formbook | 392d84c160a17dd93a78b8549f5298d43d1f2ead6d236a1780bc290cc864e615

Resubmissions

25/10/2022, 14:04

221025-rdmhfschd5 10

25/10/2022, 13:32

221025-qs4jvachar 10

Analysis

max time kernel
267s
max time network
253s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25/10/2022, 14:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

formbook5.exe
Size

718KB
MD5

39cffb366d87292f4b5efecf69c32774
SHA1

104fe2e617556e97af1a6f5082bba003a8e9ff3d
SHA256

37e9f15077e6491eade2a03b73b9f48b0037c6995a5fbecdae7a942710d1dde1
SHA512

d508a86dc49fc5737904b23ceab055329ebf47dc77b119297a8d1fb6c1f17217a24ec0a714787e8dcda215381549a04d77d8212f0fd83ddcf1de545453d4078f
SSDEEP

12288:3hUWMtLdsIJ4Il6RXTTpbe0RRnT7QLtAeSfN5r5pHM2as8i9Rr5o7We:xhMtBsy6R82RnTEmewN5rr8i98

Score

10^/10

formbook gs25 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gs25

Decoy

real-food.store

marketdatalibrary.com

jolidens.space

ydental.info

tattoosbyjayinked.com

buytradesellpei.com

61983.xyz

identitysolver.xyz

mgfang.com

teizer.one

staychillax.com

ylanzarote.com

workte.net

maukigato.shop

coolbag.site

btya1r.com

dkhaohao.shop

zugaro.xyz

boon168.com

xn--80aeegahlwtdkp.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/1848-65-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1848-66-0x000000000041F1B0-mapping.dmp	formbook
behavioral1/memory/1848-68-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1604-76-0x0000000000090000-0x00000000000BF000-memory.dmp	formbook

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 2012 set thread context of 1848	2012	formbook5.exe	35
PID 1848 set thread context of 1248	1848	RegSvcs.exe	14
PID 1604 set thread context of 1248	1604	rundll32.exe	14
PID 1604 set thread context of 1388	1604	rundll32.exe	26
PID 1604 set thread context of 1960	1604	rundll32.exe	27

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
672	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
1656	chrome.exe
1388	chrome.exe
1388	chrome.exe
2012	formbook5.exe
1848	RegSvcs.exe
1848	RegSvcs.exe
1604	rundll32.exe
1604	rundll32.exe
1604	rundll32.exe
1604	rundll32.exe
1604	rundll32.exe
1604	rundll32.exe
1604	rundll32.exe
1604	rundll32.exe
1604	rundll32.exe
1604	rundll32.exe
1604	rundll32.exe
1604	rundll32.exe
1604	rundll32.exe
1604	rundll32.exe
1604	rundll32.exe
1604	rundll32.exe
1604	rundll32.exe
1604	rundll32.exe
1604	rundll32.exe
1604	rundll32.exe
1604	rundll32.exe
1604	rundll32.exe
1604	rundll32.exe
1604	rundll32.exe
1604	rundll32.exe
1604	rundll32.exe
1604	rundll32.exe
1604	rundll32.exe
1604	rundll32.exe
1604	rundll32.exe
1604	rundll32.exe
1604	rundll32.exe
1604	rundll32.exe
1604	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1248	Explorer.EXE

Suspicious behavior: MapViewOfSection 13 IoCs

pid	Process
1848	RegSvcs.exe
1848	RegSvcs.exe
1848	RegSvcs.exe
1604	rundll32.exe
1604	rundll32.exe
1604	rundll32.exe
1604	rundll32.exe
1604	rundll32.exe
1604	rundll32.exe
1604	rundll32.exe
1604	rundll32.exe
1604	rundll32.exe
1604	rundll32.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2012	formbook5.exe
Token: SeDebugPrivilege	1848	RegSvcs.exe
Token: SeDebugPrivilege	1604	rundll32.exe
Token: SeShutdownPrivilege	1248	Explorer.EXE
Token: SeShutdownPrivilege	1248	Explorer.EXE
Token: SeShutdownPrivilege	1248	Explorer.EXE
Token: SeShutdownPrivilege	1248	Explorer.EXE
Token: SeShutdownPrivilege	1248	Explorer.EXE
Token: SeShutdownPrivilege	1248	Explorer.EXE

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1248	Explorer.EXE
1248	Explorer.EXE
1388	chrome.exe

Suspicious use of SendNotifyMessage 36 IoCs

pid	Process
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1388	chrome.exe
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 1960	1388	chrome.exe	27
PID 1388 wrote to memory of 1960	1388	chrome.exe	27
PID 1388 wrote to memory of 1960	1388	chrome.exe	27
PID 1388 wrote to memory of 1640	1388	chrome.exe	28
PID 1388 wrote to memory of 1640	1388	chrome.exe	28
PID 1388 wrote to memory of 1640	1388	chrome.exe	28
PID 1388 wrote to memory of 1640	1388	chrome.exe	28
PID 1388 wrote to memory of 1640	1388	chrome.exe	28
PID 1388 wrote to memory of 1640	1388	chrome.exe	28
PID 1388 wrote to memory of 1640	1388	chrome.exe	28
PID 1388 wrote to memory of 1640	1388	chrome.exe	28
PID 1388 wrote to memory of 1640	1388	chrome.exe	28
PID 1388 wrote to memory of 1640	1388	chrome.exe	28
PID 1388 wrote to memory of 1640	1388	chrome.exe	28
PID 1388 wrote to memory of 1640	1388	chrome.exe	28
PID 1388 wrote to memory of 1640	1388	chrome.exe	28
PID 1388 wrote to memory of 1640	1388	chrome.exe	28
PID 1388 wrote to memory of 1640	1388	chrome.exe	28
PID 1388 wrote to memory of 1640	1388	chrome.exe	28
PID 1388 wrote to memory of 1640	1388	chrome.exe	28
PID 1388 wrote to memory of 1640	1388	chrome.exe	28
PID 1388 wrote to memory of 1640	1388	chrome.exe	28
PID 1388 wrote to memory of 1640	1388	chrome.exe	28
PID 1388 wrote to memory of 1640	1388	chrome.exe	28
PID 1388 wrote to memory of 1640	1388	chrome.exe	28
PID 1388 wrote to memory of 1640	1388	chrome.exe	28
PID 1388 wrote to memory of 1640	1388	chrome.exe	28
PID 1388 wrote to memory of 1640	1388	chrome.exe	28
PID 1388 wrote to memory of 1640	1388	chrome.exe	28
PID 1388 wrote to memory of 1640	1388	chrome.exe	28
PID 1388 wrote to memory of 1640	1388	chrome.exe	28
PID 1388 wrote to memory of 1640	1388	chrome.exe	28
PID 1388 wrote to memory of 1640	1388	chrome.exe	28
PID 1388 wrote to memory of 1640	1388	chrome.exe	28
PID 1388 wrote to memory of 1640	1388	chrome.exe	28
PID 1388 wrote to memory of 1640	1388	chrome.exe	28
PID 1388 wrote to memory of 1640	1388	chrome.exe	28
PID 1388 wrote to memory of 1640	1388	chrome.exe	28
PID 1388 wrote to memory of 1640	1388	chrome.exe	28
PID 1388 wrote to memory of 1640	1388	chrome.exe	28
PID 1388 wrote to memory of 1640	1388	chrome.exe	28
PID 1388 wrote to memory of 1640	1388	chrome.exe	28
PID 1388 wrote to memory of 1640	1388	chrome.exe	28
PID 1388 wrote to memory of 1640	1388	chrome.exe	28
PID 1388 wrote to memory of 1656	1388	chrome.exe	29
PID 1388 wrote to memory of 1656	1388	chrome.exe	29
PID 1388 wrote to memory of 1656	1388	chrome.exe	29
PID 1388 wrote to memory of 964	1388	chrome.exe	30
PID 1388 wrote to memory of 964	1388	chrome.exe	30
PID 1388 wrote to memory of 964	1388	chrome.exe	30
PID 1388 wrote to memory of 964	1388	chrome.exe	30
PID 1388 wrote to memory of 964	1388	chrome.exe	30
PID 1388 wrote to memory of 964	1388	chrome.exe	30
PID 1388 wrote to memory of 964	1388	chrome.exe	30
PID 1388 wrote to memory of 964	1388	chrome.exe	30
PID 1388 wrote to memory of 964	1388	chrome.exe	30
PID 1388 wrote to memory of 964	1388	chrome.exe	30
PID 1388 wrote to memory of 964	1388	chrome.exe	30
PID 1388 wrote to memory of 964	1388	chrome.exe	30
PID 1388 wrote to memory of 964	1388	chrome.exe	30
PID 1388 wrote to memory of 964	1388	chrome.exe	30
PID 1388 wrote to memory of 964	1388	chrome.exe	30
PID 1388 wrote to memory of 964	1388	chrome.exe	30
PID 1388 wrote to memory of 964	1388	chrome.exe	30

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1248
- C:\Users\Admin\AppData\Local\Temp\formbook5.exe
  "C:\Users\Admin\AppData\Local\Temp\formbook5.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2012
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YaFLXNhWEOOsy" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC4D6.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:672
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "{path}"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fefadf4f50,0x7fefadf4f60,0x7fefadf4f70
    3⤵
    PID:1960
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1108,9164813278214776594,18295872967839984109,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1120 /prefetch:2
    3⤵
    PID:1640
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1108,9164813278214776594,18295872967839984109,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1256 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1656
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1108,9164813278214776594,18295872967839984109,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1812 /prefetch:8
    3⤵
    PID:964
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,9164813278214776594,18295872967839984109,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1976 /prefetch:1
    3⤵
    PID:332
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,9164813278214776594,18295872967839984109,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2028 /prefetch:1
    3⤵
    PID:1440
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,9164813278214776594,18295872967839984109,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:8
    3⤵
    PID:1524
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1108,9164813278214776594,18295872967839984109,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2628 /prefetch:2
    3⤵
    PID:1168
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,9164813278214776594,18295872967839984109,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
    3⤵
    PID:1000
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,9164813278214776594,18295872967839984109,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3332 /prefetch:8
    3⤵
    PID:2064
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,9164813278214776594,18295872967839984109,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3556 /prefetch:8
    3⤵
    PID:2072
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\SysWOW64\rundll32.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  PID:1604
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:1324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC4D6.tmp

Filesize
1KB

MD5
d36df179aa835b811185e1fc166e8d36

SHA1
a72d85d514e98b5aea0064bc864886900cb949fb

SHA256
f88a156674cf178984f3fe5360bc17381dfc19e60309e63a520a6d1524e8c95f

SHA512
2fd8e5fea570b624c57ebd4f8d92f626d28effba56e339fcf77a9fdcbf053ea734359a8478a631de8bd5c064e2971c1ecc55eaa833d6a279578c1f72fb50eda2

Download Submit
memory/1248-81-0x00000000073E0000-0x0000000007532000-memory.dmp

Filesize
1.3MB

Download
memory/1248-79-0x00000000073E0000-0x0000000007532000-memory.dmp

Filesize
1.3MB

Download
memory/1248-71-0x00000000071E0000-0x0000000007338000-memory.dmp

Filesize
1.3MB

Download
memory/1604-75-0x0000000000E80000-0x0000000000E8E000-memory.dmp

Filesize
56KB

Download
memory/1604-77-0x0000000002290000-0x0000000002593000-memory.dmp

Filesize
3.0MB

Download
memory/1604-80-0x0000000000920000-0x00000000009B4000-memory.dmp

Filesize
592KB

Download
memory/1604-78-0x0000000000920000-0x00000000009B4000-memory.dmp

Filesize
592KB

Download
memory/1604-76-0x0000000000090000-0x00000000000BF000-memory.dmp

Filesize
188KB

Download
memory/1848-69-0x00000000009E0000-0x0000000000CE3000-memory.dmp

Filesize
3.0MB

Download
memory/1848-70-0x0000000000190000-0x00000000001A5000-memory.dmp

Filesize
84KB

Download
memory/1848-68-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1848-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1848-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1848-62-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2012-59-0x0000000000860000-0x0000000000894000-memory.dmp

Filesize
208KB

Download
memory/2012-58-0x00000000052A0000-0x0000000005328000-memory.dmp

Filesize
544KB

Download
memory/2012-54-0x0000000000910000-0x00000000009CA000-memory.dmp

Filesize
744KB

Download
memory/2012-56-0x0000000000270000-0x0000000000290000-memory.dmp

Filesize
128KB

Download
memory/2012-55-0x0000000075E81000-0x0000000075E83000-memory.dmp

Filesize
8KB

Download