formbook | e31e2c584e256194d62b34964c668413b6db5c95f4ab95db89d80d4df7c15188

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25/10/2022, 08:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

newPO.js
Size

4KB
MD5

3ea1401952fe7004973360bbe4aec8b9
SHA1

240dba7f04a06cfc7d23bfcc01f58184f5b432b6
SHA256

e31e2c584e256194d62b34964c668413b6db5c95f4ab95db89d80d4df7c15188
SHA512

d0a41702288c7e01c863d2e975b0d15a7072266f2e2afda87a7ced76c3f56fb70e63ad6b530860650e12f2ed8e3000a1b9e1329454e4ff1ef25c0cb3a10ff62a
SSDEEP

96:NxzcwV39M1Cxfc6PMpotxNAkR2mAzvs/GhWMHduUAp7UoLMY2wH85k4GkcKA6X:fzcwFG1W06PMpaxNA0Uzvs8uUc7UXCWt

Score

10^/10

formbook zx85 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

zx85

Decoy

myclassly.com

rilcon.xyz

miracleun.shop

gadgetward-usa.com

farmaacademy.com

dreamsolutions.group

fffood.online

ziggnl.site

cherpol.com

imprescriptible-tienoscope.biz

yztc.fun

chicagonftweek.com

zz0659.com

hznaixi.com

027-seo.net

korlekded.com

gelatoitaly.com

finlitguru.com

gupingapp.com

manmakecoffee.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/5036-137-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/5036-139-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/176-145-0x0000000000D10000-0x0000000000D3F000-memory.dmp	formbook
behavioral2/memory/176-150-0x0000000000D10000-0x0000000000D3F000-memory.dmp	formbook

Blocklisted process makes network request 4 IoCs

flow	pid	Process
7	4856	wscript.exe
8	4856	wscript.exe
10	4856	wscript.exe
12	4856	wscript.exe

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
4220	VCXNMCXVNCXXCMB.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	wscript.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4220 set thread context of 5036	4220	VCXNMCXVNCXXCMB.exe	84
PID 5036 set thread context of 2824	5036	aspnet_compiler.exe	28
PID 176 set thread context of 2824	176	svchost.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
5036	aspnet_compiler.exe
5036	aspnet_compiler.exe
5036	aspnet_compiler.exe
5036	aspnet_compiler.exe
176	svchost.exe
176	svchost.exe
176	svchost.exe
176	svchost.exe
176	svchost.exe
176	svchost.exe
176	svchost.exe
176	svchost.exe
176	svchost.exe
176	svchost.exe
176	svchost.exe
176	svchost.exe
176	svchost.exe
176	svchost.exe
176	svchost.exe
176	svchost.exe
176	svchost.exe
176	svchost.exe
176	svchost.exe
176	svchost.exe
176	svchost.exe
176	svchost.exe
176	svchost.exe
176	svchost.exe
176	svchost.exe
176	svchost.exe
176	svchost.exe
176	svchost.exe
176	svchost.exe
176	svchost.exe
176	svchost.exe
176	svchost.exe
176	svchost.exe
176	svchost.exe
176	svchost.exe
176	svchost.exe
176	svchost.exe
176	svchost.exe
176	svchost.exe
176	svchost.exe
176	svchost.exe
176	svchost.exe
176	svchost.exe
176	svchost.exe
176	svchost.exe
176	svchost.exe
176	svchost.exe
176	svchost.exe
176	svchost.exe
176	svchost.exe
176	svchost.exe
176	svchost.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
5036	aspnet_compiler.exe
5036	aspnet_compiler.exe
5036	aspnet_compiler.exe
176	svchost.exe
176	svchost.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	5036	aspnet_compiler.exe
Token: SeDebugPrivilege	176	svchost.exe
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 4220	4856	wscript.exe	82
PID 4856 wrote to memory of 4220	4856	wscript.exe	82
PID 4856 wrote to memory of 4220	4856	wscript.exe	82
PID 4220 wrote to memory of 5036	4220	VCXNMCXVNCXXCMB.exe	84
PID 4220 wrote to memory of 5036	4220	VCXNMCXVNCXXCMB.exe	84
PID 4220 wrote to memory of 5036	4220	VCXNMCXVNCXXCMB.exe	84
PID 4220 wrote to memory of 5036	4220	VCXNMCXVNCXXCMB.exe	84
PID 4220 wrote to memory of 5036	4220	VCXNMCXVNCXXCMB.exe	84
PID 4220 wrote to memory of 5036	4220	VCXNMCXVNCXXCMB.exe	84
PID 2824 wrote to memory of 176	2824	Explorer.EXE	85
PID 2824 wrote to memory of 176	2824	Explorer.EXE	85
PID 2824 wrote to memory of 176	2824	Explorer.EXE	85
PID 176 wrote to memory of 4600	176	svchost.exe	90
PID 176 wrote to memory of 4600	176	svchost.exe	90
PID 176 wrote to memory of 4600	176	svchost.exe	90

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Windows\system32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Local\Temp\newPO.js
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4856
- - C:\Users\Admin\AppData\Local\Temp\VCXNMCXVNCXXCMB.exe
    "C:\Users\Admin\AppData\Local\Temp\VCXNMCXVNCXXCMB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4220
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:5036
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\SysWOW64\svchost.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:176
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:4600

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\VCXNMCXVNCXXCMB.exe

Filesize
267KB

MD5
b075f711abac52e317e3f0409f6e0165

SHA1
fad93284e3809b31f0308cd38a9b9c60a9d1db5f

SHA256
e14428ccc7d8f6c216db27c0f8ff512439d275d5e7cf6810c4d8ee7422bec464

SHA512
2a249510da8d77fc4776e8d6ff3f4ede6c407fca1f6b5b0db3d41d1bb015cbc8ad99a3b5497a1bd38eb265353ca56fa2637db64507c4eaf70bfd31255bdd0a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\VCXNMCXVNCXXCMB.exe

Filesize
267KB

MD5
b075f711abac52e317e3f0409f6e0165

SHA1
fad93284e3809b31f0308cd38a9b9c60a9d1db5f

SHA256
e14428ccc7d8f6c216db27c0f8ff512439d275d5e7cf6810c4d8ee7422bec464

SHA512
2a249510da8d77fc4776e8d6ff3f4ede6c407fca1f6b5b0db3d41d1bb015cbc8ad99a3b5497a1bd38eb265353ca56fa2637db64507c4eaf70bfd31255bdd0a41

Download Submit
memory/176-148-0x00000000018A0000-0x0000000001934000-memory.dmp

Filesize
592KB

Download
memory/176-144-0x0000000000A10000-0x0000000000A1E000-memory.dmp

Filesize
56KB

Download
memory/176-145-0x0000000000D10000-0x0000000000D3F000-memory.dmp

Filesize
188KB

Download
memory/176-150-0x0000000000D10000-0x0000000000D3F000-memory.dmp

Filesize
188KB

Download
memory/176-147-0x0000000001A00000-0x0000000001D4A000-memory.dmp

Filesize
3.3MB

Download
memory/2824-142-0x0000000008550000-0x0000000008630000-memory.dmp

Filesize
896KB

Download
memory/2824-149-0x0000000008630000-0x0000000008759000-memory.dmp

Filesize
1.2MB

Download
memory/2824-151-0x0000000008630000-0x0000000008759000-memory.dmp

Filesize
1.2MB

Download
memory/4220-135-0x00000000002D0000-0x0000000000316000-memory.dmp

Filesize
280KB

Download
memory/5036-141-0x0000000001270000-0x0000000001285000-memory.dmp

Filesize
84KB

Download
memory/5036-140-0x0000000001300000-0x000000000164A000-memory.dmp

Filesize
3.3MB

Download
memory/5036-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5036-137-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download