formbook | fc0b038b3931bb1d93280890148fb4d4260e8c70a55438109b9255fcd1422e33

Analysis

max time kernel
108s
max time network
112s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
29-11-2022 18:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

504-2022-285E.exe
Size

277KB
MD5

3e77705d1c4d75670cdb6221d07a2562
SHA1

a7c0b6609f1740d02270d7c6f1ee9851a26642c3
SHA256

4ec38c8028003269f3576dba1c4776266a9a8c4d26eb91e2148b1bc1a9994a7c
SHA512

0a4bed3e39f2d753a970336801121dac4891b4956e4c5b93069d407f15191dbcfac0219b399de2aeaa60af298ad4c1803aa9fc8902cdb6985f5e7e08c39e8e19
SSDEEP

6144:vaZ+bfg9FKfw7Jmv+e4uZk7/wA0mBJSrMQNrEA:vaZqgFMv+e4uZlmrXQP

Score

10^/10

formbook ermr rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

ermr

Decoy

ErOK6LFCgNIAlQmH54oaYOL/CN29Z78=

qNSdDhu/PT/1fgafDagiCSZH1SY=

wLpPOAkYS8EABl3pHGc4hNT/Q1sHBrU=

jSxRvptHkeTGl7PT0SEmaZmjqzanuA==

b91oL+2wCcpyhnd6yvF6Pg==

mr81yp1/qqZX

hy7Xsz/PU/LWHMcGL4UYJx9n3A==

KlwrHt1gouPaXaWhoQ==

ng8M320IRJL9Ptw=

8GQbOXuaWxvKnNM=

XndOL7E5sNpVUNty4d/a

rryPBBC8PybYb+2h2MF3FHGL

kEoeyERSVCYO0g==

5/P+SBDby5hO

1fYXc30/h9W7iO17

34X+YKR+wRFE

8ir/X2MlVByh5lQ1ow8=

u9ikm2UMZ7J7hpCYow==

FLI+c3clp1BNDjVAfvC2Dnw=

t21Erq8/r09wAzAJTAH3Ng==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

504-2022-285E.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Control Panel\International\Geo\Nation	504-2022-285E.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

504-2022-285E.exe504-2022-285E.exehelp.exe

description	pid	process	target process
PID 2384 set thread context of 4816	2384	504-2022-285E.exe	504-2022-285E.exe
PID 4816 set thread context of 2576	4816	504-2022-285E.exe	Explorer.EXE
PID 2832 set thread context of 2576	2832	help.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

504-2022-285E.exehelp.exe

pid	process
4816	504-2022-285E.exe
4816	504-2022-285E.exe
4816	504-2022-285E.exe
4816	504-2022-285E.exe
4816	504-2022-285E.exe
4816	504-2022-285E.exe
4816	504-2022-285E.exe
4816	504-2022-285E.exe
2832	help.exe
2832	help.exe
2832	help.exe
2832	help.exe
2832	help.exe
2832	help.exe
2832	help.exe
2832	help.exe
2832	help.exe
2832	help.exe
2832	help.exe
2832	help.exe
2832	help.exe
2832	help.exe
2832	help.exe
2832	help.exe
2832	help.exe
2832	help.exe
2832	help.exe
2832	help.exe
2832	help.exe
2832	help.exe
2832	help.exe
2832	help.exe
2832	help.exe
2832	help.exe
2832	help.exe
2832	help.exe
2832	help.exe
2832	help.exe
2832	help.exe
2832	help.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

504-2022-285E.exehelp.exe

pid process

4816 504-2022-285E.exe
4816 504-2022-285E.exe
4816 504-2022-285E.exe
2832 help.exe
2832 help.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

504-2022-285E.exehelp.exe

description pid process

Token: SeDebugPrivilege 4816 504-2022-285E.exe
Token: SeDebugPrivilege 2832 help.exe

description	pid	process
Token: SeDebugPrivilege	4816	504-2022-285E.exe
Token: SeDebugPrivilege	2832	help.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

504-2022-285E.exeExplorer.EXEhelp.exe

description	pid	process	target process
PID 2384 wrote to memory of 4816	2384	504-2022-285E.exe	504-2022-285E.exe
PID 2384 wrote to memory of 4816	2384	504-2022-285E.exe	504-2022-285E.exe
PID 2384 wrote to memory of 4816	2384	504-2022-285E.exe	504-2022-285E.exe
PID 2384 wrote to memory of 4816	2384	504-2022-285E.exe	504-2022-285E.exe
PID 2384 wrote to memory of 4816	2384	504-2022-285E.exe	504-2022-285E.exe
PID 2384 wrote to memory of 4816	2384	504-2022-285E.exe	504-2022-285E.exe
PID 2576 wrote to memory of 2832	2576	Explorer.EXE	help.exe
PID 2576 wrote to memory of 2832	2576	Explorer.EXE	help.exe
PID 2576 wrote to memory of 2832	2576	Explorer.EXE	help.exe
PID 2832 wrote to memory of 3612	2832	help.exe	cmd.exe
PID 2832 wrote to memory of 3612	2832	help.exe	cmd.exe
PID 2832 wrote to memory of 3612	2832	help.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:2576

C:\Users\Admin\AppData\Local\Temp\504-2022-285E.exe
"C:\Users\Admin\AppData\Local\Temp\504-2022-285E.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2384

C:\Users\Admin\AppData\Local\Temp\504-2022-285E.exe
"C:\Users\Admin\AppData\Local\Temp\504-2022-285E.exe"
3⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4816

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2832

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\504-2022-285E.exe"
3⤵
PID:3612

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2384-160-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-152-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-122-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-123-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-124-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-125-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-126-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-127-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-128-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-129-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-130-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-131-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-132-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-133-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-134-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-162-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-136-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-137-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-138-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-139-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-140-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-141-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-142-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-143-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-144-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-145-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-146-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-147-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-148-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-149-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-150-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-151-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-161-0x00000000048C0000-0x0000000004926000-memory.dmp

Filesize
408KB

Download
memory/2384-153-0x0000000000040000-0x000000000008A000-memory.dmp

Filesize
296KB

Download
memory/2384-154-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-155-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-156-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-157-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-120-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-159-0x0000000004D50000-0x000000000524E000-memory.dmp

Filesize
5.0MB

Download
memory/2384-158-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-121-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-135-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-163-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-164-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-165-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-166-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-167-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-168-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2384-176-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2576-231-0x0000000006720000-0x0000000006824000-memory.dmp

Filesize
1.0MB

Download
memory/2576-228-0x0000000006720000-0x0000000006824000-memory.dmp

Filesize
1.0MB

Download
memory/2576-195-0x00000000031F0000-0x00000000032A2000-memory.dmp

Filesize
712KB

Download
memory/2832-196-0x0000000000000000-mapping.dmp

Download
memory/2832-215-0x0000000000CE0000-0x0000000000CE7000-memory.dmp

Filesize
28KB

Download
memory/2832-230-0x0000000000AD0000-0x0000000000C66000-memory.dmp

Filesize
1.6MB

Download
memory/2832-229-0x0000000000680000-0x00000000006AD000-memory.dmp

Filesize
180KB

Download
memory/2832-227-0x0000000000AD0000-0x0000000000C66000-memory.dmp

Filesize
1.6MB

Download
memory/2832-217-0x0000000002CF0000-0x0000000003010000-memory.dmp

Filesize
3.1MB

Download
memory/2832-216-0x0000000000680000-0x00000000006AD000-memory.dmp

Filesize
180KB

Download
memory/3612-209-0x0000000000000000-mapping.dmp

Download
memory/4816-172-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4816-188-0x0000000001910000-0x0000000001921000-memory.dmp

Filesize
68KB

Download
memory/4816-198-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4816-177-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4816-170-0x0000000000420330-mapping.dmp

Download
memory/4816-181-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4816-183-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4816-186-0x0000000001510000-0x0000000001830000-memory.dmp

Filesize
3.1MB

Download
memory/4816-185-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4816-178-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4816-189-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4816-175-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4816-174-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4816-173-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4816-171-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4816-182-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4816-169-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4816-180-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4816-187-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4816-179-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download