formbook | 9a67166c5a81302300022d5fcf029600356460fcf3ce82fa37db08b131a0459f

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2022 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a67166c5a81302300022d5fcf029600356460fcf3ce82fa37db08b131a0459f.exe
Size

413KB
MD5

a2b43ba6d6a6af9f0fa07cab1a1ffd64
SHA1

0d63ee2545439dff61486e040fb8d921bee79ae3
SHA256

9a67166c5a81302300022d5fcf029600356460fcf3ce82fa37db08b131a0459f
SHA512

2a1105023880ae650ba67f2d657f3c0fe8c1a84c40a5a9ac5303f0c666226c454c40893f79073e816d14d873a3b583803934f9540a9ee7a604318affb1b427bb
SSDEEP

6144:LBnmyK4O/ekC2y6gPWJ6OC4tp8k4Hg2Y5nkjtPPraKFMP4wzSl7dlP7O/9Dj:Q7e6gPPOCm8kSIsPWK2Ptzo7dpy

Score

10^/10

formbook 8rmt rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

8rmt

Decoy

3472cc.com

takecareyourhair.com

kontolajigasd21.xyz

daihaitrinh.net

syncmostlatestinfo-file.info

lovesolutionsastrologist.info

angelapryan.com

rio727casino.com

jjsgagets.com

devyatkina.online

thegoldenbeautyqatar.com

czytaj-unas24live.monster

timepoachers.com

gayxxxporn.site

72308.xyz

kristanolivo.com

hijrahfwd.com

bmfighters.com

alfamx.website

handfulofbabesbows.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4892-139-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4892-144-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4976-147-0x00000000003C0000-0x00000000003EF000-memory.dmp	formbook
behavioral2/memory/4976-151-0x00000000003C0000-0x00000000003EF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

ycayuhnew.exeycayuhnew.exe

pid process

3064 ycayuhnew.exe
4892 ycayuhnew.exe

pid	process
3064	ycayuhnew.exe
4892	ycayuhnew.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

ycayuhnew.exeycayuhnew.exeexplorer.exe

description	pid	process	target process
PID 3064 set thread context of 4892	3064	ycayuhnew.exe	ycayuhnew.exe
PID 4892 set thread context of 2056	4892	ycayuhnew.exe	Explorer.EXE
PID 4976 set thread context of 2056	4976	explorer.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

ycayuhnew.exeexplorer.exe

pid	process
4892	ycayuhnew.exe
4892	ycayuhnew.exe
4892	ycayuhnew.exe
4892	ycayuhnew.exe
4976	explorer.exe
4976	explorer.exe
4976	explorer.exe
4976	explorer.exe
4976	explorer.exe
4976	explorer.exe
4976	explorer.exe
4976	explorer.exe
4976	explorer.exe
4976	explorer.exe
4976	explorer.exe
4976	explorer.exe
4976	explorer.exe
4976	explorer.exe
4976	explorer.exe
4976	explorer.exe
4976	explorer.exe
4976	explorer.exe
4976	explorer.exe
4976	explorer.exe
4976	explorer.exe
4976	explorer.exe
4976	explorer.exe
4976	explorer.exe
4976	explorer.exe
4976	explorer.exe
4976	explorer.exe
4976	explorer.exe
4976	explorer.exe
4976	explorer.exe
4976	explorer.exe
4976	explorer.exe
4976	explorer.exe
4976	explorer.exe
4976	explorer.exe
4976	explorer.exe
4976	explorer.exe
4976	explorer.exe
4976	explorer.exe
4976	explorer.exe
4976	explorer.exe
4976	explorer.exe
4976	explorer.exe
4976	explorer.exe
4976	explorer.exe
4976	explorer.exe
4976	explorer.exe
4976	explorer.exe
4976	explorer.exe
4976	explorer.exe
4976	explorer.exe
4976	explorer.exe
4976	explorer.exe
4976	explorer.exe
4976	explorer.exe
4976	explorer.exe
4976	explorer.exe
4976	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2056 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

ycayuhnew.exeycayuhnew.exeexplorer.exe

pid process

3064 ycayuhnew.exe
4892 ycayuhnew.exe
4892 ycayuhnew.exe
4892 ycayuhnew.exe
4976 explorer.exe
4976 explorer.exe

pid	process
2056	Explorer.EXE

pid	process
3064	ycayuhnew.exe
4892	ycayuhnew.exe
4892	ycayuhnew.exe
4892	ycayuhnew.exe
4976	explorer.exe
4976	explorer.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

ycayuhnew.exeexplorer.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	4892	ycayuhnew.exe
Token: SeDebugPrivilege	4976	explorer.exe
Token: SeShutdownPrivilege	2056	Explorer.EXE
Token: SeCreatePagefilePrivilege	2056	Explorer.EXE
Token: SeShutdownPrivilege	2056	Explorer.EXE
Token: SeCreatePagefilePrivilege	2056	Explorer.EXE
Token: SeShutdownPrivilege	2056	Explorer.EXE
Token: SeCreatePagefilePrivilege	2056	Explorer.EXE
Token: SeShutdownPrivilege	2056	Explorer.EXE
Token: SeCreatePagefilePrivilege	2056	Explorer.EXE
Token: SeShutdownPrivilege	2056	Explorer.EXE
Token: SeCreatePagefilePrivilege	2056	Explorer.EXE
Token: SeShutdownPrivilege	2056	Explorer.EXE
Token: SeCreatePagefilePrivilege	2056	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

9a67166c5a81302300022d5fcf029600356460fcf3ce82fa37db08b131a0459f.exeycayuhnew.exeExplorer.EXEexplorer.exe

description	pid	process	target process
PID 3548 wrote to memory of 3064	3548	9a67166c5a81302300022d5fcf029600356460fcf3ce82fa37db08b131a0459f.exe	ycayuhnew.exe
PID 3548 wrote to memory of 3064	3548	9a67166c5a81302300022d5fcf029600356460fcf3ce82fa37db08b131a0459f.exe	ycayuhnew.exe
PID 3548 wrote to memory of 3064	3548	9a67166c5a81302300022d5fcf029600356460fcf3ce82fa37db08b131a0459f.exe	ycayuhnew.exe
PID 3064 wrote to memory of 4892	3064	ycayuhnew.exe	ycayuhnew.exe
PID 3064 wrote to memory of 4892	3064	ycayuhnew.exe	ycayuhnew.exe
PID 3064 wrote to memory of 4892	3064	ycayuhnew.exe	ycayuhnew.exe
PID 3064 wrote to memory of 4892	3064	ycayuhnew.exe	ycayuhnew.exe
PID 2056 wrote to memory of 4976	2056	Explorer.EXE	explorer.exe
PID 2056 wrote to memory of 4976	2056	Explorer.EXE	explorer.exe
PID 2056 wrote to memory of 4976	2056	Explorer.EXE	explorer.exe
PID 4976 wrote to memory of 4360	4976	explorer.exe	cmd.exe
PID 4976 wrote to memory of 4360	4976	explorer.exe	cmd.exe
PID 4976 wrote to memory of 4360	4976	explorer.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Users\Admin\AppData\Local\Temp\9a67166c5a81302300022d5fcf029600356460fcf3ce82fa37db08b131a0459f.exe
  "C:\Users\Admin\AppData\Local\Temp\9a67166c5a81302300022d5fcf029600356460fcf3ce82fa37db08b131a0459f.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3548
- - C:\Users\Admin\AppData\Local\Temp\ycayuhnew.exe
    "C:\Users\Admin\AppData\Local\Temp\ycayuhnew.exe" C:\Users\Admin\AppData\Local\Temp\rjyyjwcs.j
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\Users\Admin\AppData\Local\Temp\ycayuhnew.exe
      "C:\Users\Admin\AppData\Local\Temp\ycayuhnew.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:4892
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\SysWOW64\explorer.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4976
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\ycayuhnew.exe"
    3⤵
    PID:4360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dxlnbanzq.e

Filesize
185KB

MD5
f6710918e3ecdba55aa451fb1b08742d

SHA1
4ef0c29c55d0d532ceb1a5a324b62ff98d08dd70

SHA256
cc573825aba59339f11629b7fe1ed9adf098e5f12004f441948fe45fcc12a5a7

SHA512
fc35b518211c758cc7f00820a6dd8d5b8543b5e069cb3f837859b98c40027256c11459dfff85dde653a1137cd20c3e5a6bc1cfd3f7b82a094fe94e16d549a4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\rjyyjwcs.j

Filesize
5KB

MD5
45cbfd24b9943772008f524a20e0a56f

SHA1
b4b00712aa448298ed165890245d8c916d2d0f64

SHA256
afef884e713661b15d8639ac7268b667742ebe67b0e031e7d617f2dd2d5813ff

SHA512
4f01cb3c9eb01dcd9e359322605d88e1c0d4b1dde3ecabc594dcb7ab44b6e937880c13cf595cff506df317cb7c928c2d30ebfb3249548ff3832c19a802e07f0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycayuhnew.exe

Filesize
11KB

MD5
d3749f4e6710b8d5beb987f07a5e8580

SHA1
17d39d416576972ecdf7deb2dce4275941497a29

SHA256
edfa8cf65bbe6a0ad70cfc86a451b4ac86d034efc77f4e117151faa48af2d73f

SHA512
6c53523743ddec06f36fe941180c755a3d32c6c6fe85fe15fa7b159ded7d3d32202b6dd4e58f470e567feeac5ab46f3c6cc09a5d57a4b307baf786aa0365c5cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycayuhnew.exe

Filesize
11KB

MD5
d3749f4e6710b8d5beb987f07a5e8580

SHA1
17d39d416576972ecdf7deb2dce4275941497a29

SHA256
edfa8cf65bbe6a0ad70cfc86a451b4ac86d034efc77f4e117151faa48af2d73f

SHA512
6c53523743ddec06f36fe941180c755a3d32c6c6fe85fe15fa7b159ded7d3d32202b6dd4e58f470e567feeac5ab46f3c6cc09a5d57a4b307baf786aa0365c5cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycayuhnew.exe

Filesize
11KB

MD5
d3749f4e6710b8d5beb987f07a5e8580

SHA1
17d39d416576972ecdf7deb2dce4275941497a29

SHA256
edfa8cf65bbe6a0ad70cfc86a451b4ac86d034efc77f4e117151faa48af2d73f

SHA512
6c53523743ddec06f36fe941180c755a3d32c6c6fe85fe15fa7b159ded7d3d32202b6dd4e58f470e567feeac5ab46f3c6cc09a5d57a4b307baf786aa0365c5cd

Download Submit
memory/2056-176-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-165-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-221-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-220-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-219-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-218-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-217-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-216-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-215-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-214-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-213-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-210-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-212-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-150-0x00000000081B0000-0x00000000082FA000-memory.dmp

Filesize
1.3MB

Download
memory/2056-211-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-152-0x00000000081B0000-0x00000000082FA000-memory.dmp

Filesize
1.3MB

Download
memory/2056-153-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-154-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-155-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-156-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-157-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-158-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-159-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-160-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-161-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-162-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-163-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-181-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-179-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-166-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-180-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-168-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-169-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-170-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/2056-171-0x0000000002DE0000-0x0000000002DF0000-memory.dmp

Filesize
64KB

Download
memory/2056-172-0x0000000002DE0000-0x0000000002DF0000-memory.dmp

Filesize
64KB

Download
memory/2056-173-0x0000000002DE0000-0x0000000002DF0000-memory.dmp

Filesize
64KB

Download
memory/2056-174-0x0000000002DE0000-0x0000000002DF0000-memory.dmp

Filesize
64KB

Download
memory/2056-175-0x0000000002DE0000-0x0000000002DF0000-memory.dmp

Filesize
64KB

Download
memory/2056-142-0x0000000002970000-0x0000000002A44000-memory.dmp

Filesize
848KB

Download
memory/2056-177-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-178-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-167-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-209-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-164-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-182-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-183-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-185-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-187-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-186-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-184-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-188-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-189-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-190-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-191-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-192-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-193-0x0000000002390000-0x00000000023A0000-memory.dmp

Filesize
64KB

Download
memory/2056-194-0x00000000023A0000-0x00000000023B0000-memory.dmp

Filesize
64KB

Download
memory/2056-195-0x00000000023A0000-0x00000000023B0000-memory.dmp

Filesize
64KB

Download
memory/2056-196-0x0000000002390000-0x00000000023A0000-memory.dmp

Filesize
64KB

Download
memory/2056-197-0x00000000023A0000-0x00000000023B0000-memory.dmp

Filesize
64KB

Download
memory/2056-198-0x00000000023A0000-0x00000000023B0000-memory.dmp

Filesize
64KB

Download
memory/2056-199-0x00000000023A0000-0x00000000023B0000-memory.dmp

Filesize
64KB

Download
memory/2056-200-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-201-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-202-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-204-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-203-0x0000000002AC0000-0x0000000002AD0000-memory.dmp

Filesize
64KB

Download
memory/2056-205-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-206-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-207-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-208-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/3064-132-0x0000000000000000-mapping.dmp

Download
memory/4360-145-0x0000000000000000-mapping.dmp

Download
memory/4892-141-0x0000000001810000-0x0000000001825000-memory.dmp

Filesize
84KB

Download
memory/4892-137-0x0000000000000000-mapping.dmp

Download
memory/4892-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4892-140-0x0000000001880000-0x0000000001BCA000-memory.dmp

Filesize
3.3MB

Download
memory/4892-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4976-148-0x0000000002AA0000-0x0000000002DEA000-memory.dmp

Filesize
3.3MB

Download
memory/4976-143-0x0000000000000000-mapping.dmp

Download
memory/4976-146-0x0000000000D60000-0x0000000001193000-memory.dmp

Filesize
4.2MB

Download
memory/4976-147-0x00000000003C0000-0x00000000003EF000-memory.dmp

Filesize
188KB

Download
memory/4976-149-0x00000000027E0000-0x0000000002874000-memory.dmp

Filesize
592KB

Download
memory/4976-151-0x00000000003C0000-0x00000000003EF000-memory.dmp

Filesize
188KB

Download