formbook | 267cdbd24ba0c232c80967c7c39f454db0e59b6943836750a5cfbaf2540768d8

Analysis

max time kernel
149s
max time network
157s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
30-11-2022 17:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

267cdbd24ba0c232c80967c7c39f454db0e59b6943836750a5cfbaf2540768d8.exe
Size

381KB
MD5

bc0d9c5250c435e2b08aad396db5fbea
SHA1

8ef94d5400b6d10fa683ca6bad7efd19ef2282c3
SHA256

267cdbd24ba0c232c80967c7c39f454db0e59b6943836750a5cfbaf2540768d8
SHA512

70f75fa30063fdd3b0452e4d0b2936d27de2bfa3c7c5430bb96e532229211ffab167dcf32cfb552463c075b12f01427132c207f530026df710cd4e72174c6269
SSDEEP

6144:bDsrpmOp5fjFopppppppp4a5pppppppppppppppppppppppppppppppppppppppQ:bDsdRBGpppppppp/ppppppppppppppp

Score

10^/10

formbook mi persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

Decoy

deliris.net

tqcsi-yaran.com

sgrejg.info

vertical-boiler.com

10-56milanstreetmentone.com

electricoslaheroica.com

bombergersarchive.com

177vno.info

hydbad.com

amazonsignage.com

marcelkulhanek.com

purebeautyorganic.com

icerinkcoffee.com

hengshuiyafeng.com

improvereligion.com

hydroponics-aeroponics.com

botmatridee.com

summerfieldalignment.com

xeroaccountantmelbourne.net

babelgrim.net

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/848-66-0x0000000000750000-0x000000000077A000-memory.dmp	formbook
behavioral1/memory/584-71-0x000000000041B670-mapping.dmp	formbook
behavioral1/memory/584-78-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral1/memory/1452-81-0x0000000000080000-0x00000000000AA000-memory.dmp	formbook
behavioral1/memory/1452-85-0x0000000000080000-0x00000000000AA000-memory.dmp	formbook

Executes dropped EXE 1 IoCs

Processes:

mscbc.exe

pid process

1884 mscbc.exe

pid	process
1884	mscbc.exe

Drops startup file 1 IoCs

Processes:

267cdbd24ba0c232c80967c7c39f454db0e59b6943836750a5cfbaf2540768d8.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.url	267cdbd24ba0c232c80967c7c39f454db0e59b6943836750a5cfbaf2540768d8.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

chkdsk.exe

description	ioc	process
Key created	\Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	chkdsk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\K6XPDX807VW = "C:\\Program Files (x86)\\Altatq\\mscbc.exe"	chkdsk.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

267cdbd24ba0c232c80967c7c39f454db0e59b6943836750a5cfbaf2540768d8.exevbc.exechkdsk.exe

description	pid	process	target process
PID 848 set thread context of 584	848	267cdbd24ba0c232c80967c7c39f454db0e59b6943836750a5cfbaf2540768d8.exe	vbc.exe
PID 584 set thread context of 1272	584	vbc.exe	Explorer.EXE
PID 1452 set thread context of 1272	1452	chkdsk.exe	Explorer.EXE

Drops file in Program Files directory 2 IoCs

Processes:

Explorer.EXEchkdsk.exe

description	ioc	process
File created	C:\Program Files (x86)\Altatq\mscbc.exe	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Altatq\mscbc.exe	chkdsk.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

chkdsk.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier chkdsk.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

chkdsk.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	chkdsk.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

267cdbd24ba0c232c80967c7c39f454db0e59b6943836750a5cfbaf2540768d8.exevbc.exechkdsk.exe

pid	process
848	267cdbd24ba0c232c80967c7c39f454db0e59b6943836750a5cfbaf2540768d8.exe
848	267cdbd24ba0c232c80967c7c39f454db0e59b6943836750a5cfbaf2540768d8.exe
584	vbc.exe
584	vbc.exe
1452	chkdsk.exe
1452	chkdsk.exe
1452	chkdsk.exe
1452	chkdsk.exe
1452	chkdsk.exe
1452	chkdsk.exe
1452	chkdsk.exe
1452	chkdsk.exe
1452	chkdsk.exe
1452	chkdsk.exe
1452	chkdsk.exe
1452	chkdsk.exe
1452	chkdsk.exe
1452	chkdsk.exe
1452	chkdsk.exe
1452	chkdsk.exe
1452	chkdsk.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1272 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

vbc.exechkdsk.exe

pid process

584 vbc.exe
584 vbc.exe
584 vbc.exe
1452 chkdsk.exe
1452 chkdsk.exe

pid	process
1272	Explorer.EXE

pid	process
584	vbc.exe
584	vbc.exe
584	vbc.exe
1452	chkdsk.exe
1452	chkdsk.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

267cdbd24ba0c232c80967c7c39f454db0e59b6943836750a5cfbaf2540768d8.exevbc.exechkdsk.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	848	267cdbd24ba0c232c80967c7c39f454db0e59b6943836750a5cfbaf2540768d8.exe
Token: SeDebugPrivilege	584	vbc.exe
Token: SeDebugPrivilege	1452	chkdsk.exe
Token: SeShutdownPrivilege	1272	Explorer.EXE
Token: SeShutdownPrivilege	1272	Explorer.EXE
Token: SeShutdownPrivilege	1272	Explorer.EXE
Token: SeShutdownPrivilege	1272	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1272 Explorer.EXE
1272 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1272 Explorer.EXE
1272 Explorer.EXE

pid	process
1272	Explorer.EXE
1272	Explorer.EXE

pid	process
1272	Explorer.EXE
1272	Explorer.EXE

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

267cdbd24ba0c232c80967c7c39f454db0e59b6943836750a5cfbaf2540768d8.execsc.exeExplorer.EXEchkdsk.exe

description	pid	process	target process
PID 848 wrote to memory of 1712	848	267cdbd24ba0c232c80967c7c39f454db0e59b6943836750a5cfbaf2540768d8.exe	csc.exe
PID 848 wrote to memory of 1712	848	267cdbd24ba0c232c80967c7c39f454db0e59b6943836750a5cfbaf2540768d8.exe	csc.exe
PID 848 wrote to memory of 1712	848	267cdbd24ba0c232c80967c7c39f454db0e59b6943836750a5cfbaf2540768d8.exe	csc.exe
PID 848 wrote to memory of 1712	848	267cdbd24ba0c232c80967c7c39f454db0e59b6943836750a5cfbaf2540768d8.exe	csc.exe
PID 1712 wrote to memory of 1168	1712	csc.exe	cvtres.exe
PID 1712 wrote to memory of 1168	1712	csc.exe	cvtres.exe
PID 1712 wrote to memory of 1168	1712	csc.exe	cvtres.exe
PID 1712 wrote to memory of 1168	1712	csc.exe	cvtres.exe
PID 848 wrote to memory of 584	848	267cdbd24ba0c232c80967c7c39f454db0e59b6943836750a5cfbaf2540768d8.exe	vbc.exe
PID 848 wrote to memory of 584	848	267cdbd24ba0c232c80967c7c39f454db0e59b6943836750a5cfbaf2540768d8.exe	vbc.exe
PID 848 wrote to memory of 584	848	267cdbd24ba0c232c80967c7c39f454db0e59b6943836750a5cfbaf2540768d8.exe	vbc.exe
PID 848 wrote to memory of 584	848	267cdbd24ba0c232c80967c7c39f454db0e59b6943836750a5cfbaf2540768d8.exe	vbc.exe
PID 848 wrote to memory of 584	848	267cdbd24ba0c232c80967c7c39f454db0e59b6943836750a5cfbaf2540768d8.exe	vbc.exe
PID 848 wrote to memory of 584	848	267cdbd24ba0c232c80967c7c39f454db0e59b6943836750a5cfbaf2540768d8.exe	vbc.exe
PID 848 wrote to memory of 584	848	267cdbd24ba0c232c80967c7c39f454db0e59b6943836750a5cfbaf2540768d8.exe	vbc.exe
PID 1272 wrote to memory of 1452	1272	Explorer.EXE	chkdsk.exe
PID 1272 wrote to memory of 1452	1272	Explorer.EXE	chkdsk.exe
PID 1272 wrote to memory of 1452	1272	Explorer.EXE	chkdsk.exe
PID 1272 wrote to memory of 1452	1272	Explorer.EXE	chkdsk.exe
PID 1452 wrote to memory of 1500	1452	chkdsk.exe	cmd.exe
PID 1452 wrote to memory of 1500	1452	chkdsk.exe	cmd.exe
PID 1452 wrote to memory of 1500	1452	chkdsk.exe	cmd.exe
PID 1452 wrote to memory of 1500	1452	chkdsk.exe	cmd.exe
PID 1272 wrote to memory of 1884	1272	Explorer.EXE	mscbc.exe
PID 1272 wrote to memory of 1884	1272	Explorer.EXE	mscbc.exe
PID 1272 wrote to memory of 1884	1272	Explorer.EXE	mscbc.exe
PID 1272 wrote to memory of 1884	1272	Explorer.EXE	mscbc.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Users\Admin\AppData\Local\Temp\267cdbd24ba0c232c80967c7c39f454db0e59b6943836750a5cfbaf2540768d8.exe
  "C:\Users\Admin\AppData\Local\Temp\267cdbd24ba0c232c80967c7c39f454db0e59b6943836750a5cfbaf2540768d8.exe"
  2⤵
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\t5ojh40j\t5ojh40j.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2369.tmp" "c:\Users\Admin\AppData\Local\Temp\t5ojh40j\CSC8E65E8A940AF4A2D9C4B4E83DCF2B4A2.TMP"
      4⤵
      PID:1168
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:584
- C:\Windows\SysWOW64\chkdsk.exe
  "C:\Windows\SysWOW64\chkdsk.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1452
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    3⤵
    PID:1500
- C:\Program Files (x86)\Altatq\mscbc.exe
  "C:\Program Files (x86)\Altatq\mscbc.exe"
  2⤵
  - Executes dropped EXE
  PID:1884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Altatq\mscbc.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
C:\Program Files (x86)\Altatq\mscbc.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2369.tmp

Filesize
1KB

MD5
652d3d0e082b244bea6aefc680aac615

SHA1
a6da1a3d28cc9b88846d8c244fce79000d52c38a

SHA256
b8b06ec6cea189ed12967949be22ab0586bc542ad98ad4ec4f84499dd8fd36c5

SHA512
59d50fea73d58a48a8f1cdb0e085bcaa27dbc0a855d2d42369d6857bbd8cdd48622bde5e311933b73f564c9ce6afc12f9f88894a182f6b92e5c1e58fe23230fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\t5ojh40j\t5ojh40j.dll

Filesize
14KB

MD5
7d50eee9a05021e1cb8e422e3a20c6f4

SHA1
b43606adc425eee47ae9e9766bf211f3c268ca44

SHA256
6670b31e4e32c325fa259a133a5cc1e93590f41b8881603fdc19e55a717dcced

SHA512
1e9d8a7b3814eed10808a68b5278d10452d4000adc979b8b6b716127e96f6666a9b95fa22bd38e8d4967ef1b20033d6d27026b469e98a3e982e848d49f031922

Download Submit
C:\Users\Admin\AppData\Local\Temp\t5ojh40j\t5ojh40j.pdb

Filesize
49KB

MD5
98f219f5d12240dadb657e2a1a7831e3

SHA1
5f31900c3d69371028991c8f5a58d156f8cffd79

SHA256
3552eff842851a62fc24e4784c133e9e01ab5a9b61b71ec856d0fa32ebbf55e9

SHA512
5b02950ab1ed65ffa2e81ddce034474b76d0e91b1d2290af2b88de6c87d27160f295a9db0810d782b26ad75f6b67a3b82b51607e9f74ae10ad6d8a8b246b8f5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.url

Filesize
117B

MD5
aaa2d3064ed00c9e6a22d7d52977833c

SHA1
07e2bd798ba4c9efee59030886451ed1ea957e61

SHA256
4783e428ab0a625aee2544be9ccd05479875e4c39021703dd8716e31c5787dd8

SHA512
234627a9da1cce1e47eedfb7842ff690da1b67144d02c65772020f09a6402bec11b5838b5c177248e22ef48cb2885a8241ac5f4827eea615d8a460cc0205a67d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\t5ojh40j\CSC8E65E8A940AF4A2D9C4B4E83DCF2B4A2.TMP

Filesize
1KB

MD5
7b3060f791f5664ea48ce59ac282fab1

SHA1
12cb84e26f920e253f9b3613b3b39c14c8b24145

SHA256
36257a58163a32139e065dcc7c9af51ff3cffdfd3da1750cbb0eec672013ddc0

SHA512
7bff714c9564d4253946633d58e3947965cdd2f7ef4f7d907c142bde65db12cae5996c69c10ca028e3dec7a79a51e49956d0be8372e1cddf6f99e4447636c73f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\t5ojh40j\t5ojh40j.0.cs

Filesize
26KB

MD5
034b7ff6021dabbe765304758ae537dc

SHA1
42c9be44efa31bd97e496df6b3dd051f7f735e5e

SHA256
ed8359eec525cd11d29b30119d345617a26e10eb6034f048d8bf7f71863a5b78

SHA512
1e792efa914b27a1102f658ef0394963c61a00b068e9024b8543eb9d68363124bf063e71cc0365977e43fb360e8b9d252ce560bb8c62f7185d1340da01b33693

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\t5ojh40j\t5ojh40j.cmdline

Filesize
248B

MD5
7065d06676d31a2d85a3867aeb67c760

SHA1
b1ee5848e6ff0813d13f8e3e676a8326bd1d607b

SHA256
612c01de1f4fa5d1a2944d6e1666567de8a737c88e7ba031f8d7a9dc73e2a2b8

SHA512
25f4601ddc75471059b8d133d45b4d968a511a89267cfd06e2c597733c1165438ba36fb68eeeaaaf4b04c96113e362d0acb1b6b5760ea1734df0ac56f739272a

Download Submit
memory/584-71-0x000000000041B670-mapping.dmp

Download
memory/584-78-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/584-75-0x00000000002D0000-0x00000000002E4000-memory.dmp

Filesize
80KB

Download
memory/584-74-0x0000000000770000-0x0000000000A73000-memory.dmp

Filesize
3.0MB

Download
memory/584-67-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/584-68-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/848-63-0x0000000000250000-0x000000000025A000-memory.dmp

Filesize
40KB

Download
memory/848-54-0x0000000000340000-0x00000000003A6000-memory.dmp

Filesize
408KB

Download
memory/848-66-0x0000000000750000-0x000000000077A000-memory.dmp

Filesize
168KB

Download
memory/848-65-0x00000000003B0000-0x00000000003BC000-memory.dmp

Filesize
48KB

Download
memory/848-64-0x00000000005A0000-0x00000000005DA000-memory.dmp

Filesize
232KB

Download
memory/1168-58-0x0000000000000000-mapping.dmp

Download
memory/1272-84-0x0000000007360000-0x00000000074A8000-memory.dmp

Filesize
1.3MB

Download
memory/1272-86-0x0000000007360000-0x00000000074A8000-memory.dmp

Filesize
1.3MB

Download
memory/1272-76-0x0000000006E10000-0x0000000006F67000-memory.dmp

Filesize
1.3MB

Download
memory/1452-80-0x0000000000800000-0x0000000000807000-memory.dmp

Filesize
28KB

Download
memory/1452-81-0x0000000000080000-0x00000000000AA000-memory.dmp

Filesize
168KB

Download
memory/1452-82-0x0000000001FE0000-0x00000000022E3000-memory.dmp

Filesize
3.0MB

Download
memory/1452-83-0x00000000022F0000-0x0000000002383000-memory.dmp

Filesize
588KB

Download
memory/1452-77-0x0000000000000000-mapping.dmp

Download
memory/1452-85-0x0000000000080000-0x00000000000AA000-memory.dmp

Filesize
168KB

Download
memory/1452-87-0x00000000766F1000-0x00000000766F3000-memory.dmp

Filesize
8KB

Download
memory/1500-79-0x0000000000000000-mapping.dmp

Download
memory/1712-55-0x0000000000000000-mapping.dmp

Download
memory/1884-88-0x0000000000000000-mapping.dmp

Download