formbook | cae8e977de32b6913c75f8ec8fb052b7fdb3bd293c7e2840df3afc2248e0e568

Analysis

max time kernel
157s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
25-07-2022 02:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cae8e977de32b6913c75f8ec8fb052b7fdb3bd293c7e2840df3afc2248e0e568.exe
Size

293KB
MD5

6f1685cc2b2a642ae65783697ba6e983
SHA1

60cea5318393a8723f150e7fb9ad448489e955c7
SHA256

cae8e977de32b6913c75f8ec8fb052b7fdb3bd293c7e2840df3afc2248e0e568
SHA512

ddcd2f12e5fd098396787e067a52553ee4709f71c82ad5060a1304841d7498d459814bf104e362f563165f1a8919f9bf352c652adedbffc539618b2ff85ae5f3

Score

10^/10

formbook sh persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

Decoy

studiogoparty.com

furi-mold.com

cdicoun-tombola.info

elizabethlhall.com

nakayama-hanasai.com

9910pe.com

iraqbreakingnews.com

91fyy.com

intersafetyland.com

dddadditive.com

gewuan.net

ikwxanxb.click

shenghangdianzi.com

nuskinmemory.com

sonrel-julie.com

rapidlegalcenter.com

jcldsp.com

dibamoviez.net

sochuan66.com

platformoneclothing.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4292-142-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral2/memory/4292-144-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral2/memory/1908-150-0x0000000000800000-0x000000000082A000-memory.dmp	formbook
behavioral2/memory/1908-155-0x0000000000800000-0x000000000082A000-memory.dmp	formbook

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ipconfig.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ipconfig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\YNPLG8LHNTN = "C:\\Program Files (x86)\\Aabc8f\\servicesol_dufw.exe"	ipconfig.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 3 IoCs

Processes:

cae8e977de32b6913c75f8ec8fb052b7fdb3bd293c7e2840df3afc2248e0e568.exevbc.exeipconfig.exe

description	pid	process	target process
PID 4404 set thread context of 4292	4404	cae8e977de32b6913c75f8ec8fb052b7fdb3bd293c7e2840df3afc2248e0e568.exe	vbc.exe
PID 4292 set thread context of 3060	4292	vbc.exe	Explorer.EXE
PID 1908 set thread context of 3060	1908	ipconfig.exe	Explorer.EXE

Drops file in Program Files directory 1 IoCs

Processes:

ipconfig.exe

description ioc process

File opened for modification C:\Program Files (x86)\Aabc8f\servicesol_dufw.exe ipconfig.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1908 ipconfig.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Aabc8f\servicesol_dufw.exe	ipconfig.exe

pid	process
1908	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

ipconfig.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

cae8e977de32b6913c75f8ec8fb052b7fdb3bd293c7e2840df3afc2248e0e568.exevbc.exeipconfig.exe

pid	process
4404	cae8e977de32b6913c75f8ec8fb052b7fdb3bd293c7e2840df3afc2248e0e568.exe
4404	cae8e977de32b6913c75f8ec8fb052b7fdb3bd293c7e2840df3afc2248e0e568.exe
4292	vbc.exe
4292	vbc.exe
4292	vbc.exe
4292	vbc.exe
1908	ipconfig.exe
1908	ipconfig.exe
1908	ipconfig.exe
1908	ipconfig.exe
1908	ipconfig.exe
1908	ipconfig.exe
1908	ipconfig.exe
1908	ipconfig.exe
1908	ipconfig.exe
1908	ipconfig.exe
1908	ipconfig.exe
1908	ipconfig.exe
1908	ipconfig.exe
1908	ipconfig.exe
1908	ipconfig.exe
1908	ipconfig.exe
1908	ipconfig.exe
1908	ipconfig.exe
1908	ipconfig.exe
1908	ipconfig.exe
1908	ipconfig.exe
1908	ipconfig.exe
1908	ipconfig.exe
1908	ipconfig.exe
1908	ipconfig.exe
1908	ipconfig.exe
1908	ipconfig.exe
1908	ipconfig.exe
1908	ipconfig.exe
1908	ipconfig.exe
1908	ipconfig.exe
1908	ipconfig.exe
1908	ipconfig.exe
1908	ipconfig.exe
1908	ipconfig.exe
1908	ipconfig.exe
1908	ipconfig.exe
1908	ipconfig.exe
1908	ipconfig.exe
1908	ipconfig.exe
1908	ipconfig.exe
1908	ipconfig.exe
1908	ipconfig.exe
1908	ipconfig.exe
1908	ipconfig.exe
1908	ipconfig.exe
1908	ipconfig.exe
1908	ipconfig.exe
1908	ipconfig.exe
1908	ipconfig.exe
1908	ipconfig.exe
1908	ipconfig.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3060 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

vbc.exeipconfig.exe

pid process

4292 vbc.exe
4292 vbc.exe
4292 vbc.exe
1908 ipconfig.exe
1908 ipconfig.exe

pid	process
3060	Explorer.EXE

pid	process
4292	vbc.exe
4292	vbc.exe
4292	vbc.exe
1908	ipconfig.exe
1908	ipconfig.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

cae8e977de32b6913c75f8ec8fb052b7fdb3bd293c7e2840df3afc2248e0e568.exevbc.exeipconfig.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	4404	cae8e977de32b6913c75f8ec8fb052b7fdb3bd293c7e2840df3afc2248e0e568.exe
Token: SeDebugPrivilege	4292	vbc.exe
Token: SeDebugPrivilege	1908	ipconfig.exe
Token: SeShutdownPrivilege	3060	Explorer.EXE
Token: SeCreatePagefilePrivilege	3060	Explorer.EXE
Token: SeShutdownPrivilege	3060	Explorer.EXE
Token: SeCreatePagefilePrivilege	3060	Explorer.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

cae8e977de32b6913c75f8ec8fb052b7fdb3bd293c7e2840df3afc2248e0e568.execsc.exeExplorer.EXEipconfig.exe

description	pid	process	target process
PID 4404 wrote to memory of 4564	4404	cae8e977de32b6913c75f8ec8fb052b7fdb3bd293c7e2840df3afc2248e0e568.exe	csc.exe
PID 4404 wrote to memory of 4564	4404	cae8e977de32b6913c75f8ec8fb052b7fdb3bd293c7e2840df3afc2248e0e568.exe	csc.exe
PID 4404 wrote to memory of 4564	4404	cae8e977de32b6913c75f8ec8fb052b7fdb3bd293c7e2840df3afc2248e0e568.exe	csc.exe
PID 4564 wrote to memory of 2112	4564	csc.exe	cvtres.exe
PID 4564 wrote to memory of 2112	4564	csc.exe	cvtres.exe
PID 4564 wrote to memory of 2112	4564	csc.exe	cvtres.exe
PID 4404 wrote to memory of 4292	4404	cae8e977de32b6913c75f8ec8fb052b7fdb3bd293c7e2840df3afc2248e0e568.exe	vbc.exe
PID 4404 wrote to memory of 4292	4404	cae8e977de32b6913c75f8ec8fb052b7fdb3bd293c7e2840df3afc2248e0e568.exe	vbc.exe
PID 4404 wrote to memory of 4292	4404	cae8e977de32b6913c75f8ec8fb052b7fdb3bd293c7e2840df3afc2248e0e568.exe	vbc.exe
PID 4404 wrote to memory of 4292	4404	cae8e977de32b6913c75f8ec8fb052b7fdb3bd293c7e2840df3afc2248e0e568.exe	vbc.exe
PID 4404 wrote to memory of 4292	4404	cae8e977de32b6913c75f8ec8fb052b7fdb3bd293c7e2840df3afc2248e0e568.exe	vbc.exe
PID 4404 wrote to memory of 4292	4404	cae8e977de32b6913c75f8ec8fb052b7fdb3bd293c7e2840df3afc2248e0e568.exe	vbc.exe
PID 3060 wrote to memory of 1908	3060	Explorer.EXE	ipconfig.exe
PID 3060 wrote to memory of 1908	3060	Explorer.EXE	ipconfig.exe
PID 3060 wrote to memory of 1908	3060	Explorer.EXE	ipconfig.exe
PID 1908 wrote to memory of 2092	1908	ipconfig.exe	cmd.exe
PID 1908 wrote to memory of 2092	1908	ipconfig.exe	cmd.exe
PID 1908 wrote to memory of 2092	1908	ipconfig.exe	cmd.exe
PID 1908 wrote to memory of 3384	1908	ipconfig.exe	cmd.exe
PID 1908 wrote to memory of 3384	1908	ipconfig.exe	cmd.exe
PID 1908 wrote to memory of 3384	1908	ipconfig.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3060

C:\Users\Admin\AppData\Local\Temp\cae8e977de32b6913c75f8ec8fb052b7fdb3bd293c7e2840df3afc2248e0e568.exe
"C:\Users\Admin\AppData\Local\Temp\cae8e977de32b6913c75f8ec8fb052b7fdb3bd293c7e2840df3afc2248e0e568.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bydvlsxo\bydvlsxo.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:4564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA686.tmp" "c:\Users\Admin\AppData\Local\Temp\bydvlsxo\CSCAE267A9719BB4481B2AA3B1CF2493434.TMP"
4⤵
PID:2112

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4292

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Gathers network information
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
3⤵
PID:2092

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:3384

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DB1
Filesize
40KB

MD5
b608d407fc15adea97c26936bc6f03f6

SHA1
953e7420801c76393902c0d6bb56148947e41571

SHA256
b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

SHA512
cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA686.tmp
Filesize
1KB

MD5
19d1ea9d5b0c885b614134f879791ca2

SHA1
55392d463bc4e0de72ab6ab0fcbb92363ba0a872

SHA256
2b0e5f86d262989bb7acc6a09d49bd4096cc8ecb10056c59433e7999639c81c1

SHA512
9afbad5b82c1c838e4f4fd4acf59b6ec094234462735cf177b0c1071b92e33d48670f35968ab65b5a08dcfc933a8b0d15ca4aafc307c4d247ef0d5cd3ac83ae9

Download Submit
C:\Users\Admin\AppData\Local\Temp\bydvlsxo\bydvlsxo.dll
Filesize
15KB

MD5
7acc49a3948e7709d2db7de3a5e4b8ff

SHA1
aa0ff5821f87524f83ea83cece372aeee2f17773

SHA256
c07eb6d2b41a1211eee43e81c5cfdaebfb87e241675cb082723b79896af7a857

SHA512
2515ff53eee56dd42cd0bc4383bc4cf4c122b956bca1beb0c444a9027e471c36fe32e94c9f4da3ea356fee9076c9c544308b29580fe32b761e0098d7fef871f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\bydvlsxo\bydvlsxo.pdb
Filesize
51KB

MD5
727b0f6f4ba0e20d8a5bfe6f6ca7a915

SHA1
436e5902a5a4431844af25d4a77473f8542be293

SHA256
0a0636a088b4221f1eb01e1858a79be1282b1804000b6f9c8ebeca0aa65c49a2

SHA512
bff8bf31c0ddbd4809d7e90478eea83b8899ed43fdc1fda573ced94edff403cab023900811b215c0f204127fad64c0cf485dd1f8b1d3266ef07ce1feaeff8d88

Download Submit
C:\Users\Admin\AppData\Roaming\5Q6010RE\5Q6logim.jpeg
Filesize
75KB

MD5
52e069123a30e287e2bda3b6e518e616

SHA1
abb4f76a9fee54dd9510391dbe6ba26f1152ae37

SHA256
36bb1df51f2c1b3c7c4a0ed34a98ace6dc58d32f60da97b3a308d853e58d6615

SHA512
b34d3b7430d73d573faaeb75325e06b8153731c9592a786fe589bd149deb9b1a1ed650a8ee9ae355fb2fc0da0af935c6a984538d259879c4339b952841993951

Download Submit
C:\Users\Admin\AppData\Roaming\5Q6010RE\5Q6logrg.ini
Filesize
38B

MD5
4aadf49fed30e4c9b3fe4a3dd6445ebe

SHA1
1e332822167c6f351b99615eada2c30a538ff037

SHA256
75034beb7bded9aeab5748f4592b9e1419256caec474065d43e531ec5cc21c56

SHA512
eb5b3908d5e7b43ba02165e092f05578f45f15a148b4c3769036aa542c23a0f7cd2bc2770cf4119a7e437de3f681d9e398511f69f66824c516d9b451bb95f945

Download Submit
C:\Users\Admin\AppData\Roaming\5Q6010RE\5Q6logri.ini
Filesize
40B

MD5
d63a82e5d81e02e399090af26db0b9cb

SHA1
91d0014c8f54743bba141fd60c9d963f869d76c9

SHA256
eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

SHA512
38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

Download Submit
C:\Users\Admin\AppData\Roaming\5Q6010RE\5Q6logrv.ini
Filesize
872B

MD5
bbc41c78bae6c71e63cb544a6a284d94

SHA1
33f2c1d9fa0e9c99b80bc2500621e95af38b1f9a

SHA256
ee83c6bcea9353c74bfc0a7e739f3c4a765ace894470e09cdcdebba700b8d4cb

SHA512
0aea424b57adae3e14ad6491cab585f554b4dffe601b5a17bad6ee6177d2f0f995e419cde576e2d1782b9bddc0661aada11a2c9f1454ae625d9e3223635ec9f4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bydvlsxo\CSCAE267A9719BB4481B2AA3B1CF2493434.TMP
Filesize
1KB

MD5
13d70786e57574390806bf14afe5bdb6

SHA1
d95d9aacb835d5dbe0b9e4522271eb359df3866b

SHA256
86cdd0591d874dfe94353bfbf567691e00905325e355f5630333b79d55cd0c01

SHA512
2357c68dec8b2d77b9c567b0768c1f9c6c5c25ddc81df0b2822b5ad599748e7d32dab3afcd4ece9d86407c65556491835b335588f187a9f0af59e6dd506fbaaa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bydvlsxo\bydvlsxo.0.cs
Filesize
29KB

MD5
7cf2e534a9a96bea31cc6db531cb6e89

SHA1
b67d75fd89a49fcda03d260ceeab889a91e0062a

SHA256
8430223be6873572809a9ac4f03a0178732abbf923402716e3cb7e6d9e8173c1

SHA512
519ce76ed51b22be2a470114e797a48a866db3cd006c12e473d26944bd1c8a66ce5a47c45f216a33306c2926cac3f324a13758a6f55296a643af5c5c316c3416

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bydvlsxo\bydvlsxo.cmdline
Filesize
248B

MD5
0e6bd7b2510d3a6bc2c3625f26fc99a6

SHA1
4bc5d7f584546de87c37e95fe5a2112a23196c2a

SHA256
2ab92f9ccf3395f0d1d612a9be7212fc653713e874380df8f80153fa43ed0f86

SHA512
cabea88a8eb52937cdadefd057d93403f37eb6c9abb20a21c95d1aa3fd0ada030ec82152261e97eb4a065af7d787afb96545ff42d659f5ef824bee93df62ba4f

Download Submit
memory/1908-155-0x0000000000800000-0x000000000082A000-memory.dmp

Filesize
168KB

Download
memory/1908-153-0x0000000001370000-0x0000000001403000-memory.dmp

Filesize
588KB

Download
memory/1908-152-0x0000000001020000-0x000000000136A000-memory.dmp

Filesize
3.3MB

Download
memory/1908-150-0x0000000000800000-0x000000000082A000-memory.dmp

Filesize
168KB

Download
memory/1908-149-0x0000000000E60000-0x0000000000E6B000-memory.dmp

Filesize
44KB

Download
memory/1908-148-0x0000000000000000-mapping.dmp

Download
memory/2092-151-0x0000000000000000-mapping.dmp

Download
memory/2112-134-0x0000000000000000-mapping.dmp

Download
memory/3060-154-0x0000000008590000-0x00000000086DD000-memory.dmp

Filesize
1.3MB

Download
memory/3060-147-0x0000000002AE0000-0x0000000002C3F000-memory.dmp

Filesize
1.4MB

Download
memory/3060-156-0x0000000008590000-0x00000000086DD000-memory.dmp

Filesize
1.3MB

Download
memory/3384-157-0x0000000000000000-mapping.dmp

Download
memory/4292-146-0x00000000009E0000-0x00000000009F4000-memory.dmp

Filesize
80KB

Download
memory/4292-144-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4292-142-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4292-141-0x0000000000000000-mapping.dmp

Download
memory/4292-145-0x0000000000A20000-0x0000000000D6A000-memory.dmp

Filesize
3.3MB

Download
memory/4404-130-0x0000000000F10000-0x0000000000F60000-memory.dmp

Filesize
320KB

Download
memory/4404-140-0x0000000006040000-0x00000000060DC000-memory.dmp

Filesize
624KB

Download
memory/4404-139-0x0000000005970000-0x0000000005A02000-memory.dmp

Filesize
584KB

Download
memory/4564-131-0x0000000000000000-mapping.dmp

Download