formbook | 19c0c7bdad5e228179478b4b6c0c0bf282141f64023b15f9d08bb4e140592fbd

Resubmissions

29-09-2022 07:16

220929-h3s7vsaae7 10

19-09-2022 14:00

220919-rbbm6sbhf6 10

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
29-09-2022 07:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Invoice_Tracking_657895995845HKFDHKLFDLKHDFKLFDKHLFDKL89634.exe
Size

277KB
MD5

adfbf0d0858c2ccf0c3070967f1c5a3e
SHA1

e723c9f072504c3345f91829000ec7d96ac6661a
SHA256

54d71b452ceceb7769f2ab610d157005849ec32aae5544acaa99d08f8d12cd95
SHA512

7c08f20307f27a8f91fdf53efd1280b898e78fbc8382c4b3dd3fc3f7f75204e0c4fafb5e7bc97d53872d46fc3ab72851703c8f0d6e932c407d3b5e6e68f07749
SSDEEP

6144:KAJjLwdO06a3KpeQnaMDCbd9D+E2fCos4OianeAsIJ/8kAG:KjO06IKpRnacCxx+EcCBnbX8kL

Score

10^/10

formbook f4ca rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

f4ca

Decoy

QYZ6iE9Y+CsiZpCBareS0uU=

N2FQLAaH6xXE

Vc6t0MQXN+Llxsqg

ElBedmSvYGGm6yLDhHqzAtmlCxWl

4VpIWShqHR5cpjfQ4bs=

mepO9miu/iFiQQ==

Z8Owqh54IlwEpDfQ4bs=

qcq4uT5HecWZG3EVwKTiUE7slrGQGiyo

IaYYoJikKDDqgV/NigZCLA==

4Xz5pfoCCW/76NnOUrFEOw==

xiijSkVJ3Yuh9OKDcmui/d2lCxWl

cr8MmfpCEu0ULsO3p6w=

JLm2yKHo7hdVb8O3p6w=

Hriy5svWm2Qfq9mPQib9jJI65gOr

2G3nkRpidunlxsqg

gPHUAeXmi8Q9ARy3

6l5WaOf8BxhQDkp5gKQ=

KHHiXs4WOqXZdPhpaw==

+UQ5Vz5O0Ms9ARy3

pNQygKu0OziAvjOHRGLnJA==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4992 set thread context of 1392	4992	Invoice_Tracking_657895995845HKFDHKLFDLKHDFKLFDKHLFDKL89634.exe	84
PID 1392 set thread context of 2416	1392	cvtres.exe	41
PID 3132 set thread context of 2416	3132	cmstp.exe	41

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cmstp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4992	Invoice_Tracking_657895995845HKFDHKLFDLKHDFKLFDKHLFDKL89634.exe
4992	Invoice_Tracking_657895995845HKFDHKLFDLKHDFKLFDKHLFDKL89634.exe
1392	cvtres.exe
1392	cvtres.exe
1392	cvtres.exe
1392	cvtres.exe
1392	cvtres.exe
1392	cvtres.exe
1392	cvtres.exe
1392	cvtres.exe
3132	cmstp.exe
3132	cmstp.exe
3132	cmstp.exe
3132	cmstp.exe
3132	cmstp.exe
3132	cmstp.exe
3132	cmstp.exe
3132	cmstp.exe
3132	cmstp.exe
3132	cmstp.exe
3132	cmstp.exe
3132	cmstp.exe
3132	cmstp.exe
3132	cmstp.exe
3132	cmstp.exe
3132	cmstp.exe
3132	cmstp.exe
3132	cmstp.exe
3132	cmstp.exe
3132	cmstp.exe
3132	cmstp.exe
3132	cmstp.exe
3132	cmstp.exe
3132	cmstp.exe
3132	cmstp.exe
3132	cmstp.exe
3132	cmstp.exe
3132	cmstp.exe
3132	cmstp.exe
3132	cmstp.exe
3132	cmstp.exe
3132	cmstp.exe
3132	cmstp.exe
3132	cmstp.exe
3132	cmstp.exe
3132	cmstp.exe
3132	cmstp.exe
3132	cmstp.exe
3132	cmstp.exe
3132	cmstp.exe
3132	cmstp.exe
3132	cmstp.exe
3132	cmstp.exe
3132	cmstp.exe
3132	cmstp.exe
3132	cmstp.exe
3132	cmstp.exe
3132	cmstp.exe
3132	cmstp.exe
3132	cmstp.exe
3132	cmstp.exe
3132	cmstp.exe
3132	cmstp.exe
3132	cmstp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2416	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
1392	cvtres.exe
1392	cvtres.exe
1392	cvtres.exe
3132	cmstp.exe
3132	cmstp.exe
3132	cmstp.exe
3132	cmstp.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	4992	Invoice_Tracking_657895995845HKFDHKLFDLKHDFKLFDKHLFDKL89634.exe
Token: SeDebugPrivilege	1392	cvtres.exe
Token: SeDebugPrivilege	3132	cmstp.exe
Token: SeShutdownPrivilege	2416	Explorer.EXE
Token: SeCreatePagefilePrivilege	2416	Explorer.EXE
Token: SeShutdownPrivilege	2416	Explorer.EXE
Token: SeCreatePagefilePrivilege	2416	Explorer.EXE
Token: SeShutdownPrivilege	2416	Explorer.EXE
Token: SeCreatePagefilePrivilege	2416	Explorer.EXE
Token: SeShutdownPrivilege	2416	Explorer.EXE
Token: SeCreatePagefilePrivilege	2416	Explorer.EXE
Token: SeShutdownPrivilege	2416	Explorer.EXE
Token: SeCreatePagefilePrivilege	2416	Explorer.EXE
Token: SeShutdownPrivilege	2416	Explorer.EXE
Token: SeCreatePagefilePrivilege	2416	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4992 wrote to memory of 936	4992	Invoice_Tracking_657895995845HKFDHKLFDLKHDFKLFDKHLFDKL89634.exe	83
PID 4992 wrote to memory of 936	4992	Invoice_Tracking_657895995845HKFDHKLFDLKHDFKLFDKHLFDKL89634.exe	83
PID 4992 wrote to memory of 936	4992	Invoice_Tracking_657895995845HKFDHKLFDLKHDFKLFDKHLFDKL89634.exe	83
PID 4992 wrote to memory of 1392	4992	Invoice_Tracking_657895995845HKFDHKLFDLKHDFKLFDKHLFDKL89634.exe	84
PID 4992 wrote to memory of 1392	4992	Invoice_Tracking_657895995845HKFDHKLFDLKHDFKLFDKHLFDKL89634.exe	84
PID 4992 wrote to memory of 1392	4992	Invoice_Tracking_657895995845HKFDHKLFDLKHDFKLFDKHLFDKL89634.exe	84
PID 4992 wrote to memory of 1392	4992	Invoice_Tracking_657895995845HKFDHKLFDLKHDFKLFDKHLFDKL89634.exe	84
PID 4992 wrote to memory of 1392	4992	Invoice_Tracking_657895995845HKFDHKLFDLKHDFKLFDKHLFDKL89634.exe	84
PID 4992 wrote to memory of 1392	4992	Invoice_Tracking_657895995845HKFDHKLFDLKHDFKLFDKHLFDKL89634.exe	84
PID 2416 wrote to memory of 3132	2416	Explorer.EXE	85
PID 2416 wrote to memory of 3132	2416	Explorer.EXE	85
PID 2416 wrote to memory of 3132	2416	Explorer.EXE	85
PID 3132 wrote to memory of 2292	3132	cmstp.exe	92
PID 3132 wrote to memory of 2292	3132	cmstp.exe	92
PID 3132 wrote to memory of 2292	3132	cmstp.exe	92

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Users\Admin\AppData\Local\Temp\Invoice_Tracking_657895995845HKFDHKLFDLKHDFKLFDKHLFDKL89634.exe
  "C:\Users\Admin\AppData\Local\Temp\Invoice_Tracking_657895995845HKFDHKLFDLKHDFKLFDKHLFDKL89634.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4992
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
    3⤵
    PID:936
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1392
- C:\Windows\SysWOW64\cmstp.exe
  "C:\Windows\SysWOW64\cmstp.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3132
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:2292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/936-133-0x0000000000000000-mapping.dmp

Download
memory/1392-134-0x0000000000000000-mapping.dmp

Download
memory/1392-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1392-138-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1392-137-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1392-140-0x0000000001760000-0x0000000001AAA000-memory.dmp

Filesize
3.3MB

Download
memory/1392-141-0x00000000010D0000-0x00000000010E0000-memory.dmp

Filesize
64KB

Download
memory/1392-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1392-145-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/2416-180-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2416-212-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2416-152-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2416-221-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2416-220-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2416-219-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2416-218-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2416-217-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2416-153-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2416-155-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2416-156-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2416-183-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2416-157-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2416-158-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2416-159-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2416-160-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2416-161-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2416-162-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2416-163-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2416-164-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2416-165-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2416-166-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2416-167-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2416-168-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2416-169-0x0000000002A50000-0x0000000002A60000-memory.dmp

Filesize
64KB

Download
memory/2416-170-0x00000000030C0000-0x00000000030D0000-memory.dmp

Filesize
64KB

Download
memory/2416-171-0x00000000030C0000-0x00000000030D0000-memory.dmp

Filesize
64KB

Download
memory/2416-172-0x0000000002FE0000-0x00000000030AD000-memory.dmp

Filesize
820KB

Download
memory/2416-173-0x00000000030C0000-0x00000000030D0000-memory.dmp

Filesize
64KB

Download
memory/2416-174-0x00000000030C0000-0x00000000030D0000-memory.dmp

Filesize
64KB

Download
memory/2416-175-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2416-176-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2416-177-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2416-185-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2416-179-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2416-142-0x0000000002960000-0x0000000002A32000-memory.dmp

Filesize
840KB

Download
memory/2416-181-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2416-182-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2416-154-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2416-150-0x0000000002FE0000-0x00000000030AD000-memory.dmp

Filesize
820KB

Download
memory/2416-178-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2416-186-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2416-187-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2416-188-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2416-189-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2416-190-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2416-191-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2416-192-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2416-193-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2416-194-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2416-195-0x0000000002AD0000-0x0000000002AE0000-memory.dmp

Filesize
64KB

Download
memory/2416-196-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2416-197-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2416-198-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2416-199-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2416-200-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2416-201-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2416-203-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2416-202-0x0000000002AD0000-0x0000000002AE0000-memory.dmp

Filesize
64KB

Download
memory/2416-206-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2416-207-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2416-205-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2416-204-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2416-208-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2416-209-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2416-210-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2416-211-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2416-184-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2416-213-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2416-214-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2416-215-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2416-216-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/3132-149-0x0000000002E30000-0x0000000002EBF000-memory.dmp

Filesize
572KB

Download
memory/3132-148-0x0000000003010000-0x000000000335A000-memory.dmp

Filesize
3.3MB

Download
memory/3132-147-0x00000000010E0000-0x000000000110D000-memory.dmp

Filesize
180KB

Download
memory/3132-146-0x00000000008D0000-0x00000000008E6000-memory.dmp

Filesize
88KB

Download
memory/3132-143-0x0000000000000000-mapping.dmp

Download
memory/3132-151-0x00000000010E0000-0x000000000110D000-memory.dmp

Filesize
180KB

Download
memory/4992-132-0x0000000000800000-0x000000000084A000-memory.dmp

Filesize
296KB

Download