formbook | 19907e5318d4427729e86994feffe2418e2d6aa0c2a97b123bf553f80f0b89af

Analysis

max time kernel
149s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
12/01/2023, 15:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b231e7d8369f13df570e824dd65c5e44.exe
Size

431KB
MD5

b231e7d8369f13df570e824dd65c5e44
SHA1

5fa2fd0746bce832c00c72a8a75d864ad1793b19
SHA256

19907e5318d4427729e86994feffe2418e2d6aa0c2a97b123bf553f80f0b89af
SHA512

9daf9c63b00782ff2f9676d6bef5d4694ea1a4480e6a3f8e2dbdd93d5a7ea506c1e222a563c196ddbd74e7b75193f5b67cf93bb26dc16d285dba7b189eb5dde8
SSDEEP

3072:+fY/TU9fE9PEtuSbQAdM95pqs0eNntYHE2mEYgP90Wcmytku63N1fc7FYjjomLMm:oYa6S9m/KlmEL5gszc76C4uAC6WtlxM

Score

10^/10

formbook pe63 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

pe63

Decoy

iparkshonan.com

cahoonset.com

chuliji.com

judiangka.boats

casadecanyonlane.com

hukaol.xyz

websiteclonescripts.com

jjlpoi.com

e-insurance.africa

buketubalonu.com

foruminati.se

12rivalo.xyz

bblifebizsolutions.com

larimarfitness.com

conectado.xyz

511271.com

shpte-energy.net

thewayit.net

jpdentistry.co.uk

aisini5201314.love

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

resource	yara_rule
behavioral2/memory/4760-139-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/1032-145-0x0000000000DA0000-0x0000000000DCF000-memory.dmp	formbook
behavioral2/memory/1032-150-0x0000000000DA0000-0x0000000000DCF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

pid	Process
3964	eimznp.exe
4760	eimznp.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3964 set thread context of 4760	3964	eimznp.exe	82
PID 4760 set thread context of 3064	4760	eimznp.exe	55
PID 1032 set thread context of 3064	1032	systray.exe	55

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
4760	eimznp.exe
4760	eimznp.exe
4760	eimznp.exe
4760	eimznp.exe
1032	systray.exe
1032	systray.exe
1032	systray.exe
1032	systray.exe
1032	systray.exe
1032	systray.exe
1032	systray.exe
1032	systray.exe
1032	systray.exe
1032	systray.exe
1032	systray.exe
1032	systray.exe
1032	systray.exe
1032	systray.exe
1032	systray.exe
1032	systray.exe
1032	systray.exe
1032	systray.exe
1032	systray.exe
1032	systray.exe
1032	systray.exe
1032	systray.exe
1032	systray.exe
1032	systray.exe
1032	systray.exe
1032	systray.exe
1032	systray.exe
1032	systray.exe
1032	systray.exe
1032	systray.exe
1032	systray.exe
1032	systray.exe
1032	systray.exe
1032	systray.exe
1032	systray.exe
1032	systray.exe
1032	systray.exe
1032	systray.exe
1032	systray.exe
1032	systray.exe
1032	systray.exe
1032	systray.exe
1032	systray.exe
1032	systray.exe
1032	systray.exe
1032	systray.exe
1032	systray.exe
1032	systray.exe
1032	systray.exe
1032	systray.exe
1032	systray.exe
1032	systray.exe
1032	systray.exe
1032	systray.exe
1032	systray.exe
1032	systray.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3064	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
3964	eimznp.exe
4760	eimznp.exe
4760	eimznp.exe
4760	eimznp.exe
1032	systray.exe
1032	systray.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4760	eimznp.exe
Token: SeDebugPrivilege	1032	systray.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3376 wrote to memory of 3964	3376	b231e7d8369f13df570e824dd65c5e44.exe	81
PID 3376 wrote to memory of 3964	3376	b231e7d8369f13df570e824dd65c5e44.exe	81
PID 3376 wrote to memory of 3964	3376	b231e7d8369f13df570e824dd65c5e44.exe	81
PID 3964 wrote to memory of 4760	3964	eimznp.exe	82
PID 3964 wrote to memory of 4760	3964	eimznp.exe	82
PID 3964 wrote to memory of 4760	3964	eimznp.exe	82
PID 3964 wrote to memory of 4760	3964	eimznp.exe	82
PID 3064 wrote to memory of 1032	3064	Explorer.EXE	83
PID 3064 wrote to memory of 1032	3064	Explorer.EXE	83
PID 3064 wrote to memory of 1032	3064	Explorer.EXE	83
PID 1032 wrote to memory of 4656	1032	systray.exe	84
PID 1032 wrote to memory of 4656	1032	systray.exe	84
PID 1032 wrote to memory of 4656	1032	systray.exe	84

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Users\Admin\AppData\Local\Temp\b231e7d8369f13df570e824dd65c5e44.exe
  "C:\Users\Admin\AppData\Local\Temp\b231e7d8369f13df570e824dd65c5e44.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3376
- - C:\Users\Admin\AppData\Local\Temp\eimznp.exe
    "C:\Users\Admin\AppData\Local\Temp\eimznp.exe" C:\Users\Admin\AppData\Local\Temp\qskbfjk.aiw
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:3964
  - - C:\Users\Admin\AppData\Local\Temp\eimznp.exe
      "C:\Users\Admin\AppData\Local\Temp\eimznp.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:4760
- C:\Windows\SysWOW64\systray.exe
  "C:\Windows\SysWOW64\systray.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\eimznp.exe"
    3⤵
    PID:4656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\eimznp.exe

Filesize
83KB

MD5
3dfe391ab73d100a939502e28c279ee9

SHA1
c8d7124f3a0ab8166e784eb33e467ea6d40d6869

SHA256
8310e43e80a2c513f000db5551b1bbcef7cf34a59d092a52a8e7cba6164e0a1b

SHA512
319ec71459efe7a9d729f9e107afab40f9bb37efe384456d6d73ae8a595802c9ba4b88a7eafccfbe52fc43070cea8147439f27aece22dc6d88503ff3dd80a062

Download Submit
C:\Users\Admin\AppData\Local\Temp\eimznp.exe

Filesize
83KB

MD5
3dfe391ab73d100a939502e28c279ee9

SHA1
c8d7124f3a0ab8166e784eb33e467ea6d40d6869

SHA256
8310e43e80a2c513f000db5551b1bbcef7cf34a59d092a52a8e7cba6164e0a1b

SHA512
319ec71459efe7a9d729f9e107afab40f9bb37efe384456d6d73ae8a595802c9ba4b88a7eafccfbe52fc43070cea8147439f27aece22dc6d88503ff3dd80a062

Download Submit
C:\Users\Admin\AppData\Local\Temp\eimznp.exe

Filesize
83KB

MD5
3dfe391ab73d100a939502e28c279ee9

SHA1
c8d7124f3a0ab8166e784eb33e467ea6d40d6869

SHA256
8310e43e80a2c513f000db5551b1bbcef7cf34a59d092a52a8e7cba6164e0a1b

SHA512
319ec71459efe7a9d729f9e107afab40f9bb37efe384456d6d73ae8a595802c9ba4b88a7eafccfbe52fc43070cea8147439f27aece22dc6d88503ff3dd80a062

Download Submit
C:\Users\Admin\AppData\Local\Temp\mhcujxqfmbq.o

Filesize
205KB

MD5
acd78c4caec99e6b79905b54e54a25b9

SHA1
534f7b65471fa70b580c5906fb381e2031fc0a3f

SHA256
21b3b0fbc81a91524a3546efd76b8f9e7087611e14bc86af33e179782fc78232

SHA512
4de557b5009630ededcb413a9fdd73d7e1b39132472cca719bb3c97c7958832e44bfbd7998ac4dfc65b7609c86214534886a34e499f2ea4b8d3e40b6903b54c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\qskbfjk.aiw

Filesize
5KB

MD5
198031ea6f9a56d93d0215c764de6d2a

SHA1
b8fcfafb8f0ac83e4d2fd8cb58dcb9d5826a23d7

SHA256
8c23ebf16ad3877bc0698f8f7eecc7939dfc070747062270c42df5d03bb3bcd9

SHA512
6d22d878fde3a63c42053924c52595e0a3b6ce93c0685275b5d5e1859779aca655b1558495b0404070794c1b29fbf13395cdb9221c6ed4ac159d28ff00535a32

Download Submit
memory/1032-150-0x0000000000DA0000-0x0000000000DCF000-memory.dmp

Filesize
188KB

Download
memory/1032-148-0x0000000002CC0000-0x0000000002D54000-memory.dmp

Filesize
592KB

Download
memory/1032-147-0x0000000002F50000-0x000000000329A000-memory.dmp

Filesize
3.3MB

Download
memory/1032-145-0x0000000000DA0000-0x0000000000DCF000-memory.dmp

Filesize
188KB

Download
memory/1032-144-0x0000000000850000-0x0000000000856000-memory.dmp

Filesize
24KB

Download
memory/3064-142-0x00000000026A0000-0x00000000027A4000-memory.dmp

Filesize
1.0MB

Download
memory/3064-149-0x00000000078E0000-0x00000000079C5000-memory.dmp

Filesize
916KB

Download
memory/3064-151-0x00000000078E0000-0x00000000079C5000-memory.dmp

Filesize
916KB

Download
memory/4760-141-0x00000000005F0000-0x0000000000605000-memory.dmp

Filesize
84KB

Download
memory/4760-140-0x0000000000A50000-0x0000000000D9A000-memory.dmp

Filesize
3.3MB

Download
memory/4760-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download