formbook | 502f5ca3567e3c23c443376a14c0e4e86ec453e37696f12d723aab77e332a46e

Analysis

max time kernel
52s
max time network
67s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
23-11-2022 13:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

502f5ca3567e3c23c443376a14c0e4e86ec453e37696f12d723aab77e332a46e.exe
Size

6KB
MD5

d2b6ec246c1627c4eff844ec15de05b2
SHA1

252ed9f325c178cc4e054fbbad59b68e27728439
SHA256

502f5ca3567e3c23c443376a14c0e4e86ec453e37696f12d723aab77e332a46e
SHA512

e6c07de510ffc22447fd76b77c41631a6d060c3b2d4971ef8cd92260c9f69842b8e621bb7c28a29ebf3960bf61e26c6b3107b97eebcdb738b1bdb853c913d2ac
SSDEEP

48:6N/UH4k/Hlw2u9h3rlJ4ff1DIMQrYhJp6LOQDhRW4xyiXiiVcqBHfOulVt+hXuFW:Qkq5h334fd44JshRW4hieckRNkuzNt

Score

10^/10

formbook do25 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

do25

Decoy

nickifarina.site

nfptrwge.bar

nobreemporio.com

split-acres.com

sharingservice-act.com

nakedinktees.shop

zhensheng1988.com

ipiton.com

liftoffdigitalmarketing.com

karen.cool

theprotestantchurch.com

shirhadarr.com

azdtwp.com

comzestdent.com

jnsjh.com

in-heat-cool.com

dfefej.top

tumingchun.com

eisei-shouji.tokyo

sparecreeping.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/3776-296-0x000000000041F160-mapping.dmp	formbook
behavioral1/memory/3776-303-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

502f5ca3567e3c23c443376a14c0e4e86ec453e37696f12d723aab77e332a46e.exe

description	pid	process	target process
PID 2748 set thread context of 3776	2748	502f5ca3567e3c23c443376a14c0e4e86ec453e37696f12d723aab77e332a46e.exe	502f5ca3567e3c23c443376a14c0e4e86ec453e37696f12d723aab77e332a46e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exe502f5ca3567e3c23c443376a14c0e4e86ec453e37696f12d723aab77e332a46e.exe

pid	process
1184	powershell.exe
1184	powershell.exe
1184	powershell.exe
3776	502f5ca3567e3c23c443376a14c0e4e86ec453e37696f12d723aab77e332a46e.exe
3776	502f5ca3567e3c23c443376a14c0e4e86ec453e37696f12d723aab77e332a46e.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

502f5ca3567e3c23c443376a14c0e4e86ec453e37696f12d723aab77e332a46e.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2748	502f5ca3567e3c23c443376a14c0e4e86ec453e37696f12d723aab77e332a46e.exe
Token: SeDebugPrivilege	1184	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

502f5ca3567e3c23c443376a14c0e4e86ec453e37696f12d723aab77e332a46e.exe

description	pid	process	target process
PID 2748 wrote to memory of 1184	2748	502f5ca3567e3c23c443376a14c0e4e86ec453e37696f12d723aab77e332a46e.exe	powershell.exe
PID 2748 wrote to memory of 1184	2748	502f5ca3567e3c23c443376a14c0e4e86ec453e37696f12d723aab77e332a46e.exe	powershell.exe
PID 2748 wrote to memory of 1184	2748	502f5ca3567e3c23c443376a14c0e4e86ec453e37696f12d723aab77e332a46e.exe	powershell.exe
PID 2748 wrote to memory of 3776	2748	502f5ca3567e3c23c443376a14c0e4e86ec453e37696f12d723aab77e332a46e.exe	502f5ca3567e3c23c443376a14c0e4e86ec453e37696f12d723aab77e332a46e.exe
PID 2748 wrote to memory of 3776	2748	502f5ca3567e3c23c443376a14c0e4e86ec453e37696f12d723aab77e332a46e.exe	502f5ca3567e3c23c443376a14c0e4e86ec453e37696f12d723aab77e332a46e.exe
PID 2748 wrote to memory of 3776	2748	502f5ca3567e3c23c443376a14c0e4e86ec453e37696f12d723aab77e332a46e.exe	502f5ca3567e3c23c443376a14c0e4e86ec453e37696f12d723aab77e332a46e.exe
PID 2748 wrote to memory of 3776	2748	502f5ca3567e3c23c443376a14c0e4e86ec453e37696f12d723aab77e332a46e.exe	502f5ca3567e3c23c443376a14c0e4e86ec453e37696f12d723aab77e332a46e.exe
PID 2748 wrote to memory of 3776	2748	502f5ca3567e3c23c443376a14c0e4e86ec453e37696f12d723aab77e332a46e.exe	502f5ca3567e3c23c443376a14c0e4e86ec453e37696f12d723aab77e332a46e.exe
PID 2748 wrote to memory of 3776	2748	502f5ca3567e3c23c443376a14c0e4e86ec453e37696f12d723aab77e332a46e.exe	502f5ca3567e3c23c443376a14c0e4e86ec453e37696f12d723aab77e332a46e.exe

C:\Users\Admin\AppData\Local\Temp\502f5ca3567e3c23c443376a14c0e4e86ec453e37696f12d723aab77e332a46e.exe
"C:\Users\Admin\AppData\Local\Temp\502f5ca3567e3c23c443376a14c0e4e86ec453e37696f12d723aab77e332a46e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2748

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1184

C:\Users\Admin\AppData\Local\Temp\502f5ca3567e3c23c443376a14c0e4e86ec453e37696f12d723aab77e332a46e.exe
C:\Users\Admin\AppData\Local\Temp\502f5ca3567e3c23c443376a14c0e4e86ec453e37696f12d723aab77e332a46e.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3776

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1184-209-0x0000000000000000-mapping.dmp

Download
memory/1184-245-0x0000000007120000-0x0000000007156000-memory.dmp

Filesize
216KB

Download
memory/1184-250-0x0000000007880000-0x0000000007EA8000-memory.dmp

Filesize
6.2MB

Download
memory/1184-269-0x0000000008100000-0x0000000008166000-memory.dmp

Filesize
408KB

Download
memory/1184-270-0x0000000007F20000-0x0000000007F86000-memory.dmp

Filesize
408KB

Download
memory/1184-289-0x0000000009DA0000-0x000000000A418000-memory.dmp

Filesize
6.5MB

Download
memory/1184-290-0x0000000009720000-0x000000000973A000-memory.dmp

Filesize
104KB

Download
memory/1184-278-0x00000000088E0000-0x0000000008956000-memory.dmp

Filesize
472KB

Download
memory/1184-274-0x0000000008A30000-0x0000000008A7B000-memory.dmp

Filesize
300KB

Download
memory/1184-273-0x0000000008170000-0x000000000818C000-memory.dmp

Filesize
112KB

Download
memory/2748-155-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-162-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-127-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-128-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-129-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-130-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-131-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-132-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-133-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-134-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-135-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-137-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-136-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-138-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-139-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-140-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-141-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-142-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-143-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-144-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-145-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-146-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-147-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-148-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-149-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-150-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-151-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-152-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-153-0x0000000000A20000-0x0000000000A28000-memory.dmp

Filesize
32KB

Download
memory/2748-154-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-125-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-156-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-157-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-158-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-159-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-160-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-161-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-126-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-163-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-164-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-165-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-166-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-167-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-168-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-169-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-170-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-171-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-172-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-173-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-174-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-175-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-176-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-177-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-178-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-179-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-180-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-181-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-182-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-183-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-184-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-124-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-123-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-122-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-121-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-120-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2748-192-0x0000000005B60000-0x0000000005D8C000-memory.dmp

Filesize
2.2MB

Download
memory/2748-193-0x0000000005EB0000-0x0000000005F42000-memory.dmp

Filesize
584KB

Download
memory/2748-195-0x0000000005F80000-0x0000000005FA2000-memory.dmp

Filesize
136KB

Download
memory/2748-194-0x0000000006450000-0x000000000694E000-memory.dmp

Filesize
5.0MB

Download
memory/2748-197-0x00000000060C0000-0x0000000006410000-memory.dmp

Filesize
3.3MB

Download
memory/3776-296-0x000000000041F160-mapping.dmp

Download
memory/3776-303-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3776-304-0x0000000001720000-0x0000000001A40000-memory.dmp

Filesize
3.1MB

Download