formbook | 4b2e593addbb89b981e8b3d9ead6cb2bbafd646a620942803c268aeb51a6f773

Analysis

max time kernel
64s
max time network
135s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
30-11-2022 17:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b2e593addbb89b981e8b3d9ead6cb2bbafd646a620942803c268aeb51a6f773.exe
Size

976KB
MD5

72d3cb6dec38a72bb9996cf50f9ca152
SHA1

fc0094507beca86633a2ff012a91d9e54a058c0d
SHA256

4b2e593addbb89b981e8b3d9ead6cb2bbafd646a620942803c268aeb51a6f773
SHA512

b3f1e45494120de1b50b7497f5ffa9f3ec105fdc3928d6951f8194a5c427d980d03c062d75f068714eb7540715e85aebf33211dafc9b6bdfaa8ac2207ee9214a
SSDEEP

12288:Rt1rtR29DwSwNy6ZgFwg0jPacng2WnAH+QIMYHCoDaMycZ+rfF8hWf:RnxhSwNy6eFGC+jv+QIPHtDocoJf

Score

10^/10

formbook modiloader yko3 persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

yko3

Decoy

marathonpetrolevm.com

starakonoba.com

serenemaldives.com

molinahealthacre.com

tesetturhane.com

szmyjq.com

souiti-stone1.com

lxgnu-jcpm.xyz

outercolitis.life

zebzecim.xyz

dynamic-guard.com

sabzifrosh.com

aimm2.com

ancientroots-healing.com

isp.coffee

selfsolution-session.com

cpcsnesscity.com

wwwcaresact.com

managementskillsdaily.com

oficialforclean.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1380-70-0x0000000004A50000-0x0000000004A7E000-memory.dmp	formbook

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1380-64-0x0000000004500000-0x0000000004549000-memory.dmp	modiloader_stage2

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4b2e593addbb89b981e8b3d9ead6cb2bbafd646a620942803c268aeb51a6f773.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nikij = "C:\\Users\\Public\\Libraries\\jikiN.url"	4b2e593addbb89b981e8b3d9ead6cb2bbafd646a620942803c268aeb51a6f773.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1576 1380 WerFault.exe 4b2e593addbb89b981e8b3d9ead6cb2bbafd646a620942803c268aeb51a6f773.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

4b2e593addbb89b981e8b3d9ead6cb2bbafd646a620942803c268aeb51a6f773.exe

pid process

1380 4b2e593addbb89b981e8b3d9ead6cb2bbafd646a620942803c268aeb51a6f773.exe

pid	pid_target	process	target process
1576	1380	WerFault.exe	4b2e593addbb89b981e8b3d9ead6cb2bbafd646a620942803c268aeb51a6f773.exe

pid	process
1380	4b2e593addbb89b981e8b3d9ead6cb2bbafd646a620942803c268aeb51a6f773.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

4b2e593addbb89b981e8b3d9ead6cb2bbafd646a620942803c268aeb51a6f773.exe

description	pid	process	target process
PID 1380 wrote to memory of 1576	1380	4b2e593addbb89b981e8b3d9ead6cb2bbafd646a620942803c268aeb51a6f773.exe	WerFault.exe
PID 1380 wrote to memory of 1576	1380	4b2e593addbb89b981e8b3d9ead6cb2bbafd646a620942803c268aeb51a6f773.exe	WerFault.exe
PID 1380 wrote to memory of 1576	1380	4b2e593addbb89b981e8b3d9ead6cb2bbafd646a620942803c268aeb51a6f773.exe	WerFault.exe
PID 1380 wrote to memory of 1576	1380	4b2e593addbb89b981e8b3d9ead6cb2bbafd646a620942803c268aeb51a6f773.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\4b2e593addbb89b981e8b3d9ead6cb2bbafd646a620942803c268aeb51a6f773.exe
"C:\Users\Admin\AppData\Local\Temp\4b2e593addbb89b981e8b3d9ead6cb2bbafd646a620942803c268aeb51a6f773.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 1396
2⤵
- Program crash
PID:1576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1380-55-0x0000000000580000-0x000000000059A000-memory.dmp

Filesize
104KB

Download
memory/1380-61-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download
memory/1380-64-0x0000000004500000-0x0000000004549000-memory.dmp

Filesize
292KB

Download
memory/1380-70-0x0000000004A50000-0x0000000004A7E000-memory.dmp

Filesize
184KB

Download
memory/1380-72-0x0000000004D50000-0x0000000005053000-memory.dmp

Filesize
3.0MB

Download
memory/1576-71-0x0000000000000000-mapping.dmp

Download