formbook | ab2af768a15bf36f36de51389f4ee62cb0816779473a53716cee76734bda7538

Analysis

max time kernel
187s
max time network
203s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2022 21:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO KIPO000903 KIND122822.exe
Size

636KB
MD5

3b61d04e555f74f42e22c71a5885ac71
SHA1

9c774e98b87394627d311a552d8bde85d57b327c
SHA256

ab2af768a15bf36f36de51389f4ee62cb0816779473a53716cee76734bda7538
SHA512

f7363fa7857e791e6fd9320fba7c1d3927fd4c0aa6a7935a88ffabd747323f0e93d12a8f3c4be2625606e86c8f612e4271ef9ee41848d3bf2a8bdc4fed328f70
SSDEEP

12288:yucKpbKbf92TXwpL3sMcIobFB5BD8tVvkwkrscPA3QR+:yF4bKOORcIoxBDr1P/

Score

10^/10

formbook d94i rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

d94i

Decoy

drain-pipe-cleaning-74655.com

culligandiiy.com

lknja.shop

salon-atmosfera.ru

steamgeneratorboilers.com

drain-pipe-cleaning-30896.com

dinoton.fun

feed-v.com

aym-brum.co.uk

bxztil.xyz

infinite-transformation.com

caticmicro.com

abrahamgranda.com

cleaninggem.com

hi5279.com

jainsdigitalservices.com

cglsuperset.com

kephatonrx.com

babyhandmold.com

braceelet.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4460-138-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4460-143-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 2 IoCs

Processes:

PO KIPO000903 KIND122822.exePO KIPO000903 KIND122822.exe

description	pid	process	target process
PID 4524 set thread context of 4460	4524	PO KIPO000903 KIND122822.exe	PO KIPO000903 KIND122822.exe
PID 4460 set thread context of 772	4460	PO KIPO000903 KIND122822.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

PO KIPO000903 KIND122822.exe

pid process

4460 PO KIPO000903 KIND122822.exe
4460 PO KIPO000903 KIND122822.exe
4460 PO KIPO000903 KIND122822.exe
4460 PO KIPO000903 KIND122822.exe
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

PO KIPO000903 KIND122822.exe

pid process

4460 PO KIPO000903 KIND122822.exe
4460 PO KIPO000903 KIND122822.exe
4460 PO KIPO000903 KIND122822.exe

pid	process
4460	PO KIPO000903 KIND122822.exe
4460	PO KIPO000903 KIND122822.exe
4460	PO KIPO000903 KIND122822.exe
4460	PO KIPO000903 KIND122822.exe

pid	process
4460	PO KIPO000903 KIND122822.exe
4460	PO KIPO000903 KIND122822.exe
4460	PO KIPO000903 KIND122822.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

PO KIPO000903 KIND122822.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	4460	PO KIPO000903 KIND122822.exe
Token: SeShutdownPrivilege	772	Explorer.EXE
Token: SeCreatePagefilePrivilege	772	Explorer.EXE

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

PO KIPO000903 KIND122822.exeExplorer.EXE

description	pid	process	target process
PID 4524 wrote to memory of 4460	4524	PO KIPO000903 KIND122822.exe	PO KIPO000903 KIND122822.exe
PID 4524 wrote to memory of 4460	4524	PO KIPO000903 KIND122822.exe	PO KIPO000903 KIND122822.exe
PID 4524 wrote to memory of 4460	4524	PO KIPO000903 KIND122822.exe	PO KIPO000903 KIND122822.exe
PID 4524 wrote to memory of 4460	4524	PO KIPO000903 KIND122822.exe	PO KIPO000903 KIND122822.exe
PID 4524 wrote to memory of 4460	4524	PO KIPO000903 KIND122822.exe	PO KIPO000903 KIND122822.exe
PID 4524 wrote to memory of 4460	4524	PO KIPO000903 KIND122822.exe	PO KIPO000903 KIND122822.exe
PID 772 wrote to memory of 3268	772	Explorer.EXE	mstsc.exe
PID 772 wrote to memory of 3268	772	Explorer.EXE	mstsc.exe
PID 772 wrote to memory of 3268	772	Explorer.EXE	mstsc.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:772

C:\Users\Admin\AppData\Local\Temp\PO KIPO000903 KIND122822.exe
"C:\Users\Admin\AppData\Local\Temp\PO KIPO000903 KIND122822.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4524

C:\Users\Admin\AppData\Local\Temp\PO KIPO000903 KIND122822.exe
"C:\Users\Admin\AppData\Local\Temp\PO KIPO000903 KIND122822.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4460

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
2⤵
PID:3268

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/772-142-0x0000000008690000-0x00000000087C7000-memory.dmp

Filesize
1.2MB

Download
memory/3268-144-0x0000000000000000-mapping.dmp

Download
memory/4460-137-0x0000000000000000-mapping.dmp

Download
memory/4460-138-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4460-140-0x00000000018A0000-0x0000000001BEA000-memory.dmp

Filesize
3.3MB

Download
memory/4460-141-0x0000000001860000-0x0000000001874000-memory.dmp

Filesize
80KB

Download
memory/4460-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4524-132-0x0000000000530000-0x00000000005D6000-memory.dmp

Filesize
664KB

Download
memory/4524-133-0x0000000005720000-0x0000000005CC4000-memory.dmp

Filesize
5.6MB

Download
memory/4524-134-0x0000000005250000-0x00000000052E2000-memory.dmp

Filesize
584KB

Download
memory/4524-135-0x0000000005220000-0x000000000522A000-memory.dmp

Filesize
40KB

Download
memory/4524-136-0x0000000000EC0000-0x0000000000F5C000-memory.dmp

Filesize
624KB

Download