formbook | c292ddac09c57630068c0ed4b57ea874549ec12627cfcaf0a25277b26d042b46

Analysis

max time kernel
148s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2022, 13:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

shdybron2.1.exe
Size

275KB
MD5

27f98194ef5c1923e2cf716ef07f8ff4
SHA1

e0ad7c09afe99a1bb9bcef7f4c59b078a836fa9d
SHA256

c292ddac09c57630068c0ed4b57ea874549ec12627cfcaf0a25277b26d042b46
SHA512

00142e5291844df5052e0a613e826d9b83745f46e341672e84af99734f4dd406dcea8d6a491c16e6bf9da02ad0b5c512f332844a9a9f904adb72aac5e59768ba
SSDEEP

6144:HNeZmUFKKJn1RLblwHHvbgutRnKK+IRI+3BMaOI:HNlHY+HvbnRnKP+3B7

Score

10^/10

formbook sk29 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

sk29

Decoy

invycons.com

txirla.com

skygrade.site

mydubai.website

giftr.online

fotothink.com

receitaspanelacaseira.online

theroost.dev

hy-allure.com

homefilmcompany.online

qest-mall.net

palochkiotrollov.online

aibset-terms.com

clecrffp.work

entel04.online

conveyancercentralcoast.com

evaij.info

meitue.shop

rothchild.top

detecter-un-logiciel-espion.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/4800-144-0x0000000000730000-0x000000000075F000-memory.dmp	formbook
behavioral2/memory/4800-149-0x0000000000730000-0x000000000075F000-memory.dmp	formbook

Executes dropped EXE 1 IoCs

pid	Process
1668	nhifjvitar.exe

Loads dropped DLL 1 IoCs

pid	Process
3376	nhifjvitar.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1668 set thread context of 3376	1668	nhifjvitar.exe	83
PID 3376 set thread context of 2576	3376	nhifjvitar.exe	18
PID 4800 set thread context of 2576	4800	cmd.exe	18

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4848	1668	WerFault.exe	82

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
3376	nhifjvitar.exe
3376	nhifjvitar.exe
3376	nhifjvitar.exe
3376	nhifjvitar.exe
4800	cmd.exe
4800	cmd.exe
4800	cmd.exe
4800	cmd.exe
4800	cmd.exe
4800	cmd.exe
4800	cmd.exe
4800	cmd.exe
4800	cmd.exe
4800	cmd.exe
4800	cmd.exe
4800	cmd.exe
4800	cmd.exe
4800	cmd.exe
4800	cmd.exe
4800	cmd.exe
4800	cmd.exe
4800	cmd.exe
4800	cmd.exe
4800	cmd.exe
4800	cmd.exe
4800	cmd.exe
4800	cmd.exe
4800	cmd.exe
4800	cmd.exe
4800	cmd.exe
4800	cmd.exe
4800	cmd.exe
4800	cmd.exe
4800	cmd.exe
4800	cmd.exe
4800	cmd.exe
4800	cmd.exe
4800	cmd.exe
4800	cmd.exe
4800	cmd.exe
4800	cmd.exe
4800	cmd.exe
4800	cmd.exe
4800	cmd.exe
4800	cmd.exe
4800	cmd.exe
4800	cmd.exe
4800	cmd.exe
4800	cmd.exe
4800	cmd.exe
4800	cmd.exe
4800	cmd.exe
4800	cmd.exe
4800	cmd.exe
4800	cmd.exe
4800	cmd.exe
4800	cmd.exe
4800	cmd.exe
4800	cmd.exe
4800	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2576	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
3376	nhifjvitar.exe
3376	nhifjvitar.exe
3376	nhifjvitar.exe
4800	cmd.exe
4800	cmd.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3376	nhifjvitar.exe
Token: SeShutdownPrivilege	2576	Explorer.EXE
Token: SeCreatePagefilePrivilege	2576	Explorer.EXE
Token: SeDebugPrivilege	4800	cmd.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 1668	1528	shdybron2.1.exe	82
PID 1528 wrote to memory of 1668	1528	shdybron2.1.exe	82
PID 1528 wrote to memory of 1668	1528	shdybron2.1.exe	82
PID 1668 wrote to memory of 3376	1668	nhifjvitar.exe	83
PID 1668 wrote to memory of 3376	1668	nhifjvitar.exe	83
PID 1668 wrote to memory of 3376	1668	nhifjvitar.exe	83
PID 1668 wrote to memory of 3376	1668	nhifjvitar.exe	83
PID 2576 wrote to memory of 4800	2576	Explorer.EXE	87
PID 2576 wrote to memory of 4800	2576	Explorer.EXE	87
PID 2576 wrote to memory of 4800	2576	Explorer.EXE	87
PID 4800 wrote to memory of 3468	4800	cmd.exe	91
PID 4800 wrote to memory of 3468	4800	cmd.exe	91
PID 4800 wrote to memory of 3468	4800	cmd.exe	91

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Users\Admin\AppData\Local\Temp\shdybron2.1.exe
  "C:\Users\Admin\AppData\Local\Temp\shdybron2.1.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Users\Admin\AppData\Local\Temp\nhifjvitar.exe
    "C:\Users\Admin\AppData\Local\Temp\nhifjvitar.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1668
  - - C:\Users\Admin\AppData\Local\Temp\nhifjvitar.exe
      "C:\Users\Admin\AppData\Local\Temp\nhifjvitar.exe"
      4⤵
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:3376
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 400
      4⤵
      Program crash
      PID:4848
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\SysWOW64\cmd.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4800
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\nhifjvitar.exe"
    3⤵
    PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1668 -ip 1668
1⤵
PID:4280

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nhifjvitar.exe

Filesize
123KB

MD5
1222ecde9c2f111e61638da9bb79c9f7

SHA1
194989e976b273b4e21f45491871fe67bb9e4720

SHA256
1b0e3017d539b5bcd3942acee9c45853ebccdd0848be21c21e04b676912e2240

SHA512
a47fa4086174608ac30bbc15ff0d3bdcd6dbd11bc7efa49f11ed3c50871a4dc726a6b2d8f17e864063e1dde03f940696cb8652b5c6202bea2664881e7e5dec05

Download Submit
C:\Users\Admin\AppData\Local\Temp\nhifjvitar.exe

Filesize
123KB

MD5
1222ecde9c2f111e61638da9bb79c9f7

SHA1
194989e976b273b4e21f45491871fe67bb9e4720

SHA256
1b0e3017d539b5bcd3942acee9c45853ebccdd0848be21c21e04b676912e2240

SHA512
a47fa4086174608ac30bbc15ff0d3bdcd6dbd11bc7efa49f11ed3c50871a4dc726a6b2d8f17e864063e1dde03f940696cb8652b5c6202bea2664881e7e5dec05

Download Submit
C:\Users\Admin\AppData\Local\Temp\nhifjvitar.exe

Filesize
123KB

MD5
1222ecde9c2f111e61638da9bb79c9f7

SHA1
194989e976b273b4e21f45491871fe67bb9e4720

SHA256
1b0e3017d539b5bcd3942acee9c45853ebccdd0848be21c21e04b676912e2240

SHA512
a47fa4086174608ac30bbc15ff0d3bdcd6dbd11bc7efa49f11ed3c50871a4dc726a6b2d8f17e864063e1dde03f940696cb8652b5c6202bea2664881e7e5dec05

Download Submit
C:\Users\Admin\AppData\Local\Temp\ocpbpmtfx.a

Filesize
185KB

MD5
9c64cc197145edb8151838e997b12e33

SHA1
d2669867a4363153f1d8c70862cfc8ca8c5baa16

SHA256
5f50368260449b547cb6799e8fe63fb0ba6a0a32d102fa16922951f8aa008fce

SHA512
4bc66e58afc186f3db9b1321eeb3ccde1ce2e493e58db550a3ecb5bb36578ec70692dc84b67374fecf3cf04c4bbf44ca73e716e11dcd8b98588a87bae6ce6802

Download Submit
C:\Users\Admin\AppData\Local\Temp\zuzopr.qh

Filesize
4KB

MD5
b626c32fd36f4c55053b126a3511ee61

SHA1
1f8a39bbbea3b297eeb1231caeaaf55c8155e3b3

SHA256
7285e0500dd734505edfa9242321db0adfe428f9ad45d5edc9dcdc598dd12627

SHA512
23dcfef7079e45587638a04eda8f9dd9ba866649fae54a59a1cafff535bd0845eab701c5d3150263eaf2a07d818adb8a341e331e926caf3a095c7722faeb459a

Download Submit
memory/2576-141-0x00000000077D0000-0x000000000789C000-memory.dmp

Filesize
816KB

Download
memory/2576-148-0x00000000087E0000-0x0000000008934000-memory.dmp

Filesize
1.3MB

Download
memory/2576-150-0x00000000087E0000-0x0000000008934000-memory.dmp

Filesize
1.3MB

Download
memory/3376-139-0x0000000001670000-0x00000000019BA000-memory.dmp

Filesize
3.3MB

Download
memory/3376-140-0x0000000001610000-0x0000000001624000-memory.dmp

Filesize
80KB

Download
memory/4800-143-0x0000000000190000-0x00000000001EA000-memory.dmp

Filesize
360KB

Download
memory/4800-144-0x0000000000730000-0x000000000075F000-memory.dmp

Filesize
188KB

Download
memory/4800-146-0x0000000000FB0000-0x00000000012FA000-memory.dmp

Filesize
3.3MB

Download
memory/4800-147-0x0000000000E20000-0x0000000000EB3000-memory.dmp

Filesize
588KB

Download
memory/4800-149-0x0000000000730000-0x000000000075F000-memory.dmp

Filesize
188KB

Download