844	TiWorker.exe
Token: SeRestorePrivilege	844	TiWorker.exe
Token: SeSecurityPrivilege	844	TiWorker.exe
Token: SeBackupPrivilege	844	TiWorker.exe
Token: SeRestorePrivilege	844	TiWorker.exe
Token: SeSecurityPrivilege	844	TiWorker.exe
Token: SeBackupPrivilege	844	TiWorker.exe
Token: SeRestorePrivilege	844	TiWorker.exe
Token: SeSecurityPrivilege	844	TiWorker.exe
Token: SeBackupPrivilege	844	TiWorker.exe
Token: SeRestorePrivilege	844	TiWorker.exe
Token: SeSecurityPrivilege	844	TiWorker.exe
Token: SeBackupPrivilege	844	TiWorker.exe
Token: SeRestorePrivilege	844	TiWorker.exe
Token: SeSecurityPrivilege	844	TiWorker.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

cb5cd9f8250eaf3861f8774f431032b4.exe

description	pid	Process	procid_target
PID 4788 wrote to memory of 2036	4788	cb5cd9f8250eaf3861f8774f431032b4.exe	97
PID 4788 wrote to memory of 2036	4788	cb5cd9f8250eaf3861f8774f431032b4.exe	97
PID 4788 wrote to memory of 2036	4788	cb5cd9f8250eaf3861f8774f431032b4.exe	97
PID 4788 wrote to memory of 4472	4788	cb5cd9f8250eaf3861f8774f431032b4.exe	98
PID 4788 wrote to memory of 4472	4788	cb5cd9f8250eaf3861f8774f431032b4.exe	98
PID 4788 wrote to memory of 4472	4788	cb5cd9f8250eaf3861f8774f431032b4.exe	98
PID 4788 wrote to memory of 2852	4788	cb5cd9f8250eaf3861f8774f431032b4.exe	99
PID 4788 wrote to memory of 2852	4788	cb5cd9f8250eaf3861f8774f431032b4.exe	99
PID 4788 wrote to memory of 2852	4788	cb5cd9f8250eaf3861f8774f431032b4.exe	99
PID 4788 wrote to memory of 2852	4788	cb5cd9f8250eaf3861f8774f431032b4.exe	99
PID 4788 wrote to memory of 2852	4788	cb5cd9f8250eaf3861f8774f431032b4.exe	99
PID 4788 wrote to memory of 2852	4788	cb5cd9f8250eaf3861f8774f431032b4.exe	99

C:\Users\Admin\AppData\Local\Temp\cb5cd9f8250eaf3861f8774f431032b4.exe
"C:\Users\Admin\AppData\Local\Temp\cb5cd9f8250eaf3861f8774f431032b4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4788
- C:\Users\Admin\AppData\Local\Temp\cb5cd9f8250eaf3861f8774f431032b4.exe
  "C:\Users\Admin\AppData\Local\Temp\cb5cd9f8250eaf3861f8774f431032b4.exe"
  2⤵
  PID:2036
- C:\Users\Admin\AppData\Local\Temp\cb5cd9f8250eaf3861f8774f431032b4.exe
  "C:\Users\Admin\AppData\Local\Temp\cb5cd9f8250eaf3861f8774f431032b4.exe"
  2⤵
  PID:4472
- C:\Users\Admin\AppData\Local\Temp\cb5cd9f8250eaf3861f8774f431032b4.exe
  "C:\Users\Admin\AppData\Local\Temp\cb5cd9f8250eaf3861f8774f431032b4.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1080

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:844

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1080-136-0x000001B5D4320000-0x000001B5D4330000-memory.dmp

Filesize
64KB

Download
memory/1080-137-0x000001B5D4380000-0x000001B5D4390000-memory.dmp

Filesize
64KB

Download
memory/1080-138-0x000001B5D6A50000-0x000001B5D6A54000-memory.dmp

Filesize
16KB

Download
memory/2852-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2852-141-0x0000000000EF0000-0x000000000123A000-memory.dmp

Filesize
3.3MB

Download
memory/4788-130-0x0000000074F9E000-0x0000000074F9F000-memory.dmp

Filesize
4KB

Download
memory/4788-131-0x0000000000950000-0x00000000009BA000-memory.dmp

Filesize
424KB

Download
memory/4788-132-0x0000000005970000-0x0000000005F14000-memory.dmp

Filesize
5.6MB

Download
memory/4788-133-0x00000000053C0000-0x0000000005452000-memory.dmp

Filesize
584KB

Download
memory/4788-134-0x0000000005390000-0x0000000005391000-memory.dmp

Filesize
4KB

Download
memory/4788-135-0x0000000005370000-0x000000000537A000-memory.dmp

Filesize
40KB

Download
memory/4788-139-0x0000000007790000-0x000000000782C000-memory.dmp

Filesize
624KB

Download