formbook | d092923bdc00cd1f84007efe05cc2bd459dd1134acb0b9543cae766adf982c10

Analysis

max time kernel
149s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
18/09/2022, 16:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

185KB
MD5

62a166dcbf9f11c4b88edd0b3eb24b7e
SHA1

7e5915d7bb41e2a2cdfbb68c333d885df3e0384f
SHA256

d092923bdc00cd1f84007efe05cc2bd459dd1134acb0b9543cae766adf982c10
SHA512

1e1c8c14857e57531e474407403c9a34c4b9509888323203572ca0a35b43779fcfcea4d5072adeb8373cc8ff39bcf5a900a8a4d7b44cf719649163c103a09b25
SSDEEP

3072:6KpKktx/p5hm3KB2MmbGqbLcykhYDqYxVzXerDcQvM6wYOx8f:pvQKoMqfbLcykhhYxVzXADpvjS8f

Score

10^/10

formbook p205 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

p205

Decoy

orderactivgreens.com

quickshipfloors.com

planetcompression.com

deluxparlor.net

heartrootspirit.com

getmoremail.com

ourbranch30225.com

louisvuittonsmen.com

heritageshore.com

7336m.com

nationalcl.com

elluciangovernmentcloud.com

youniiqueproducts.com

stlukesparkcity.com

dundeemrc.co.uk

homecheck-in.com

vintage-charm.co.uk

empreendedoranatural.com

fineduconnect.com

nvcukipj6.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/3376-138-0x0000000000550000-0x000000000057F000-memory.dmp	formbook
behavioral2/memory/3376-143-0x0000000000550000-0x000000000057F000-memory.dmp	formbook

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4532 set thread context of 2556	4532	tmp.exe	34
PID 3376 set thread context of 2556	3376	colorcpl.exe	34

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
4532	tmp.exe
4532	tmp.exe
4532	tmp.exe
4532	tmp.exe
3376	colorcpl.exe
3376	colorcpl.exe
3376	colorcpl.exe
3376	colorcpl.exe
3376	colorcpl.exe
3376	colorcpl.exe
3376	colorcpl.exe
3376	colorcpl.exe
3376	colorcpl.exe
3376	colorcpl.exe
3376	colorcpl.exe
3376	colorcpl.exe
3376	colorcpl.exe
3376	colorcpl.exe
3376	colorcpl.exe
3376	colorcpl.exe
3376	colorcpl.exe
3376	colorcpl.exe
3376	colorcpl.exe
3376	colorcpl.exe
3376	colorcpl.exe
3376	colorcpl.exe
3376	colorcpl.exe
3376	colorcpl.exe
3376	colorcpl.exe
3376	colorcpl.exe
3376	colorcpl.exe
3376	colorcpl.exe
3376	colorcpl.exe
3376	colorcpl.exe
3376	colorcpl.exe
3376	colorcpl.exe
3376	colorcpl.exe
3376	colorcpl.exe
3376	colorcpl.exe
3376	colorcpl.exe
3376	colorcpl.exe
3376	colorcpl.exe
3376	colorcpl.exe
3376	colorcpl.exe
3376	colorcpl.exe
3376	colorcpl.exe
3376	colorcpl.exe
3376	colorcpl.exe
3376	colorcpl.exe
3376	colorcpl.exe
3376	colorcpl.exe
3376	colorcpl.exe
3376	colorcpl.exe
3376	colorcpl.exe
3376	colorcpl.exe
3376	colorcpl.exe
3376	colorcpl.exe
3376	colorcpl.exe
3376	colorcpl.exe
3376	colorcpl.exe
3376	colorcpl.exe
3376	colorcpl.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2556	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
4532	tmp.exe
4532	tmp.exe
4532	tmp.exe
3376	colorcpl.exe
3376	colorcpl.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4532	tmp.exe
Token: SeDebugPrivilege	3376	colorcpl.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 3376	2556	Explorer.EXE	80
PID 2556 wrote to memory of 3376	2556	Explorer.EXE	80
PID 2556 wrote to memory of 3376	2556	Explorer.EXE	80
PID 3376 wrote to memory of 1432	3376	colorcpl.exe	83
PID 3376 wrote to memory of 1432	3376	colorcpl.exe	83
PID 3376 wrote to memory of 1432	3376	colorcpl.exe	83

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  PID:4532
- C:\Windows\SysWOW64\colorcpl.exe
  "C:\Windows\SysWOW64\colorcpl.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3376
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    3⤵
    PID:1432

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2556-140-0x00000000089C0000-0x0000000008B0C000-memory.dmp

Filesize
1.3MB

Download
memory/2556-144-0x0000000008CA0000-0x0000000008DBC000-memory.dmp

Filesize
1.1MB

Download
memory/2556-134-0x00000000089C0000-0x0000000008B0C000-memory.dmp

Filesize
1.3MB

Download
memory/2556-142-0x0000000008CA0000-0x0000000008DBC000-memory.dmp

Filesize
1.1MB

Download
memory/3376-137-0x0000000000B20000-0x0000000000B39000-memory.dmp

Filesize
100KB

Download
memory/3376-139-0x0000000002680000-0x00000000029CA000-memory.dmp

Filesize
3.3MB

Download
memory/3376-138-0x0000000000550000-0x000000000057F000-memory.dmp

Filesize
188KB

Download
memory/3376-141-0x0000000002520000-0x00000000025B3000-memory.dmp

Filesize
588KB

Download
memory/3376-143-0x0000000000550000-0x000000000057F000-memory.dmp

Filesize
188KB

Download
memory/4532-132-0x0000000001360000-0x00000000016AA000-memory.dmp

Filesize
3.3MB

Download
memory/4532-133-0x0000000000DE0000-0x0000000000DF4000-memory.dmp

Filesize
80KB

Download