formbook | 843c93a950a42ce6ccdd4debb3b505ee31a696637c523aa3cde37876a940d1d1

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
06-01-2023 10:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

980c09040af5ab467b0e902c8097cb83.exe
Size

420KB
MD5

980c09040af5ab467b0e902c8097cb83
SHA1

efbd7fcfc5bac7aee07b2715c492ff71df54ce48
SHA256

843c93a950a42ce6ccdd4debb3b505ee31a696637c523aa3cde37876a940d1d1
SHA512

d1524131c82bac5e4fc6232963694d5c2944fd1ad52d7c394fac449c44f498f474d130217ec94a84514897cba02060207b564c640e056c85536356896f1e14c8
SSDEEP

6144:oYa6eYODUglfIPtpIGAmRCXODtbOy0FD5GHfE7pV5gK8noo:oYdpIGAmMe5SyYtGHiuK81

Score

10^/10

formbook vr84 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

vr84

Decoy

intouchenergy.co.uk

lalumalkaliram.com

hillgreenholidays.co.uk

fluentliteracy.com

buildingworkerpower.com

by23577.com

gate-ch375019.online

jayess-decor.com

larkslife.com

swsnacks.co.uk

bigturtletiny.com

egggge.xyz

olastore.africa

lightshowsnewengland.com

daily-lox.com

empireoba.com

91302events.com

lawrencecountyfirechiefs.com

abrahamslibrary.com

cleaner365.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/4972-139-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4972-145-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4752-149-0x00000000007B0000-0x00000000007DF000-memory.dmp	formbook
behavioral2/memory/4752-153-0x00000000007B0000-0x00000000007DF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

pid	Process
4180	filpx.exe
4972	filpx.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4180 set thread context of 4972	4180	filpx.exe	84
PID 4972 set thread context of 3092	4972	filpx.exe	45
PID 4972 set thread context of 3092	4972	filpx.exe	45
PID 4752 set thread context of 3092	4752	netsh.exe	45

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
4972	filpx.exe
4972	filpx.exe
4972	filpx.exe
4972	filpx.exe
4972	filpx.exe
4972	filpx.exe
4752	netsh.exe
4752	netsh.exe
4752	netsh.exe
4752	netsh.exe
4752	netsh.exe
4752	netsh.exe
4752	netsh.exe
4752	netsh.exe
4752	netsh.exe
4752	netsh.exe
4752	netsh.exe
4752	netsh.exe
4752	netsh.exe
4752	netsh.exe
4752	netsh.exe
4752	netsh.exe
4752	netsh.exe
4752	netsh.exe
4752	netsh.exe
4752	netsh.exe
4752	netsh.exe
4752	netsh.exe
4752	netsh.exe
4752	netsh.exe
4752	netsh.exe
4752	netsh.exe
4752	netsh.exe
4752	netsh.exe
4752	netsh.exe
4752	netsh.exe
4752	netsh.exe
4752	netsh.exe
4752	netsh.exe
4752	netsh.exe
4752	netsh.exe
4752	netsh.exe
4752	netsh.exe
4752	netsh.exe
4752	netsh.exe
4752	netsh.exe
4752	netsh.exe
4752	netsh.exe
4752	netsh.exe
4752	netsh.exe
4752	netsh.exe
4752	netsh.exe
4752	netsh.exe
4752	netsh.exe
4752	netsh.exe
4752	netsh.exe
4752	netsh.exe
4752	netsh.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3092	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
4180	filpx.exe
4972	filpx.exe
4972	filpx.exe
4972	filpx.exe
4972	filpx.exe
4752	netsh.exe
4752	netsh.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4972	filpx.exe
Token: SeDebugPrivilege	4752	netsh.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 4180	5036	980c09040af5ab467b0e902c8097cb83.exe	82
PID 5036 wrote to memory of 4180	5036	980c09040af5ab467b0e902c8097cb83.exe	82
PID 5036 wrote to memory of 4180	5036	980c09040af5ab467b0e902c8097cb83.exe	82
PID 4180 wrote to memory of 4972	4180	filpx.exe	84
PID 4180 wrote to memory of 4972	4180	filpx.exe	84
PID 4180 wrote to memory of 4972	4180	filpx.exe	84
PID 4180 wrote to memory of 4972	4180	filpx.exe	84
PID 4972 wrote to memory of 4752	4972	filpx.exe	89
PID 4972 wrote to memory of 4752	4972	filpx.exe	89
PID 4972 wrote to memory of 4752	4972	filpx.exe	89
PID 4752 wrote to memory of 2484	4752	netsh.exe	92
PID 4752 wrote to memory of 2484	4752	netsh.exe	92
PID 4752 wrote to memory of 2484	4752	netsh.exe	92

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:3092
- C:\Users\Admin\AppData\Local\Temp\980c09040af5ab467b0e902c8097cb83.exe
  "C:\Users\Admin\AppData\Local\Temp\980c09040af5ab467b0e902c8097cb83.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5036
- - C:\Users\Admin\AppData\Local\Temp\filpx.exe
    "C:\Users\Admin\AppData\Local\Temp\filpx.exe" C:\Users\Admin\AppData\Local\Temp\xtvjfgswix.j
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4180
  - - C:\Users\Admin\AppData\Local\Temp\filpx.exe
      "C:\Users\Admin\AppData\Local\Temp\filpx.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4972
    - - C:\Windows\SysWOW64\netsh.exe
        
        "C:\Windows\SysWOW64\netsh.exe"
        5⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4752
      - C:\Windows\SysWOW64\cmd.exe
        
        /c del "C:\Users\Admin\AppData\Local\Temp\filpx.exe"
        6⤵
        
        PID:2484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\filpx.exe

Filesize
56KB

MD5
98002afac40f6945e6b34108827505d0

SHA1
61fb8be150df2fa8f85b066d4050f8bb095905ae

SHA256
07da33ffe03a486cd199125cb485561f6e53179e7be1ce6e32e1ce8a4726bd3f

SHA512
35e474f1fd570b1df607912fa756997143943a508e21cac0596bb2d4d3bd431e07c8411a11c87195f8c83e76b1946d2f714e0632abb9134c64f35b40246325da

Download Submit
C:\Users\Admin\AppData\Local\Temp\filpx.exe

Filesize
56KB

MD5
98002afac40f6945e6b34108827505d0

SHA1
61fb8be150df2fa8f85b066d4050f8bb095905ae

SHA256
07da33ffe03a486cd199125cb485561f6e53179e7be1ce6e32e1ce8a4726bd3f

SHA512
35e474f1fd570b1df607912fa756997143943a508e21cac0596bb2d4d3bd431e07c8411a11c87195f8c83e76b1946d2f714e0632abb9134c64f35b40246325da

Download Submit
C:\Users\Admin\AppData\Local\Temp\filpx.exe

Filesize
56KB

MD5
98002afac40f6945e6b34108827505d0

SHA1
61fb8be150df2fa8f85b066d4050f8bb095905ae

SHA256
07da33ffe03a486cd199125cb485561f6e53179e7be1ce6e32e1ce8a4726bd3f

SHA512
35e474f1fd570b1df607912fa756997143943a508e21cac0596bb2d4d3bd431e07c8411a11c87195f8c83e76b1946d2f714e0632abb9134c64f35b40246325da

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfsyom.m

Filesize
205KB

MD5
6e778839ad9b8e35c2ee219f6084749c

SHA1
0b2d15d794006e31c458875c3f452e25b687da83

SHA256
ce74cea5493334d94ee41b2f33c08daf5e7969f02c0f705e32bb5e47019114e3

SHA512
9e49e69389e5dc4a6d3ebb845396672ba897c207dbe4d7e4b75204f0c0a8d82788860082ad534605750da0faf89c74b6773336579f7c1a7572edd599c67df723

Download Submit
C:\Users\Admin\AppData\Local\Temp\xtvjfgswix.j

Filesize
5KB

MD5
feb3241fec4320789d09238ee0a3806e

SHA1
8dade6e5708610a6959f1dd50d59d23c6341a9e3

SHA256
49ce3a686a989745ef53e27db48058376120918159d8c1855e9295d260da7f3d

SHA512
4c3cf4b9822f4785722e641525f00467d46dda78258b743844bfbe03c056ba5fd48d1418928417068742a0725d4b83e80f4f9ba9d4d36a3524437b3dd6a4b85b

Download Submit
memory/3092-142-0x00000000081D0000-0x00000000082A5000-memory.dmp

Filesize
852KB

Download
memory/3092-154-0x0000000008D10000-0x0000000008EA4000-memory.dmp

Filesize
1.6MB

Download
memory/3092-152-0x0000000008D10000-0x0000000008EA4000-memory.dmp

Filesize
1.6MB

Download
memory/3092-144-0x0000000008460000-0x00000000085C5000-memory.dmp

Filesize
1.4MB

Download
memory/4752-148-0x0000000000E50000-0x0000000000E6E000-memory.dmp

Filesize
120KB

Download
memory/4752-153-0x00000000007B0000-0x00000000007DF000-memory.dmp

Filesize
188KB

Download
memory/4752-151-0x0000000001210000-0x00000000012A4000-memory.dmp

Filesize
592KB

Download
memory/4752-150-0x00000000013D0000-0x000000000171A000-memory.dmp

Filesize
3.3MB

Download
memory/4752-149-0x00000000007B0000-0x00000000007DF000-memory.dmp

Filesize
188KB

Download
memory/4972-143-0x0000000000930000-0x0000000000945000-memory.dmp

Filesize
84KB

Download
memory/4972-145-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4972-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4972-141-0x00000000008C0000-0x00000000008D5000-memory.dmp

Filesize
84KB

Download
memory/4972-140-0x0000000000970000-0x0000000000CBA000-memory.dmp

Filesize
3.3MB

Download