formbook | 26434fabc4eae6db7c246b4dfbd2f9153f15024c29f4d2350e91183c4fc64293

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2022 10:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DUE PAY.exe
Size

449KB
MD5

194874f2b4133a202568b640967e6e37
SHA1

af9378a9a173d46b099305653d9606a6503c4f5e
SHA256

26434fabc4eae6db7c246b4dfbd2f9153f15024c29f4d2350e91183c4fc64293
SHA512

ee03a017a4f008cd9429b3aaeb67fd84a92cdb2a560e186e7b92193f3ec2871eec1ae515c8c1201dd0c8d37310f908c4452319eab48da3810fd91e0e9b5e8cfb
SSDEEP

12288:y9qlqw40eerkszUlfEHol7wSUVQpa5HGIl:gql95ewksIqIvYKa5HGu

Score

10^/10

formbook vwc9 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

vwc9

Decoy

pLjMtZTmuvLDXV4=

iENWNhKVPRzYDQq4Pmlm

H1YAUssvvLhmmxpDTg==

oqvSpIpvoo0sNVE=

66bBokqaVC4XsLUW4Mhu

RURVG9EIxXETEsazT/Hgzw==

CMgRC53FjBhJ

5IJKxmGnWZA+b2CKOx6ddChogl8=

NM/MXgc6pylgwH6ssRgCXyhogl8=

rsQB00iulp0WQEY=

zgKE25H+rCAxoVieoNVu

xPVZTso09oMrsGiD

ihTBLxl7B4i0Bwq4Pmlm

q0IcfPZP2dbymxpDTg==

rFbwTgdhK9z2KydgVog6uQqQ+7Ee2g==

qKb0/bYHu2359OMhF21Wqq6WL41B

ygBgFPMlo6RdmxpDTg==

NF1zQfdkC/4PWBYoQJpbIy5e

1/1QMM0x0GAbZhkS8GZqXu91CnPXnPoC

5v5NJMIoFNKQkA==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

DUE PAY.exeCasPol.exemstsc.exe

description	pid	process	target process
PID 1712 set thread context of 1096	1712	DUE PAY.exe	CasPol.exe
PID 1096 set thread context of 3004	1096	CasPol.exe	Explorer.EXE
PID 2916 set thread context of 3004	2916	mstsc.exe	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

mstsc.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	mstsc.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

CasPol.exemstsc.exe

pid	process
1096	CasPol.exe
1096	CasPol.exe
1096	CasPol.exe
1096	CasPol.exe
1096	CasPol.exe
1096	CasPol.exe
1096	CasPol.exe
1096	CasPol.exe
2916	mstsc.exe
2916	mstsc.exe
2916	mstsc.exe
2916	mstsc.exe
2916	mstsc.exe
2916	mstsc.exe
2916	mstsc.exe
2916	mstsc.exe
2916	mstsc.exe
2916	mstsc.exe
2916	mstsc.exe
2916	mstsc.exe
2916	mstsc.exe
2916	mstsc.exe
2916	mstsc.exe
2916	mstsc.exe
2916	mstsc.exe
2916	mstsc.exe
2916	mstsc.exe
2916	mstsc.exe
2916	mstsc.exe
2916	mstsc.exe
2916	mstsc.exe
2916	mstsc.exe
2916	mstsc.exe
2916	mstsc.exe
2916	mstsc.exe
2916	mstsc.exe
2916	mstsc.exe
2916	mstsc.exe
2916	mstsc.exe
2916	mstsc.exe
2916	mstsc.exe
2916	mstsc.exe
2916	mstsc.exe
2916	mstsc.exe
2916	mstsc.exe
2916	mstsc.exe
2916	mstsc.exe
2916	mstsc.exe
2916	mstsc.exe
2916	mstsc.exe
2916	mstsc.exe
2916	mstsc.exe
2916	mstsc.exe
2916	mstsc.exe
2916	mstsc.exe
2916	mstsc.exe
2916	mstsc.exe
2916	mstsc.exe
2916	mstsc.exe
2916	mstsc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3004 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

CasPol.exemstsc.exe

pid process

1096 CasPol.exe
1096 CasPol.exe
1096 CasPol.exe
2916 mstsc.exe
2916 mstsc.exe
2916 mstsc.exe
2916 mstsc.exe

pid	process
3004	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

DUE PAY.exeCasPol.exemstsc.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1712	DUE PAY.exe
Token: SeDebugPrivilege	1096	CasPol.exe
Token: SeDebugPrivilege	2916	mstsc.exe
Token: SeShutdownPrivilege	3004	Explorer.EXE
Token: SeCreatePagefilePrivilege	3004	Explorer.EXE
Token: SeShutdownPrivilege	3004	Explorer.EXE
Token: SeCreatePagefilePrivilege	3004	Explorer.EXE
Token: SeShutdownPrivilege	3004	Explorer.EXE
Token: SeCreatePagefilePrivilege	3004	Explorer.EXE
Token: SeShutdownPrivilege	3004	Explorer.EXE
Token: SeCreatePagefilePrivilege	3004	Explorer.EXE
Token: SeShutdownPrivilege	3004	Explorer.EXE
Token: SeCreatePagefilePrivilege	3004	Explorer.EXE
Token: SeShutdownPrivilege	3004	Explorer.EXE
Token: SeCreatePagefilePrivilege	3004	Explorer.EXE
Token: SeShutdownPrivilege	3004	Explorer.EXE
Token: SeCreatePagefilePrivilege	3004	Explorer.EXE
Token: SeShutdownPrivilege	3004	Explorer.EXE
Token: SeCreatePagefilePrivilege	3004	Explorer.EXE
Token: SeShutdownPrivilege	3004	Explorer.EXE
Token: SeCreatePagefilePrivilege	3004	Explorer.EXE
Token: SeShutdownPrivilege	3004	Explorer.EXE
Token: SeCreatePagefilePrivilege	3004	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

DUE PAY.exeExplorer.EXEmstsc.exe

description	pid	process	target process
PID 1712 wrote to memory of 1096	1712	DUE PAY.exe	CasPol.exe
PID 1712 wrote to memory of 1096	1712	DUE PAY.exe	CasPol.exe
PID 1712 wrote to memory of 1096	1712	DUE PAY.exe	CasPol.exe
PID 1712 wrote to memory of 1096	1712	DUE PAY.exe	CasPol.exe
PID 1712 wrote to memory of 1096	1712	DUE PAY.exe	CasPol.exe
PID 1712 wrote to memory of 1096	1712	DUE PAY.exe	CasPol.exe
PID 3004 wrote to memory of 2916	3004	Explorer.EXE	mstsc.exe
PID 3004 wrote to memory of 2916	3004	Explorer.EXE	mstsc.exe
PID 3004 wrote to memory of 2916	3004	Explorer.EXE	mstsc.exe
PID 2916 wrote to memory of 3316	2916	mstsc.exe	Firefox.exe
PID 2916 wrote to memory of 3316	2916	mstsc.exe	Firefox.exe
PID 2916 wrote to memory of 3316	2916	mstsc.exe	Firefox.exe

C:\Users\Admin\AppData\Local\Temp\DUE PAY.exe
"C:\Users\Admin\AppData\Local\Temp\DUE PAY.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1096

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3004

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1092

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:3992

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2916

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:3316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1096-146-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1096-141-0x0000000001460000-0x00000000017AA000-memory.dmp

Filesize
3.3MB

Download
memory/1096-145-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1096-139-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1096-134-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1096-142-0x0000000001150000-0x0000000001160000-memory.dmp

Filesize
64KB

Download
memory/1096-135-0x00000000004012B0-mapping.dmp

Download
memory/1096-138-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1712-132-0x000001F2B97F0000-0x000001F2B9864000-memory.dmp

Filesize
464KB

Download
memory/1712-133-0x00007FFE943A0000-0x00007FFE94E61000-memory.dmp

Filesize
10.8MB

Download
memory/1712-137-0x00007FFE943A0000-0x00007FFE94E61000-memory.dmp

Filesize
10.8MB

Download
memory/2916-144-0x0000000000000000-mapping.dmp

Download
memory/2916-152-0x00000000004A0000-0x00000000004CD000-memory.dmp

Filesize
180KB

Download
memory/2916-147-0x0000000000BD0000-0x0000000000D0A000-memory.dmp

Filesize
1.2MB

Download
memory/2916-148-0x00000000004A0000-0x00000000004CD000-memory.dmp

Filesize
180KB

Download
memory/2916-149-0x0000000002610000-0x000000000295A000-memory.dmp

Filesize
3.3MB

Download
memory/2916-150-0x00000000023A0000-0x000000000242F000-memory.dmp

Filesize
572KB

Download
memory/3004-190-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-200-0x0000000002810000-0x0000000002820000-memory.dmp

Filesize
64KB

Download
memory/3004-153-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-154-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-155-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-156-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-157-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-158-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-159-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-160-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-163-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-162-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-164-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-161-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-165-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-166-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-167-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-168-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-169-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-170-0x0000000007BD0000-0x0000000007BE0000-memory.dmp

Filesize
64KB

Download
memory/3004-171-0x0000000007C00000-0x0000000007C10000-memory.dmp

Filesize
64KB

Download
memory/3004-172-0x0000000007C00000-0x0000000007C10000-memory.dmp

Filesize
64KB

Download
memory/3004-173-0x0000000002850000-0x0000000002944000-memory.dmp

Filesize
976KB

Download
memory/3004-174-0x0000000007C00000-0x0000000007C10000-memory.dmp

Filesize
64KB

Download
memory/3004-175-0x0000000007C00000-0x0000000007C10000-memory.dmp

Filesize
64KB

Download
memory/3004-176-0x0000000007C00000-0x0000000007C10000-memory.dmp

Filesize
64KB

Download
memory/3004-177-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-178-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-179-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-180-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-181-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-182-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-183-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-185-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-184-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-186-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-187-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-188-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-189-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-143-0x0000000007970000-0x0000000007AC3000-memory.dmp

Filesize
1.3MB

Download
memory/3004-191-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-192-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-193-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-194-0x0000000002810000-0x0000000002820000-memory.dmp

Filesize
64KB

Download
memory/3004-196-0x0000000002810000-0x0000000002820000-memory.dmp

Filesize
64KB

Download
memory/3004-195-0x0000000002810000-0x0000000002820000-memory.dmp

Filesize
64KB

Download
memory/3004-197-0x0000000002810000-0x0000000002820000-memory.dmp

Filesize
64KB

Download
memory/3004-198-0x0000000002810000-0x0000000002820000-memory.dmp

Filesize
64KB

Download
memory/3004-199-0x0000000002810000-0x0000000002820000-memory.dmp

Filesize
64KB

Download
memory/3004-151-0x0000000002850000-0x0000000002944000-memory.dmp

Filesize
976KB

Download
memory/3004-201-0x0000000002810000-0x0000000002820000-memory.dmp

Filesize
64KB

Download
memory/3004-202-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-203-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-204-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-206-0x0000000007250000-0x0000000007260000-memory.dmp

Filesize
64KB

Download
memory/3004-208-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-207-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-205-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-209-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-210-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-211-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-212-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-213-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-214-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-215-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-216-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-218-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-217-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-219-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-220-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-221-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-222-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/3004-223-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/3004-224-0x0000000007250000-0x0000000007260000-memory.dmp

Filesize
64KB

Download
memory/3004-225-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/3004-226-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/3004-227-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/3004-228-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-229-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-233-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-232-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-231-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-230-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-234-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-235-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-236-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-237-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-239-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-238-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-240-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-244-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-245-0x0000000000930000-0x0000000000940000-memory.dmp

Filesize
64KB

Download
memory/3004-246-0x0000000000930000-0x0000000000940000-memory.dmp

Filesize
64KB

Download
memory/3004-247-0x0000000000930000-0x0000000000940000-memory.dmp

Filesize
64KB

Download
memory/3004-248-0x0000000000930000-0x0000000000940000-memory.dmp

Filesize
64KB

Download
memory/3004-265-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-266-0x0000000007AD0000-0x0000000007AE0000-memory.dmp

Filesize
64KB

Download
memory/3004-267-0x0000000007B60000-0x0000000007B70000-memory.dmp

Filesize
64KB

Download