formbook | 7357d3e9a33b53dcaf335fecb11100acf0fbeeec2ebf668634de7cd1ba931ae1

Analysis

max time kernel
164s
max time network
178s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
17-02-2022 10:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7357d3e9a33b53dcaf335fecb11100acf0fbeeec2ebf668634de7cd1ba931ae1.exe
Size

400KB
MD5

cb5cd9f8250eaf3861f8774f431032b4
SHA1

1de8f273480f80f18d070f1f71aa722923759137
SHA256

7357d3e9a33b53dcaf335fecb11100acf0fbeeec2ebf668634de7cd1ba931ae1
SHA512

f7b4bc3996fee5fa1606a85f3d3cce6a1dbd6f14a133c81db0061b91528fc36c9856bd684b5d111ad387fff539720391fc2afd52c3b5803a7e192471a21e74cc

Score

10^/10

formbook k2i4 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

k2i4

Decoy

apehangersbikersgang.com

lhcgrou.com

diveidf.com

timtas.store

jadebody.club

iamjbrussell.com

fwfuv.icu

picchealth.net

batuair.com

z58609.com

punarecotech.com

a-oct.com

xn--wmq0c1qt9mcxhxjkp16a.top

district99.net

5dcoding.com

aripagripoff.biz

abtheagent.com

betterskincareco.com

jsskylight.com

deviseoffice.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1152-140-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

7357d3e9a33b53dcaf335fecb11100acf0fbeeec2ebf668634de7cd1ba931ae1.exe

description	pid	Process	procid_target
PID 544 set thread context of 1152	544	7357d3e9a33b53dcaf335fecb11100acf0fbeeec2ebf668634de7cd1ba931ae1.exe	99

Drops file in Windows directory 8 IoCs

Processes:

svchost.exeTiWorker.exe

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

7357d3e9a33b53dcaf335fecb11100acf0fbeeec2ebf668634de7cd1ba931ae1.exe

pid	Process
1152	7357d3e9a33b53dcaf335fecb11100acf0fbeeec2ebf668634de7cd1ba931ae1.exe
1152	7357d3e9a33b53dcaf335fecb11100acf0fbeeec2ebf668634de7cd1ba931ae1.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exeTiWorker.exe

description	pid	Process
Token: SeShutdownPrivilege	4240	svchost.exe
Token: SeCreatePagefilePrivilege	4240	svchost.exe
Token: SeShutdownPrivilege	4240	svchost.exe
Token: SeCreatePagefilePrivilege	4240	svchost.exe
Token: SeShutdownPrivilege	4240	svchost.exe
Token: SeCreatePagefilePrivilege	4240	svchost.exe
Token: SeSecurityPrivilege	5104	TiWorker.exe
Token: SeRestorePrivilege	5104	TiWorker.exe
Token: SeBackupPrivilege	5104	TiWorker.exe
Token: SeBackupPrivilege	5104	TiWorker.exe
Token: SeRestorePrivilege	5104	TiWorker.exe
Token: SeSecurityPrivilege	5104	TiWorker.exe
Token: SeBackupPrivilege	5104	TiWorker.exe
Token: SeRestorePrivilege	5104	TiWorker.exe
Token: SeSecurityPrivilege	5104	TiWorker.exe
Token: SeBackupPrivilege	5104	TiWorker.exe
Token: SeRestorePrivilege	5104	TiWorker.exe
Token: SeSecurityPrivilege	5104	TiWorker.exe
Token: SeBackupPrivilege	5104	TiWorker.exe
Token: SeRestorePrivilege	5104	TiWorker.exe
Token: SeSecurityPrivilege	5104	TiWorker.exe
Token: SeBackupPrivilege	5104	TiWorker.exe
Token: SeRestorePrivilege	5104	TiWorker.exe
Token: SeSecurityPrivilege	5104	TiWorker.exe
Token: SeBackupPrivilege	5104	TiWorker.exe
Token: SeRestorePrivilege	5104	TiWorker.exe
Token: SeSecurityPrivilege	5104	TiWorker.exe
Token: SeBackupPrivilege	5104	TiWorker.exe
Token: SeRestorePrivilege	5104	TiWorker.exe
Token: SeSecurityPrivilege	5104	TiWorker.exe
Token: SeBackupPrivilege	5104	TiWorker.exe
Token: SeRestorePrivilege	5104	TiWorker.exe
Token: SeSecurityPrivilege	5104	TiWorker.exe
Token: SeBackupPrivilege	5104	TiWorker.exe
Token: SeRestorePrivilege	5104	TiWorker.exe
Token: SeSecurityPrivilege	5104	TiWorker.exe
Token: SeBackupPrivilege	5104	TiWorker.exe
Token: SeRestorePrivilege	5104	TiWorker.exe
Token: SeSecurityPrivilege	5104	TiWorker.exe
Token: SeBackupPrivilege	5104	TiWorker.exe
Token: SeRestorePrivilege	5104	TiWorker.exe
Token: SeSecurityPrivilege	5104	TiWorker.exe
Token: SeBackupPrivilege	5104	TiWorker.exe
Token: SeRestorePrivilege	5104	TiWorker.exe
Token: SeSecurityPrivilege	5104	TiWorker.exe
Token: SeBackupPrivilege	5104	TiWorker.exe
Token: SeRestorePrivilege	5104	TiWorker.exe
Token: SeSecurityPrivilege	5104	TiWorker.exe
Token: SeBackupPrivilege	5104	TiWorker.exe
Token: SeRestorePrivilege	5104	TiWorker.exe
Token: SeSecurityPrivilege	5104	TiWorker.exe
Token: SeBackupPrivilege	5104	TiWorker.exe
Token: SeRestorePrivilege	5104	TiWorker.exe
Token: SeSecurityPrivilege	5104	TiWorker.exe
Token: SeBackupPrivilege	5104	TiWorker.exe
Token: SeRestorePrivilege	5104	TiWorker.exe
Token: SeSecurityPrivilege	5104	TiWorker.exe
Token: SeBackupPrivilege	5104	TiWorker.exe
Token: SeRestorePrivilege	5104	TiWorker.exe
Token: SeSecurityPrivilege	5104	TiWorker.exe
Token: SeBackupPrivilege	5104	TiWorker.exe
Token: SeRestorePrivilege	5104	TiWorker.exe
Token: SeSecurityPrivilege	5104	TiWorker.exe
Token: SeBackupPrivilege	5104	TiWorker.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

7357d3e9a33b53dcaf335fecb11100acf0fbeeec2ebf668634de7cd1ba931ae1.exe

description	pid	Process	procid_target
PID 544 wrote to memory of 1152	544	7357d3e9a33b53dcaf335fecb11100acf0fbeeec2ebf668634de7cd1ba931ae1.exe	99
PID 544 wrote to memory of 1152	544	7357d3e9a33b53dcaf335fecb11100acf0fbeeec2ebf668634de7cd1ba931ae1.exe	99
PID 544 wrote to memory of 1152	544	7357d3e9a33b53dcaf335fecb11100acf0fbeeec2ebf668634de7cd1ba931ae1.exe	99
PID 544 wrote to memory of 1152	544	7357d3e9a33b53dcaf335fecb11100acf0fbeeec2ebf668634de7cd1ba931ae1.exe	99
PID 544 wrote to memory of 1152	544	7357d3e9a33b53dcaf335fecb11100acf0fbeeec2ebf668634de7cd1ba931ae1.exe	99
PID 544 wrote to memory of 1152	544	7357d3e9a33b53dcaf335fecb11100acf0fbeeec2ebf668634de7cd1ba931ae1.exe	99

C:\Users\Admin\AppData\Local\Temp\7357d3e9a33b53dcaf335fecb11100acf0fbeeec2ebf668634de7cd1ba931ae1.exe
"C:\Users\Admin\AppData\Local\Temp\7357d3e9a33b53dcaf335fecb11100acf0fbeeec2ebf668634de7cd1ba931ae1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:544
- C:\Users\Admin\AppData\Local\Temp\7357d3e9a33b53dcaf335fecb11100acf0fbeeec2ebf668634de7cd1ba931ae1.exe
  "C:\Users\Admin\AppData\Local\Temp\7357d3e9a33b53dcaf335fecb11100acf0fbeeec2ebf668634de7cd1ba931ae1.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1152

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4240

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5104

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/544-130-0x000000007476E000-0x000000007476F000-memory.dmp

Filesize
4KB

Download
memory/544-131-0x0000000000E10000-0x0000000000E7A000-memory.dmp

Filesize
424KB

Download
memory/544-132-0x0000000005EE0000-0x0000000006484000-memory.dmp

Filesize
5.6MB

Download
memory/544-133-0x0000000005850000-0x00000000058E2000-memory.dmp

Filesize
584KB

Download
memory/544-134-0x0000000005820000-0x000000000582A000-memory.dmp

Filesize
40KB

Download
memory/544-135-0x00000000059E0000-0x00000000059E1000-memory.dmp

Filesize
4KB

Download
memory/544-139-0x0000000007B90000-0x0000000007C2C000-memory.dmp

Filesize
624KB

Download
memory/1152-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1152-141-0x0000000000E70000-0x00000000011BA000-memory.dmp

Filesize
3.3MB

Download
memory/4240-136-0x0000022420160000-0x0000022420170000-memory.dmp

Filesize
64KB

Download
memory/4240-137-0x0000022420A70000-0x0000022420A80000-memory.dmp

Filesize
64KB

Download
memory/4240-138-0x0000022423120000-0x0000022423124000-memory.dmp

Filesize
16KB

Download