formbook | f28fc7b2cb76f0a714ef1e43b37ec0f5aa6c497d25d7de4379e8e0b91913d1c0

Analysis

max time kernel
99s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
05-08-2022 10:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f28fc7b2cb76f0a714ef1e43b37ec0f5aa6c497d25d7de4379e8e0b91913d1c0.exe
Size

986KB
MD5

557232ed6bcc3043cba02aedcbc96891
SHA1

bd739f8686a3a535b9d2faee8990c77f0de06884
SHA256

f28fc7b2cb76f0a714ef1e43b37ec0f5aa6c497d25d7de4379e8e0b91913d1c0
SHA512

d24bab222f53b70ec8e551a81ae5524991c58baa8602fdcd65d37ece4bfeee0b470ba3177acd0cf2c4f3b5e7b7bdd7ae6a88b8e12c24e7b5b0610e465b205d9d

Score

10^/10

formbook modiloader t3c9 persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

t3c9

Decoy

waidfu.com

sjglyshsv.com

sdztgy.com

health-magazines.info

bajoarmadura.com

oxian.xyz

jonspearman.com

fusodu.online

jx1718.net

arminva6tinderella.xyz

susuhiwah.com

novotherm.online

superbloomerz.com

kuaida56.com

74hc86.com

stellumml.com

neurocalibration.com

pinkspirit.store

solitaipat.com

eassiy.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3984-228-0x0000000050480000-0x00000000504AF000-memory.dmp	formbook

ModiLoader Second Stage 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4528-158-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-171-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-172-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-173-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-174-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-175-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-176-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-177-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-178-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-179-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-180-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-181-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-182-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-183-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-184-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-185-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-186-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-187-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-188-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-189-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-190-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-191-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-193-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-192-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-194-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-195-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-196-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-197-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-198-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-199-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-200-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-201-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-202-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-203-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-204-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-205-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-207-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-206-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-208-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-210-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-209-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-211-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-213-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-214-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-212-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-216-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-218-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-219-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-217-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-220-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-221-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-222-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-223-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-225-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-227-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-226-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-224-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-229-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-231-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-230-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-232-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-233-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-234-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2
behavioral2/memory/4528-235-0x0000000005830000-0x0000000005894000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f28fc7b2cb76f0a714ef1e43b37ec0f5aa6c497d25d7de4379e8e0b91913d1c0.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	f28fc7b2cb76f0a714ef1e43b37ec0f5aa6c497d25d7de4379e8e0b91913d1c0.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f28fc7b2cb76f0a714ef1e43b37ec0f5aa6c497d25d7de4379e8e0b91913d1c0.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tdceco = "C:\\Users\\Public\\Libraries\\ocecdT.url"	f28fc7b2cb76f0a714ef1e43b37ec0f5aa6c497d25d7de4379e8e0b91913d1c0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3420 3984 WerFault.exe SndVol.exe

pid	pid_target	process	target process
3420	3984	WerFault.exe	SndVol.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

f28fc7b2cb76f0a714ef1e43b37ec0f5aa6c497d25d7de4379e8e0b91913d1c0.exe

pid	process
4528	f28fc7b2cb76f0a714ef1e43b37ec0f5aa6c497d25d7de4379e8e0b91913d1c0.exe
4528	f28fc7b2cb76f0a714ef1e43b37ec0f5aa6c497d25d7de4379e8e0b91913d1c0.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

SndVol.exe

pid process

3984 SndVol.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

SndVol.exe

pid process

3984 SndVol.exe
3984 SndVol.exe

pid	process
3984	SndVol.exe

pid	process
3984	SndVol.exe
3984	SndVol.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

f28fc7b2cb76f0a714ef1e43b37ec0f5aa6c497d25d7de4379e8e0b91913d1c0.exe

description	pid	process	target process
PID 4528 wrote to memory of 3984	4528	f28fc7b2cb76f0a714ef1e43b37ec0f5aa6c497d25d7de4379e8e0b91913d1c0.exe	SndVol.exe
PID 4528 wrote to memory of 3984	4528	f28fc7b2cb76f0a714ef1e43b37ec0f5aa6c497d25d7de4379e8e0b91913d1c0.exe	SndVol.exe
PID 4528 wrote to memory of 3984	4528	f28fc7b2cb76f0a714ef1e43b37ec0f5aa6c497d25d7de4379e8e0b91913d1c0.exe	SndVol.exe
PID 4528 wrote to memory of 3984	4528	f28fc7b2cb76f0a714ef1e43b37ec0f5aa6c497d25d7de4379e8e0b91913d1c0.exe	SndVol.exe
PID 4528 wrote to memory of 3984	4528	f28fc7b2cb76f0a714ef1e43b37ec0f5aa6c497d25d7de4379e8e0b91913d1c0.exe	SndVol.exe
PID 4528 wrote to memory of 3984	4528	f28fc7b2cb76f0a714ef1e43b37ec0f5aa6c497d25d7de4379e8e0b91913d1c0.exe	SndVol.exe

C:\Users\Admin\AppData\Local\Temp\f28fc7b2cb76f0a714ef1e43b37ec0f5aa6c497d25d7de4379e8e0b91913d1c0.exe
"C:\Users\Admin\AppData\Local\Temp\f28fc7b2cb76f0a714ef1e43b37ec0f5aa6c497d25d7de4379e8e0b91913d1c0.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4528

C:\Windows\SysWOW64\SndVol.exe
"C:\Windows\System32\SndVol.exe"
2⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 1020
3⤵
- Program crash
PID:3420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3984 -ip 3984
1⤵
PID:3696

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3984-215-0x0000000000000000-mapping.dmp

Download
memory/3984-228-0x0000000050480000-0x00000000504AF000-memory.dmp

Filesize
188KB

Download
memory/4528-158-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-171-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-172-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-173-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-174-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-175-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-176-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-177-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-178-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-179-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-180-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-181-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-182-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-183-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-184-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-185-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-186-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-187-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-188-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-189-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-190-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-191-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-193-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-192-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-194-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-195-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-196-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-197-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-198-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-199-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-200-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-201-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-202-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-203-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-204-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-205-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-207-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-206-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-208-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-210-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-209-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-211-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-213-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-214-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-212-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-216-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-218-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-219-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-217-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-220-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-221-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-222-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-223-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-225-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-227-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-226-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-224-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-229-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-231-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-230-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-232-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-233-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-234-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download
memory/4528-235-0x0000000005830000-0x0000000005894000-memory.dmp

Filesize
400KB

Download