formbook | e233d86e74d3846be66e323c4850b495c66658ca63cd28ec1a47a3b0c95f7559

Analysis

max time kernel
149s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
08-08-2022 08:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

purchase order.scr
Size

715KB
MD5

78c4f66f2cc6141bb625193b77cbb50a
SHA1

b9bf9128275a92cc3e7f0fddc65de08adf64149b
SHA256

e233d86e74d3846be66e323c4850b495c66658ca63cd28ec1a47a3b0c95f7559
SHA512

b4ea89531126555b6c421c6140fb9bb2f9b5d70721e2ddf172d33f8584526ef21c4960fdf20108ff445afb60fc44223c968697248a1b7cdfb9916296c8243554

Score

10^/10

formbook modiloader p94a persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

p94a

Decoy

oootmuim.top

ricondizionato.info

eatarriveoh.top

tuo.wtf

plottaacuse.xyz

maripazcovarrubias.com

pasolaity.sbs

schoolstool.store

davincimuch.net

yh-fl.com

merielchapman.co.uk

omsecuritysolution.com

jqhuafei.com

fypa.site

isdgolf.com

aromasoils.com

dcmaxween.xyz

keilewn.online

billiger-atomstrom.com

chickens93.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2360-146-0x0000000003840000-0x000000000386F000-memory.dmp	formbook

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

purchase order.scr

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lykjvfajy = "C:\\Users\\Public\\Libraries\\yjafvjkyL.url"	purchase order.scr

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1236 2360 WerFault.exe purchase order.scr

pid	pid_target	process	target process
1236	2360	WerFault.exe	purchase order.scr

C:\Users\Admin\AppData\Local\Temp\purchase order.scr
"C:\Users\Admin\AppData\Local\Temp\purchase order.scr" /S
1⤵
- Adds Run key to start application
PID:2360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 1924
2⤵
- Program crash
PID:1236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2360 -ip 2360
1⤵
PID:3300

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2360-146-0x0000000003840000-0x000000000386F000-memory.dmp

Filesize
188KB

Download