formbook | 2df9699c284bbd4241206481258a4c7e0a21eec0b4a88ab41cfd58de8d65154a

Analysis

max time kernel
148s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
10-03-2023 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rroror9983.exe
Size

260KB
MD5

8f974c18e52474d38b4eed8a7dfe8490
SHA1

4375371f00c0e2121a6b6902ad6ddd6f13836c23
SHA256

2df9699c284bbd4241206481258a4c7e0a21eec0b4a88ab41cfd58de8d65154a
SHA512

6b8739c43f2bc91de08990565fba3056fc8a881bdacd5d72df23ef2b8f9aff2854437cc0f439c91d868ae47b39248b791ae78cc293823eda345768c2872ccded
SSDEEP

6144:PYa6W4IR3lE+7kCU7iUsrVSHs+Q8SpuccoPQuGKDTpIha:PY44I9d7kCbSHsWSpu3wHTSha

Score

10^/10

formbook re29 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

re29

Decoy

barnstorm-music.com

gazzettadellapuglia.com

baratieistore.space

cdrjdkj.com

carlissablog.com

langlalang.com

2886365.com

aq993.cyou

jwjwjwjw.com

car-deals-80304.com

dikevolesas.info

buycialistablets.online

theplantgranny.net

detoxshopbr.store

imans.biz

fightingcock.co.uk

loveforfurbabies.com

eastcoastbeveragegroup.com

alaaeldinsoft.com

microshel.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

resource	yara_rule
behavioral2/memory/2336-142-0x0000000000130000-0x000000000015F000-memory.dmp	formbook
behavioral2/memory/1276-152-0x0000000001100000-0x000000000112F000-memory.dmp	formbook
behavioral2/memory/1276-154-0x0000000001100000-0x000000000112F000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

pid	Process
1220	mlbwddtyb.exe
2336	mlbwddtyb.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1220 set thread context of 2336	1220	mlbwddtyb.exe	87
PID 2336 set thread context of 3152	2336	mlbwddtyb.exe	48
PID 1276 set thread context of 3152	1276	cmmon32.exe	48

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
2336	mlbwddtyb.exe
2336	mlbwddtyb.exe
2336	mlbwddtyb.exe
2336	mlbwddtyb.exe
1276	cmmon32.exe
1276	cmmon32.exe
1276	cmmon32.exe
1276	cmmon32.exe
1276	cmmon32.exe
1276	cmmon32.exe
1276	cmmon32.exe
1276	cmmon32.exe
1276	cmmon32.exe
1276	cmmon32.exe
1276	cmmon32.exe
1276	cmmon32.exe
1276	cmmon32.exe
1276	cmmon32.exe
1276	cmmon32.exe
1276	cmmon32.exe
1276	cmmon32.exe
1276	cmmon32.exe
1276	cmmon32.exe
1276	cmmon32.exe
1276	cmmon32.exe
1276	cmmon32.exe
1276	cmmon32.exe
1276	cmmon32.exe
1276	cmmon32.exe
1276	cmmon32.exe
1276	cmmon32.exe
1276	cmmon32.exe
1276	cmmon32.exe
1276	cmmon32.exe
1276	cmmon32.exe
1276	cmmon32.exe
1276	cmmon32.exe
1276	cmmon32.exe
1276	cmmon32.exe
1276	cmmon32.exe
1276	cmmon32.exe
1276	cmmon32.exe
1276	cmmon32.exe
1276	cmmon32.exe
1276	cmmon32.exe
1276	cmmon32.exe
1276	cmmon32.exe
1276	cmmon32.exe
1276	cmmon32.exe
1276	cmmon32.exe
1276	cmmon32.exe
1276	cmmon32.exe
1276	cmmon32.exe
1276	cmmon32.exe
1276	cmmon32.exe
1276	cmmon32.exe
1276	cmmon32.exe
1276	cmmon32.exe
1276	cmmon32.exe
1276	cmmon32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3152	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
1220	mlbwddtyb.exe
1220	mlbwddtyb.exe
2336	mlbwddtyb.exe
2336	mlbwddtyb.exe
2336	mlbwddtyb.exe
1276	cmmon32.exe
1276	cmmon32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2336	mlbwddtyb.exe
Token: SeDebugPrivilege	1276	cmmon32.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 1220	1340	rroror9983.exe	86
PID 1340 wrote to memory of 1220	1340	rroror9983.exe	86
PID 1340 wrote to memory of 1220	1340	rroror9983.exe	86
PID 1220 wrote to memory of 2336	1220	mlbwddtyb.exe	87
PID 1220 wrote to memory of 2336	1220	mlbwddtyb.exe	87
PID 1220 wrote to memory of 2336	1220	mlbwddtyb.exe	87
PID 1220 wrote to memory of 2336	1220	mlbwddtyb.exe	87
PID 3152 wrote to memory of 1276	3152	Explorer.EXE	88
PID 3152 wrote to memory of 1276	3152	Explorer.EXE	88
PID 3152 wrote to memory of 1276	3152	Explorer.EXE	88
PID 1276 wrote to memory of 4476	1276	cmmon32.exe	91
PID 1276 wrote to memory of 4476	1276	cmmon32.exe	91
PID 1276 wrote to memory of 4476	1276	cmmon32.exe	91

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3152
- C:\Users\Admin\AppData\Local\Temp\rroror9983.exe
  "C:\Users\Admin\AppData\Local\Temp\rroror9983.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1340
- - C:\Users\Admin\AppData\Local\Temp\mlbwddtyb.exe
    "C:\Users\Admin\AppData\Local\Temp\mlbwddtyb.exe" C:\Users\Admin\AppData\Local\Temp\gxtunhjm.u
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1220
  - - C:\Users\Admin\AppData\Local\Temp\mlbwddtyb.exe
      "C:\Users\Admin\AppData\Local\Temp\mlbwddtyb.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2336
- C:\Windows\SysWOW64\cmmon32.exe
  "C:\Windows\SysWOW64\cmmon32.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1276
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\mlbwddtyb.exe"
    3⤵
    PID:4476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gxtunhjm.u

Filesize
5KB

MD5
9c6bd0bb30c225029b33b9a622676edf

SHA1
a620616fcf43069ee9e20b3b0238dfea46418562

SHA256
7c0546fa875f83435511e59b7b4ea542aa1c5e52b7f19690096b44870d80c85d

SHA512
e955ec6842ffad66c1f06264acc6bc66f32ba7e1e885a91679874e732ec07941fdd27189a5ca2d552f43a662158c5a571a908777e6aed321ab6af2685ae5899b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mlbwddtyb.exe

Filesize
53KB

MD5
558d56d5c47921642a7a268c43f9c98f

SHA1
454006005090f57886a4a4cba6e5473bfc5b16b3

SHA256
55dbcca3e82e51a7697b94a25f6502bb8eb556276800634a2ada357b323fd06f

SHA512
e248a202287b65c4825e3c4699ef3eda46602e9796bc068cc47ef3193a24834dc3a75055453730e1644eba674454e7c4319274982e6d0905e91f13bc5231f1c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\mlbwddtyb.exe

Filesize
53KB

MD5
558d56d5c47921642a7a268c43f9c98f

SHA1
454006005090f57886a4a4cba6e5473bfc5b16b3

SHA256
55dbcca3e82e51a7697b94a25f6502bb8eb556276800634a2ada357b323fd06f

SHA512
e248a202287b65c4825e3c4699ef3eda46602e9796bc068cc47ef3193a24834dc3a75055453730e1644eba674454e7c4319274982e6d0905e91f13bc5231f1c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\mlbwddtyb.exe

Filesize
53KB

MD5
558d56d5c47921642a7a268c43f9c98f

SHA1
454006005090f57886a4a4cba6e5473bfc5b16b3

SHA256
55dbcca3e82e51a7697b94a25f6502bb8eb556276800634a2ada357b323fd06f

SHA512
e248a202287b65c4825e3c4699ef3eda46602e9796bc068cc47ef3193a24834dc3a75055453730e1644eba674454e7c4319274982e6d0905e91f13bc5231f1c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmxdaktwrjk.c

Filesize
205KB

MD5
6a9c839430bc4a8ecab76552ad0870b8

SHA1
13e246d8142b26d8da57b38eeab511ff21eb2413

SHA256
d24ede35fca57acde825da02bdfb3181ddb454f487e727a853650892ac58fe21

SHA512
449f4033c67602d717e443bc290860bca97ead17ab3d141728ed4891c6f7b4715edd390ab9d917cb6e847ba7a51d48ff6c69e9fe624814ac67a50d4a5648983a

Download Submit
memory/1276-152-0x0000000001100000-0x000000000112F000-memory.dmp

Filesize
188KB

Download
memory/1276-156-0x0000000002ED0000-0x0000000002F63000-memory.dmp

Filesize
588KB

Download
memory/1276-154-0x0000000001100000-0x000000000112F000-memory.dmp

Filesize
188KB

Download
memory/1276-153-0x0000000003190000-0x00000000034DA000-memory.dmp

Filesize
3.3MB

Download
memory/1276-150-0x0000000000680000-0x000000000068C000-memory.dmp

Filesize
48KB

Download
memory/1276-151-0x0000000000680000-0x000000000068C000-memory.dmp

Filesize
48KB

Download
memory/2336-142-0x0000000000130000-0x000000000015F000-memory.dmp

Filesize
188KB

Download
memory/2336-148-0x0000000000620000-0x0000000000634000-memory.dmp

Filesize
80KB

Download
memory/2336-147-0x0000000000E80000-0x00000000011CA000-memory.dmp

Filesize
3.3MB

Download
memory/3152-149-0x0000000006E10000-0x0000000006EFD000-memory.dmp

Filesize
948KB

Download
memory/3152-157-0x00000000028C0000-0x00000000029C3000-memory.dmp

Filesize
1.0MB

Download
memory/3152-158-0x00000000028C0000-0x00000000029C3000-memory.dmp

Filesize
1.0MB

Download
memory/3152-160-0x00000000028C0000-0x00000000029C3000-memory.dmp

Filesize
1.0MB

Download