formbook | 5814e53e67e68d674db42f492fb1265b2fa65c70f31d706e38ef65b3bf3c8769

Analysis

max time kernel
148s
max time network
146s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
24-07-2022 16:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5814e53e67e68d674db42f492fb1265b2fa65c70f31d706e38ef65b3bf3c8769.exe
Size

212KB
MD5

0d6ae9500984c013e717fac3aa020e0f
SHA1

d87df965c6ae2e75380d6752dc0030fc7b891a1d
SHA256

5814e53e67e68d674db42f492fb1265b2fa65c70f31d706e38ef65b3bf3c8769
SHA512

e23dcd8c19590785409c789c47fb4a69e51dde2534f739a635b8b5b23f73705a42dbc6ef8dfaa336c1fad01d7355e4755717e5fba52f970fda5542356dd95dcf

Score

10^/10

formbook sh persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

Decoy

studiogoparty.com

furi-mold.com

cdicoun-tombola.info

elizabethlhall.com

nakayama-hanasai.com

9910pe.com

iraqbreakingnews.com

91fyy.com

intersafetyland.com

dddadditive.com

gewuan.net

ikwxanxb.click

shenghangdianzi.com

nuskinmemory.com

sonrel-julie.com

rapidlegalcenter.com

jcldsp.com

dibamoviez.net

sochuan66.com

platformoneclothing.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1680-67-0x0000000000510000-0x000000000053A000-memory.dmp	formbook
behavioral1/memory/1972-72-0x000000000041B5F0-mapping.dmp	formbook
behavioral1/memory/1972-74-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral1/memory/268-82-0x0000000000090000-0x00000000000BA000-memory.dmp	formbook
behavioral1/memory/268-86-0x0000000000090000-0x00000000000BA000-memory.dmp	formbook

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Key created	\Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FNJPZLYX = "C:\\Program Files (x86)\\Alds\\audiodg8pj81.exe"	rundll32.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

5814e53e67e68d674db42f492fb1265b2fa65c70f31d706e38ef65b3bf3c8769.exevbc.exerundll32.exe

description	pid	process	target process
PID 1680 set thread context of 1972	1680	5814e53e67e68d674db42f492fb1265b2fa65c70f31d706e38ef65b3bf3c8769.exe	vbc.exe
PID 1972 set thread context of 1184	1972	vbc.exe	Explorer.EXE
PID 268 set thread context of 1184	268	rundll32.exe	Explorer.EXE

Drops file in Program Files directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File opened for modification C:\Program Files (x86)\Alds\audiodg8pj81.exe rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Alds\audiodg8pj81.exe	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-3762437355-3468409815-1164039494-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	rundll32.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

5814e53e67e68d674db42f492fb1265b2fa65c70f31d706e38ef65b3bf3c8769.exevbc.exerundll32.exe

pid	process
1680	5814e53e67e68d674db42f492fb1265b2fa65c70f31d706e38ef65b3bf3c8769.exe
1680	5814e53e67e68d674db42f492fb1265b2fa65c70f31d706e38ef65b3bf3c8769.exe
1972	vbc.exe
1972	vbc.exe
268	rundll32.exe
268	rundll32.exe
268	rundll32.exe
268	rundll32.exe
268	rundll32.exe
268	rundll32.exe
268	rundll32.exe
268	rundll32.exe
268	rundll32.exe
268	rundll32.exe
268	rundll32.exe
268	rundll32.exe
268	rundll32.exe
268	rundll32.exe
268	rundll32.exe
268	rundll32.exe
268	rundll32.exe
268	rundll32.exe
268	rundll32.exe
268	rundll32.exe
268	rundll32.exe
268	rundll32.exe
268	rundll32.exe
268	rundll32.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

vbc.exerundll32.exe

pid process

1972 vbc.exe
1972 vbc.exe
1972 vbc.exe
268 rundll32.exe
268 rundll32.exe

pid	process
1972	vbc.exe
1972	vbc.exe
1972	vbc.exe
268	rundll32.exe
268	rundll32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

5814e53e67e68d674db42f492fb1265b2fa65c70f31d706e38ef65b3bf3c8769.exevbc.exerundll32.exe

description	pid	process
Token: SeDebugPrivilege	1680	5814e53e67e68d674db42f492fb1265b2fa65c70f31d706e38ef65b3bf3c8769.exe
Token: SeDebugPrivilege	1972	vbc.exe
Token: SeDebugPrivilege	268	rundll32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1184 Explorer.EXE
1184 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1184 Explorer.EXE
1184 Explorer.EXE

pid	process
1184	Explorer.EXE
1184	Explorer.EXE

pid	process
1184	Explorer.EXE
1184	Explorer.EXE

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

5814e53e67e68d674db42f492fb1265b2fa65c70f31d706e38ef65b3bf3c8769.execsc.exeExplorer.EXErundll32.exe

description	pid	process	target process
PID 1680 wrote to memory of 1652	1680	5814e53e67e68d674db42f492fb1265b2fa65c70f31d706e38ef65b3bf3c8769.exe	csc.exe
PID 1680 wrote to memory of 1652	1680	5814e53e67e68d674db42f492fb1265b2fa65c70f31d706e38ef65b3bf3c8769.exe	csc.exe
PID 1680 wrote to memory of 1652	1680	5814e53e67e68d674db42f492fb1265b2fa65c70f31d706e38ef65b3bf3c8769.exe	csc.exe
PID 1680 wrote to memory of 1652	1680	5814e53e67e68d674db42f492fb1265b2fa65c70f31d706e38ef65b3bf3c8769.exe	csc.exe
PID 1652 wrote to memory of 1140	1652	csc.exe	cvtres.exe
PID 1652 wrote to memory of 1140	1652	csc.exe	cvtres.exe
PID 1652 wrote to memory of 1140	1652	csc.exe	cvtres.exe
PID 1652 wrote to memory of 1140	1652	csc.exe	cvtres.exe
PID 1680 wrote to memory of 1972	1680	5814e53e67e68d674db42f492fb1265b2fa65c70f31d706e38ef65b3bf3c8769.exe	vbc.exe
PID 1680 wrote to memory of 1972	1680	5814e53e67e68d674db42f492fb1265b2fa65c70f31d706e38ef65b3bf3c8769.exe	vbc.exe
PID 1680 wrote to memory of 1972	1680	5814e53e67e68d674db42f492fb1265b2fa65c70f31d706e38ef65b3bf3c8769.exe	vbc.exe
PID 1680 wrote to memory of 1972	1680	5814e53e67e68d674db42f492fb1265b2fa65c70f31d706e38ef65b3bf3c8769.exe	vbc.exe
PID 1680 wrote to memory of 1972	1680	5814e53e67e68d674db42f492fb1265b2fa65c70f31d706e38ef65b3bf3c8769.exe	vbc.exe
PID 1680 wrote to memory of 1972	1680	5814e53e67e68d674db42f492fb1265b2fa65c70f31d706e38ef65b3bf3c8769.exe	vbc.exe
PID 1680 wrote to memory of 1972	1680	5814e53e67e68d674db42f492fb1265b2fa65c70f31d706e38ef65b3bf3c8769.exe	vbc.exe
PID 1184 wrote to memory of 268	1184	Explorer.EXE	rundll32.exe
PID 1184 wrote to memory of 268	1184	Explorer.EXE	rundll32.exe
PID 1184 wrote to memory of 268	1184	Explorer.EXE	rundll32.exe
PID 1184 wrote to memory of 268	1184	Explorer.EXE	rundll32.exe
PID 1184 wrote to memory of 268	1184	Explorer.EXE	rundll32.exe
PID 1184 wrote to memory of 268	1184	Explorer.EXE	rundll32.exe
PID 1184 wrote to memory of 268	1184	Explorer.EXE	rundll32.exe
PID 268 wrote to memory of 628	268	rundll32.exe	cmd.exe
PID 268 wrote to memory of 628	268	rundll32.exe	cmd.exe
PID 268 wrote to memory of 628	268	rundll32.exe	cmd.exe
PID 268 wrote to memory of 628	268	rundll32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1184

C:\Users\Admin\AppData\Local\Temp\5814e53e67e68d674db42f492fb1265b2fa65c70f31d706e38ef65b3bf3c8769.exe
"C:\Users\Admin\AppData\Local\Temp\5814e53e67e68d674db42f492fb1265b2fa65c70f31d706e38ef65b3bf3c8769.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uo53p1p0\uo53p1p0.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES59D.tmp" "c:\Users\Admin\AppData\Local\Temp\uo53p1p0\CSC86709A863F94508BB993E717BDA3BBA.TMP"
4⤵
PID:1140

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1972

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
3⤵
PID:628

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES59D.tmp
Filesize
1KB

MD5
4f40a39edabab9866001d4fceba680a2

SHA1
ea4d361812235aec2db7b4f1460b1652635a5375

SHA256
e1f2c12322ce61bbaed23428f2bb0c4470afa5d78d3be74117990c6fb4f64823

SHA512
f5b334089c5f2838b7b1de1d183b4a4a1646263271c91425f6113a751d48f1de4d0a8dd8cb0c63fdb3fe38d5af710984f43df37ee5f629b455b0285dd257942a

Download Submit
C:\Users\Admin\AppData\Local\Temp\uo53p1p0\uo53p1p0.dll
Filesize
6KB

MD5
92da577a002e7bac90cac084e7059882

SHA1
442a0a55964ecf0e0a17d5e5e109e7b9f341b562

SHA256
e3f035ee2b823de41ed503c089fbf97a7989c9d6a0a831b0d9ad8c81339fdfe4

SHA512
3c4e3abf0853e97b583750974129a9d682d58f604e36d0975904237f21f32ec4f3a006af8ec11fbda7e23e1ec292e77c49e5770e467b4381243e12320e5f15ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\uo53p1p0\uo53p1p0.pdb
Filesize
15KB

MD5
f80a718f252bc14117c6c90b487f7bfc

SHA1
8e954b656df4eb0d0347b3072eb91fe478bd961c

SHA256
3332809ae446951a0f975deb177741af279fdabc44d1a3756f78f8fccf324378

SHA512
8bbf6a5cf70ecf2cd2e2a2c34d06781610b3b4aa5205125045e282979d36309289b1cee7998f12d12488802fb1d5e7f95a3ead032179cbc40a833d955ee22920

Download Submit
C:\Users\Admin\AppData\Roaming\5Q6010RE\5Q6logim.jpeg
Filesize
69KB

MD5
5af434ffd7ddd0d551cb91498a9ffb0c

SHA1
ae0cd29101bdf8c04d9c44acc7595cd92afd2e4c

SHA256
0d8df84447fcc1347dd19aaf9a439c2db155c61d7a086e6b9445f90f0cca8606

SHA512
9e3c56c38faf9612b86224eb5120722e3656188f33b59e6f41d8a6ef0a00ae7799f47e5f316685ab3e578dcfc4db1dc0e31c570a038cee0acfc7bafbb6e16b7c

Download Submit
C:\Users\Admin\AppData\Roaming\5Q6010RE\5Q6logri.ini
Filesize
40B

MD5
d63a82e5d81e02e399090af26db0b9cb

SHA1
91d0014c8f54743bba141fd60c9d963f869d76c9

SHA256
eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

SHA512
38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

Download Submit
C:\Users\Admin\AppData\Roaming\5Q6010RE\5Q6logrv.ini
Filesize
40B

MD5
ba3b6bc807d4f76794c4b81b09bb9ba5

SHA1
24cb89501f0212ff3095ecc0aba97dd563718fb1

SHA256
6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507

SHA512
ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uo53p1p0\CSC86709A863F94508BB993E717BDA3BBA.TMP
Filesize
1KB

MD5
35a697b99f4deea25c9d6a33132b9f26

SHA1
e715da841fdcf6a6daeedfbdde098c1307aca477

SHA256
0358cc2177a1ff7b26edc756ae9cbe922509c8ba1925a00f8e2b34ce1a4340d1

SHA512
71a10cd0296224e25c5b4f471e939ae97288660cb22b37bec49a4ad8f5827c916a278405febce289fc62233eb0ad368dfd4255f09cc5afb7edb07892dbbde042

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uo53p1p0\uo53p1p0.0.cs
Filesize
2KB

MD5
421361a3d045f5360f16aa4c0c7c03c3

SHA1
cb476e91cd6e5e0c19a3523579ebbcefc15b306f

SHA256
282195a76f75c630af8034d6059dc421f05e2aa6d27b25ce2bb0ea4a7d9bd08b

SHA512
232179493833a5251412533d571e2919792e895341c7bed9f93802b9563e441ee1b657b676db432960d17ae397baad09134da3b1ddb57ee346faca176b563164

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uo53p1p0\uo53p1p0.cmdline
Filesize
248B

MD5
15876a12feb57b3adade729e4129f018

SHA1
6b7d1d24ffbece03adf023a39dc37123f11cba83

SHA256
2017e506dda68e3bb049439f5467d0b773da0b22dd060f2c8c0a339e3f751f11

SHA512
0564d6624d5d7204f4df36f6daa73672485a5c7ca283c382855bf87ef504360ae7751d0a262e8e20632f93d91f84a6adf232f04e9bbf408052d4aabf2191c9d4

Download Submit
memory/268-82-0x0000000000090000-0x00000000000BA000-memory.dmp

Filesize
168KB

Download
memory/268-78-0x0000000000000000-mapping.dmp

Download
memory/268-86-0x0000000000090000-0x00000000000BA000-memory.dmp

Filesize
168KB

Download
memory/268-84-0x0000000000A80000-0x0000000000B13000-memory.dmp

Filesize
588KB

Download
memory/268-83-0x0000000001F80000-0x0000000002283000-memory.dmp

Filesize
3.0MB

Download
memory/268-81-0x00000000005B0000-0x00000000005BE000-memory.dmp

Filesize
56KB

Download
memory/628-80-0x0000000000000000-mapping.dmp

Download
memory/1140-58-0x0000000000000000-mapping.dmp

Download
memory/1184-77-0x0000000004D20000-0x0000000004E88000-memory.dmp

Filesize
1.4MB

Download
memory/1184-85-0x0000000004AE0000-0x0000000004BE8000-memory.dmp

Filesize
1.0MB

Download
memory/1184-87-0x0000000004AE0000-0x0000000004BE8000-memory.dmp

Filesize
1.0MB

Download
memory/1652-55-0x0000000000000000-mapping.dmp

Download
memory/1680-54-0x0000000000C70000-0x0000000000CAA000-memory.dmp

Filesize
232KB

Download
memory/1680-67-0x0000000000510000-0x000000000053A000-memory.dmp

Filesize
168KB

Download
memory/1680-66-0x00000000756C1000-0x00000000756C3000-memory.dmp

Filesize
8KB

Download
memory/1680-64-0x0000000000490000-0x00000000004CA000-memory.dmp

Filesize
232KB

Download
memory/1680-63-0x0000000000300000-0x0000000000308000-memory.dmp

Filesize
32KB

Download
memory/1680-65-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download
memory/1972-72-0x000000000041B5F0-mapping.dmp

Download
memory/1972-68-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1972-75-0x0000000000730000-0x0000000000A33000-memory.dmp

Filesize
3.0MB

Download
memory/1972-69-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1972-74-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1972-76-0x0000000000480000-0x0000000000494000-memory.dmp

Filesize
80KB

Download