formbook | 1a82b5f2c6d3897569544939dfae30457d05924c8811f009d0cd1540319ea90c

Analysis

max time kernel
151s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
14/02/2023, 18:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a44404aac23672009dc1d835f223d35b.exe
Size

293KB
MD5

a44404aac23672009dc1d835f223d35b
SHA1

31aee1e8489ef5b6033f24050ff309941f8f38b0
SHA256

1a82b5f2c6d3897569544939dfae30457d05924c8811f009d0cd1540319ea90c
SHA512

2a70e223ca53759418bb42caa5d90dee2629f18815035f4cb92296eddac284f8a4074cfc9efada30ab9c27305e14249d5cb3731ec18fc41fc87695a6ef04357b
SSDEEP

6144:0Ya6qfeaNVq78yPmAR6PAqqQ1hPP23xulTtZ3X3fCA:0YMmaS78yP3g4qxYeZ3XvCA

Score

10^/10

formbook nes8 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

nes8

Decoy

simantsfamily.com

ninobrowndelivery.net

y94x.info

huibi01.vip

davidspanu.com

swegon.tech

moapulsa.com

coveredseguros.com

owltoon.site

loyalguardianop.com

banca-particulares.icu

innovativanimal.com

girlschools.top

smartbed-gb-tok.life

vhail.store

bluffdalecitizens.info

asmcpn.us

wordybag.online

smmfsa.com

jinglunqhd.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/4768-139-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4768-144-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4696-148-0x00000000006F0000-0x000000000071F000-memory.dmp	formbook
behavioral2/memory/4696-150-0x00000000006F0000-0x000000000071F000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

pid	Process
3084	yoznhk.exe
4768	yoznhk.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3084 set thread context of 4768	3084	yoznhk.exe	82
PID 4768 set thread context of 676	4768	yoznhk.exe	54
PID 4696 set thread context of 676	4696	help.exe	54

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
4768	yoznhk.exe
4768	yoznhk.exe
4768	yoznhk.exe
4768	yoznhk.exe
4696	help.exe
4696	help.exe
4696	help.exe
4696	help.exe
4696	help.exe
4696	help.exe
4696	help.exe
4696	help.exe
4696	help.exe
4696	help.exe
4696	help.exe
4696	help.exe
4696	help.exe
4696	help.exe
4696	help.exe
4696	help.exe
4696	help.exe
4696	help.exe
4696	help.exe
4696	help.exe
4696	help.exe
4696	help.exe
4696	help.exe
4696	help.exe
4696	help.exe
4696	help.exe
4696	help.exe
4696	help.exe
4696	help.exe
4696	help.exe
4696	help.exe
4696	help.exe
4696	help.exe
4696	help.exe
4696	help.exe
4696	help.exe
4696	help.exe
4696	help.exe
4696	help.exe
4696	help.exe
4696	help.exe
4696	help.exe
4696	help.exe
4696	help.exe
4696	help.exe
4696	help.exe
4696	help.exe
4696	help.exe
4696	help.exe
4696	help.exe
4696	help.exe
4696	help.exe
4696	help.exe
4696	help.exe
4696	help.exe
4696	help.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
676	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
3084	yoznhk.exe
4768	yoznhk.exe
4768	yoznhk.exe
4768	yoznhk.exe
4696	help.exe
4696	help.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	4768	yoznhk.exe
Token: SeDebugPrivilege	4696	help.exe
Token: SeShutdownPrivilege	676	Explorer.EXE
Token: SeCreatePagefilePrivilege	676	Explorer.EXE
Token: SeShutdownPrivilege	676	Explorer.EXE
Token: SeCreatePagefilePrivilege	676	Explorer.EXE
Token: SeShutdownPrivilege	676	Explorer.EXE
Token: SeCreatePagefilePrivilege	676	Explorer.EXE
Token: SeShutdownPrivilege	676	Explorer.EXE
Token: SeCreatePagefilePrivilege	676	Explorer.EXE
Token: SeShutdownPrivilege	676	Explorer.EXE
Token: SeCreatePagefilePrivilege	676	Explorer.EXE
Token: SeShutdownPrivilege	676	Explorer.EXE
Token: SeCreatePagefilePrivilege	676	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 3084	1952	a44404aac23672009dc1d835f223d35b.exe	81
PID 1952 wrote to memory of 3084	1952	a44404aac23672009dc1d835f223d35b.exe	81
PID 1952 wrote to memory of 3084	1952	a44404aac23672009dc1d835f223d35b.exe	81
PID 3084 wrote to memory of 4768	3084	yoznhk.exe	82
PID 3084 wrote to memory of 4768	3084	yoznhk.exe	82
PID 3084 wrote to memory of 4768	3084	yoznhk.exe	82
PID 3084 wrote to memory of 4768	3084	yoznhk.exe	82
PID 676 wrote to memory of 4696	676	Explorer.EXE	84
PID 676 wrote to memory of 4696	676	Explorer.EXE	84
PID 676 wrote to memory of 4696	676	Explorer.EXE	84
PID 4696 wrote to memory of 3816	4696	help.exe	85
PID 4696 wrote to memory of 3816	4696	help.exe	85
PID 4696 wrote to memory of 3816	4696	help.exe	85

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:676
- C:\Users\Admin\AppData\Local\Temp\a44404aac23672009dc1d835f223d35b.exe
  "C:\Users\Admin\AppData\Local\Temp\a44404aac23672009dc1d835f223d35b.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Users\Admin\AppData\Local\Temp\yoznhk.exe
    "C:\Users\Admin\AppData\Local\Temp\yoznhk.exe" C:\Users\Admin\AppData\Local\Temp\qsruthgcsxr.a
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:3084
  - - C:\Users\Admin\AppData\Local\Temp\yoznhk.exe
      "C:\Users\Admin\AppData\Local\Temp\yoznhk.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:4768
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:4192
- C:\Windows\SysWOW64\help.exe
  "C:\Windows\SysWOW64\help.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4696
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\yoznhk.exe"
    3⤵
    PID:3816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\qanka.d

Filesize
205KB

MD5
f1ea13fa35de3f09b96364341d87d125

SHA1
8de2b74f3a5bbcb1ba8ced276904c7a47266a1a1

SHA256
b21c98a92b9bbbf684de96fb96adbcd534368df3fdd7b615bc59e0b1685a8434

SHA512
7e91642293d03ad05941ab5e1c464bc08197900001b61ddbd9d3f3445b5e1559d1e82ba1630634ec78701b2d508822585bb5cbfab80e07c33052401f7cff442e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsruthgcsxr.a

Filesize
5KB

MD5
54b71333295fca6cf02f2b33fd820c76

SHA1
1b918d25d644d6aae65324fb77e50a3a2ee50147

SHA256
5d44da7c885fc6d6a5f454a2e73c7409a5d5f434ea9984f39221750b75840442

SHA512
095ebd5cac031872c9cb2328070c127ea7862140e9bc89421c4ce8ff17804dde88ccc330b79e709c17c61179bc7c8146420e734c8e512b5e82eede690fa5629b

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoznhk.exe

Filesize
74KB

MD5
33197092d5e40869139dafa9e86397eb

SHA1
1c94e4036d5ab42cc9e405c31bccc2af3e316fed

SHA256
91975a8affb95985c82de51e6f71acb803833d2e9ddf1099145f9a2a04300d50

SHA512
a313a4fd70685c733257eecc437944f7e3bd1277c6be1c8f1b569e624e50c9b7b57453ff2b93effe3ba9f9cd08ab34c6a85c50c5dd805c7a09a620b105fcb8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoznhk.exe

Filesize
74KB

MD5
33197092d5e40869139dafa9e86397eb

SHA1
1c94e4036d5ab42cc9e405c31bccc2af3e316fed

SHA256
91975a8affb95985c82de51e6f71acb803833d2e9ddf1099145f9a2a04300d50

SHA512
a313a4fd70685c733257eecc437944f7e3bd1277c6be1c8f1b569e624e50c9b7b57453ff2b93effe3ba9f9cd08ab34c6a85c50c5dd805c7a09a620b105fcb8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoznhk.exe

Filesize
74KB

MD5
33197092d5e40869139dafa9e86397eb

SHA1
1c94e4036d5ab42cc9e405c31bccc2af3e316fed

SHA256
91975a8affb95985c82de51e6f71acb803833d2e9ddf1099145f9a2a04300d50

SHA512
a313a4fd70685c733257eecc437944f7e3bd1277c6be1c8f1b569e624e50c9b7b57453ff2b93effe3ba9f9cd08ab34c6a85c50c5dd805c7a09a620b105fcb8b5

Download Submit
memory/676-176-0x0000000003200000-0x0000000003210000-memory.dmp

Filesize
64KB

Download
memory/676-201-0x00000000031D0000-0x00000000031E0000-memory.dmp

Filesize
64KB

Download
memory/676-222-0x00000000031D0000-0x00000000031E0000-memory.dmp

Filesize
64KB

Download
memory/676-221-0x00000000031D0000-0x00000000031E0000-memory.dmp

Filesize
64KB

Download
memory/676-220-0x00000000031D0000-0x00000000031E0000-memory.dmp

Filesize
64KB

Download
memory/676-219-0x0000000001290000-0x00000000012A0000-memory.dmp

Filesize
64KB

Download
memory/676-218-0x00000000031E0000-0x00000000031F0000-memory.dmp

Filesize
64KB

Download
memory/676-217-0x00000000031E0000-0x00000000031F0000-memory.dmp

Filesize
64KB

Download
memory/676-216-0x00000000031E0000-0x00000000031F0000-memory.dmp

Filesize
64KB

Download
memory/676-181-0x00000000031E0000-0x00000000031F0000-memory.dmp

Filesize
64KB

Download
memory/676-215-0x00000000031E0000-0x00000000031F0000-memory.dmp

Filesize
64KB

Download
memory/676-214-0x00000000031E0000-0x00000000031F0000-memory.dmp

Filesize
64KB

Download
memory/676-213-0x00000000031E0000-0x00000000031F0000-memory.dmp

Filesize
64KB

Download
memory/676-151-0x0000000003540000-0x000000000360F000-memory.dmp

Filesize
828KB

Download
memory/676-212-0x00000000031E0000-0x00000000031F0000-memory.dmp

Filesize
64KB

Download
memory/676-152-0x00000000031E0000-0x00000000031F0000-memory.dmp

Filesize
64KB

Download
memory/676-153-0x00000000031E0000-0x00000000031F0000-memory.dmp

Filesize
64KB

Download
memory/676-154-0x00000000031E0000-0x00000000031F0000-memory.dmp

Filesize
64KB

Download
memory/676-155-0x00000000031E0000-0x00000000031F0000-memory.dmp

Filesize
64KB

Download
memory/676-156-0x00000000031E0000-0x00000000031F0000-memory.dmp

Filesize
64KB

Download
memory/676-157-0x00000000031E0000-0x00000000031F0000-memory.dmp

Filesize
64KB

Download
memory/676-158-0x00000000031E0000-0x00000000031F0000-memory.dmp

Filesize
64KB

Download
memory/676-179-0x00000000031E0000-0x00000000031F0000-memory.dmp

Filesize
64KB

Download
memory/676-160-0x00000000031E0000-0x00000000031F0000-memory.dmp

Filesize
64KB

Download
memory/676-161-0x00000000031E0000-0x00000000031F0000-memory.dmp

Filesize
64KB

Download
memory/676-162-0x00000000031E0000-0x00000000031F0000-memory.dmp

Filesize
64KB

Download
memory/676-163-0x00000000031E0000-0x00000000031F0000-memory.dmp

Filesize
64KB

Download
memory/676-164-0x00000000031E0000-0x00000000031F0000-memory.dmp

Filesize
64KB

Download
memory/676-165-0x00000000031E0000-0x00000000031F0000-memory.dmp

Filesize
64KB

Download
memory/676-166-0x00000000031E0000-0x00000000031F0000-memory.dmp

Filesize
64KB

Download
memory/676-167-0x00000000031E0000-0x00000000031F0000-memory.dmp

Filesize
64KB

Download
memory/676-168-0x00000000031E0000-0x00000000031F0000-memory.dmp

Filesize
64KB

Download
memory/676-169-0x00000000031F0000-0x0000000003200000-memory.dmp

Filesize
64KB

Download
memory/676-170-0x0000000003200000-0x0000000003210000-memory.dmp

Filesize
64KB

Download
memory/676-171-0x0000000003200000-0x0000000003210000-memory.dmp

Filesize
64KB

Download
memory/676-172-0x0000000003200000-0x0000000003210000-memory.dmp

Filesize
64KB

Download
memory/676-173-0x0000000003540000-0x000000000360F000-memory.dmp

Filesize
828KB

Download
memory/676-174-0x0000000003200000-0x0000000003210000-memory.dmp

Filesize
64KB

Download
memory/676-175-0x0000000003200000-0x0000000003210000-memory.dmp

Filesize
64KB

Download
memory/676-142-0x0000000003230000-0x0000000003368000-memory.dmp

Filesize
1.2MB

Download
memory/676-177-0x00000000031E0000-0x00000000031F0000-memory.dmp

Filesize
64KB

Download
memory/676-178-0x00000000031E0000-0x00000000031F0000-memory.dmp

Filesize
64KB

Download
memory/676-159-0x00000000031E0000-0x00000000031F0000-memory.dmp

Filesize
64KB

Download
memory/676-211-0x00000000031E0000-0x00000000031F0000-memory.dmp

Filesize
64KB

Download
memory/676-210-0x00000000031E0000-0x00000000031F0000-memory.dmp

Filesize
64KB

Download
memory/676-182-0x00000000031E0000-0x00000000031F0000-memory.dmp

Filesize
64KB

Download
memory/676-183-0x00000000031E0000-0x00000000031F0000-memory.dmp

Filesize
64KB

Download
memory/676-184-0x00000000031E0000-0x00000000031F0000-memory.dmp

Filesize
64KB

Download
memory/676-185-0x00000000031E0000-0x00000000031F0000-memory.dmp

Filesize
64KB

Download
memory/676-186-0x00000000031E0000-0x00000000031F0000-memory.dmp

Filesize
64KB

Download
memory/676-187-0x00000000031E0000-0x00000000031F0000-memory.dmp

Filesize
64KB

Download
memory/676-188-0x00000000031E0000-0x00000000031F0000-memory.dmp

Filesize
64KB

Download
memory/676-189-0x00000000031E0000-0x00000000031F0000-memory.dmp

Filesize
64KB

Download
memory/676-190-0x00000000031E0000-0x00000000031F0000-memory.dmp

Filesize
64KB

Download
memory/676-191-0x00000000031E0000-0x00000000031F0000-memory.dmp

Filesize
64KB

Download
memory/676-192-0x00000000031E0000-0x00000000031F0000-memory.dmp

Filesize
64KB

Download
memory/676-193-0x00000000031E0000-0x00000000031F0000-memory.dmp

Filesize
64KB

Download
memory/676-194-0x0000000001290000-0x00000000012A0000-memory.dmp

Filesize
64KB

Download
memory/676-195-0x00000000031D0000-0x00000000031E0000-memory.dmp

Filesize
64KB

Download
memory/676-196-0x00000000031D0000-0x00000000031E0000-memory.dmp

Filesize
64KB

Download
memory/676-197-0x00000000031D0000-0x00000000031E0000-memory.dmp

Filesize
64KB

Download
memory/676-198-0x0000000001290000-0x00000000012A0000-memory.dmp

Filesize
64KB

Download
memory/676-199-0x00000000031D0000-0x00000000031E0000-memory.dmp

Filesize
64KB

Download
memory/676-200-0x00000000031D0000-0x00000000031E0000-memory.dmp

Filesize
64KB

Download
memory/676-180-0x00000000031E0000-0x00000000031F0000-memory.dmp

Filesize
64KB

Download
memory/676-202-0x00000000031E0000-0x00000000031F0000-memory.dmp

Filesize
64KB

Download
memory/676-203-0x00000000031E0000-0x00000000031F0000-memory.dmp

Filesize
64KB

Download
memory/676-204-0x00000000031E0000-0x00000000031F0000-memory.dmp

Filesize
64KB

Download
memory/676-205-0x00000000031E0000-0x00000000031F0000-memory.dmp

Filesize
64KB

Download
memory/676-206-0x00000000031E0000-0x00000000031F0000-memory.dmp

Filesize
64KB

Download
memory/676-207-0x00000000031E0000-0x00000000031F0000-memory.dmp

Filesize
64KB

Download
memory/676-208-0x00000000031E0000-0x00000000031F0000-memory.dmp

Filesize
64KB

Download
memory/676-209-0x00000000031E0000-0x00000000031F0000-memory.dmp

Filesize
64KB

Download
memory/4696-149-0x0000000000C50000-0x0000000000CE3000-memory.dmp

Filesize
588KB

Download
memory/4696-148-0x00000000006F0000-0x000000000071F000-memory.dmp

Filesize
188KB

Download
memory/4696-146-0x0000000000890000-0x0000000000897000-memory.dmp

Filesize
28KB

Download
memory/4696-147-0x0000000000EB0000-0x00000000011FA000-memory.dmp

Filesize
3.3MB

Download
memory/4696-150-0x00000000006F0000-0x000000000071F000-memory.dmp

Filesize
188KB

Download
memory/4768-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4768-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4768-141-0x00000000009C0000-0x00000000009D4000-memory.dmp

Filesize
80KB

Download
memory/4768-140-0x00000000009E0000-0x0000000000D2A000-memory.dmp

Filesize
3.3MB

Download