formbook | 9a67166c5a81302300022d5fcf029600356460fcf3ce82fa37db08b131a0459f

Analysis

max time kernel
159s
max time network
168s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
05-12-2022 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a67166c5a81302300022d5fcf029600356460fcf3ce82fa37db08b131a0459f.exe
Size

413KB
MD5

a2b43ba6d6a6af9f0fa07cab1a1ffd64
SHA1

0d63ee2545439dff61486e040fb8d921bee79ae3
SHA256

9a67166c5a81302300022d5fcf029600356460fcf3ce82fa37db08b131a0459f
SHA512

2a1105023880ae650ba67f2d657f3c0fe8c1a84c40a5a9ac5303f0c666226c454c40893f79073e816d14d873a3b583803934f9540a9ee7a604318affb1b427bb
SSDEEP

6144:LBnmyK4O/ekC2y6gPWJ6OC4tp8k4Hg2Y5nkjtPPraKFMP4wzSl7dlP7O/9Dj:Q7e6gPPOCm8kSIsPWK2Ptzo7dpy

Score

10^/10

formbook 8rmt rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

8rmt

Decoy

3472cc.com

takecareyourhair.com

kontolajigasd21.xyz

daihaitrinh.net

syncmostlatestinfo-file.info

lovesolutionsastrologist.info

angelapryan.com

rio727casino.com

jjsgagets.com

devyatkina.online

thegoldenbeautyqatar.com

czytaj-unas24live.monster

timepoachers.com

gayxxxporn.site

72308.xyz

kristanolivo.com

hijrahfwd.com

bmfighters.com

alfamx.website

handfulofbabesbows.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2204-221-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2204-242-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/5028-289-0x00000000005C0000-0x00000000005EF000-memory.dmp	formbook
behavioral1/memory/5028-295-0x00000000005C0000-0x00000000005EF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

ycayuhnew.exeycayuhnew.exe

pid process

4932 ycayuhnew.exe
2204 ycayuhnew.exe

pid	process
4932	ycayuhnew.exe
2204	ycayuhnew.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

ycayuhnew.exeycayuhnew.execolorcpl.exe

description	pid	process	target process
PID 4932 set thread context of 2204	4932	ycayuhnew.exe	ycayuhnew.exe
PID 2204 set thread context of 2076	2204	ycayuhnew.exe	Explorer.EXE
PID 2204 set thread context of 2076	2204	ycayuhnew.exe	Explorer.EXE
PID 5028 set thread context of 2076	5028	colorcpl.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 56 IoCs

Processes:

ycayuhnew.execolorcpl.exe

pid	process
2204	ycayuhnew.exe
2204	ycayuhnew.exe
2204	ycayuhnew.exe
2204	ycayuhnew.exe
2204	ycayuhnew.exe
2204	ycayuhnew.exe
5028	colorcpl.exe
5028	colorcpl.exe
5028	colorcpl.exe
5028	colorcpl.exe
5028	colorcpl.exe
5028	colorcpl.exe
5028	colorcpl.exe
5028	colorcpl.exe
5028	colorcpl.exe
5028	colorcpl.exe
5028	colorcpl.exe
5028	colorcpl.exe
5028	colorcpl.exe
5028	colorcpl.exe
5028	colorcpl.exe
5028	colorcpl.exe
5028	colorcpl.exe
5028	colorcpl.exe
5028	colorcpl.exe
5028	colorcpl.exe
5028	colorcpl.exe
5028	colorcpl.exe
5028	colorcpl.exe
5028	colorcpl.exe
5028	colorcpl.exe
5028	colorcpl.exe
5028	colorcpl.exe
5028	colorcpl.exe
5028	colorcpl.exe
5028	colorcpl.exe
5028	colorcpl.exe
5028	colorcpl.exe
5028	colorcpl.exe
5028	colorcpl.exe
5028	colorcpl.exe
5028	colorcpl.exe
5028	colorcpl.exe
5028	colorcpl.exe
5028	colorcpl.exe
5028	colorcpl.exe
5028	colorcpl.exe
5028	colorcpl.exe
5028	colorcpl.exe
5028	colorcpl.exe
5028	colorcpl.exe
5028	colorcpl.exe
5028	colorcpl.exe
5028	colorcpl.exe
5028	colorcpl.exe
5028	colorcpl.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2076 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

ycayuhnew.exeycayuhnew.execolorcpl.exe

pid process

4932 ycayuhnew.exe
2204 ycayuhnew.exe
2204 ycayuhnew.exe
2204 ycayuhnew.exe
2204 ycayuhnew.exe
5028 colorcpl.exe
5028 colorcpl.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ycayuhnew.execolorcpl.exe

description pid process

Token: SeDebugPrivilege 2204 ycayuhnew.exe
Token: SeDebugPrivilege 5028 colorcpl.exe

pid	process
2076	Explorer.EXE

pid	process
4932	ycayuhnew.exe
2204	ycayuhnew.exe
2204	ycayuhnew.exe
2204	ycayuhnew.exe
2204	ycayuhnew.exe
5028	colorcpl.exe
5028	colorcpl.exe

description	pid	process
Token: SeDebugPrivilege	2204	ycayuhnew.exe
Token: SeDebugPrivilege	5028	colorcpl.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

9a67166c5a81302300022d5fcf029600356460fcf3ce82fa37db08b131a0459f.exeycayuhnew.exeExplorer.EXEycayuhnew.execolorcpl.exe

description	pid	process	target process
PID 3732 wrote to memory of 4932	3732	9a67166c5a81302300022d5fcf029600356460fcf3ce82fa37db08b131a0459f.exe	ycayuhnew.exe
PID 3732 wrote to memory of 4932	3732	9a67166c5a81302300022d5fcf029600356460fcf3ce82fa37db08b131a0459f.exe	ycayuhnew.exe
PID 3732 wrote to memory of 4932	3732	9a67166c5a81302300022d5fcf029600356460fcf3ce82fa37db08b131a0459f.exe	ycayuhnew.exe
PID 4932 wrote to memory of 2204	4932	ycayuhnew.exe	ycayuhnew.exe
PID 4932 wrote to memory of 2204	4932	ycayuhnew.exe	ycayuhnew.exe
PID 4932 wrote to memory of 2204	4932	ycayuhnew.exe	ycayuhnew.exe
PID 4932 wrote to memory of 2204	4932	ycayuhnew.exe	ycayuhnew.exe
PID 2076 wrote to memory of 5060	2076	Explorer.EXE	cmmon32.exe
PID 2076 wrote to memory of 5060	2076	Explorer.EXE	cmmon32.exe
PID 2076 wrote to memory of 5060	2076	Explorer.EXE	cmmon32.exe
PID 2204 wrote to memory of 5028	2204	ycayuhnew.exe	colorcpl.exe
PID 2204 wrote to memory of 5028	2204	ycayuhnew.exe	colorcpl.exe
PID 2204 wrote to memory of 5028	2204	ycayuhnew.exe	colorcpl.exe
PID 5028 wrote to memory of 4092	5028	colorcpl.exe	cmd.exe
PID 5028 wrote to memory of 4092	5028	colorcpl.exe	cmd.exe
PID 5028 wrote to memory of 4092	5028	colorcpl.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2076

C:\Users\Admin\AppData\Local\Temp\9a67166c5a81302300022d5fcf029600356460fcf3ce82fa37db08b131a0459f.exe
"C:\Users\Admin\AppData\Local\Temp\9a67166c5a81302300022d5fcf029600356460fcf3ce82fa37db08b131a0459f.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3732

C:\Users\Admin\AppData\Local\Temp\ycayuhnew.exe
"C:\Users\Admin\AppData\Local\Temp\ycayuhnew.exe" C:\Users\Admin\AppData\Local\Temp\rjyyjwcs.j
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4932

C:\Users\Admin\AppData\Local\Temp\ycayuhnew.exe
"C:\Users\Admin\AppData\Local\Temp\ycayuhnew.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
5⤵
PID:5048

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5028

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\ycayuhnew.exe"
6⤵
PID:4092

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
PID:5060

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dxlnbanzq.e
Filesize
185KB

MD5
f6710918e3ecdba55aa451fb1b08742d

SHA1
4ef0c29c55d0d532ceb1a5a324b62ff98d08dd70

SHA256
cc573825aba59339f11629b7fe1ed9adf098e5f12004f441948fe45fcc12a5a7

SHA512
fc35b518211c758cc7f00820a6dd8d5b8543b5e069cb3f837859b98c40027256c11459dfff85dde653a1137cd20c3e5a6bc1cfd3f7b82a094fe94e16d549a4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\rjyyjwcs.j
Filesize
5KB

MD5
45cbfd24b9943772008f524a20e0a56f

SHA1
b4b00712aa448298ed165890245d8c916d2d0f64

SHA256
afef884e713661b15d8639ac7268b667742ebe67b0e031e7d617f2dd2d5813ff

SHA512
4f01cb3c9eb01dcd9e359322605d88e1c0d4b1dde3ecabc594dcb7ab44b6e937880c13cf595cff506df317cb7c928c2d30ebfb3249548ff3832c19a802e07f0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycayuhnew.exe
Filesize
11KB

MD5
d3749f4e6710b8d5beb987f07a5e8580

SHA1
17d39d416576972ecdf7deb2dce4275941497a29

SHA256
edfa8cf65bbe6a0ad70cfc86a451b4ac86d034efc77f4e117151faa48af2d73f

SHA512
6c53523743ddec06f36fe941180c755a3d32c6c6fe85fe15fa7b159ded7d3d32202b6dd4e58f470e567feeac5ab46f3c6cc09a5d57a4b307baf786aa0365c5cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycayuhnew.exe
Filesize
11KB

MD5
d3749f4e6710b8d5beb987f07a5e8580

SHA1
17d39d416576972ecdf7deb2dce4275941497a29

SHA256
edfa8cf65bbe6a0ad70cfc86a451b4ac86d034efc77f4e117151faa48af2d73f

SHA512
6c53523743ddec06f36fe941180c755a3d32c6c6fe85fe15fa7b159ded7d3d32202b6dd4e58f470e567feeac5ab46f3c6cc09a5d57a4b307baf786aa0365c5cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycayuhnew.exe
Filesize
11KB

MD5
d3749f4e6710b8d5beb987f07a5e8580

SHA1
17d39d416576972ecdf7deb2dce4275941497a29

SHA256
edfa8cf65bbe6a0ad70cfc86a451b4ac86d034efc77f4e117151faa48af2d73f

SHA512
6c53523743ddec06f36fe941180c755a3d32c6c6fe85fe15fa7b159ded7d3d32202b6dd4e58f470e567feeac5ab46f3c6cc09a5d57a4b307baf786aa0365c5cd

Download Submit
memory/2076-294-0x0000000004C60000-0x0000000004DA2000-memory.dmp

Filesize
1.3MB

Download
memory/2076-291-0x0000000005E70000-0x0000000005F4D000-memory.dmp

Filesize
884KB

Download
memory/2076-239-0x0000000002640000-0x0000000002717000-memory.dmp

Filesize
860KB

Download
memory/2076-297-0x0000000004C60000-0x0000000004DA2000-memory.dmp

Filesize
1.3MB

Download
memory/2076-241-0x0000000005E70000-0x0000000005F4D000-memory.dmp

Filesize
884KB

Download
memory/2204-240-0x00000000015F0000-0x0000000001783000-memory.dmp

Filesize
1.6MB

Download
memory/2204-242-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2204-243-0x00000000015F0000-0x0000000001783000-memory.dmp

Filesize
1.6MB

Download
memory/2204-238-0x00000000015F0000-0x0000000001783000-memory.dmp

Filesize
1.6MB

Download
memory/2204-222-0x0000000001790000-0x0000000001AB0000-memory.dmp

Filesize
3.1MB

Download
memory/2204-221-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2204-214-0x000000000041F080-mapping.dmp

Download
memory/3732-130-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3732-154-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3732-136-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3732-137-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3732-138-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3732-139-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3732-140-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3732-142-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3732-141-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3732-143-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3732-144-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3732-134-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3732-145-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3732-146-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3732-147-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3732-148-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3732-150-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3732-151-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3732-152-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3732-153-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3732-149-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3732-135-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3732-155-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3732-156-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3732-133-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3732-132-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3732-131-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3732-116-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3732-129-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3732-117-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3732-128-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3732-127-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3732-126-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3732-125-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3732-124-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3732-123-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3732-122-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3732-121-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3732-120-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3732-119-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/3732-118-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/4092-282-0x0000000000000000-mapping.dmp

Download
memory/4932-160-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/4932-169-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/4932-173-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/4932-178-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/4932-179-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/4932-180-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/4932-182-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/4932-181-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/4932-176-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/4932-175-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/4932-174-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/4932-164-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/4932-172-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/4932-171-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/4932-170-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/4932-177-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/4932-168-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/4932-167-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/4932-166-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/4932-163-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/4932-157-0x0000000000000000-mapping.dmp

Download
memory/4932-161-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/4932-159-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/4932-162-0x0000000077C90000-0x0000000077E1E000-memory.dmp

Filesize
1.6MB

Download
memory/5028-290-0x00000000047D0000-0x0000000004AF0000-memory.dmp

Filesize
3.1MB

Download
memory/5028-288-0x0000000000A10000-0x0000000000A29000-memory.dmp

Filesize
100KB

Download
memory/5028-293-0x0000000004630000-0x00000000047C9000-memory.dmp

Filesize
1.6MB

Download
memory/5028-289-0x00000000005C0000-0x00000000005EF000-memory.dmp

Filesize
188KB

Download
memory/5028-295-0x00000000005C0000-0x00000000005EF000-memory.dmp

Filesize
188KB

Download
memory/5028-296-0x0000000004630000-0x00000000047C9000-memory.dmp

Filesize
1.6MB

Download
memory/5028-244-0x0000000000000000-mapping.dmp

Download