formbook | 6c3654d20a676bf9b7f77546e23bfb3a7d2d23f1d535d0feced966a22ece5d60

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2023, 16:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

aa05023887117e6f52dce6ae40dcab9d.exe
Size

272KB
MD5

aa05023887117e6f52dce6ae40dcab9d
SHA1

3f6c3e8cc656a436be4ddbc248432e48dcd8aa0d
SHA256

6c3654d20a676bf9b7f77546e23bfb3a7d2d23f1d535d0feced966a22ece5d60
SHA512

329d06ab016a9413e5320170d1ede46dc50d3a4aea13efc600919858e8100ff3b56b8934f0815a4f3cfed45e7641488f9768b6635c03504ba958194287584362
SSDEEP

6144:BYa6q6/iwjO/07RXNHT0uZ0w+5IoujNbjcgTAgqZ6VOmA+:BYcKji079BV0/IVNbQgMkw+

Score

10^/10

formbook sk29 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

sk29

Decoy

adobeholidaylego.com

labassecourdecaro.com

whhlbz.net

aikxian.net

myimmigration.net

etribe.info

fercosgru.com

everbrighthouse.com

finepizzavegesack.info

mesuretonradon.com

escopic.art

mapzle.com

panachesports.net

alabamasbesthvac.com

esghf.com

usrisik.com

activseal.com

eventplanningpros.africa

adufyuwefjdfuiwefl.site

kornilt.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/2528-139-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2528-145-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4828-150-0x0000000000930000-0x000000000095F000-memory.dmp	formbook
behavioral2/memory/4828-153-0x0000000000930000-0x000000000095F000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

pid	Process
3848	dfglvpsjkp.exe
2528	dfglvpsjkp.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3848 set thread context of 2528	3848	dfglvpsjkp.exe	82
PID 2528 set thread context of 2692	2528	dfglvpsjkp.exe	46
PID 2528 set thread context of 2692	2528	dfglvpsjkp.exe	46
PID 4828 set thread context of 2692	4828	systray.exe	46

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
2528	dfglvpsjkp.exe
2528	dfglvpsjkp.exe
2528	dfglvpsjkp.exe
2528	dfglvpsjkp.exe
2528	dfglvpsjkp.exe
2528	dfglvpsjkp.exe
4828	systray.exe
4828	systray.exe
4828	systray.exe
4828	systray.exe
4828	systray.exe
4828	systray.exe
4828	systray.exe
4828	systray.exe
4828	systray.exe
4828	systray.exe
4828	systray.exe
4828	systray.exe
4828	systray.exe
4828	systray.exe
4828	systray.exe
4828	systray.exe
4828	systray.exe
4828	systray.exe
4828	systray.exe
4828	systray.exe
4828	systray.exe
4828	systray.exe
4828	systray.exe
4828	systray.exe
4828	systray.exe
4828	systray.exe
4828	systray.exe
4828	systray.exe
4828	systray.exe
4828	systray.exe
4828	systray.exe
4828	systray.exe
4828	systray.exe
4828	systray.exe
4828	systray.exe
4828	systray.exe
4828	systray.exe
4828	systray.exe
4828	systray.exe
4828	systray.exe
4828	systray.exe
4828	systray.exe
4828	systray.exe
4828	systray.exe
4828	systray.exe
4828	systray.exe
4828	systray.exe
4828	systray.exe
4828	systray.exe
4828	systray.exe
4828	systray.exe
4828	systray.exe
4828	systray.exe
4828	systray.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2692	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
3848	dfglvpsjkp.exe
2528	dfglvpsjkp.exe
2528	dfglvpsjkp.exe
2528	dfglvpsjkp.exe
2528	dfglvpsjkp.exe
4828	systray.exe
4828	systray.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2528	dfglvpsjkp.exe
Token: SeDebugPrivilege	4828	systray.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 632 wrote to memory of 3848	632	aa05023887117e6f52dce6ae40dcab9d.exe	81
PID 632 wrote to memory of 3848	632	aa05023887117e6f52dce6ae40dcab9d.exe	81
PID 632 wrote to memory of 3848	632	aa05023887117e6f52dce6ae40dcab9d.exe	81
PID 3848 wrote to memory of 2528	3848	dfglvpsjkp.exe	82
PID 3848 wrote to memory of 2528	3848	dfglvpsjkp.exe	82
PID 3848 wrote to memory of 2528	3848	dfglvpsjkp.exe	82
PID 3848 wrote to memory of 2528	3848	dfglvpsjkp.exe	82
PID 2692 wrote to memory of 4828	2692	Explorer.EXE	83
PID 2692 wrote to memory of 4828	2692	Explorer.EXE	83
PID 2692 wrote to memory of 4828	2692	Explorer.EXE	83
PID 4828 wrote to memory of 2280	4828	systray.exe	84
PID 4828 wrote to memory of 2280	4828	systray.exe	84
PID 4828 wrote to memory of 2280	4828	systray.exe	84

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Users\Admin\AppData\Local\Temp\aa05023887117e6f52dce6ae40dcab9d.exe
  "C:\Users\Admin\AppData\Local\Temp\aa05023887117e6f52dce6ae40dcab9d.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:632
- - C:\Users\Admin\AppData\Local\Temp\dfglvpsjkp.exe
    "C:\Users\Admin\AppData\Local\Temp\dfglvpsjkp.exe" C:\Users\Admin\AppData\Local\Temp\ibelj.we
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:3848
  - - C:\Users\Admin\AppData\Local\Temp\dfglvpsjkp.exe
      "C:\Users\Admin\AppData\Local\Temp\dfglvpsjkp.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2528
- C:\Windows\SysWOW64\systray.exe
  "C:\Windows\SysWOW64\systray.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4828
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\dfglvpsjkp.exe"
    3⤵
    PID:2280

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dfglvpsjkp.exe

Filesize
74KB

MD5
8658874b9698ae905b5f95069d718a26

SHA1
27c270fd5ea76820c493562d8f7cba5e35854757

SHA256
236717fc22df1f7ee4f8ded993fd44e3b67a04f04e43d8dcfa3bd818525bafe6

SHA512
f9a202575f9f311395ba20fc562f4509a5d69dcb5e4aa838125c2948d9b24068102fb1dc9e0a38d26b8e1622700e5d629a8d4052e5348042ad3559d9edf0daa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfglvpsjkp.exe

Filesize
74KB

MD5
8658874b9698ae905b5f95069d718a26

SHA1
27c270fd5ea76820c493562d8f7cba5e35854757

SHA256
236717fc22df1f7ee4f8ded993fd44e3b67a04f04e43d8dcfa3bd818525bafe6

SHA512
f9a202575f9f311395ba20fc562f4509a5d69dcb5e4aa838125c2948d9b24068102fb1dc9e0a38d26b8e1622700e5d629a8d4052e5348042ad3559d9edf0daa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfglvpsjkp.exe

Filesize
74KB

MD5
8658874b9698ae905b5f95069d718a26

SHA1
27c270fd5ea76820c493562d8f7cba5e35854757

SHA256
236717fc22df1f7ee4f8ded993fd44e3b67a04f04e43d8dcfa3bd818525bafe6

SHA512
f9a202575f9f311395ba20fc562f4509a5d69dcb5e4aa838125c2948d9b24068102fb1dc9e0a38d26b8e1622700e5d629a8d4052e5348042ad3559d9edf0daa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ibelj.we

Filesize
6KB

MD5
eaa4627852ed5e2557a6afecf12d0282

SHA1
a8c6aa5457d447cb58663a221201ad67d9cb943a

SHA256
0eedb930b6db484b860aa47779ba6b2b58e6cb32753911ed4876d3c5259fdb84

SHA512
afdd6802387e1af9e877c7db7b3bad3944a2720afa29fdceb19f7149ce2c4650aa665a6a6a16ce2f043faf6a683f66c9938e05365040a9cecfc71608c4cfaebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\jzvcn.zz

Filesize
205KB

MD5
191ae9b68fae3bcb487d6d1da3b96cad

SHA1
4d6ae0a7d3ea88b34c9a468fb37bcfdc7a29c32d

SHA256
74c2ad5bd62c43b8ceecf3d2efc8196189682234041a6e92e53a2aa7f59d4e50

SHA512
61fe2e85382d927ad5e637c5bc92ee00f4ee7c65b3c7585cb230fb9b9bcf9459cda4bb08bee6790df767bf886fb3ca8b93ba0db4f331cea79054bb0dd5be18ae

Download Submit
memory/2528-140-0x0000000000A60000-0x0000000000DAA000-memory.dmp

Filesize
3.3MB

Download
memory/2528-141-0x00000000004F0000-0x0000000000504000-memory.dmp

Filesize
80KB

Download
memory/2528-143-0x0000000000A30000-0x0000000000A44000-memory.dmp

Filesize
80KB

Download
memory/2528-145-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2528-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2692-152-0x0000000008CA0000-0x0000000008DC2000-memory.dmp

Filesize
1.1MB

Download
memory/2692-142-0x0000000008700000-0x0000000008848000-memory.dmp

Filesize
1.3MB

Download
memory/2692-144-0x0000000009180000-0x00000000092CB000-memory.dmp

Filesize
1.3MB

Download
memory/2692-154-0x0000000008CA0000-0x0000000008DC2000-memory.dmp

Filesize
1.1MB

Download
memory/4828-150-0x0000000000930000-0x000000000095F000-memory.dmp

Filesize
188KB

Download
memory/4828-148-0x0000000000760000-0x0000000000766000-memory.dmp

Filesize
24KB

Download
memory/4828-151-0x0000000002830000-0x00000000028C3000-memory.dmp

Filesize
588KB

Download
memory/4828-149-0x0000000002A90000-0x0000000002DDA000-memory.dmp

Filesize
3.3MB

Download
memory/4828-153-0x0000000000930000-0x000000000095F000-memory.dmp

Filesize
188KB

Download