formbook | 3d4bcb3525d58d2270133e0349f8cc3463a2c5b151e8cc7b1580806c6e86fbf8

Analysis

max time kernel
147s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23/09/2022, 13:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wire_deposito# 00711 23-09-2022_IMG.exe
Size

294KB
MD5

ebf3bd44feb646d0113e34451935faec
SHA1

ff2c6c0ceacd9a97c845a1e4056ab7e1c097cf51
SHA256

3d4bcb3525d58d2270133e0349f8cc3463a2c5b151e8cc7b1580806c6e86fbf8
SHA512

b30b45f6c9b86be224078bd524f45df6db5b4d488ad257743c9ceb869e993e2c1c1296361f29c0279890c32a071950c3678651d5d9a70526cd489f96baaa05e1
SSDEEP

6144:UL8i9w0XHrJ7Cj3Z3I5shJd78mf9EFV2PsN2sFzVELTlg:ImqF7Mp3IKhJ58mf9E/QOFz8Tlg

Score

10^/10

formbook dqrv rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

dqrv

Decoy

gBpw3Y4HTb1jiULo0eCNvVa1AUM=

ZrxXzYYGEr9rmw==

WZd0tp8eMltMtoAQ

sTwbDYOvwP/e+cIy7A==

2x9+6pABEr9rmw==

5APZR17a7SLBJ+uLaEHxQVMMVQ==

To5y5LGTop5N9MKIDJI7Rqg=

HmLC9XPWGo8wbVA1OzzbDM4Dgob+z9M=

qU4wemvm5BXKPhm7k4I6bXMpXw==

1/9k1Q9Dz2scN+VeSlk9UKk=

ocWw8L31/TrpUDjjh8hx2g==

ULSzhA6L41v+PzP1wJ5BbXMpXw==

2WPGn5/sP28R

CjKXeM4dKWwZ

219OmV+FktZrolf1zb1esHSEyvduDQ==

O3zrtJsXCr9ekQ==

QakRaQV0wTrlFwfVh8hx2g==

7kG0LMk1hfuox2rTkaJSbXMpXw==

+UQrlVma3UXyhDAA7g==

A4Hkzb/3ubdkJdfXmOw=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2736 set thread context of 744	2736	wire_deposito# 00711 23-09-2022_IMG.exe	82
PID 744 set thread context of 2804	744	aspnet_compiler.exe	48
PID 4932 set thread context of 2804	4932	raserver.exe	48

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	raserver.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
744	aspnet_compiler.exe
744	aspnet_compiler.exe
744	aspnet_compiler.exe
744	aspnet_compiler.exe
744	aspnet_compiler.exe
744	aspnet_compiler.exe
744	aspnet_compiler.exe
744	aspnet_compiler.exe
4932	raserver.exe
4932	raserver.exe
4932	raserver.exe
4932	raserver.exe
4932	raserver.exe
4932	raserver.exe
4932	raserver.exe
4932	raserver.exe
4932	raserver.exe
4932	raserver.exe
4932	raserver.exe
4932	raserver.exe
4932	raserver.exe
4932	raserver.exe
4932	raserver.exe
4932	raserver.exe
4932	raserver.exe
4932	raserver.exe
4932	raserver.exe
4932	raserver.exe
4932	raserver.exe
4932	raserver.exe
4932	raserver.exe
4932	raserver.exe
4932	raserver.exe
4932	raserver.exe
4932	raserver.exe
4932	raserver.exe
4932	raserver.exe
4932	raserver.exe
4932	raserver.exe
4932	raserver.exe
4932	raserver.exe
4932	raserver.exe
4932	raserver.exe
4932	raserver.exe
4932	raserver.exe
4932	raserver.exe
4932	raserver.exe
4932	raserver.exe
4932	raserver.exe
4932	raserver.exe
4932	raserver.exe
4932	raserver.exe
4932	raserver.exe
4932	raserver.exe
4932	raserver.exe
4932	raserver.exe
4932	raserver.exe
4932	raserver.exe
4932	raserver.exe
4932	raserver.exe
4932	raserver.exe
4932	raserver.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2804	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
744	aspnet_compiler.exe
744	aspnet_compiler.exe
744	aspnet_compiler.exe
4932	raserver.exe
4932	raserver.exe
4932	raserver.exe
4932	raserver.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	744	aspnet_compiler.exe
Token: SeDebugPrivilege	4932	raserver.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 744	2736	wire_deposito# 00711 23-09-2022_IMG.exe	82
PID 2736 wrote to memory of 744	2736	wire_deposito# 00711 23-09-2022_IMG.exe	82
PID 2736 wrote to memory of 744	2736	wire_deposito# 00711 23-09-2022_IMG.exe	82
PID 2736 wrote to memory of 744	2736	wire_deposito# 00711 23-09-2022_IMG.exe	82
PID 2736 wrote to memory of 744	2736	wire_deposito# 00711 23-09-2022_IMG.exe	82
PID 2736 wrote to memory of 744	2736	wire_deposito# 00711 23-09-2022_IMG.exe	82
PID 2804 wrote to memory of 4932	2804	Explorer.EXE	98
PID 2804 wrote to memory of 4932	2804	Explorer.EXE	98
PID 2804 wrote to memory of 4932	2804	Explorer.EXE	98
PID 4932 wrote to memory of 2112	4932	raserver.exe	105
PID 4932 wrote to memory of 2112	4932	raserver.exe	105
PID 4932 wrote to memory of 2112	4932	raserver.exe	105

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Users\Admin\AppData\Local\Temp\wire_deposito# 00711 23-09-2022_IMG.exe
  "C:\Users\Admin\AppData\Local\Temp\wire_deposito# 00711 23-09-2022_IMG.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:744
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:3912
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:4588
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:4964
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:1960
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:1636
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:1736
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:4972
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:1984
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:520
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:5048
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:4912
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:1180
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:2036
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:4892
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:4924
- C:\Windows\SysWOW64\raserver.exe
  "C:\Windows\SysWOW64\raserver.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4932
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:2112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/744-134-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/744-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/744-137-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/744-138-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/744-139-0x00000000015B0000-0x00000000018FA000-memory.dmp

Filesize
3.3MB

Download
memory/744-140-0x0000000000FF0000-0x0000000001000000-memory.dmp

Filesize
64KB

Download
memory/2736-132-0x00000000005A0000-0x00000000005EA000-memory.dmp

Filesize
296KB

Download
memory/2804-141-0x0000000008200000-0x0000000008335000-memory.dmp

Filesize
1.2MB

Download
memory/2804-146-0x0000000008200000-0x0000000008335000-memory.dmp

Filesize
1.2MB

Download
memory/2804-149-0x00000000028D0000-0x0000000002974000-memory.dmp

Filesize
656KB

Download
memory/2804-150-0x00000000028D0000-0x0000000002974000-memory.dmp

Filesize
656KB

Download
memory/4932-143-0x0000000000EC0000-0x0000000000EDF000-memory.dmp

Filesize
124KB

Download
memory/4932-144-0x0000000000120000-0x000000000014D000-memory.dmp

Filesize
180KB

Download
memory/4932-145-0x00000000024A0000-0x00000000027EA000-memory.dmp

Filesize
3.3MB

Download
memory/4932-147-0x0000000000C90000-0x0000000000D1F000-memory.dmp

Filesize
572KB

Download
memory/4932-148-0x0000000000120000-0x000000000014D000-memory.dmp

Filesize
180KB

Download