formbook | 70f32a20f79a7bff35560af814867b770998faf1be40fd3dc04ddab93c45f6e0

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2022 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c25c9877c55e1c43283910d400d91e2c.exe
Size

398KB
MD5

c25c9877c55e1c43283910d400d91e2c
SHA1

e75a014931488473a0f220a81e83742f3afc66b7
SHA256

70f32a20f79a7bff35560af814867b770998faf1be40fd3dc04ddab93c45f6e0
SHA512

77f8ff58fede53e7109796b9bbc200cd78337d6d654b9801e12e1dcf4acf04d8e7127996d1e4d60265334dac348566518cf32a500c57cbe5c5c61ac6f91a1b04
SSDEEP

3072:bEhKzShSycJWiUTh0Mu3F1dMppyaoJWUytFznR/OlAuxY7PWWYa/K4bKKUDFtv09:bBnyFu10YWbFznRWGDFKnKUDFtv0koH

Score

10^/10

formbook wh23 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

wh23

Decoy

ow9vyvfee.com

alvis.one

mutantgobz.claims

plynofon.com

southofkingst.store

nuvidamedspa.com

coffeeforyou56.com

opaletechevents.com

momobar.life

abcmousu.com

learnicd-11.com

tipokin.xyz

kahvezevki.com

suratdimond.com

oldartists.best

infoepic.info

mattresslabo.com

skarlmotors.com

cl9319x.xyz

med49app.net

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4996-139-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4996-144-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4936-146-0x0000000000C00000-0x0000000000C2F000-memory.dmp	formbook
behavioral2/memory/4936-151-0x0000000000C00000-0x0000000000C2F000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

qaiuyqqkou.exeqaiuyqqkou.exe

pid process

2708 qaiuyqqkou.exe
4996 qaiuyqqkou.exe

pid	process
2708	qaiuyqqkou.exe
4996	qaiuyqqkou.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

qaiuyqqkou.exeqaiuyqqkou.exesystray.exe

description	pid	process	target process
PID 2708 set thread context of 4996	2708	qaiuyqqkou.exe	qaiuyqqkou.exe
PID 4996 set thread context of 2416	4996	qaiuyqqkou.exe	Explorer.EXE
PID 4936 set thread context of 2416	4936	systray.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

qaiuyqqkou.exesystray.exe

pid	process
4996	qaiuyqqkou.exe
4996	qaiuyqqkou.exe
4996	qaiuyqqkou.exe
4996	qaiuyqqkou.exe
4936	systray.exe
4936	systray.exe
4936	systray.exe
4936	systray.exe
4936	systray.exe
4936	systray.exe
4936	systray.exe
4936	systray.exe
4936	systray.exe
4936	systray.exe
4936	systray.exe
4936	systray.exe
4936	systray.exe
4936	systray.exe
4936	systray.exe
4936	systray.exe
4936	systray.exe
4936	systray.exe
4936	systray.exe
4936	systray.exe
4936	systray.exe
4936	systray.exe
4936	systray.exe
4936	systray.exe
4936	systray.exe
4936	systray.exe
4936	systray.exe
4936	systray.exe
4936	systray.exe
4936	systray.exe
4936	systray.exe
4936	systray.exe
4936	systray.exe
4936	systray.exe
4936	systray.exe
4936	systray.exe
4936	systray.exe
4936	systray.exe
4936	systray.exe
4936	systray.exe
4936	systray.exe
4936	systray.exe
4936	systray.exe
4936	systray.exe
4936	systray.exe
4936	systray.exe
4936	systray.exe
4936	systray.exe
4936	systray.exe
4936	systray.exe
4936	systray.exe
4936	systray.exe
4936	systray.exe
4936	systray.exe
4936	systray.exe
4936	systray.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2416 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

qaiuyqqkou.exeqaiuyqqkou.exesystray.exe

pid process

2708 qaiuyqqkou.exe
4996 qaiuyqqkou.exe
4996 qaiuyqqkou.exe
4996 qaiuyqqkou.exe
4936 systray.exe
4936 systray.exe

pid	process
2416	Explorer.EXE

pid	process
2708	qaiuyqqkou.exe
4996	qaiuyqqkou.exe
4996	qaiuyqqkou.exe
4996	qaiuyqqkou.exe
4936	systray.exe
4936	systray.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

qaiuyqqkou.exesystray.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	4996	qaiuyqqkou.exe
Token: SeDebugPrivilege	4936	systray.exe
Token: SeShutdownPrivilege	2416	Explorer.EXE
Token: SeCreatePagefilePrivilege	2416	Explorer.EXE
Token: SeShutdownPrivilege	2416	Explorer.EXE
Token: SeCreatePagefilePrivilege	2416	Explorer.EXE
Token: SeShutdownPrivilege	2416	Explorer.EXE
Token: SeCreatePagefilePrivilege	2416	Explorer.EXE
Token: SeShutdownPrivilege	2416	Explorer.EXE
Token: SeCreatePagefilePrivilege	2416	Explorer.EXE
Token: SeShutdownPrivilege	2416	Explorer.EXE
Token: SeCreatePagefilePrivilege	2416	Explorer.EXE
Token: SeShutdownPrivilege	2416	Explorer.EXE
Token: SeCreatePagefilePrivilege	2416	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

c25c9877c55e1c43283910d400d91e2c.exeqaiuyqqkou.exeExplorer.EXEsystray.exe

description	pid	process	target process
PID 2824 wrote to memory of 2708	2824	c25c9877c55e1c43283910d400d91e2c.exe	qaiuyqqkou.exe
PID 2824 wrote to memory of 2708	2824	c25c9877c55e1c43283910d400d91e2c.exe	qaiuyqqkou.exe
PID 2824 wrote to memory of 2708	2824	c25c9877c55e1c43283910d400d91e2c.exe	qaiuyqqkou.exe
PID 2708 wrote to memory of 4996	2708	qaiuyqqkou.exe	qaiuyqqkou.exe
PID 2708 wrote to memory of 4996	2708	qaiuyqqkou.exe	qaiuyqqkou.exe
PID 2708 wrote to memory of 4996	2708	qaiuyqqkou.exe	qaiuyqqkou.exe
PID 2708 wrote to memory of 4996	2708	qaiuyqqkou.exe	qaiuyqqkou.exe
PID 2416 wrote to memory of 4936	2416	Explorer.EXE	systray.exe
PID 2416 wrote to memory of 4936	2416	Explorer.EXE	systray.exe
PID 2416 wrote to memory of 4936	2416	Explorer.EXE	systray.exe
PID 4936 wrote to memory of 2096	4936	systray.exe	cmd.exe
PID 4936 wrote to memory of 2096	4936	systray.exe	cmd.exe
PID 4936 wrote to memory of 2096	4936	systray.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2416

C:\Users\Admin\AppData\Local\Temp\c25c9877c55e1c43283910d400d91e2c.exe
"C:\Users\Admin\AppData\Local\Temp\c25c9877c55e1c43283910d400d91e2c.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2824

C:\Users\Admin\AppData\Local\Temp\qaiuyqqkou.exe
"C:\Users\Admin\AppData\Local\Temp\qaiuyqqkou.exe" C:\Users\Admin\AppData\Local\Temp\ijarchpuy.du
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2708

C:\Users\Admin\AppData\Local\Temp\qaiuyqqkou.exe
"C:\Users\Admin\AppData\Local\Temp\qaiuyqqkou.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4996

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4936

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\qaiuyqqkou.exe"
3⤵
PID:2096

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ijarchpuy.du
Filesize
5KB

MD5
5cd14824d28319bfcac1b2e3cd8b532d

SHA1
49ed57453b9612e0ece3540b9740f613298a8644

SHA256
ae65f540f6bef4b0723294768991c65f88095de096c9f636ba4c2de7f095c7bf

SHA512
84bdd85fe9e34fcde4ab3abd57d670a7cd2694b160686aac8958c0a00aef066dffaeaa778f8c617431c2af5b4678d292f482a5de81ae33cbfbadce1e930f061b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qaiuyqqkou.exe
Filesize
12KB

MD5
a8c4431de2a0d976a45531402b8bf869

SHA1
21c57e797f9bf60103751b697b5e7323b22bee2d

SHA256
8e66bc3f9bfd964c231514774c1e01e3a05e7506f7d41938f1e49f1780e4c064

SHA512
740a72bb956545da927847a563ddd7cdde39bed50bd678ce2312b2565a9f0eac259c5cb447d860c17bdd7357fcdd8a9634ab68ff07844488b161790004947043

Download Submit
C:\Users\Admin\AppData\Local\Temp\qaiuyqqkou.exe
Filesize
12KB

MD5
a8c4431de2a0d976a45531402b8bf869

SHA1
21c57e797f9bf60103751b697b5e7323b22bee2d

SHA256
8e66bc3f9bfd964c231514774c1e01e3a05e7506f7d41938f1e49f1780e4c064

SHA512
740a72bb956545da927847a563ddd7cdde39bed50bd678ce2312b2565a9f0eac259c5cb447d860c17bdd7357fcdd8a9634ab68ff07844488b161790004947043

Download Submit
C:\Users\Admin\AppData\Local\Temp\qaiuyqqkou.exe
Filesize
12KB

MD5
a8c4431de2a0d976a45531402b8bf869

SHA1
21c57e797f9bf60103751b697b5e7323b22bee2d

SHA256
8e66bc3f9bfd964c231514774c1e01e3a05e7506f7d41938f1e49f1780e4c064

SHA512
740a72bb956545da927847a563ddd7cdde39bed50bd678ce2312b2565a9f0eac259c5cb447d860c17bdd7357fcdd8a9634ab68ff07844488b161790004947043

Download Submit
C:\Users\Admin\AppData\Local\Temp\srumdm.hcb
Filesize
185KB

MD5
e923ffb3d4001485b028c1db73a2ad7d

SHA1
3974f858666c8ca752a93296a299e15e1c8228c8

SHA256
60240106d022b45f07902409a59611dd93c388b982608130194a38d6ee4fcf31

SHA512
0ce9501f722d51471fe648b632f7546770570c919ca314f1253344c83c24365ac39fe9fa93a3fda617725131f3898f7cc0fe5250bcc7e586b7ea6a4f54f96c1f

Download Submit
memory/2096-148-0x0000000000000000-mapping.dmp

Download
memory/2416-176-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2416-168-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2416-221-0x0000000002A50000-0x0000000002A60000-memory.dmp

Filesize
64KB

Download
memory/2416-220-0x0000000002A50000-0x0000000002A60000-memory.dmp

Filesize
64KB

Download
memory/2416-219-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2416-180-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2416-218-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2416-217-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2416-216-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2416-215-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2416-214-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2416-213-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2416-150-0x0000000007C00000-0x0000000007D04000-memory.dmp

Filesize
1.0MB

Download
memory/2416-212-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2416-152-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2416-153-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2416-154-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2416-155-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2416-156-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2416-157-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2416-158-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2416-159-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2416-160-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2416-161-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2416-162-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2416-163-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2416-164-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2416-165-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2416-166-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2416-167-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2416-179-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2416-169-0x0000000002A30000-0x0000000002A40000-memory.dmp

Filesize
64KB

Download
memory/2416-170-0x0000000002A50000-0x0000000002A60000-memory.dmp

Filesize
64KB

Download
memory/2416-171-0x0000000002A50000-0x0000000002A60000-memory.dmp

Filesize
64KB

Download
memory/2416-172-0x0000000007C00000-0x0000000007D04000-memory.dmp

Filesize
1.0MB

Download
memory/2416-173-0x0000000002A50000-0x0000000002A60000-memory.dmp

Filesize
64KB

Download
memory/2416-174-0x0000000002A50000-0x0000000002A60000-memory.dmp

Filesize
64KB

Download
memory/2416-175-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2416-142-0x0000000002960000-0x0000000002A18000-memory.dmp

Filesize
736KB

Download
memory/2416-177-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2416-195-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2416-211-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2416-210-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2416-181-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2416-182-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2416-183-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2416-185-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2416-184-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2416-187-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2416-189-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2416-191-0x0000000002A50000-0x0000000002A60000-memory.dmp

Filesize
64KB

Download
memory/2416-190-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2416-188-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2416-192-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2416-193-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2416-194-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2416-178-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2416-196-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2416-197-0x0000000002A50000-0x0000000002A60000-memory.dmp

Filesize
64KB

Download
memory/2416-198-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2416-199-0x0000000002A50000-0x0000000002A60000-memory.dmp

Filesize
64KB

Download
memory/2416-200-0x0000000002A50000-0x0000000002A60000-memory.dmp

Filesize
64KB

Download
memory/2416-201-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2416-202-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2416-203-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2416-204-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2416-205-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2416-206-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2416-207-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2416-208-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2416-209-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2708-132-0x0000000000000000-mapping.dmp

Download
memory/4936-143-0x0000000000000000-mapping.dmp

Download
memory/4936-151-0x0000000000C00000-0x0000000000C2F000-memory.dmp

Filesize
188KB

Download
memory/4936-149-0x0000000002960000-0x00000000029F3000-memory.dmp

Filesize
588KB

Download
memory/4936-147-0x0000000002B10000-0x0000000002E5A000-memory.dmp

Filesize
3.3MB

Download
memory/4936-146-0x0000000000C00000-0x0000000000C2F000-memory.dmp

Filesize
188KB

Download
memory/4936-145-0x0000000000070000-0x0000000000076000-memory.dmp

Filesize
24KB

Download
memory/4996-141-0x0000000001190000-0x00000000011A4000-memory.dmp

Filesize
80KB

Download
memory/4996-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4996-140-0x0000000001230000-0x000000000157A000-memory.dmp

Filesize
3.3MB

Download
memory/4996-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4996-137-0x0000000000000000-mapping.dmp

Download