formbook | 75cad3b006c75ab9361842884a4937580a3e3cbcbb8e583843e55f934a4ea6d8

Analysis

max time kernel
150s
max time network
138s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
10/03/2023, 10:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d8d8a2af9b26764004323afcb393879266daaf40afd026894b311424b50d8ff5.exe
Size

241KB
MD5

02eefca081505168a313a927977e02e5
SHA1

4ff60a4b15d4ed1cc3733676a25b929962d64d4b
SHA256

d8d8a2af9b26764004323afcb393879266daaf40afd026894b311424b50d8ff5
SHA512

0f8a33342682c1e8a4c3b096c91e26cf9b18d48a28e0eaae2af450e637b3e6a00a075a6fd315ef7737e88a132005877e7af5959240452642ddadefee65ac537e
SSDEEP

6144:NYa6Juz8BMG9jCpNLw3ODiHVmyfvYUeEu0UIE:NYf5RiNymryfvYUi0UT

Score

10^/10

formbook gt48 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gt48

Decoy

flusskiesel.studio

txweiqi.com

bestsnowboardingincolorado.com

aceroyrodio.com

antoniafredrik.se

iskugo.club

lifehightech.com

emotionalsupporthedgehogs.com

911527.com

familyblinn.online

family-doctor-90847.com

importadosjl.shop

arobaz-solutions.com

ibobetgogo.com

trippincreative.com

funnyjokeday.com

doktorhizmeti.xyz

contentteam.co.uk

iyaarirealestate.com

atomikoldschools.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 5 IoCs

rat

resource	yara_rule
behavioral1/memory/1208-69-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1208-76-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1208-79-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1460-82-0x00000000000C0000-0x00000000000EF000-memory.dmp	formbook
behavioral1/memory/1460-84-0x00000000000C0000-0x00000000000EF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

pid	Process
1444	jclbq.exe
1208	jclbq.exe

Loads dropped DLL 3 IoCs

pid	Process
1560	d8d8a2af9b26764004323afcb393879266daaf40afd026894b311424b50d8ff5.exe
1560	d8d8a2af9b26764004323afcb393879266daaf40afd026894b311424b50d8ff5.exe
1444	jclbq.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1444 set thread context of 1208	1444	jclbq.exe	27
PID 1208 set thread context of 1356	1208	jclbq.exe	16
PID 1208 set thread context of 1356	1208	jclbq.exe	16
PID 1460 set thread context of 1356	1460	netsh.exe	16

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
1208	jclbq.exe
1208	jclbq.exe
1208	jclbq.exe
1460	netsh.exe
1460	netsh.exe
1460	netsh.exe
1460	netsh.exe
1460	netsh.exe
1460	netsh.exe
1460	netsh.exe
1460	netsh.exe
1460	netsh.exe
1460	netsh.exe
1460	netsh.exe
1460	netsh.exe
1460	netsh.exe
1460	netsh.exe
1460	netsh.exe
1460	netsh.exe
1460	netsh.exe
1460	netsh.exe
1460	netsh.exe
1460	netsh.exe
1460	netsh.exe
1460	netsh.exe
1460	netsh.exe
1460	netsh.exe
1460	netsh.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1356	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
1444	jclbq.exe
1208	jclbq.exe
1208	jclbq.exe
1208	jclbq.exe
1208	jclbq.exe
1460	netsh.exe
1460	netsh.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1208	jclbq.exe
Token: SeDebugPrivilege	1460	netsh.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1356	Explorer.EXE
1356	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1356	Explorer.EXE
1356	Explorer.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 1444	1560	d8d8a2af9b26764004323afcb393879266daaf40afd026894b311424b50d8ff5.exe	26
PID 1560 wrote to memory of 1444	1560	d8d8a2af9b26764004323afcb393879266daaf40afd026894b311424b50d8ff5.exe	26
PID 1560 wrote to memory of 1444	1560	d8d8a2af9b26764004323afcb393879266daaf40afd026894b311424b50d8ff5.exe	26
PID 1560 wrote to memory of 1444	1560	d8d8a2af9b26764004323afcb393879266daaf40afd026894b311424b50d8ff5.exe	26
PID 1444 wrote to memory of 1208	1444	jclbq.exe	27
PID 1444 wrote to memory of 1208	1444	jclbq.exe	27
PID 1444 wrote to memory of 1208	1444	jclbq.exe	27
PID 1444 wrote to memory of 1208	1444	jclbq.exe	27
PID 1444 wrote to memory of 1208	1444	jclbq.exe	27
PID 1356 wrote to memory of 1460	1356	Explorer.EXE	28
PID 1356 wrote to memory of 1460	1356	Explorer.EXE	28
PID 1356 wrote to memory of 1460	1356	Explorer.EXE	28
PID 1356 wrote to memory of 1460	1356	Explorer.EXE	28
PID 1460 wrote to memory of 1752	1460	netsh.exe	29
PID 1460 wrote to memory of 1752	1460	netsh.exe	29
PID 1460 wrote to memory of 1752	1460	netsh.exe	29
PID 1460 wrote to memory of 1752	1460	netsh.exe	29

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Users\Admin\AppData\Local\Temp\d8d8a2af9b26764004323afcb393879266daaf40afd026894b311424b50d8ff5.exe
  "C:\Users\Admin\AppData\Local\Temp\d8d8a2af9b26764004323afcb393879266daaf40afd026894b311424b50d8ff5.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Users\Admin\AppData\Local\Temp\jclbq.exe
    "C:\Users\Admin\AppData\Local\Temp\jclbq.exe" C:\Users\Admin\AppData\Local\Temp\ejjzna.c
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1444
  - - C:\Users\Admin\AppData\Local\Temp\jclbq.exe
      "C:\Users\Admin\AppData\Local\Temp\jclbq.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:1208
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\SysWOW64\netsh.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\jclbq.exe"
    3⤵
    PID:1752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ejjzna.c

Filesize
5KB

MD5
56c8c7c799f71bdc89f7b5461aff5018

SHA1
7d43fc76f38bf06c329d76e5e1d7c55f5274c30e

SHA256
347ce10f202d8b74459e9f20bca828374f7b6e2ff8f02b09d1b6661f12468c1f

SHA512
d3e93413bb4e9d3ec0298e49316464ea403799061a770d736c92124c70f4de5cda778116fe52fd3cae001a9c60e366419da42bc34d8cfedae182f00cef82e420

Download Submit
C:\Users\Admin\AppData\Local\Temp\jclbq.exe

Filesize
6KB

MD5
1020517dbcbe5fa0f2293cf76783b960

SHA1
144aeb681338abb7e6f0aab2631bf36353beaf36

SHA256
6b17509d84603c59e6c7cb1159159bb5671628b5d723ea3861f5f539ed314fa4

SHA512
692015fee1d560dff70ffbda4994090550e4cf04136fd95f46ef27d3c18015ac8bb2beee9b862d44441ed7f479743385a38cd1c37891c775dbf7873a43372c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jclbq.exe

Filesize
6KB

MD5
1020517dbcbe5fa0f2293cf76783b960

SHA1
144aeb681338abb7e6f0aab2631bf36353beaf36

SHA256
6b17509d84603c59e6c7cb1159159bb5671628b5d723ea3861f5f539ed314fa4

SHA512
692015fee1d560dff70ffbda4994090550e4cf04136fd95f46ef27d3c18015ac8bb2beee9b862d44441ed7f479743385a38cd1c37891c775dbf7873a43372c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jclbq.exe

Filesize
6KB

MD5
1020517dbcbe5fa0f2293cf76783b960

SHA1
144aeb681338abb7e6f0aab2631bf36353beaf36

SHA256
6b17509d84603c59e6c7cb1159159bb5671628b5d723ea3861f5f539ed314fa4

SHA512
692015fee1d560dff70ffbda4994090550e4cf04136fd95f46ef27d3c18015ac8bb2beee9b862d44441ed7f479743385a38cd1c37891c775dbf7873a43372c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jclbq.exe

Filesize
6KB

MD5
1020517dbcbe5fa0f2293cf76783b960

SHA1
144aeb681338abb7e6f0aab2631bf36353beaf36

SHA256
6b17509d84603c59e6c7cb1159159bb5671628b5d723ea3861f5f539ed314fa4

SHA512
692015fee1d560dff70ffbda4994090550e4cf04136fd95f46ef27d3c18015ac8bb2beee9b862d44441ed7f479743385a38cd1c37891c775dbf7873a43372c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jihmsoovaz.vy

Filesize
205KB

MD5
cf37a36f916cd28fe01a4171bdd9cb45

SHA1
74cb49a570a1e3f774d269966018eb7d9faaa52c

SHA256
d3163724fa7b29418fb87d302d25c04a8ba1084df9f592bdfefc65e4e183d462

SHA512
7f30b3d059190fd114528f7d28002c6472a5c2731e3ee7a09f2d3dc2646b493e28ac02365588f09eccfdaaa1b0a549917449643ca2221c579ef7345d849774e6

Download Submit
\Users\Admin\AppData\Local\Temp\jclbq.exe

Filesize
6KB

MD5
1020517dbcbe5fa0f2293cf76783b960

SHA1
144aeb681338abb7e6f0aab2631bf36353beaf36

SHA256
6b17509d84603c59e6c7cb1159159bb5671628b5d723ea3861f5f539ed314fa4

SHA512
692015fee1d560dff70ffbda4994090550e4cf04136fd95f46ef27d3c18015ac8bb2beee9b862d44441ed7f479743385a38cd1c37891c775dbf7873a43372c5b

Download Submit
\Users\Admin\AppData\Local\Temp\jclbq.exe

Filesize
6KB

MD5
1020517dbcbe5fa0f2293cf76783b960

SHA1
144aeb681338abb7e6f0aab2631bf36353beaf36

SHA256
6b17509d84603c59e6c7cb1159159bb5671628b5d723ea3861f5f539ed314fa4

SHA512
692015fee1d560dff70ffbda4994090550e4cf04136fd95f46ef27d3c18015ac8bb2beee9b862d44441ed7f479743385a38cd1c37891c775dbf7873a43372c5b

Download Submit
\Users\Admin\AppData\Local\Temp\jclbq.exe

Filesize
6KB

MD5
1020517dbcbe5fa0f2293cf76783b960

SHA1
144aeb681338abb7e6f0aab2631bf36353beaf36

SHA256
6b17509d84603c59e6c7cb1159159bb5671628b5d723ea3861f5f539ed314fa4

SHA512
692015fee1d560dff70ffbda4994090550e4cf04136fd95f46ef27d3c18015ac8bb2beee9b862d44441ed7f479743385a38cd1c37891c775dbf7873a43372c5b

Download Submit
memory/1208-74-0x0000000000180000-0x0000000000194000-memory.dmp

Filesize
80KB

Download
memory/1208-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1208-73-0x0000000000960000-0x0000000000C63000-memory.dmp

Filesize
3.0MB

Download
memory/1208-69-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1208-76-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1208-77-0x00000000001D0000-0x00000000001E4000-memory.dmp

Filesize
80KB

Download
memory/1356-86-0x0000000003790000-0x0000000003890000-memory.dmp

Filesize
1024KB

Download
memory/1356-78-0x0000000006BF0000-0x0000000006D5A000-memory.dmp

Filesize
1.4MB

Download
memory/1356-75-0x0000000004CE0000-0x0000000004DDC000-memory.dmp

Filesize
1008KB

Download
memory/1356-88-0x0000000006D60000-0x0000000006EDD000-memory.dmp

Filesize
1.5MB

Download
memory/1356-89-0x0000000006D60000-0x0000000006EDD000-memory.dmp

Filesize
1.5MB

Download
memory/1356-91-0x0000000006D60000-0x0000000006EDD000-memory.dmp

Filesize
1.5MB

Download
memory/1460-80-0x0000000001190000-0x00000000011AB000-memory.dmp

Filesize
108KB

Download
memory/1460-81-0x0000000001190000-0x00000000011AB000-memory.dmp

Filesize
108KB

Download
memory/1460-82-0x00000000000C0000-0x00000000000EF000-memory.dmp

Filesize
188KB

Download
memory/1460-83-0x0000000000BC0000-0x0000000000EC3000-memory.dmp

Filesize
3.0MB

Download
memory/1460-84-0x00000000000C0000-0x00000000000EF000-memory.dmp

Filesize
188KB

Download
memory/1460-87-0x00000000004A0000-0x0000000000533000-memory.dmp

Filesize
588KB

Download