formbook | 1e2499187de0cc218823f81fe3d62a284a9220d62401a1510489682de9b32857

Analysis

max time kernel
152s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2022 15:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e2499187de0cc218823f81fe3d62a284a9220d62401a1510489682de9b32857.exe
Size

236KB
MD5

359fcad9ab0d8c7e8b7a37a71ad3ca62
SHA1

ce1a50828ef2bf7ac4e4a8087be562608d6ea333
SHA256

1e2499187de0cc218823f81fe3d62a284a9220d62401a1510489682de9b32857
SHA512

eb1cf064da1c8c79d7df9f54e07f7cbfbbc8b2ade7a1e7a6cdf876a1f37d68950a168a93de057a2be89c5797ace88335521eb9301d930d274e168b56ec48ab17
SSDEEP

6144:QhfSqW96QlU0yyw1GvwrH+vhSTLlG3S+GSh:txKGorevKG3LGS

Score

10^/10

formbook s6n0 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

s6n0

Decoy

Rjdlh6/zHSTR8l/qBc5Sli4N

bhgURHTfHUEmULTxQLSp

3Mn6FAv7Rt3FIPw5+kA=

zzm54WQwP1JMitEUPCXw2Mtf7nw=

lH+0SLi17B0EImL9kIHJZTzN0g==

w4e94tKevUJDrXDKWQ==

jX0l3sCks02uxLWsBEY=

0HzjTYsaHz32

9uPhvBK58Xw=

AHhhDXWv7IXlXM1M

iudYICANV+wWQVi7yvUscCc=

nhEVQEw1bBqdx1aARrFLZjA=

hOLnEhr977jtBeQlD5GrJG0F

WztsD4N8tOilL+oaXA==

XjhvrbHxpFuwL+oaXA==

o30u6uO9C7rY+fVt5dFbflBuv2M=

oo3Lbi1e215kpdUB/HDcZTzN0g==

uZHWfdvQBDpCVl7qhnlDZTzN0g==

LJmOPvgvTFz7XrDXlBtSli4N

VxULunnWfwDG92nqBMgaXE8r63Y=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1380 set thread context of 2612	1380	1e2499187de0cc218823f81fe3d62a284a9220d62401a1510489682de9b32857.exe	81
PID 2612 set thread context of 2648	2612	cvtres.exe	30
PID 2072 set thread context of 2648	2072	control.exe	30

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	control.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
1380	1e2499187de0cc218823f81fe3d62a284a9220d62401a1510489682de9b32857.exe
1380	1e2499187de0cc218823f81fe3d62a284a9220d62401a1510489682de9b32857.exe
2612	cvtres.exe
2612	cvtres.exe
2612	cvtres.exe
2612	cvtres.exe
2612	cvtres.exe
2612	cvtres.exe
2612	cvtres.exe
2612	cvtres.exe
2072	control.exe
2072	control.exe
2072	control.exe
2072	control.exe
2072	control.exe
2072	control.exe
2072	control.exe
2072	control.exe
2072	control.exe
2072	control.exe
2072	control.exe
2072	control.exe
2072	control.exe
2072	control.exe
2072	control.exe
2072	control.exe
2072	control.exe
2072	control.exe
2072	control.exe
2072	control.exe
2072	control.exe
2072	control.exe
2072	control.exe
2072	control.exe
2072	control.exe
2072	control.exe
2072	control.exe
2072	control.exe
2072	control.exe
2072	control.exe
2072	control.exe
2072	control.exe
2072	control.exe
2072	control.exe
2072	control.exe
2072	control.exe
2072	control.exe
2072	control.exe
2072	control.exe
2072	control.exe
2072	control.exe
2072	control.exe
2072	control.exe
2072	control.exe
2072	control.exe
2072	control.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2648	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
2612	cvtres.exe
2612	cvtres.exe
2612	cvtres.exe
2072	control.exe
2072	control.exe
2072	control.exe
2072	control.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1380	1e2499187de0cc218823f81fe3d62a284a9220d62401a1510489682de9b32857.exe
Token: SeDebugPrivilege	2612	cvtres.exe
Token: SeDebugPrivilege	2072	control.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1380 wrote to memory of 2544	1380	1e2499187de0cc218823f81fe3d62a284a9220d62401a1510489682de9b32857.exe	80
PID 1380 wrote to memory of 2544	1380	1e2499187de0cc218823f81fe3d62a284a9220d62401a1510489682de9b32857.exe	80
PID 1380 wrote to memory of 2544	1380	1e2499187de0cc218823f81fe3d62a284a9220d62401a1510489682de9b32857.exe	80
PID 1380 wrote to memory of 2612	1380	1e2499187de0cc218823f81fe3d62a284a9220d62401a1510489682de9b32857.exe	81
PID 1380 wrote to memory of 2612	1380	1e2499187de0cc218823f81fe3d62a284a9220d62401a1510489682de9b32857.exe	81
PID 1380 wrote to memory of 2612	1380	1e2499187de0cc218823f81fe3d62a284a9220d62401a1510489682de9b32857.exe	81
PID 1380 wrote to memory of 2612	1380	1e2499187de0cc218823f81fe3d62a284a9220d62401a1510489682de9b32857.exe	81
PID 1380 wrote to memory of 2612	1380	1e2499187de0cc218823f81fe3d62a284a9220d62401a1510489682de9b32857.exe	81
PID 1380 wrote to memory of 2612	1380	1e2499187de0cc218823f81fe3d62a284a9220d62401a1510489682de9b32857.exe	81
PID 2648 wrote to memory of 2072	2648	Explorer.EXE	82
PID 2648 wrote to memory of 2072	2648	Explorer.EXE	82
PID 2648 wrote to memory of 2072	2648	Explorer.EXE	82
PID 2072 wrote to memory of 2320	2072	control.exe	91
PID 2072 wrote to memory of 2320	2072	control.exe	91
PID 2072 wrote to memory of 2320	2072	control.exe	91

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Users\Admin\AppData\Local\Temp\1e2499187de0cc218823f81fe3d62a284a9220d62401a1510489682de9b32857.exe
  "C:\Users\Admin\AppData\Local\Temp\1e2499187de0cc218823f81fe3d62a284a9220d62401a1510489682de9b32857.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1380
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
    3⤵
    PID:2544
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2612
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\SysWOW64\control.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:2320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1380-132-0x0000000000560000-0x000000000059E000-memory.dmp

Filesize
248KB

Download
memory/2072-145-0x0000000000E90000-0x0000000000EBB000-memory.dmp

Filesize
172KB

Download
memory/2072-143-0x0000000000E90000-0x0000000000EBB000-memory.dmp

Filesize
172KB

Download
memory/2072-146-0x0000000002C40000-0x0000000002CCF000-memory.dmp

Filesize
572KB

Download
memory/2072-141-0x0000000000000000-mapping.dmp

Download
memory/2072-144-0x0000000002F10000-0x000000000325A000-memory.dmp

Filesize
3.3MB

Download
memory/2072-142-0x00000000000C0000-0x00000000000E7000-memory.dmp

Filesize
156KB

Download
memory/2544-133-0x0000000000000000-mapping.dmp

Download
memory/2612-134-0x0000000000000000-mapping.dmp

Download
memory/2612-139-0x00000000009E0000-0x00000000009F0000-memory.dmp

Filesize
64KB

Download
memory/2612-138-0x00000000012D0000-0x000000000161A000-memory.dmp

Filesize
3.3MB

Download
memory/2612-137-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2612-135-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2648-140-0x00000000030F0000-0x0000000003214000-memory.dmp

Filesize
1.1MB

Download
memory/2648-147-0x0000000008920000-0x0000000008A62000-memory.dmp

Filesize
1.3MB

Download
memory/2648-148-0x0000000008920000-0x0000000008A62000-memory.dmp

Filesize
1.3MB

Download