formbook | fde11e6f4e911647593850de2ddc4b747eee070999f8031101d02bf4cb2364ef

Analysis

max time kernel
150s
max time network
139s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
06-02-2023 14:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fde11e6f4e911647593850de2ddc4b747eee070999f8031101d02bf4cb2364ef.exe
Size

297KB
MD5

af2b8f5ab74b832d8afdeb31bbbedf7a
SHA1

843c977f2763e00215798252df9d72e705be2049
SHA256

fde11e6f4e911647593850de2ddc4b747eee070999f8031101d02bf4cb2364ef
SHA512

d01f8c2d03e4ea2db7e4c308e45e99cdabddae25a4260d685d00c57fd515b6a011683cdb6ef9beb7ab3c5997d2aead36dbff0d0cda1dec141e95b12b0b345ce1
SSDEEP

6144:nYa6cjfjA7IUkIDhzdQoz9FDJuWYtfX5Nyu6YtSXiOJF:nYYfSxkDcuWwHdsn

Score

10^/10

formbook rs11 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

rs11

Decoy

brigtsidefinancial.com

kotteri-mannish.com

black-iron-fences-bros.com

fnixo.com

gondes.net

cutleryknives-store.com

cabledahmercadillacvip.com

redstaing.com

cateri.africa

cgadminservices.com

wilwin.net

moteru40.net

floraandfate.com

aram-eyes.com

bcrazy55.com

courierpay.buzz

discovervielven.com

mymansshirt.com

junglesmp.online

classic-workshop.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1496-65-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/872-71-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

atoeyybuc.exeatoeyybuc.exe

pid process

976 atoeyybuc.exe
1496 atoeyybuc.exe
Loads dropped DLL 2 IoCs

Processes:

fde11e6f4e911647593850de2ddc4b747eee070999f8031101d02bf4cb2364ef.exeatoeyybuc.exe

pid process

2036 fde11e6f4e911647593850de2ddc4b747eee070999f8031101d02bf4cb2364ef.exe
976 atoeyybuc.exe

pid	process
976	atoeyybuc.exe
1496	atoeyybuc.exe

pid	process
2036	fde11e6f4e911647593850de2ddc4b747eee070999f8031101d02bf4cb2364ef.exe
976	atoeyybuc.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

atoeyybuc.exeatoeyybuc.exechkdsk.exe

description	pid	process	target process
PID 976 set thread context of 1496	976	atoeyybuc.exe	atoeyybuc.exe
PID 1496 set thread context of 1244	1496	atoeyybuc.exe	Explorer.EXE
PID 872 set thread context of 1244	872	chkdsk.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

chkdsk.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier chkdsk.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

chkdsk.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-1214520366-621468234-4062160515-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	chkdsk.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

atoeyybuc.exechkdsk.exe

pid	process
1496	atoeyybuc.exe
1496	atoeyybuc.exe
872	chkdsk.exe
872	chkdsk.exe
872	chkdsk.exe
872	chkdsk.exe
872	chkdsk.exe
872	chkdsk.exe
872	chkdsk.exe
872	chkdsk.exe
872	chkdsk.exe
872	chkdsk.exe
872	chkdsk.exe
872	chkdsk.exe
872	chkdsk.exe
872	chkdsk.exe
872	chkdsk.exe
872	chkdsk.exe
872	chkdsk.exe
872	chkdsk.exe
872	chkdsk.exe
872	chkdsk.exe
872	chkdsk.exe
872	chkdsk.exe
872	chkdsk.exe
872	chkdsk.exe
872	chkdsk.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1244 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

atoeyybuc.exeatoeyybuc.exechkdsk.exe

pid process

976 atoeyybuc.exe
1496 atoeyybuc.exe
1496 atoeyybuc.exe
1496 atoeyybuc.exe
872 chkdsk.exe
872 chkdsk.exe
872 chkdsk.exe
872 chkdsk.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

atoeyybuc.exechkdsk.exe

description pid process

Token: SeDebugPrivilege 1496 atoeyybuc.exe
Token: SeDebugPrivilege 872 chkdsk.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1244 Explorer.EXE
1244 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1244 Explorer.EXE
1244 Explorer.EXE

pid	process
1244	Explorer.EXE

pid	process
976	atoeyybuc.exe
1496	atoeyybuc.exe
1496	atoeyybuc.exe
1496	atoeyybuc.exe
872	chkdsk.exe
872	chkdsk.exe
872	chkdsk.exe
872	chkdsk.exe

description	pid	process
Token: SeDebugPrivilege	1496	atoeyybuc.exe
Token: SeDebugPrivilege	872	chkdsk.exe

pid	process
1244	Explorer.EXE
1244	Explorer.EXE

pid	process
1244	Explorer.EXE
1244	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

fde11e6f4e911647593850de2ddc4b747eee070999f8031101d02bf4cb2364ef.exeatoeyybuc.exeExplorer.EXEchkdsk.exe

description	pid	process	target process
PID 2036 wrote to memory of 976	2036	fde11e6f4e911647593850de2ddc4b747eee070999f8031101d02bf4cb2364ef.exe	atoeyybuc.exe
PID 2036 wrote to memory of 976	2036	fde11e6f4e911647593850de2ddc4b747eee070999f8031101d02bf4cb2364ef.exe	atoeyybuc.exe
PID 2036 wrote to memory of 976	2036	fde11e6f4e911647593850de2ddc4b747eee070999f8031101d02bf4cb2364ef.exe	atoeyybuc.exe
PID 2036 wrote to memory of 976	2036	fde11e6f4e911647593850de2ddc4b747eee070999f8031101d02bf4cb2364ef.exe	atoeyybuc.exe
PID 976 wrote to memory of 1496	976	atoeyybuc.exe	atoeyybuc.exe
PID 976 wrote to memory of 1496	976	atoeyybuc.exe	atoeyybuc.exe
PID 976 wrote to memory of 1496	976	atoeyybuc.exe	atoeyybuc.exe
PID 976 wrote to memory of 1496	976	atoeyybuc.exe	atoeyybuc.exe
PID 976 wrote to memory of 1496	976	atoeyybuc.exe	atoeyybuc.exe
PID 1244 wrote to memory of 872	1244	Explorer.EXE	chkdsk.exe
PID 1244 wrote to memory of 872	1244	Explorer.EXE	chkdsk.exe
PID 1244 wrote to memory of 872	1244	Explorer.EXE	chkdsk.exe
PID 1244 wrote to memory of 872	1244	Explorer.EXE	chkdsk.exe
PID 872 wrote to memory of 336	872	chkdsk.exe	Firefox.exe
PID 872 wrote to memory of 336	872	chkdsk.exe	Firefox.exe
PID 872 wrote to memory of 336	872	chkdsk.exe	Firefox.exe
PID 872 wrote to memory of 336	872	chkdsk.exe	Firefox.exe
PID 872 wrote to memory of 336	872	chkdsk.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Users\Admin\AppData\Local\Temp\fde11e6f4e911647593850de2ddc4b747eee070999f8031101d02bf4cb2364ef.exe
  "C:\Users\Admin\AppData\Local\Temp\fde11e6f4e911647593850de2ddc4b747eee070999f8031101d02bf4cb2364ef.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Users\Admin\AppData\Local\Temp\atoeyybuc.exe
    "C:\Users\Admin\AppData\Local\Temp\atoeyybuc.exe" C:\Users\Admin\AppData\Local\Temp\xepdzguyi.zpq
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:976
  - - C:\Users\Admin\AppData\Local\Temp\atoeyybuc.exe
      "C:\Users\Admin\AppData\Local\Temp\atoeyybuc.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:1496
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:644
- C:\Windows\SysWOW64\chkdsk.exe
  "C:\Windows\SysWOW64\chkdsk.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:872
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\atoeyybuc.exe

Filesize
112KB

MD5
7ede9a999ded9de662e54cbfd90680d8

SHA1
ad00efdf39b85309b1fde0ec304f3fcd15c5f927

SHA256
d51b4fbb78f31eff83c619334cd5e1a7cb8b503a1f61d3b191007fe7062a69cb

SHA512
01a7bb1f2e81dec04cfe037b68914cecc911fde8b1a62379b6bf28cd32f9e23dcdc77ca49f7924dae33b27d42575cef3bf2dded85d2c2fcfec626a5ffbddeb6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\atoeyybuc.exe

Filesize
112KB

MD5
7ede9a999ded9de662e54cbfd90680d8

SHA1
ad00efdf39b85309b1fde0ec304f3fcd15c5f927

SHA256
d51b4fbb78f31eff83c619334cd5e1a7cb8b503a1f61d3b191007fe7062a69cb

SHA512
01a7bb1f2e81dec04cfe037b68914cecc911fde8b1a62379b6bf28cd32f9e23dcdc77ca49f7924dae33b27d42575cef3bf2dded85d2c2fcfec626a5ffbddeb6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\atoeyybuc.exe

Filesize
112KB

MD5
7ede9a999ded9de662e54cbfd90680d8

SHA1
ad00efdf39b85309b1fde0ec304f3fcd15c5f927

SHA256
d51b4fbb78f31eff83c619334cd5e1a7cb8b503a1f61d3b191007fe7062a69cb

SHA512
01a7bb1f2e81dec04cfe037b68914cecc911fde8b1a62379b6bf28cd32f9e23dcdc77ca49f7924dae33b27d42575cef3bf2dded85d2c2fcfec626a5ffbddeb6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\kbfotrqmze.ug

Filesize
205KB

MD5
3656da71ef457ff4aa9628cf15739006

SHA1
d252fea8ae881f4bc02807e32da34fe1e8c84155

SHA256
2f74419a2cc131c46271d0f19c2235d42e08c101be938a381edda3af46aeb003

SHA512
090495799c91cbea31ab70779d61f08be4902f015f05accf91551e1901962b502bc3c53ec4a0871b69cf6d553c70f7e747aa3416d7146c3395be274d3ca56ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\xepdzguyi.zpq

Filesize
5KB

MD5
2a18b621f690f6724e332ba8dc46d39e

SHA1
b079a6cee56e6d46953b7a3fa558c96a76c98954

SHA256
ad1b6b65ae61388f101d313e46c232cdfa5e4b4c278b1d966681c2540ad67018

SHA512
fc06a8bc96135125ffd26617dafd6d893f23eb5519f6e4a266ca671921efdab86e5aab1fd573ddef0fb6013df87be351cc42b12f07c40dfc156e3974fe2c5fa2

Download Submit
C:\Users\Admin\AppData\Roaming\96709-4S\967logim.jpeg

Filesize
60KB

MD5
2dbaf74f7d220628e7590d6b0ae2399f

SHA1
30ef87cad91da69106ea63a60b5efc43d7c3d2f7

SHA256
cd9d82e53b87173f4af5e3b8c97a5bcf665ec8a47e11b9d989cd5211df3bae4a

SHA512
002b4a6d96f7de468e5bb8b4538fccfa7d38628e80194f446ebf009c64afed70128926d7bcc16dd5e527064bdfa3c66f0eb921da921ec01a50bd0a4bbf88b17c

Download Submit
C:\Users\Admin\AppData\Roaming\96709-4S\967logrf.ini

Filesize
40B

MD5
2f245469795b865bdd1b956c23d7893d

SHA1
6ad80b974d3808f5a20ea1e766c7d2f88b9e5895

SHA256
1662d01a2d47b875a34fc7a8cd92e78cb2ba7f34023c7fd2639cbb10b8d94361

SHA512
909f189846a5d2db208a5eb2e7cb3042c0f164caf437e2b1b6de608c0a70e4f3510b81b85753dbeec1e211e6a83e6ea8c96aff896e9b6e8ed42014473a54dc4f

Download Submit
C:\Users\Admin\AppData\Roaming\96709-4S\967logri.ini

Filesize
40B

MD5
d63a82e5d81e02e399090af26db0b9cb

SHA1
91d0014c8f54743bba141fd60c9d963f869d76c9

SHA256
eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

SHA512
38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

Download Submit
C:\Users\Admin\AppData\Roaming\96709-4S\967logrv.ini

Filesize
40B

MD5
ba3b6bc807d4f76794c4b81b09bb9ba5

SHA1
24cb89501f0212ff3095ecc0aba97dd563718fb1

SHA256
6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507

SHA512
ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf

Download Submit
\Users\Admin\AppData\Local\Temp\atoeyybuc.exe

Filesize
112KB

MD5
7ede9a999ded9de662e54cbfd90680d8

SHA1
ad00efdf39b85309b1fde0ec304f3fcd15c5f927

SHA256
d51b4fbb78f31eff83c619334cd5e1a7cb8b503a1f61d3b191007fe7062a69cb

SHA512
01a7bb1f2e81dec04cfe037b68914cecc911fde8b1a62379b6bf28cd32f9e23dcdc77ca49f7924dae33b27d42575cef3bf2dded85d2c2fcfec626a5ffbddeb6a

Download Submit
\Users\Admin\AppData\Local\Temp\atoeyybuc.exe

Filesize
112KB

MD5
7ede9a999ded9de662e54cbfd90680d8

SHA1
ad00efdf39b85309b1fde0ec304f3fcd15c5f927

SHA256
d51b4fbb78f31eff83c619334cd5e1a7cb8b503a1f61d3b191007fe7062a69cb

SHA512
01a7bb1f2e81dec04cfe037b68914cecc911fde8b1a62379b6bf28cd32f9e23dcdc77ca49f7924dae33b27d42575cef3bf2dded85d2c2fcfec626a5ffbddeb6a

Download Submit
memory/872-74-0x0000000000970000-0x0000000000A03000-memory.dmp

Filesize
588KB

Download
memory/872-76-0x0000000000970000-0x0000000000A03000-memory.dmp

Filesize
588KB

Download
memory/872-69-0x0000000000000000-mapping.dmp

Download
memory/872-70-0x0000000000A60000-0x0000000000A67000-memory.dmp

Filesize
28KB

Download
memory/872-71-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/872-72-0x0000000002000000-0x0000000002303000-memory.dmp

Filesize
3.0MB

Download
memory/976-56-0x0000000000000000-mapping.dmp

Download
memory/1244-77-0x0000000006CD0000-0x0000000006DD4000-memory.dmp

Filesize
1.0MB

Download
memory/1244-75-0x0000000006CD0000-0x0000000006DD4000-memory.dmp

Filesize
1.0MB

Download
memory/1244-68-0x0000000004DD0000-0x0000000004EFA000-memory.dmp

Filesize
1.2MB

Download
memory/1496-66-0x0000000000840000-0x0000000000B43000-memory.dmp

Filesize
3.0MB

Download
memory/1496-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1496-63-0x000000000041F160-mapping.dmp

Download
memory/1496-67-0x00000000002C0000-0x00000000002D4000-memory.dmp

Filesize
80KB

Download
memory/2036-54-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

Filesize
8KB

Download