formbook | 3d269d34d687979b0d73960f880ef5eaf5cd4bf4b90129ce5d6c0c5f8ec58995

Analysis

max time kernel
152s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11/02/2023, 09:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d269d34d687979b0d73960f880ef5eaf5cd4bf4b90129ce5d6c0c5f8ec58995.exe
Size

296KB
MD5

1d920aa56457a163c9ede013081ae820
SHA1

9e9ed8cf1341aaba3c6e32609a3780dff407a2ce
SHA256

3d269d34d687979b0d73960f880ef5eaf5cd4bf4b90129ce5d6c0c5f8ec58995
SHA512

f2e25d3656575e418a89642d4828ae15f04bb74e310c562cd3190bebf7dcf5b4104a4b81b20ba1825d4a3097234dafb1c1276c2cbee5ed00da69e4feaab8cbc2
SSDEEP

6144:/Ya60IJrcLmPyG1twMNr1GX1Iius7CCeEhMNUPLegtfSdtyQ:/YaIeOyG/slB7CCPQULid0Q

Score

10^/10

formbook re29 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

re29

Decoy

barnstorm-music.com

gazzettadellapuglia.com

baratieistore.space

cdrjdkj.com

carlissablog.com

langlalang.com

2886365.com

aq993.cyou

jwjwjwjw.com

car-deals-80304.com

dikevolesas.info

buycialistablets.online

theplantgranny.net

detoxshopbr.store

imans.biz

fightingcock.co.uk

loveforfurbabies.com

eastcoastbeveragegroup.com

alaaeldinsoft.com

microshel.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/4012-139-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/4012-144-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/4596-147-0x0000000000570000-0x000000000059F000-memory.dmp	formbook
behavioral1/memory/4596-151-0x0000000000570000-0x000000000059F000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

pid	Process
1520	hpsfqj.exe
4012	hpsfqj.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1520 set thread context of 4012	1520	hpsfqj.exe	80
PID 4012 set thread context of 3052	4012	hpsfqj.exe	43
PID 4596 set thread context of 3052	4596	cmstp.exe	43

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
4012	hpsfqj.exe
4012	hpsfqj.exe
4012	hpsfqj.exe
4012	hpsfqj.exe
4596	cmstp.exe
4596	cmstp.exe
4596	cmstp.exe
4596	cmstp.exe
4596	cmstp.exe
4596	cmstp.exe
4596	cmstp.exe
4596	cmstp.exe
4596	cmstp.exe
4596	cmstp.exe
4596	cmstp.exe
4596	cmstp.exe
4596	cmstp.exe
4596	cmstp.exe
4596	cmstp.exe
4596	cmstp.exe
4596	cmstp.exe
4596	cmstp.exe
4596	cmstp.exe
4596	cmstp.exe
4596	cmstp.exe
4596	cmstp.exe
4596	cmstp.exe
4596	cmstp.exe
4596	cmstp.exe
4596	cmstp.exe
4596	cmstp.exe
4596	cmstp.exe
4596	cmstp.exe
4596	cmstp.exe
4596	cmstp.exe
4596	cmstp.exe
4596	cmstp.exe
4596	cmstp.exe
4596	cmstp.exe
4596	cmstp.exe
4596	cmstp.exe
4596	cmstp.exe
4596	cmstp.exe
4596	cmstp.exe
4596	cmstp.exe
4596	cmstp.exe
4596	cmstp.exe
4596	cmstp.exe
4596	cmstp.exe
4596	cmstp.exe
4596	cmstp.exe
4596	cmstp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3052	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
1520	hpsfqj.exe
4012	hpsfqj.exe
4012	hpsfqj.exe
4012	hpsfqj.exe
4596	cmstp.exe
4596	cmstp.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4012	hpsfqj.exe
Token: SeShutdownPrivilege	3052	Explorer.EXE
Token: SeCreatePagefilePrivilege	3052	Explorer.EXE
Token: SeShutdownPrivilege	3052	Explorer.EXE
Token: SeCreatePagefilePrivilege	3052	Explorer.EXE
Token: SeDebugPrivilege	4596	cmstp.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 1520	1096	3d269d34d687979b0d73960f880ef5eaf5cd4bf4b90129ce5d6c0c5f8ec58995.exe	79
PID 1096 wrote to memory of 1520	1096	3d269d34d687979b0d73960f880ef5eaf5cd4bf4b90129ce5d6c0c5f8ec58995.exe	79
PID 1096 wrote to memory of 1520	1096	3d269d34d687979b0d73960f880ef5eaf5cd4bf4b90129ce5d6c0c5f8ec58995.exe	79
PID 1520 wrote to memory of 4012	1520	hpsfqj.exe	80
PID 1520 wrote to memory of 4012	1520	hpsfqj.exe	80
PID 1520 wrote to memory of 4012	1520	hpsfqj.exe	80
PID 1520 wrote to memory of 4012	1520	hpsfqj.exe	80
PID 3052 wrote to memory of 4596	3052	Explorer.EXE	81
PID 3052 wrote to memory of 4596	3052	Explorer.EXE	81
PID 3052 wrote to memory of 4596	3052	Explorer.EXE	81
PID 4596 wrote to memory of 3232	4596	cmstp.exe	84
PID 4596 wrote to memory of 3232	4596	cmstp.exe	84
PID 4596 wrote to memory of 3232	4596	cmstp.exe	84

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Users\Admin\AppData\Local\Temp\3d269d34d687979b0d73960f880ef5eaf5cd4bf4b90129ce5d6c0c5f8ec58995.exe
  "C:\Users\Admin\AppData\Local\Temp\3d269d34d687979b0d73960f880ef5eaf5cd4bf4b90129ce5d6c0c5f8ec58995.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Users\Admin\AppData\Local\Temp\hpsfqj.exe
    "C:\Users\Admin\AppData\Local\Temp\hpsfqj.exe" C:\Users\Admin\AppData\Local\Temp\sfbna.k
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Users\Admin\AppData\Local\Temp\hpsfqj.exe
      "C:\Users\Admin\AppData\Local\Temp\hpsfqj.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:4012
- C:\Windows\SysWOW64\cmstp.exe
  "C:\Windows\SysWOW64\cmstp.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4596
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\hpsfqj.exe"
    3⤵
    PID:3232

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\eonfwp.i

Filesize
205KB

MD5
01dd5c4fca252266ee57fb2965293047

SHA1
59ce6810eccb161987d47c7c4dbef9e7b8f66550

SHA256
e504b465c746ac3e2cfb89997a240640661793eb17ead6ee5be0dbc6d46f73ea

SHA512
66c64db05b60c4a3540d0638beedb93cc9e6e3a6386ad01589db69d1ee466b75190112ee9b66c02f11e7e72cbf93e4b7fd645c3a919578e8f2b8e63ff169837d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpsfqj.exe

Filesize
122KB

MD5
05741cfa93356c5bc4ec6a0b18545d7e

SHA1
cffbb8e7e0cd9befc4116e02dade7df8e3a4e7ca

SHA256
4f08cfdc5d7e3d002a4803ad731780cf114f1a91a56962d249be780076aa41a0

SHA512
30d85216fe8c611599254535b4a1d9aacab98f12f844a38226dd419218ea355854ae1858d620ac5d009bdf8aa7ed3979c0a797c194ebeac98a7e1914f12552c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpsfqj.exe

Filesize
122KB

MD5
05741cfa93356c5bc4ec6a0b18545d7e

SHA1
cffbb8e7e0cd9befc4116e02dade7df8e3a4e7ca

SHA256
4f08cfdc5d7e3d002a4803ad731780cf114f1a91a56962d249be780076aa41a0

SHA512
30d85216fe8c611599254535b4a1d9aacab98f12f844a38226dd419218ea355854ae1858d620ac5d009bdf8aa7ed3979c0a797c194ebeac98a7e1914f12552c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpsfqj.exe

Filesize
122KB

MD5
05741cfa93356c5bc4ec6a0b18545d7e

SHA1
cffbb8e7e0cd9befc4116e02dade7df8e3a4e7ca

SHA256
4f08cfdc5d7e3d002a4803ad731780cf114f1a91a56962d249be780076aa41a0

SHA512
30d85216fe8c611599254535b4a1d9aacab98f12f844a38226dd419218ea355854ae1858d620ac5d009bdf8aa7ed3979c0a797c194ebeac98a7e1914f12552c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\sfbna.k

Filesize
5KB

MD5
ecd2f82ab8efe8913525e7cedb988c68

SHA1
0b1454a38fbe985bb6d45504b9c16f423abc7d74

SHA256
729aa075fa7bd0cc5cce972490f1a6cbc301151d5279b7f152a9eeea0bb44950

SHA512
43ec8a95030781c289c6649247bee837dc9558451a7a2b5e8d5034e7ab9f93a8b4db8fffcc7873d8c5451d7bf87b27c881040ff7d6f269f8011f6919eb551466

Download Submit
memory/3052-142-0x0000000007EF0000-0x0000000007FA9000-memory.dmp

Filesize
740KB

Download
memory/3052-152-0x0000000007FB0000-0x0000000008097000-memory.dmp

Filesize
924KB

Download
memory/3052-150-0x0000000007FB0000-0x0000000008097000-memory.dmp

Filesize
924KB

Download
memory/4012-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4012-141-0x0000000001250000-0x0000000001264000-memory.dmp

Filesize
80KB

Download
memory/4012-140-0x0000000001730000-0x0000000001A7A000-memory.dmp

Filesize
3.3MB

Download
memory/4012-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4596-147-0x0000000000570000-0x000000000059F000-memory.dmp

Filesize
188KB

Download
memory/4596-146-0x00000000005B0000-0x00000000005C6000-memory.dmp

Filesize
88KB

Download
memory/4596-148-0x00000000027A0000-0x0000000002AEA000-memory.dmp

Filesize
3.3MB

Download
memory/4596-149-0x00000000024D0000-0x0000000002563000-memory.dmp

Filesize
588KB

Download
memory/4596-151-0x0000000000570000-0x000000000059F000-memory.dmp

Filesize
188KB

Download