formbook | 388292015e4c2d075b935a8299d99335d957e3ad5134a33f28c4dc7f5e3687c5

Resubmissions

28/03/2025, 01:18

250328-bn2gcszyfy 10

21/02/2022, 14:26

220221-rrw9taaed3 10

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
21/02/2022, 14:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

_BUSAN_HOCHIMINH_FEB.25.exe
Size

738KB
MD5

08b4042d2a89ebcff8537ba458295e48
SHA1

91e3fd4718786c523620c31465232113580ea477
SHA256

388292015e4c2d075b935a8299d99335d957e3ad5134a33f28c4dc7f5e3687c5
SHA512

5be0e94d68f8d0599c9323bb4c03635a0e000ff541b9924f6b83eba8adeda55c9528c818093f690249f51cd1976389c77d841e7f373fb1b5d362ba57ea36a222

Score

10^/10

formbook a04s rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

a04s

Decoy

lovelyveganfoods.com

wahidi.net

hwcstl.com

psnews.today

depress-elastic.com

r3mixlogistics.com

crimeawartoken.com

changethewayyouseegreen.com

mfa-azubi.com

maximizeprofit.store

alternativesclimat.net

turkcellsuperonline.xyz

extractword.com

radiotec-solutions.com

flawlesscity.com

schatzbenifits.com

gymzf.xyz

runpa.site

cryptocdes.biz

harryhoppe.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/2276-143-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/1844-164-0x0000000000380000-0x00000000003AF000-memory.dmp	formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	_BUSAN_HOCHIMINH_FEB.25.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 336 set thread context of 2276	336	_BUSAN_HOCHIMINH_FEB.25.exe	103
PID 2276 set thread context of 2436	2276	vbc.exe	28
PID 1844 set thread context of 2436	1844	explorer.exe	28

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3968	schtasks.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
336	_BUSAN_HOCHIMINH_FEB.25.exe
336	_BUSAN_HOCHIMINH_FEB.25.exe
336	_BUSAN_HOCHIMINH_FEB.25.exe
336	_BUSAN_HOCHIMINH_FEB.25.exe
992	powershell.exe
2276	vbc.exe
2276	vbc.exe
992	powershell.exe
2276	vbc.exe
2276	vbc.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2436	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2276	vbc.exe
2276	vbc.exe
2276	vbc.exe
1844	explorer.exe
1844	explorer.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3592	svchost.exe
Token: SeCreatePagefilePrivilege	3592	svchost.exe
Token: SeShutdownPrivilege	3592	svchost.exe
Token: SeCreatePagefilePrivilege	3592	svchost.exe
Token: SeShutdownPrivilege	3592	svchost.exe
Token: SeCreatePagefilePrivilege	3592	svchost.exe
Token: SeDebugPrivilege	336	_BUSAN_HOCHIMINH_FEB.25.exe
Token: SeDebugPrivilege	992	powershell.exe
Token: SeDebugPrivilege	2276	vbc.exe
Token: SeDebugPrivilege	1844	explorer.exe
Token: SeShutdownPrivilege	2436	Explorer.EXE
Token: SeCreatePagefilePrivilege	2436	Explorer.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 336 wrote to memory of 992	336	_BUSAN_HOCHIMINH_FEB.25.exe	98
PID 336 wrote to memory of 992	336	_BUSAN_HOCHIMINH_FEB.25.exe	98
PID 336 wrote to memory of 992	336	_BUSAN_HOCHIMINH_FEB.25.exe	98
PID 336 wrote to memory of 3968	336	_BUSAN_HOCHIMINH_FEB.25.exe	100
PID 336 wrote to memory of 3968	336	_BUSAN_HOCHIMINH_FEB.25.exe	100
PID 336 wrote to memory of 3968	336	_BUSAN_HOCHIMINH_FEB.25.exe	100
PID 336 wrote to memory of 260	336	_BUSAN_HOCHIMINH_FEB.25.exe	102
PID 336 wrote to memory of 260	336	_BUSAN_HOCHIMINH_FEB.25.exe	102
PID 336 wrote to memory of 260	336	_BUSAN_HOCHIMINH_FEB.25.exe	102
PID 336 wrote to memory of 2276	336	_BUSAN_HOCHIMINH_FEB.25.exe	103
PID 336 wrote to memory of 2276	336	_BUSAN_HOCHIMINH_FEB.25.exe	103
PID 336 wrote to memory of 2276	336	_BUSAN_HOCHIMINH_FEB.25.exe	103
PID 336 wrote to memory of 2276	336	_BUSAN_HOCHIMINH_FEB.25.exe	103
PID 336 wrote to memory of 2276	336	_BUSAN_HOCHIMINH_FEB.25.exe	103
PID 336 wrote to memory of 2276	336	_BUSAN_HOCHIMINH_FEB.25.exe	103
PID 2436 wrote to memory of 1844	2436	Explorer.EXE	104
PID 2436 wrote to memory of 1844	2436	Explorer.EXE	104
PID 2436 wrote to memory of 1844	2436	Explorer.EXE	104
PID 1844 wrote to memory of 820	1844	explorer.exe	105
PID 1844 wrote to memory of 820	1844	explorer.exe	105
PID 1844 wrote to memory of 820	1844	explorer.exe	105

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Users\Admin\AppData\Local\Temp\_BUSAN_HOCHIMINH_FEB.25.exe
  "C:\Users\Admin\AppData\Local\Temp\_BUSAN_HOCHIMINH_FEB.25.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:336
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\YtGUemuxgzC.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:992
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YtGUemuxgzC" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD5EB.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:3968
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:260
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2276
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\SysWOW64\explorer.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1844
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/336-139-0x0000000006ED0000-0x0000000006F6C000-memory.dmp

Filesize
624KB

Download
memory/336-131-0x0000000000310000-0x00000000003CE000-memory.dmp

Filesize
760KB

Download
memory/336-132-0x0000000005280000-0x0000000005824000-memory.dmp

Filesize
5.6MB

Download
memory/336-133-0x0000000004D70000-0x0000000004E02000-memory.dmp

Filesize
584KB

Download
memory/336-134-0x0000000004E10000-0x0000000004E1A000-memory.dmp

Filesize
40KB

Download
memory/336-135-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

Filesize
4KB

Download
memory/336-130-0x0000000074BDE000-0x0000000074BDF000-memory.dmp

Filesize
4KB

Download
memory/992-151-0x0000000006370000-0x000000000638E000-memory.dmp

Filesize
120KB

Download
memory/992-156-0x0000000005015000-0x0000000005017000-memory.dmp

Filesize
8KB

Download
memory/992-140-0x0000000002A60000-0x0000000002A96000-memory.dmp

Filesize
216KB

Download
memory/992-170-0x0000000007990000-0x0000000007998000-memory.dmp

Filesize
32KB

Download
memory/992-142-0x0000000005650000-0x0000000005C78000-memory.dmp

Filesize
6.2MB

Download
memory/992-169-0x00000000079B0000-0x00000000079CA000-memory.dmp

Filesize
104KB

Download
memory/992-145-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/992-144-0x0000000074BDE000-0x0000000074BDF000-memory.dmp

Filesize
4KB

Download
memory/992-146-0x0000000005012000-0x0000000005013000-memory.dmp

Filesize
4KB

Download
memory/992-147-0x00000000053C0000-0x00000000053E2000-memory.dmp

Filesize
136KB

Download
memory/992-148-0x0000000005460000-0x00000000054C6000-memory.dmp

Filesize
408KB

Download
memory/992-149-0x0000000005D80000-0x0000000005DE6000-memory.dmp

Filesize
408KB

Download
memory/992-168-0x00000000078A0000-0x00000000078AE000-memory.dmp

Filesize
56KB

Download
memory/992-166-0x00000000078F0000-0x0000000007986000-memory.dmp

Filesize
600KB

Download
memory/992-165-0x00000000076E0000-0x00000000076EA000-memory.dmp

Filesize
40KB

Download
memory/992-162-0x000000007F8D0000-0x000000007F8D1000-memory.dmp

Filesize
4KB

Download
memory/992-161-0x0000000007670000-0x000000000768A000-memory.dmp

Filesize
104KB

Download
memory/992-160-0x0000000007CC0000-0x000000000833A000-memory.dmp

Filesize
6.5MB

Download
memory/992-157-0x0000000006960000-0x0000000006992000-memory.dmp

Filesize
200KB

Download
memory/992-158-0x0000000071490000-0x00000000714DC000-memory.dmp

Filesize
304KB

Download
memory/992-159-0x0000000006920000-0x000000000693E000-memory.dmp

Filesize
120KB

Download
memory/1844-164-0x0000000000380000-0x00000000003AF000-memory.dmp

Filesize
188KB

Download
memory/1844-171-0x0000000002790000-0x0000000002824000-memory.dmp

Filesize
592KB

Download
memory/1844-167-0x0000000002C00000-0x0000000002F4A000-memory.dmp

Filesize
3.3MB

Download
memory/1844-163-0x0000000000520000-0x0000000000953000-memory.dmp

Filesize
4.2MB

Download
memory/2276-152-0x00000000017B0000-0x0000000001AFA000-memory.dmp

Filesize
3.3MB

Download
memory/2276-153-0x000000000041F000-0x0000000000420000-memory.dmp

Filesize
4KB

Download
memory/2276-154-0x0000000001750000-0x0000000001765000-memory.dmp

Filesize
84KB

Download
memory/2276-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2436-155-0x0000000007E60000-0x0000000007F6A000-memory.dmp

Filesize
1.0MB

Download
memory/2436-172-0x0000000002E80000-0x0000000002F29000-memory.dmp

Filesize
676KB

Download
memory/3592-138-0x000001E974600000-0x000001E974604000-memory.dmp

Filesize
16KB

Download
memory/3592-136-0x000001E971980000-0x000001E971990000-memory.dmp

Filesize
64KB

Download
memory/3592-137-0x000001E971F20000-0x000001E971F30000-memory.dmp

Filesize
64KB

Download