formbook | e10cbd14bad3693345f6fa7d09e1336c1b2033900e1b1b55ccf0a76a98b1c79a

Analysis

max time kernel
148s
max time network
151s
platform
windows10_x64
resource
win10-20220414-en
submitted
28-06-2022 09:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e10cbd14bad3693345f6fa7d09e1336c1b2033900e1b1b55ccf0a76a98b1c79a.exe
Size

854KB
MD5

cc3b22bd3d92f8209de3a45f1b49b05d
SHA1

46f5d875d74b9dc5f4519b6aff1efdf62df70c73
SHA256

e10cbd14bad3693345f6fa7d09e1336c1b2033900e1b1b55ccf0a76a98b1c79a
SHA512

81eef9b07333b31a8016986f15a6ad519e77643bab1f2c557a5bea4014e1626702854c5c180c883c517ecaebd8a1a823da63d2533e7f9f73c0b8a1d7fd4612cf

Score

10^/10

formbook ba17 rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ba17

Decoy

bearwant.com

sdsguanfang.com

steamcommunityvia.top

sugarplumtreasures.com

koronislakefishing.com

jmae.xyz

xhxnqemkiqe.xyz

playzcrew.com

zatwsbq.com

lankofix.com

sh-zhepeng.com

mibodamisxv.online

butterflyjewelry.store

finestrecitalto-spottoday.info

globomateria.com

royalmdarts.com

d4af10836709.com

shepwill.com

67aldrich.info

trustedmakers.club

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1552-211-0x000000000041F1E0-mapping.dmp	formbook
behavioral1/memory/1552-234-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/4020-255-0x0000000000C10000-0x0000000000C3F000-memory.dmp	formbook
behavioral1/memory/4020-272-0x0000000000C10000-0x0000000000C3F000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

e10cbd14bad3693345f6fa7d09e1336c1b2033900e1b1b55ccf0a76a98b1c79a.exeRegSvcs.exenetsh.exe

description	pid	process	target process
PID 2756 set thread context of 1552	2756	e10cbd14bad3693345f6fa7d09e1336c1b2033900e1b1b55ccf0a76a98b1c79a.exe	RegSvcs.exe
PID 1552 set thread context of 3152	1552	RegSvcs.exe	Explorer.EXE
PID 4020 set thread context of 3152	4020	netsh.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2600 schtasks.exe

pid	process
2600	schtasks.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

Processes:

e10cbd14bad3693345f6fa7d09e1336c1b2033900e1b1b55ccf0a76a98b1c79a.exeRegSvcs.exenetsh.exe

pid	process
2756	e10cbd14bad3693345f6fa7d09e1336c1b2033900e1b1b55ccf0a76a98b1c79a.exe
2756	e10cbd14bad3693345f6fa7d09e1336c1b2033900e1b1b55ccf0a76a98b1c79a.exe
2756	e10cbd14bad3693345f6fa7d09e1336c1b2033900e1b1b55ccf0a76a98b1c79a.exe
1552	RegSvcs.exe
1552	RegSvcs.exe
1552	RegSvcs.exe
1552	RegSvcs.exe
4020	netsh.exe
4020	netsh.exe
4020	netsh.exe
4020	netsh.exe
4020	netsh.exe
4020	netsh.exe
4020	netsh.exe
4020	netsh.exe
4020	netsh.exe
4020	netsh.exe
4020	netsh.exe
4020	netsh.exe
4020	netsh.exe
4020	netsh.exe
4020	netsh.exe
4020	netsh.exe
4020	netsh.exe
4020	netsh.exe
4020	netsh.exe
4020	netsh.exe
4020	netsh.exe
4020	netsh.exe
4020	netsh.exe
4020	netsh.exe
4020	netsh.exe
4020	netsh.exe
4020	netsh.exe
4020	netsh.exe
4020	netsh.exe
4020	netsh.exe
4020	netsh.exe
4020	netsh.exe
4020	netsh.exe
4020	netsh.exe
4020	netsh.exe
4020	netsh.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3152 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

RegSvcs.exenetsh.exe

pid process

1552 RegSvcs.exe
1552 RegSvcs.exe
1552 RegSvcs.exe
4020 netsh.exe
4020 netsh.exe

pid	process
3152	Explorer.EXE

pid	process
1552	RegSvcs.exe
1552	RegSvcs.exe
1552	RegSvcs.exe
4020	netsh.exe
4020	netsh.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

e10cbd14bad3693345f6fa7d09e1336c1b2033900e1b1b55ccf0a76a98b1c79a.exeRegSvcs.exenetsh.exe

description	pid	process
Token: SeDebugPrivilege	2756	e10cbd14bad3693345f6fa7d09e1336c1b2033900e1b1b55ccf0a76a98b1c79a.exe
Token: SeDebugPrivilege	1552	RegSvcs.exe
Token: SeDebugPrivilege	4020	netsh.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

e10cbd14bad3693345f6fa7d09e1336c1b2033900e1b1b55ccf0a76a98b1c79a.exeExplorer.EXEnetsh.exe

description	pid	process	target process
PID 2756 wrote to memory of 2600	2756	e10cbd14bad3693345f6fa7d09e1336c1b2033900e1b1b55ccf0a76a98b1c79a.exe	schtasks.exe
PID 2756 wrote to memory of 2600	2756	e10cbd14bad3693345f6fa7d09e1336c1b2033900e1b1b55ccf0a76a98b1c79a.exe	schtasks.exe
PID 2756 wrote to memory of 2600	2756	e10cbd14bad3693345f6fa7d09e1336c1b2033900e1b1b55ccf0a76a98b1c79a.exe	schtasks.exe
PID 2756 wrote to memory of 1908	2756	e10cbd14bad3693345f6fa7d09e1336c1b2033900e1b1b55ccf0a76a98b1c79a.exe	RegSvcs.exe
PID 2756 wrote to memory of 1908	2756	e10cbd14bad3693345f6fa7d09e1336c1b2033900e1b1b55ccf0a76a98b1c79a.exe	RegSvcs.exe
PID 2756 wrote to memory of 1908	2756	e10cbd14bad3693345f6fa7d09e1336c1b2033900e1b1b55ccf0a76a98b1c79a.exe	RegSvcs.exe
PID 2756 wrote to memory of 1552	2756	e10cbd14bad3693345f6fa7d09e1336c1b2033900e1b1b55ccf0a76a98b1c79a.exe	RegSvcs.exe
PID 2756 wrote to memory of 1552	2756	e10cbd14bad3693345f6fa7d09e1336c1b2033900e1b1b55ccf0a76a98b1c79a.exe	RegSvcs.exe
PID 2756 wrote to memory of 1552	2756	e10cbd14bad3693345f6fa7d09e1336c1b2033900e1b1b55ccf0a76a98b1c79a.exe	RegSvcs.exe
PID 2756 wrote to memory of 1552	2756	e10cbd14bad3693345f6fa7d09e1336c1b2033900e1b1b55ccf0a76a98b1c79a.exe	RegSvcs.exe
PID 2756 wrote to memory of 1552	2756	e10cbd14bad3693345f6fa7d09e1336c1b2033900e1b1b55ccf0a76a98b1c79a.exe	RegSvcs.exe
PID 2756 wrote to memory of 1552	2756	e10cbd14bad3693345f6fa7d09e1336c1b2033900e1b1b55ccf0a76a98b1c79a.exe	RegSvcs.exe
PID 3152 wrote to memory of 4020	3152	Explorer.EXE	netsh.exe
PID 3152 wrote to memory of 4020	3152	Explorer.EXE	netsh.exe
PID 3152 wrote to memory of 4020	3152	Explorer.EXE	netsh.exe
PID 4020 wrote to memory of 4652	4020	netsh.exe	cmd.exe
PID 4020 wrote to memory of 4652	4020	netsh.exe	cmd.exe
PID 4020 wrote to memory of 4652	4020	netsh.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3152

C:\Users\Admin\AppData\Local\Temp\e10cbd14bad3693345f6fa7d09e1336c1b2033900e1b1b55ccf0a76a98b1c79a.exe
"C:\Users\Admin\AppData\Local\Temp\e10cbd14bad3693345f6fa7d09e1336c1b2033900e1b1b55ccf0a76a98b1c79a.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2756

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OHyOwWfiz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1369.tmp"
3⤵
- Creates scheduled task(s)
PID:2600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
3⤵
PID:1908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4020

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:4652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1369.tmp
Filesize
1KB

MD5
cbb466540307605b6f35f815cd1c3843

SHA1
5b64d0670d0cd9557af3cf4bed9e50890dff8c5c

SHA256
7b64d378aec2337e9986c00ddb2335a0762c2471c65da9a8efebd3936b6d4219

SHA512
f6e34709f018454025085d791abaa1c6cc2bddf3a788d8212c00110a95062f068ab71627c719b53a6888959b7c2d7812126a04085ec50461c452ec20813efd71

Download Submit
memory/1552-211-0x000000000041F1E0-mapping.dmp

Download
memory/1552-234-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1552-235-0x00000000016B0000-0x00000000019D0000-memory.dmp

Filesize
3.1MB

Download
memory/1552-236-0x0000000001510000-0x00000000016AE000-memory.dmp

Filesize
1.6MB

Download
memory/2600-190-0x0000000000000000-mapping.dmp

Download
memory/2756-153-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-145-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-117-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-118-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-119-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-157-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-121-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-122-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-124-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-123-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-125-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-126-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-127-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-128-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-129-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-130-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-131-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-132-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-133-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-134-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-135-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-136-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-137-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-138-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-139-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-140-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-141-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-142-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-143-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-144-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-156-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-146-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-147-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-148-0x0000000000A30000-0x0000000000B0C000-memory.dmp

Filesize
880KB

Download
memory/2756-149-0x0000000005960000-0x0000000005E5E000-memory.dmp

Filesize
5.0MB

Download
memory/2756-150-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-151-0x0000000005390000-0x0000000005422000-memory.dmp

Filesize
584KB

Download
memory/2756-152-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-115-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-154-0x0000000005460000-0x00000000054FC000-memory.dmp

Filesize
624KB

Download
memory/2756-171-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-116-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-120-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-158-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-159-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-160-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-161-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-162-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-163-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-164-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-165-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-166-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-167-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-168-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-169-0x0000000005330000-0x000000000533A000-memory.dmp

Filesize
40KB

Download
memory/2756-170-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-155-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-172-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-173-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-174-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-175-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-176-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-177-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-178-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-179-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-180-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-114-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-181-0x0000000007950000-0x000000000795A000-memory.dmp

Filesize
40KB

Download
memory/2756-182-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-183-0x0000000007F70000-0x0000000008036000-memory.dmp

Filesize
792KB

Download
memory/2756-184-0x0000000008050000-0x00000000080C4000-memory.dmp

Filesize
464KB

Download
memory/2756-185-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-237-0x00000000030A0000-0x0000000003159000-memory.dmp

Filesize
740KB

Download
memory/3152-271-0x0000000005790000-0x0000000005865000-memory.dmp

Filesize
852KB

Download
memory/3152-274-0x0000000005790000-0x0000000005865000-memory.dmp

Filesize
852KB

Download
memory/4020-238-0x0000000000000000-mapping.dmp

Download
memory/4020-254-0x0000000001580000-0x000000000159E000-memory.dmp

Filesize
120KB

Download
memory/4020-255-0x0000000000C10000-0x0000000000C3F000-memory.dmp

Filesize
188KB

Download
memory/4020-258-0x00000000035A0000-0x00000000038C0000-memory.dmp

Filesize
3.1MB

Download
memory/4020-270-0x0000000001370000-0x0000000001501000-memory.dmp

Filesize
1.6MB

Download
memory/4020-272-0x0000000000C10000-0x0000000000C3F000-memory.dmp

Filesize
188KB

Download
memory/4020-273-0x0000000001370000-0x0000000001501000-memory.dmp

Filesize
1.6MB

Download
memory/4652-256-0x0000000000000000-mapping.dmp

Download