formbook | 9472d7a4e6028ef04c5b1a1a57844a3198229bd209b68c1d3534123e4fad8fb2

Analysis

max time kernel
150s
max time network
129s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
14/03/2023, 09:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MTCN TELLER RECEIPT.exe
Size

237KB
MD5

f9726a7a881f7182123ee36679c4d09b
SHA1

53b28856a51b66195ff4a3b799642b8d1f7025db
SHA256

9472d7a4e6028ef04c5b1a1a57844a3198229bd209b68c1d3534123e4fad8fb2
SHA512

1ea087c3d7311dbd07eeb03c4ca9ef37236fac517f11a305849ab022b8645baffd947d9e794f0418b6050a25f4a3b8f35137ad5f76591cb10e526df04050ac02
SSDEEP

6144:/Ya6i74F0L4ddME6oV38O0+yn9utn3HND:/YUcmL4X6oB8O0+Nt3HND

Score

10^/10

formbook ke03 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ke03

Decoy

fastartcustom.com

ikanggabus.xyz

aevum.ru

lacarretapps.com

arcaneacquisitions.net

fuulyshop.com

bloodbahis278.com

bullardrvpark.com

cowboy-hostel.xyz

empireoba.com

the-windsor-h.africa

help-desk-td.com

dofirosols.life

efefarmy.buzz

kewwrf.top

autoran.co.uk

moodysanalytics.boo

kulturemarket.com

ffwpu-kenya.com

heykon.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/680-69-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/680-74-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1872-80-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/1872-82-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

pid	Process
1460	otmflulrvh.exe
680	otmflulrvh.exe

Loads dropped DLL 3 IoCs

pid	Process
1212	MTCN TELLER RECEIPT.exe
1212	MTCN TELLER RECEIPT.exe
1460	otmflulrvh.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1460 set thread context of 680	1460	otmflulrvh.exe	29
PID 680 set thread context of 1260	680	otmflulrvh.exe	16
PID 1872 set thread context of 1260	1872	NAPSTAT.EXE	16

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
680	otmflulrvh.exe
680	otmflulrvh.exe
1872	NAPSTAT.EXE
1872	NAPSTAT.EXE
1872	NAPSTAT.EXE
1872	NAPSTAT.EXE
1872	NAPSTAT.EXE
1872	NAPSTAT.EXE
1872	NAPSTAT.EXE
1872	NAPSTAT.EXE
1872	NAPSTAT.EXE
1872	NAPSTAT.EXE
1872	NAPSTAT.EXE
1872	NAPSTAT.EXE
1872	NAPSTAT.EXE
1872	NAPSTAT.EXE
1872	NAPSTAT.EXE
1872	NAPSTAT.EXE
1872	NAPSTAT.EXE
1872	NAPSTAT.EXE
1872	NAPSTAT.EXE
1872	NAPSTAT.EXE
1872	NAPSTAT.EXE
1872	NAPSTAT.EXE
1872	NAPSTAT.EXE
1872	NAPSTAT.EXE
1872	NAPSTAT.EXE
1872	NAPSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1260	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
1460	otmflulrvh.exe
680	otmflulrvh.exe
680	otmflulrvh.exe
680	otmflulrvh.exe
1872	NAPSTAT.EXE
1872	NAPSTAT.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	680	otmflulrvh.exe
Token: SeDebugPrivilege	1872	NAPSTAT.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1260	Explorer.EXE
1260	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1260	Explorer.EXE
1260	Explorer.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 1460	1212	MTCN TELLER RECEIPT.exe	28
PID 1212 wrote to memory of 1460	1212	MTCN TELLER RECEIPT.exe	28
PID 1212 wrote to memory of 1460	1212	MTCN TELLER RECEIPT.exe	28
PID 1212 wrote to memory of 1460	1212	MTCN TELLER RECEIPT.exe	28
PID 1460 wrote to memory of 680	1460	otmflulrvh.exe	29
PID 1460 wrote to memory of 680	1460	otmflulrvh.exe	29
PID 1460 wrote to memory of 680	1460	otmflulrvh.exe	29
PID 1460 wrote to memory of 680	1460	otmflulrvh.exe	29
PID 1460 wrote to memory of 680	1460	otmflulrvh.exe	29
PID 1260 wrote to memory of 1872	1260	Explorer.EXE	30
PID 1260 wrote to memory of 1872	1260	Explorer.EXE	30
PID 1260 wrote to memory of 1872	1260	Explorer.EXE	30
PID 1260 wrote to memory of 1872	1260	Explorer.EXE	30
PID 1872 wrote to memory of 1936	1872	NAPSTAT.EXE	31
PID 1872 wrote to memory of 1936	1872	NAPSTAT.EXE	31
PID 1872 wrote to memory of 1936	1872	NAPSTAT.EXE	31
PID 1872 wrote to memory of 1936	1872	NAPSTAT.EXE	31

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Users\Admin\AppData\Local\Temp\MTCN TELLER RECEIPT.exe
  "C:\Users\Admin\AppData\Local\Temp\MTCN TELLER RECEIPT.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1212
- - C:\Users\Admin\AppData\Local\Temp\otmflulrvh.exe
    "C:\Users\Admin\AppData\Local\Temp\otmflulrvh.exe" C:\Users\Admin\AppData\Local\Temp\qubvvmzl.rk
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1460
  - - C:\Users\Admin\AppData\Local\Temp\otmflulrvh.exe
      "C:\Users\Admin\AppData\Local\Temp\otmflulrvh.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:680
- C:\Windows\SysWOW64\NAPSTAT.EXE
  "C:\Windows\SysWOW64\NAPSTAT.EXE"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1872
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\otmflulrvh.exe"
    3⤵
    PID:1936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\oiaib.rm

Filesize
205KB

MD5
6c642712d39637fc8ced74cb3dcc7903

SHA1
ff0ddab33f478889515a061e7763f235450cb8f9

SHA256
3349be17dc030f34b0d2a9067897b91b45d87d585531fc108463be9174aab3c8

SHA512
290e24095925a6ce7c48e523f8fbccd22e8aab4481bd437850d411dd79f7f8cefa015aff0838b1d565c07a6623f4045aa904093a889b7d0a0b7fd7cf4baaa9b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\otmflulrvh.exe

Filesize
5KB

MD5
086d2e81b0c19b74943ac4eeeb459a56

SHA1
448a2e6b3441d26c30ee12dc7d93de8a9c459c66

SHA256
af3ebfddb7d9356ba8272014df8a10fed3c0ce25f17d0958e34daee4bef90b77

SHA512
bebbdb06bff5e6ed36cf9a9e4bfe2230feeb0ad8e0d3192e835dbabf12eeaae2a784c9608ad91cc5d6e8ee7a1f413e1a7f29855f8371eef9db0dc3a894c74a9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\otmflulrvh.exe

Filesize
5KB

MD5
086d2e81b0c19b74943ac4eeeb459a56

SHA1
448a2e6b3441d26c30ee12dc7d93de8a9c459c66

SHA256
af3ebfddb7d9356ba8272014df8a10fed3c0ce25f17d0958e34daee4bef90b77

SHA512
bebbdb06bff5e6ed36cf9a9e4bfe2230feeb0ad8e0d3192e835dbabf12eeaae2a784c9608ad91cc5d6e8ee7a1f413e1a7f29855f8371eef9db0dc3a894c74a9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\otmflulrvh.exe

Filesize
5KB

MD5
086d2e81b0c19b74943ac4eeeb459a56

SHA1
448a2e6b3441d26c30ee12dc7d93de8a9c459c66

SHA256
af3ebfddb7d9356ba8272014df8a10fed3c0ce25f17d0958e34daee4bef90b77

SHA512
bebbdb06bff5e6ed36cf9a9e4bfe2230feeb0ad8e0d3192e835dbabf12eeaae2a784c9608ad91cc5d6e8ee7a1f413e1a7f29855f8371eef9db0dc3a894c74a9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\otmflulrvh.exe

Filesize
5KB

MD5
086d2e81b0c19b74943ac4eeeb459a56

SHA1
448a2e6b3441d26c30ee12dc7d93de8a9c459c66

SHA256
af3ebfddb7d9356ba8272014df8a10fed3c0ce25f17d0958e34daee4bef90b77

SHA512
bebbdb06bff5e6ed36cf9a9e4bfe2230feeb0ad8e0d3192e835dbabf12eeaae2a784c9608ad91cc5d6e8ee7a1f413e1a7f29855f8371eef9db0dc3a894c74a9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qubvvmzl.rk

Filesize
5KB

MD5
bc7836f77f8028836397e690f4e998ed

SHA1
dedfbfcb4399bf6e90a2005ae6911b602ff2fef1

SHA256
fd133ec88368b5125c6e886efc0f30e345eec49a887169a904601fb3c5e50dcf

SHA512
167e5f00b11409cade03214794bb146ff7db3ab62fd44620fddd98b64c81049ae5de4ccc57320a205554e957e6ce6b306a4525fec0d954b7629c819ce478c8af

Download Submit
\Users\Admin\AppData\Local\Temp\otmflulrvh.exe

Filesize
5KB

MD5
086d2e81b0c19b74943ac4eeeb459a56

SHA1
448a2e6b3441d26c30ee12dc7d93de8a9c459c66

SHA256
af3ebfddb7d9356ba8272014df8a10fed3c0ce25f17d0958e34daee4bef90b77

SHA512
bebbdb06bff5e6ed36cf9a9e4bfe2230feeb0ad8e0d3192e835dbabf12eeaae2a784c9608ad91cc5d6e8ee7a1f413e1a7f29855f8371eef9db0dc3a894c74a9e

Download Submit
\Users\Admin\AppData\Local\Temp\otmflulrvh.exe

Filesize
5KB

MD5
086d2e81b0c19b74943ac4eeeb459a56

SHA1
448a2e6b3441d26c30ee12dc7d93de8a9c459c66

SHA256
af3ebfddb7d9356ba8272014df8a10fed3c0ce25f17d0958e34daee4bef90b77

SHA512
bebbdb06bff5e6ed36cf9a9e4bfe2230feeb0ad8e0d3192e835dbabf12eeaae2a784c9608ad91cc5d6e8ee7a1f413e1a7f29855f8371eef9db0dc3a894c74a9e

Download Submit
\Users\Admin\AppData\Local\Temp\otmflulrvh.exe

Filesize
5KB

MD5
086d2e81b0c19b74943ac4eeeb459a56

SHA1
448a2e6b3441d26c30ee12dc7d93de8a9c459c66

SHA256
af3ebfddb7d9356ba8272014df8a10fed3c0ce25f17d0958e34daee4bef90b77

SHA512
bebbdb06bff5e6ed36cf9a9e4bfe2230feeb0ad8e0d3192e835dbabf12eeaae2a784c9608ad91cc5d6e8ee7a1f413e1a7f29855f8371eef9db0dc3a894c74a9e

Download Submit
memory/680-75-0x00000000008E0000-0x0000000000BE3000-memory.dmp

Filesize
3.0MB

Download
memory/680-74-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/680-69-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/680-76-0x0000000000270000-0x0000000000284000-memory.dmp

Filesize
80KB

Download
memory/1260-86-0x0000000006AF0000-0x0000000006C66000-memory.dmp

Filesize
1.5MB

Download
memory/1260-77-0x00000000041E0000-0x0000000004294000-memory.dmp

Filesize
720KB

Download
memory/1260-89-0x0000000006AF0000-0x0000000006C66000-memory.dmp

Filesize
1.5MB

Download
memory/1260-73-0x0000000000010000-0x0000000000020000-memory.dmp

Filesize
64KB

Download
memory/1260-87-0x0000000006AF0000-0x0000000006C66000-memory.dmp

Filesize
1.5MB

Download
memory/1872-79-0x0000000000AC0000-0x0000000000B06000-memory.dmp

Filesize
280KB

Download
memory/1872-82-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1872-85-0x00000000008E0000-0x0000000000973000-memory.dmp

Filesize
588KB

Download
memory/1872-81-0x0000000001F10000-0x0000000002213000-memory.dmp

Filesize
3.0MB

Download
memory/1872-80-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1872-78-0x0000000000AC0000-0x0000000000B06000-memory.dmp

Filesize
280KB

Download