formbook | 9d6cbe10eb774bdafa9f34a374b224198b82cba5516412d5463cd84da979307b

Analysis

max time kernel
154s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11/02/2023, 09:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DHL Original Documents.exe
Size

1.7MB
MD5

13ec30f42d53faabbd8fb6e8b2330b20
SHA1

83b7d48d36322f65ce94860617a0ce5b2627e573
SHA256

9d6cbe10eb774bdafa9f34a374b224198b82cba5516412d5463cd84da979307b
SHA512

274ac1237c978a144c1c13796bcf07130b213a674b8d595b79a7474cc263ddf4ba20d0f709c40fa2d67ba4aecd6d2961bee8743de0bc63405bc5ab543018050d
SSDEEP

24576:PGAIUP/CgC8+YlJGuKiCfnQtxvezi6cnP32qejmhn4Q/1IZ1om5mog4MHqVMBie1:htzg1oumhP32qejm2AWHMKwWrIR

Score

10^/10

formbook rhadamanthys dv02 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dv02

Decoy

castellanostours.com

526048.com

amggdqf.com

konyaestetik.xyz

britainewstime-uk.online

inkpresionenlinea.com

eudvpk7s.store

linlong.cloud

globalinclusive.com

fluks.shop

greathillsgem.info

glitzyballoonsdfw.com

kswxdhnexzjdydd.click

krhssc.top

charlottedeschutter.com

getphotonic.com

rapidcomputers.uk

cabinetforever.com

importacioneskaleperu.com

shoppinginperth.co.uk

Signatures

Detect rhadamanthys stealer shellcode 3 IoCs

resource	yara_rule
behavioral2/memory/2832-162-0x0000000000A20000-0x0000000000A3C000-memory.dmp	family_rhadamanthys
behavioral2/memory/2832-166-0x0000000000A20000-0x0000000000A3C000-memory.dmp	family_rhadamanthys
behavioral2/memory/2832-170-0x0000000000A20000-0x0000000000A3C000-memory.dmp	family_rhadamanthys

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1664 created 2872	1664	DHL Original Documents.exe	28

Formbook payload 6 IoCs

rat

resource	yara_rule
behavioral2/memory/2724-138-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2724-147-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2724-153-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4748-155-0x0000000000530000-0x000000000055F000-memory.dmp	formbook
behavioral2/memory/4748-160-0x0000000000530000-0x000000000055F000-memory.dmp	formbook
behavioral2/memory/2832-164-0x00000000021B0000-0x00000000031B0000-memory.dmp	formbook

Loads dropped DLL 1 IoCs

pid	Process
1664	DHL Original Documents.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
2832	fontview.exe
2832	fontview.exe
2832	fontview.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1664 set thread context of 2724	1664	DHL Original Documents.exe	81
PID 2724 set thread context of 676	2724	ngentask.exe	53
PID 2724 set thread context of 676	2724	ngentask.exe	53
PID 4748 set thread context of 676	4748	msiexec.exe	53

Program crash 2 IoCs

pid	pid_target	Process	procid_target
176	1664	WerFault.exe	79
3416	1664	WerFault.exe	79

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	fontview.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	fontview.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fontview.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fontview.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fontview.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1664	DHL Original Documents.exe
1664	DHL Original Documents.exe
1664	DHL Original Documents.exe
1664	DHL Original Documents.exe
1664	DHL Original Documents.exe
1664	DHL Original Documents.exe
1664	DHL Original Documents.exe
1664	DHL Original Documents.exe
1664	DHL Original Documents.exe
1664	DHL Original Documents.exe
1664	DHL Original Documents.exe
1664	DHL Original Documents.exe
1664	DHL Original Documents.exe
1664	DHL Original Documents.exe
1664	DHL Original Documents.exe
1664	DHL Original Documents.exe
1664	DHL Original Documents.exe
1664	DHL Original Documents.exe
1664	DHL Original Documents.exe
1664	DHL Original Documents.exe
1664	DHL Original Documents.exe
1664	DHL Original Documents.exe
1664	DHL Original Documents.exe
1664	DHL Original Documents.exe
1664	DHL Original Documents.exe
1664	DHL Original Documents.exe
1664	DHL Original Documents.exe
1664	DHL Original Documents.exe
1664	DHL Original Documents.exe
1664	DHL Original Documents.exe
1664	DHL Original Documents.exe
1664	DHL Original Documents.exe
1664	DHL Original Documents.exe
1664	DHL Original Documents.exe
1664	DHL Original Documents.exe
1664	DHL Original Documents.exe
1664	DHL Original Documents.exe
1664	DHL Original Documents.exe
1664	DHL Original Documents.exe
1664	DHL Original Documents.exe
1664	DHL Original Documents.exe
1664	DHL Original Documents.exe
1664	DHL Original Documents.exe
1664	DHL Original Documents.exe
1664	DHL Original Documents.exe
1664	DHL Original Documents.exe
1664	DHL Original Documents.exe
1664	DHL Original Documents.exe
2724	ngentask.exe
2724	ngentask.exe
2724	ngentask.exe
2724	ngentask.exe
2724	ngentask.exe
2724	ngentask.exe
4748	msiexec.exe
4748	msiexec.exe
4748	msiexec.exe
4748	msiexec.exe
4748	msiexec.exe
4748	msiexec.exe
4748	msiexec.exe
4748	msiexec.exe
4748	msiexec.exe
4748	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
676	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2724	ngentask.exe
2724	ngentask.exe
2724	ngentask.exe
2724	ngentask.exe
4748	msiexec.exe
4748	msiexec.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2724	ngentask.exe
Token: SeDebugPrivilege	4748	msiexec.exe
Token: SeShutdownPrivilege	2832	fontview.exe
Token: SeCreatePagefilePrivilege	2832	fontview.exe
Token: SeShutdownPrivilege	676	Explorer.EXE
Token: SeCreatePagefilePrivilege	676	Explorer.EXE
Token: SeShutdownPrivilege	676	Explorer.EXE
Token: SeCreatePagefilePrivilege	676	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 2724	1664	DHL Original Documents.exe	81
PID 1664 wrote to memory of 2724	1664	DHL Original Documents.exe	81
PID 1664 wrote to memory of 2724	1664	DHL Original Documents.exe	81
PID 1664 wrote to memory of 2724	1664	DHL Original Documents.exe	81
PID 1664 wrote to memory of 2724	1664	DHL Original Documents.exe	81
PID 1664 wrote to memory of 2832	1664	DHL Original Documents.exe	82
PID 1664 wrote to memory of 2832	1664	DHL Original Documents.exe	82
PID 1664 wrote to memory of 2832	1664	DHL Original Documents.exe	82
PID 1664 wrote to memory of 2832	1664	DHL Original Documents.exe	82
PID 676 wrote to memory of 4748	676	Explorer.EXE	83
PID 676 wrote to memory of 4748	676	Explorer.EXE	83
PID 676 wrote to memory of 4748	676	Explorer.EXE	83
PID 4748 wrote to memory of 1140	4748	msiexec.exe	84
PID 4748 wrote to memory of 1140	4748	msiexec.exe	84
PID 4748 wrote to memory of 1140	4748	msiexec.exe	84

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2872
- C:\Windows\SysWOW64\fontview.exe
  "C:\Windows\SYSWOW64\fontview.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:2832

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:676
- C:\Users\Admin\AppData\Local\Temp\DHL Original Documents.exe
  "C:\Users\Admin\AppData\Local\Temp\DHL Original Documents.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2724
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 396
    3⤵
    - Program crash
    PID:176
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 764
    3⤵
    - Program crash
    PID:3416
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4748
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
    3⤵
    PID:1140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1664 -ip 1664
1⤵
PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1664 -ip 1664
1⤵
PID:3252

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240599312.dll

Filesize
334KB

MD5
93b708dc9901549287ceabdee71b9fdb

SHA1
9fcce6036fb5c851f43c5a725e23309d1b7b52bc

SHA256
4185ddc19bf56b9f18f7de96e82ce3e37f40dd960abfa5e80e50be0f952d1611

SHA512
c1e4fdfcea022ca64be093d159c0894834f388f80b1bcb6b5d1f11f4ba2a868f80d83bcf374ee95aa4a403be0c3146e1ef7c238796d948f14c8d7ea1700063bc

Download Submit
memory/676-165-0x0000000007AC0000-0x0000000007BC5000-memory.dmp

Filesize
1.0MB

Download
memory/676-161-0x0000000007AC0000-0x0000000007BC5000-memory.dmp

Filesize
1.0MB

Download
memory/676-150-0x0000000002880000-0x0000000002955000-memory.dmp

Filesize
852KB

Download
memory/676-146-0x0000000002790000-0x0000000002871000-memory.dmp

Filesize
900KB

Download
memory/1664-133-0x000000000FAF0000-0x000000000FD88000-memory.dmp

Filesize
2.6MB

Download
memory/1664-134-0x000000000FAF0000-0x000000000FD88000-memory.dmp

Filesize
2.6MB

Download
memory/1664-132-0x000000000104B000-0x00000000011BD000-memory.dmp

Filesize
1.4MB

Download
memory/1664-151-0x000000000FAF0000-0x000000000FD88000-memory.dmp

Filesize
2.6MB

Download
memory/1664-171-0x000000000104B000-0x00000000011BD000-memory.dmp

Filesize
1.4MB

Download
memory/1664-148-0x000000000104B000-0x00000000011BD000-memory.dmp

Filesize
1.4MB

Download
memory/2724-138-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2724-147-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2724-144-0x0000000000AE0000-0x0000000000AF4000-memory.dmp

Filesize
80KB

Download
memory/2724-143-0x0000000000FE0000-0x000000000132A000-memory.dmp

Filesize
3.3MB

Download
memory/2724-149-0x0000000000B50000-0x0000000000B64000-memory.dmp

Filesize
80KB

Download
memory/2724-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2724-153-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2832-170-0x0000000000A20000-0x0000000000A3C000-memory.dmp

Filesize
112KB

Download
memory/2832-145-0x0000000000420000-0x0000000000453000-memory.dmp

Filesize
204KB

Download
memory/2832-169-0x0000000000420000-0x0000000000453000-memory.dmp

Filesize
204KB

Download
memory/2832-157-0x0000000000420000-0x0000000000453000-memory.dmp

Filesize
204KB

Download
memory/2832-168-0x0000000000659000-0x0000000000672000-memory.dmp

Filesize
100KB

Download
memory/2832-166-0x0000000000A20000-0x0000000000A3C000-memory.dmp

Filesize
112KB

Download
memory/2832-167-0x0000000000659000-0x0000000000672000-memory.dmp

Filesize
100KB

Download
memory/2832-162-0x0000000000A20000-0x0000000000A3C000-memory.dmp

Filesize
112KB

Download
memory/2832-163-0x0000000000659000-0x0000000000672000-memory.dmp

Filesize
100KB

Download
memory/2832-164-0x00000000021B0000-0x00000000031B0000-memory.dmp

Filesize
16.0MB

Download
memory/2832-140-0x0000000000420000-0x0000000000453000-memory.dmp

Filesize
204KB

Download
memory/4748-160-0x0000000000530000-0x000000000055F000-memory.dmp

Filesize
188KB

Download
memory/4748-159-0x00000000024B0000-0x0000000002543000-memory.dmp

Filesize
588KB

Download
memory/4748-158-0x0000000002670000-0x00000000029BA000-memory.dmp

Filesize
3.3MB

Download
memory/4748-155-0x0000000000530000-0x000000000055F000-memory.dmp

Filesize
188KB

Download
memory/4748-154-0x00000000005D0000-0x00000000005E2000-memory.dmp

Filesize
72KB

Download