formbook | cae8e977de32b6913c75f8ec8fb052b7fdb3bd293c7e2840df3afc2248e0e568

Analysis

max time kernel
148s
max time network
153s
platform
windows7_x64
resource
win7-20220715-en
resource tags

arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
submitted
25-07-2022 02:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cae8e977de32b6913c75f8ec8fb052b7fdb3bd293c7e2840df3afc2248e0e568.exe
Size

293KB
MD5

6f1685cc2b2a642ae65783697ba6e983
SHA1

60cea5318393a8723f150e7fb9ad448489e955c7
SHA256

cae8e977de32b6913c75f8ec8fb052b7fdb3bd293c7e2840df3afc2248e0e568
SHA512

ddcd2f12e5fd098396787e067a52553ee4709f71c82ad5060a1304841d7498d459814bf104e362f563165f1a8919f9bf352c652adedbffc539618b2ff85ae5f3

Score

10^/10

formbook sh persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

Decoy

studiogoparty.com

furi-mold.com

cdicoun-tombola.info

elizabethlhall.com

nakayama-hanasai.com

9910pe.com

iraqbreakingnews.com

91fyy.com

intersafetyland.com

dddadditive.com

gewuan.net

ikwxanxb.click

shenghangdianzi.com

nuskinmemory.com

sonrel-julie.com

rapidlegalcenter.com

jcldsp.com

dibamoviez.net

sochuan66.com

platformoneclothing.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2024-66-0x0000000000B00000-0x0000000000B2A000-memory.dmp	formbook
behavioral1/memory/1716-71-0x000000000041B5F0-mapping.dmp	formbook
behavioral1/memory/1716-73-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral1/memory/1716-81-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral1/memory/856-85-0x0000000000080000-0x00000000000AA000-memory.dmp	formbook
behavioral1/memory/856-89-0x0000000000080000-0x00000000000AA000-memory.dmp	formbook

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

help.exe

description	ioc	process
Key created	\Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	help.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HZ-DPL3P_2 = "C:\\Program Files (x86)\\Fl4j8nz\\updatedrupftbp.exe"	help.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

cae8e977de32b6913c75f8ec8fb052b7fdb3bd293c7e2840df3afc2248e0e568.exevbc.exehelp.exe

description	pid	process	target process
PID 2024 set thread context of 1716	2024	cae8e977de32b6913c75f8ec8fb052b7fdb3bd293c7e2840df3afc2248e0e568.exe	vbc.exe
PID 1716 set thread context of 1228	1716	vbc.exe	Explorer.EXE
PID 1716 set thread context of 1228	1716	vbc.exe	Explorer.EXE
PID 856 set thread context of 1228	856	help.exe	Explorer.EXE

Drops file in Program Files directory 1 IoCs

Processes:

help.exe

description ioc process

File opened for modification C:\Program Files (x86)\Fl4j8nz\updatedrupftbp.exe help.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Fl4j8nz\updatedrupftbp.exe	help.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

help.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-335065374-4263250628-1829373619-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	help.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

cae8e977de32b6913c75f8ec8fb052b7fdb3bd293c7e2840df3afc2248e0e568.exevbc.exehelp.exe

pid	process
2024	cae8e977de32b6913c75f8ec8fb052b7fdb3bd293c7e2840df3afc2248e0e568.exe
2024	cae8e977de32b6913c75f8ec8fb052b7fdb3bd293c7e2840df3afc2248e0e568.exe
1716	vbc.exe
1716	vbc.exe
1716	vbc.exe
856	help.exe
856	help.exe
856	help.exe
856	help.exe
856	help.exe
856	help.exe
856	help.exe
856	help.exe
856	help.exe
856	help.exe
856	help.exe
856	help.exe
856	help.exe
856	help.exe
856	help.exe
856	help.exe
856	help.exe
856	help.exe
856	help.exe
856	help.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

vbc.exehelp.exe

pid process

1716 vbc.exe
1716 vbc.exe
1716 vbc.exe
1716 vbc.exe
856 help.exe
856 help.exe

pid	process
1716	vbc.exe
1716	vbc.exe
1716	vbc.exe
1716	vbc.exe
856	help.exe
856	help.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

cae8e977de32b6913c75f8ec8fb052b7fdb3bd293c7e2840df3afc2248e0e568.exevbc.exehelp.exe

description	pid	process
Token: SeDebugPrivilege	2024	cae8e977de32b6913c75f8ec8fb052b7fdb3bd293c7e2840df3afc2248e0e568.exe
Token: SeDebugPrivilege	1716	vbc.exe
Token: SeDebugPrivilege	856	help.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1228 Explorer.EXE
1228 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1228 Explorer.EXE
1228 Explorer.EXE

pid	process
1228	Explorer.EXE
1228	Explorer.EXE

pid	process
1228	Explorer.EXE
1228	Explorer.EXE

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

cae8e977de32b6913c75f8ec8fb052b7fdb3bd293c7e2840df3afc2248e0e568.execsc.exeExplorer.EXEhelp.exe

description	pid	process	target process
PID 2024 wrote to memory of 1992	2024	cae8e977de32b6913c75f8ec8fb052b7fdb3bd293c7e2840df3afc2248e0e568.exe	csc.exe
PID 2024 wrote to memory of 1992	2024	cae8e977de32b6913c75f8ec8fb052b7fdb3bd293c7e2840df3afc2248e0e568.exe	csc.exe
PID 2024 wrote to memory of 1992	2024	cae8e977de32b6913c75f8ec8fb052b7fdb3bd293c7e2840df3afc2248e0e568.exe	csc.exe
PID 2024 wrote to memory of 1992	2024	cae8e977de32b6913c75f8ec8fb052b7fdb3bd293c7e2840df3afc2248e0e568.exe	csc.exe
PID 1992 wrote to memory of 996	1992	csc.exe	cvtres.exe
PID 1992 wrote to memory of 996	1992	csc.exe	cvtres.exe
PID 1992 wrote to memory of 996	1992	csc.exe	cvtres.exe
PID 1992 wrote to memory of 996	1992	csc.exe	cvtres.exe
PID 2024 wrote to memory of 1716	2024	cae8e977de32b6913c75f8ec8fb052b7fdb3bd293c7e2840df3afc2248e0e568.exe	vbc.exe
PID 2024 wrote to memory of 1716	2024	cae8e977de32b6913c75f8ec8fb052b7fdb3bd293c7e2840df3afc2248e0e568.exe	vbc.exe
PID 2024 wrote to memory of 1716	2024	cae8e977de32b6913c75f8ec8fb052b7fdb3bd293c7e2840df3afc2248e0e568.exe	vbc.exe
PID 2024 wrote to memory of 1716	2024	cae8e977de32b6913c75f8ec8fb052b7fdb3bd293c7e2840df3afc2248e0e568.exe	vbc.exe
PID 2024 wrote to memory of 1716	2024	cae8e977de32b6913c75f8ec8fb052b7fdb3bd293c7e2840df3afc2248e0e568.exe	vbc.exe
PID 2024 wrote to memory of 1716	2024	cae8e977de32b6913c75f8ec8fb052b7fdb3bd293c7e2840df3afc2248e0e568.exe	vbc.exe
PID 2024 wrote to memory of 1716	2024	cae8e977de32b6913c75f8ec8fb052b7fdb3bd293c7e2840df3afc2248e0e568.exe	vbc.exe
PID 1228 wrote to memory of 856	1228	Explorer.EXE	help.exe
PID 1228 wrote to memory of 856	1228	Explorer.EXE	help.exe
PID 1228 wrote to memory of 856	1228	Explorer.EXE	help.exe
PID 1228 wrote to memory of 856	1228	Explorer.EXE	help.exe
PID 856 wrote to memory of 1500	856	help.exe	cmd.exe
PID 856 wrote to memory of 1500	856	help.exe	cmd.exe
PID 856 wrote to memory of 1500	856	help.exe	cmd.exe
PID 856 wrote to memory of 1500	856	help.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1228

C:\Users\Admin\AppData\Local\Temp\cae8e977de32b6913c75f8ec8fb052b7fdb3bd293c7e2840df3afc2248e0e568.exe
"C:\Users\Admin\AppData\Local\Temp\cae8e977de32b6913c75f8ec8fb052b7fdb3bd293c7e2840df3afc2248e0e568.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3pta5k1j\3pta5k1j.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES63B3.tmp" "c:\Users\Admin\AppData\Local\Temp\3pta5k1j\CSC2E4A6092C9C3466EA09ED33B6290F55E.TMP"
4⤵
PID:996

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:628

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
3⤵
PID:1500

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3pta5k1j\3pta5k1j.dll
Filesize
15KB

MD5
63010214d722fcaa41c39b836d80b925

SHA1
49de2a4fcf923fb35b4ad821e52947d2b20364de

SHA256
ef983a6ed44a85b6df43006533bb25230b6fe166f9b928114d6548e7f9b6fc07

SHA512
fccd46fd77d0018489504aec311d8d93c690e4fee2d0be10273f91a7f5cc10c7d5f8b7b9cbe9c513b5a587c55d10bbf31a3d5543900177890098ff500938e3d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3pta5k1j\3pta5k1j.pdb
Filesize
51KB

MD5
c0d5bcd3e6a060ed2ff69996462efdcb

SHA1
39a0700096a298d1da8d9d632abcf839a29559d3

SHA256
359752761a9d79e5bec466a5b4af7346a706afd42a535771ce61e54def680e52

SHA512
73a5705b8704ba69155792e88b8a4499f6f2ab5d6120a95cbdb15f0b5c9f47ca2a443e3c87d9a34bc9d2d0a536a00996fb6669967529a6cabd8fd805aeddef7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES63B3.tmp
Filesize
1KB

MD5
5b2bad782a38e07756b35808600dacb5

SHA1
47e00c2c11ee10604370ff301dd9b076aa6073ae

SHA256
1608749994098c1c93a14ba2cb99b95c66bb48a6cec096d2686df3de43c70e67

SHA512
2c27c58dfd78357dde9b86a97021ea9833030c8e3167b28f61fab2e936f157635f2b50385a71877d45c318531647e0524d34ecdffafc883fba95b216f3189dac

Download Submit
C:\Users\Admin\AppData\Roaming\5Q6010RE\5Q6logim.jpeg
Filesize
72KB

MD5
8d4ba2a87ad4c0010a420d2d0877df6d

SHA1
1c749d1086bdb91d1995cbce082bed0080379e3d

SHA256
979cdab68d0c8e1914ff4d9614e910f6dae09068114707633629c80caa3a22b2

SHA512
81ead004c9bb06e7524954f2b73c8730ca757209ad0ed9b5ea630ef0b5189c085a39933ac54408ce0e9e7fc5cbd0e841154ac0569e4fcbc2519175485edbc4fa

Download Submit
C:\Users\Admin\AppData\Roaming\5Q6010RE\5Q6logri.ini
Filesize
40B

MD5
d63a82e5d81e02e399090af26db0b9cb

SHA1
91d0014c8f54743bba141fd60c9d963f869d76c9

SHA256
eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

SHA512
38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

Download Submit
C:\Users\Admin\AppData\Roaming\5Q6010RE\5Q6logrv.ini
Filesize
40B

MD5
ba3b6bc807d4f76794c4b81b09bb9ba5

SHA1
24cb89501f0212ff3095ecc0aba97dd563718fb1

SHA256
6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507

SHA512
ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3pta5k1j\3pta5k1j.0.cs
Filesize
29KB

MD5
7cf2e534a9a96bea31cc6db531cb6e89

SHA1
b67d75fd89a49fcda03d260ceeab889a91e0062a

SHA256
8430223be6873572809a9ac4f03a0178732abbf923402716e3cb7e6d9e8173c1

SHA512
519ce76ed51b22be2a470114e797a48a866db3cd006c12e473d26944bd1c8a66ce5a47c45f216a33306c2926cac3f324a13758a6f55296a643af5c5c316c3416

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3pta5k1j\3pta5k1j.cmdline
Filesize
248B

MD5
08f5ff6baeae4a96483900de551039de

SHA1
36cc8e1e5fc04ddd03d4f16104e4b85b2be60551

SHA256
9a485704b385d700434a53115c5192e22360ef67e46780deff093d44ae9ef5d4

SHA512
61272d3f9c647f22ad1df548d04561f17a01b89665f90627c31af5e5aabf972401dea627d491a8cb2b638f4890ec32be3be751af2f475e81c832a9a665bba22e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3pta5k1j\CSC2E4A6092C9C3466EA09ED33B6290F55E.TMP
Filesize
1KB

MD5
69709acae363217d22555e43627fd0ae

SHA1
79ba1241a572f242904e54dd765a9a535d5ed23d

SHA256
ded366d94dd8dc0210d4c754b3f6f60c6e4aff19a93e525116ce57c3f04f7a24

SHA512
159c88ddb7cd4341695b1e1a5a9f9648718bce4e1167d2347b7fa6bf14871705e02044cf3cb2d17f313feb75618b5c9ee5fa66a15c4d6c41cb03c373ef9247f0

Download Submit
memory/856-84-0x0000000000970000-0x0000000000C73000-memory.dmp

Filesize
3.0MB

Download
memory/856-87-0x0000000000770000-0x0000000000803000-memory.dmp

Filesize
588KB

Download
memory/856-91-0x0000000075B81000-0x0000000075B83000-memory.dmp

Filesize
8KB

Download
memory/856-80-0x0000000000000000-mapping.dmp

Download
memory/856-89-0x0000000000080000-0x00000000000AA000-memory.dmp

Filesize
168KB

Download
memory/856-83-0x0000000000290000-0x0000000000296000-memory.dmp

Filesize
24KB

Download
memory/856-85-0x0000000000080000-0x00000000000AA000-memory.dmp

Filesize
168KB

Download
memory/996-58-0x0000000000000000-mapping.dmp

Download
memory/1228-86-0x0000000004380000-0x0000000004457000-memory.dmp

Filesize
860KB

Download
memory/1228-76-0x0000000004380000-0x0000000004457000-memory.dmp

Filesize
860KB

Download
memory/1228-88-0x0000000004C80000-0x0000000004E05000-memory.dmp

Filesize
1.5MB

Download
memory/1228-79-0x0000000004A60000-0x0000000004B38000-memory.dmp

Filesize
864KB

Download
memory/1228-90-0x0000000004C80000-0x0000000004E05000-memory.dmp

Filesize
1.5MB

Download
memory/1500-82-0x0000000000000000-mapping.dmp

Download
memory/1716-75-0x00000000002D0000-0x00000000002E4000-memory.dmp

Filesize
80KB

Download
memory/1716-68-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1716-78-0x0000000000320000-0x0000000000334000-memory.dmp

Filesize
80KB

Download
memory/1716-67-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1716-74-0x0000000000860000-0x0000000000B63000-memory.dmp

Filesize
3.0MB

Download
memory/1716-73-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1716-71-0x000000000041B5F0-mapping.dmp

Download
memory/1716-81-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1992-55-0x0000000000000000-mapping.dmp

Download
memory/2024-54-0x0000000001210000-0x0000000001260000-memory.dmp

Filesize
320KB

Download
memory/2024-66-0x0000000000B00000-0x0000000000B2A000-memory.dmp

Filesize
168KB

Download
memory/2024-65-0x00000000005B0000-0x00000000005BC000-memory.dmp

Filesize
48KB

Download
memory/2024-64-0x0000000000A30000-0x0000000000A6A000-memory.dmp

Filesize
232KB

Download
memory/2024-63-0x0000000000380000-0x000000000038A000-memory.dmp

Filesize
40KB

Download