formbook | 2889978f4abcf96d44331904f7d7b865253872c5cad23a7ed9dc8bb61eb3e8f1

Analysis

max time kernel
147s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28/12/2022, 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2889978f4abcf96d44331904f7d7b865253872c5cad23a7ed9dc8bb61eb3e8f1.exe
Size

660KB
MD5

2903e272feed18bbc602d4f6ebce4d82
SHA1

da4d65e759fcaf675ccc060252354ebf89828bd5
SHA256

2889978f4abcf96d44331904f7d7b865253872c5cad23a7ed9dc8bb61eb3e8f1
SHA512

642a4765d5b043835fa683d897d82ae433aaf980b3450330a4dbd94d3053f1e96f8de638466342840360887649b3eb5465b573ff093365cbe770d1dbe6e23804
SSDEEP

6144:4Ya6scqZqqq2Yl3x74zx7bWNHHHISYaH2fvkIgsOYAnY5nfK8BKoAeIdRoIAcCfU:4YLxMBWNHHHiRgdg9K1onqRxf4E6rAD

Score

10^/10

formbook vr84 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

vr84

Decoy

intouchenergy.co.uk

lalumalkaliram.com

hillgreenholidays.co.uk

fluentliteracy.com

buildingworkerpower.com

by23577.com

gate-ch375019.online

jayess-decor.com

larkslife.com

swsnacks.co.uk

bigturtletiny.com

egggge.xyz

olastore.africa

lightshowsnewengland.com

daily-lox.com

empireoba.com

91302events.com

lawrencecountyfirechiefs.com

abrahamslibrary.com

cleaner365.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/4768-139-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/3332-146-0x0000000000AB0000-0x0000000000ADF000-memory.dmp	formbook
behavioral1/memory/3332-150-0x0000000000AB0000-0x0000000000ADF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

pid	Process
4568	ubymjih.exe
4768	ubymjih.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4568 set thread context of 4768	4568	ubymjih.exe	82
PID 4768 set thread context of 2152	4768	ubymjih.exe	19
PID 3332 set thread context of 2152	3332	explorer.exe	19

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
4768	ubymjih.exe
4768	ubymjih.exe
4768	ubymjih.exe
4768	ubymjih.exe
3332	explorer.exe
3332	explorer.exe
3332	explorer.exe
3332	explorer.exe
3332	explorer.exe
3332	explorer.exe
3332	explorer.exe
3332	explorer.exe
3332	explorer.exe
3332	explorer.exe
3332	explorer.exe
3332	explorer.exe
3332	explorer.exe
3332	explorer.exe
3332	explorer.exe
3332	explorer.exe
3332	explorer.exe
3332	explorer.exe
3332	explorer.exe
3332	explorer.exe
3332	explorer.exe
3332	explorer.exe
3332	explorer.exe
3332	explorer.exe
3332	explorer.exe
3332	explorer.exe
3332	explorer.exe
3332	explorer.exe
3332	explorer.exe
3332	explorer.exe
3332	explorer.exe
3332	explorer.exe
3332	explorer.exe
3332	explorer.exe
3332	explorer.exe
3332	explorer.exe
3332	explorer.exe
3332	explorer.exe
3332	explorer.exe
3332	explorer.exe
3332	explorer.exe
3332	explorer.exe
3332	explorer.exe
3332	explorer.exe
3332	explorer.exe
3332	explorer.exe
3332	explorer.exe
3332	explorer.exe
3332	explorer.exe
3332	explorer.exe
3332	explorer.exe
3332	explorer.exe
3332	explorer.exe
3332	explorer.exe
3332	explorer.exe
3332	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2152	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
4568	ubymjih.exe
4768	ubymjih.exe
4768	ubymjih.exe
4768	ubymjih.exe
3332	explorer.exe
3332	explorer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4768	ubymjih.exe
Token: SeDebugPrivilege	3332	explorer.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4864 wrote to memory of 4568	4864	2889978f4abcf96d44331904f7d7b865253872c5cad23a7ed9dc8bb61eb3e8f1.exe	80
PID 4864 wrote to memory of 4568	4864	2889978f4abcf96d44331904f7d7b865253872c5cad23a7ed9dc8bb61eb3e8f1.exe	80
PID 4864 wrote to memory of 4568	4864	2889978f4abcf96d44331904f7d7b865253872c5cad23a7ed9dc8bb61eb3e8f1.exe	80
PID 4568 wrote to memory of 4768	4568	ubymjih.exe	82
PID 4568 wrote to memory of 4768	4568	ubymjih.exe	82
PID 4568 wrote to memory of 4768	4568	ubymjih.exe	82
PID 4568 wrote to memory of 4768	4568	ubymjih.exe	82
PID 2152 wrote to memory of 3332	2152	Explorer.EXE	83
PID 2152 wrote to memory of 3332	2152	Explorer.EXE	83
PID 2152 wrote to memory of 3332	2152	Explorer.EXE	83
PID 3332 wrote to memory of 4936	3332	explorer.exe	84
PID 3332 wrote to memory of 4936	3332	explorer.exe	84
PID 3332 wrote to memory of 4936	3332	explorer.exe	84

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Users\Admin\AppData\Local\Temp\2889978f4abcf96d44331904f7d7b865253872c5cad23a7ed9dc8bb61eb3e8f1.exe
  "C:\Users\Admin\AppData\Local\Temp\2889978f4abcf96d44331904f7d7b865253872c5cad23a7ed9dc8bb61eb3e8f1.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4864
- - C:\Users\Admin\AppData\Local\Temp\ubymjih.exe
    "C:\Users\Admin\AppData\Local\Temp\ubymjih.exe" C:\Users\Admin\AppData\Local\Temp\fzggqw.e
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4568
  - - C:\Users\Admin\AppData\Local\Temp\ubymjih.exe
      "C:\Users\Admin\AppData\Local\Temp\ubymjih.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:4768
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\SysWOW64\explorer.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3332
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\ubymjih.exe"
    3⤵
    PID:4936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dwksg.gb

Filesize
205KB

MD5
2c20952d08844efeb74d3827c8c59246

SHA1
fc71814e316fa60583eeec19b249bca218b743d5

SHA256
33900bc4605ffe93c4a6c78737b16f01e5620ad13dfa413c8a32199e3f93a149

SHA512
1c5647e1410466a3b99d4745e3eb21393d16bfee2ec275df8d1ca9a508cd360c6e6e9658fa7851ee9b89089ccf304ad44a669ec677b884c565f7e3dad6d48a80

Download Submit
C:\Users\Admin\AppData\Local\Temp\fzggqw.e

Filesize
5KB

MD5
8b1e928ae46cb168ed3f7d0e082f3c2c

SHA1
d211e23e1d20d6f4f153991a4c5246e2940c618a

SHA256
e8a9b5be794775e74553718566d672a078ebb71abc1e252830458a0f3c358e04

SHA512
3a4e626dc8934c7946c9d220cde29f3adf0f616ec8741748d8505309a09ff72ca507d665e8130df6252701371e8aad8bfc3ae21d3c6a6c63b09772c7c686780b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ubymjih.exe

Filesize
8KB

MD5
4059ebc8e7d9f8142bb19144eb5fa50f

SHA1
fed8aaaaa34ee81a2b03c96abdc9fe242a1086af

SHA256
abd5e991f3436a1604d0220bb23e61ef92a6b83a9e4c0a6689410d23bac41c14

SHA512
319eedc02ea8ba2a4afdb050458190379ceb8c304106271c9907ac5a39a71ea073c54942b862a1cd4101370440953b237e5b70be68e04016c47cdac54518504d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ubymjih.exe

Filesize
8KB

MD5
4059ebc8e7d9f8142bb19144eb5fa50f

SHA1
fed8aaaaa34ee81a2b03c96abdc9fe242a1086af

SHA256
abd5e991f3436a1604d0220bb23e61ef92a6b83a9e4c0a6689410d23bac41c14

SHA512
319eedc02ea8ba2a4afdb050458190379ceb8c304106271c9907ac5a39a71ea073c54942b862a1cd4101370440953b237e5b70be68e04016c47cdac54518504d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ubymjih.exe

Filesize
8KB

MD5
4059ebc8e7d9f8142bb19144eb5fa50f

SHA1
fed8aaaaa34ee81a2b03c96abdc9fe242a1086af

SHA256
abd5e991f3436a1604d0220bb23e61ef92a6b83a9e4c0a6689410d23bac41c14

SHA512
319eedc02ea8ba2a4afdb050458190379ceb8c304106271c9907ac5a39a71ea073c54942b862a1cd4101370440953b237e5b70be68e04016c47cdac54518504d

Download Submit
memory/2152-151-0x0000000007D30000-0x0000000007E0C000-memory.dmp

Filesize
880KB

Download
memory/2152-142-0x0000000007B30000-0x0000000007BE8000-memory.dmp

Filesize
736KB

Download
memory/2152-149-0x0000000007D30000-0x0000000007E0C000-memory.dmp

Filesize
880KB

Download
memory/3332-147-0x0000000002F20000-0x000000000326A000-memory.dmp

Filesize
3.3MB

Download
memory/3332-150-0x0000000000AB0000-0x0000000000ADF000-memory.dmp

Filesize
188KB

Download
memory/3332-148-0x0000000002D60000-0x0000000002DF4000-memory.dmp

Filesize
592KB

Download
memory/3332-145-0x0000000000D20000-0x0000000001153000-memory.dmp

Filesize
4.2MB

Download
memory/3332-146-0x0000000000AB0000-0x0000000000ADF000-memory.dmp

Filesize
188KB

Download
memory/4768-141-0x0000000000DF0000-0x0000000000E05000-memory.dmp

Filesize
84KB

Download
memory/4768-140-0x0000000000AA0000-0x0000000000DEA000-memory.dmp

Filesize
3.3MB

Download
memory/4768-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download