formbook | 4d6aed04de942b7577c3accd91e7b2e822f3e9ae3f44bb2c62d3f8332e7bb9bf

Analysis

max time kernel
148s
max time network
152s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
06/01/2023, 12:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4d6aed04de942b7577c3accd91e7b2e822f3e9ae3f44bb2c62d3f8332e7bb9bf.exe
Size

851KB
MD5

0d40d12e558369cb5f5181e15578a1fe
SHA1

4672ae6d49334d3bb80f1fc45816648241ae6cd2
SHA256

4d6aed04de942b7577c3accd91e7b2e822f3e9ae3f44bb2c62d3f8332e7bb9bf
SHA512

db11dd7ead7d19455aae9af803815d48a7e2ffe405e185a93340ed4c1d3eb1fcbd8a76100ab63a96e27cf5bf2b6e15daa1dafa7ae455358ec4fb62167b83c551
SSDEEP

12288:NdX2iNju3x2cHss/S+PPaHENNxExSYdKyjRa19UY085aNmqq:Nx1Vu3x2cHs6Sq++czdRjo5Fk

Score

10^/10

formbook d0a7 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

d0a7

Decoy

ngpjqd.top

provider1.net

themetaverseloyalties.com

tylpp.com

pmjewels.com

87napxxgz8x86a.com

djolobal.com

fmbmaiamelo.com

naijabam.online

networkingbits.com

beesweet.live

sexarab.homes

promptcompete.com

midsouthradio.com

23mk.top

bnhkit.xyz

2ozp56.bond

vehiclesgroups.com

healthycommunitynow.com

cwzmesr.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 5 IoCs

rat

resource	yara_rule
behavioral1/memory/696-67-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/696-68-0x000000000041F040-mapping.dmp	formbook
behavioral1/memory/696-71-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1620-79-0x0000000000090000-0x00000000000BF000-memory.dmp	formbook
behavioral1/memory/1620-84-0x0000000000090000-0x00000000000BF000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2024 set thread context of 696	2024	4d6aed04de942b7577c3accd91e7b2e822f3e9ae3f44bb2c62d3f8332e7bb9bf.exe	31
PID 696 set thread context of 1368	696	RegSvcs.exe	4
PID 1620 set thread context of 1368	1620	msiexec.exe	4

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
456	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
1880	powershell.exe
696	RegSvcs.exe
696	RegSvcs.exe
1620	msiexec.exe
1620	msiexec.exe
1620	msiexec.exe
1620	msiexec.exe
1620	msiexec.exe
1620	msiexec.exe
1620	msiexec.exe
1620	msiexec.exe
1620	msiexec.exe
1620	msiexec.exe
1620	msiexec.exe
1620	msiexec.exe
1620	msiexec.exe
1620	msiexec.exe
1620	msiexec.exe
1620	msiexec.exe
1620	msiexec.exe
1620	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1368	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
696	RegSvcs.exe
696	RegSvcs.exe
696	RegSvcs.exe
1620	msiexec.exe
1620	msiexec.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1880	powershell.exe
Token: SeDebugPrivilege	696	RegSvcs.exe
Token: SeDebugPrivilege	1620	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1368	Explorer.EXE
1368	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1368	Explorer.EXE
1368	Explorer.EXE

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 1880	2024	4d6aed04de942b7577c3accd91e7b2e822f3e9ae3f44bb2c62d3f8332e7bb9bf.exe	27
PID 2024 wrote to memory of 1880	2024	4d6aed04de942b7577c3accd91e7b2e822f3e9ae3f44bb2c62d3f8332e7bb9bf.exe	27
PID 2024 wrote to memory of 1880	2024	4d6aed04de942b7577c3accd91e7b2e822f3e9ae3f44bb2c62d3f8332e7bb9bf.exe	27
PID 2024 wrote to memory of 1880	2024	4d6aed04de942b7577c3accd91e7b2e822f3e9ae3f44bb2c62d3f8332e7bb9bf.exe	27
PID 2024 wrote to memory of 456	2024	4d6aed04de942b7577c3accd91e7b2e822f3e9ae3f44bb2c62d3f8332e7bb9bf.exe	29
PID 2024 wrote to memory of 456	2024	4d6aed04de942b7577c3accd91e7b2e822f3e9ae3f44bb2c62d3f8332e7bb9bf.exe	29
PID 2024 wrote to memory of 456	2024	4d6aed04de942b7577c3accd91e7b2e822f3e9ae3f44bb2c62d3f8332e7bb9bf.exe	29
PID 2024 wrote to memory of 456	2024	4d6aed04de942b7577c3accd91e7b2e822f3e9ae3f44bb2c62d3f8332e7bb9bf.exe	29
PID 2024 wrote to memory of 696	2024	4d6aed04de942b7577c3accd91e7b2e822f3e9ae3f44bb2c62d3f8332e7bb9bf.exe	31
PID 2024 wrote to memory of 696	2024	4d6aed04de942b7577c3accd91e7b2e822f3e9ae3f44bb2c62d3f8332e7bb9bf.exe	31
PID 2024 wrote to memory of 696	2024	4d6aed04de942b7577c3accd91e7b2e822f3e9ae3f44bb2c62d3f8332e7bb9bf.exe	31
PID 2024 wrote to memory of 696	2024	4d6aed04de942b7577c3accd91e7b2e822f3e9ae3f44bb2c62d3f8332e7bb9bf.exe	31
PID 2024 wrote to memory of 696	2024	4d6aed04de942b7577c3accd91e7b2e822f3e9ae3f44bb2c62d3f8332e7bb9bf.exe	31
PID 2024 wrote to memory of 696	2024	4d6aed04de942b7577c3accd91e7b2e822f3e9ae3f44bb2c62d3f8332e7bb9bf.exe	31
PID 2024 wrote to memory of 696	2024	4d6aed04de942b7577c3accd91e7b2e822f3e9ae3f44bb2c62d3f8332e7bb9bf.exe	31
PID 2024 wrote to memory of 696	2024	4d6aed04de942b7577c3accd91e7b2e822f3e9ae3f44bb2c62d3f8332e7bb9bf.exe	31
PID 2024 wrote to memory of 696	2024	4d6aed04de942b7577c3accd91e7b2e822f3e9ae3f44bb2c62d3f8332e7bb9bf.exe	31
PID 2024 wrote to memory of 696	2024	4d6aed04de942b7577c3accd91e7b2e822f3e9ae3f44bb2c62d3f8332e7bb9bf.exe	31
PID 1368 wrote to memory of 1620	1368	Explorer.EXE	32
PID 1368 wrote to memory of 1620	1368	Explorer.EXE	32
PID 1368 wrote to memory of 1620	1368	Explorer.EXE	32
PID 1368 wrote to memory of 1620	1368	Explorer.EXE	32
PID 1368 wrote to memory of 1620	1368	Explorer.EXE	32
PID 1368 wrote to memory of 1620	1368	Explorer.EXE	32
PID 1368 wrote to memory of 1620	1368	Explorer.EXE	32
PID 1620 wrote to memory of 1040	1620	msiexec.exe	33
PID 1620 wrote to memory of 1040	1620	msiexec.exe	33
PID 1620 wrote to memory of 1040	1620	msiexec.exe	33
PID 1620 wrote to memory of 1040	1620	msiexec.exe	33

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Users\Admin\AppData\Local\Temp\4d6aed04de942b7577c3accd91e7b2e822f3e9ae3f44bb2c62d3f8332e7bb9bf.exe
  "C:\Users\Admin\AppData\Local\Temp\4d6aed04de942b7577c3accd91e7b2e822f3e9ae3f44bb2c62d3f8332e7bb9bf.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dHBJRZCI.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1880
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dHBJRZCI" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA3EE.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:456
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:696
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:1040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA3EE.tmp

Filesize
1KB

MD5
6396528220bca955eb63845de4fbb2df

SHA1
9a92b2493106971951b320c8fbc8fcd550af7694

SHA256
f9bd0bebca10dc0ebc367544310ac88e96ad730315b162745559304608691f29

SHA512
e05f96c4471a4663ba1775556efea3c63a35faec03aca6ce761dac07fa0c0c252238513934f15a81c0d083e1708f3b7c248167810e3ec6c28b67af4571c78faa

Download Submit
memory/696-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/696-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/696-72-0x0000000000890000-0x0000000000B93000-memory.dmp

Filesize
3.0MB

Download
memory/696-73-0x0000000000140000-0x0000000000155000-memory.dmp

Filesize
84KB

Download
memory/696-67-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/696-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1368-83-0x0000000006FA0000-0x000000000712C000-memory.dmp

Filesize
1.5MB

Download
memory/1368-74-0x0000000006570000-0x0000000006687000-memory.dmp

Filesize
1.1MB

Download
memory/1368-87-0x000007FE83520000-0x000007FE8352A000-memory.dmp

Filesize
40KB

Download
memory/1368-86-0x000007FEFB570000-0x000007FEFB6B3000-memory.dmp

Filesize
1.3MB

Download
memory/1368-85-0x0000000006FA0000-0x000000000712C000-memory.dmp

Filesize
1.5MB

Download
memory/1620-81-0x00000000022B0000-0x00000000025B3000-memory.dmp

Filesize
3.0MB

Download
memory/1620-79-0x0000000000090000-0x00000000000BF000-memory.dmp

Filesize
188KB

Download
memory/1620-84-0x0000000000090000-0x00000000000BF000-memory.dmp

Filesize
188KB

Download
memory/1620-82-0x0000000000830000-0x00000000008C4000-memory.dmp

Filesize
592KB

Download
memory/1620-78-0x00000000009E0000-0x00000000009F4000-memory.dmp

Filesize
80KB

Download
memory/1880-75-0x000000006F060000-0x000000006F60B000-memory.dmp

Filesize
5.7MB

Download
memory/1880-70-0x000000006F060000-0x000000006F60B000-memory.dmp

Filesize
5.7MB

Download
memory/2024-56-0x0000000000310000-0x0000000000326000-memory.dmp

Filesize
88KB

Download
memory/2024-63-0x0000000004330000-0x0000000004364000-memory.dmp

Filesize
208KB

Download
memory/2024-58-0x0000000005C20000-0x0000000005C8E000-memory.dmp

Filesize
440KB

Download
memory/2024-54-0x0000000000E00000-0x0000000000EDC000-memory.dmp

Filesize
880KB

Download
memory/2024-57-0x00000000005A0000-0x00000000005AA000-memory.dmp

Filesize
40KB

Download
memory/2024-55-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download