formbook | bde148cc492b003001b57f554c21cc8fea9cf4be56e25150b810a4b040a4e842

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
24/03/2023, 12:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

swift.exe
Size

341KB
MD5

e8a3330c073fdf9c823f23eeb066e194
SHA1

ca809e57a8caf8cebb47fac3a645f4983947e73b
SHA256

bde148cc492b003001b57f554c21cc8fea9cf4be56e25150b810a4b040a4e842
SHA512

4b49b60f94dbc04a4b429ea7bf5f03324f8929132b16138284d694e606d96b835e33645420f2f0540b48c5fe829019775489a5719b704558d3f245392a4063b2
SSDEEP

6144:TYa6Usu/Db1Ymej6fLXf0B0Mk2/9eTnWiVCiEkm6sj0SCID+E2DGen:TYasu/Db1YmScfzMk2/sTnWCCdkm9j0x

Score

10^/10

formbook k04s rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

k04s

Decoy

draanabellrojas.com

in03.one

kyraloves.co.uk

laluma.store

londoncell.com

kanurikibueadvocates.com

buyeasynow.net

escapefromtarkov-wiki.com

crewint.net

f-b.boats

beautyaidstudio.com

ashfieldconsultancy.uk

dlogsadood.com

ftgam.xyz

constantinopanama.com

yellowpocket.africa

konyil.com

easomobility.com

1135wickloecourt.com

indexb2b.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/2100-142-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2100-150-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/540-154-0x0000000000CC0000-0x0000000000CEF000-memory.dmp	formbook
behavioral2/memory/540-156-0x0000000000CC0000-0x0000000000CEF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

pid	Process
4748	phxsq.exe
2100	phxsq.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4748 set thread context of 2100	4748	phxsq.exe	87
PID 2100 set thread context of 3124	2100	phxsq.exe	42
PID 540 set thread context of 3124	540	raserver.exe	42

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
2100	phxsq.exe
2100	phxsq.exe
2100	phxsq.exe
2100	phxsq.exe
540	raserver.exe
540	raserver.exe
540	raserver.exe
540	raserver.exe
540	raserver.exe
540	raserver.exe
540	raserver.exe
540	raserver.exe
540	raserver.exe
540	raserver.exe
540	raserver.exe
540	raserver.exe
540	raserver.exe
540	raserver.exe
540	raserver.exe
540	raserver.exe
540	raserver.exe
540	raserver.exe
540	raserver.exe
540	raserver.exe
540	raserver.exe
540	raserver.exe
540	raserver.exe
540	raserver.exe
540	raserver.exe
540	raserver.exe
540	raserver.exe
540	raserver.exe
540	raserver.exe
540	raserver.exe
540	raserver.exe
540	raserver.exe
540	raserver.exe
540	raserver.exe
540	raserver.exe
540	raserver.exe
540	raserver.exe
540	raserver.exe
540	raserver.exe
540	raserver.exe
540	raserver.exe
540	raserver.exe
540	raserver.exe
540	raserver.exe
540	raserver.exe
540	raserver.exe
540	raserver.exe
540	raserver.exe
540	raserver.exe
540	raserver.exe
540	raserver.exe
540	raserver.exe
540	raserver.exe
540	raserver.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3124	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
4748	phxsq.exe
2100	phxsq.exe
2100	phxsq.exe
2100	phxsq.exe
540	raserver.exe
540	raserver.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2100	phxsq.exe
Token: SeDebugPrivilege	540	raserver.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2584 wrote to memory of 4748	2584	swift.exe	85
PID 2584 wrote to memory of 4748	2584	swift.exe	85
PID 2584 wrote to memory of 4748	2584	swift.exe	85
PID 4748 wrote to memory of 2100	4748	phxsq.exe	87
PID 4748 wrote to memory of 2100	4748	phxsq.exe	87
PID 4748 wrote to memory of 2100	4748	phxsq.exe	87
PID 4748 wrote to memory of 2100	4748	phxsq.exe	87
PID 3124 wrote to memory of 540	3124	Explorer.EXE	88
PID 3124 wrote to memory of 540	3124	Explorer.EXE	88
PID 3124 wrote to memory of 540	3124	Explorer.EXE	88
PID 540 wrote to memory of 4552	540	raserver.exe	92
PID 540 wrote to memory of 4552	540	raserver.exe	92
PID 540 wrote to memory of 4552	540	raserver.exe	92

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3124
- C:\Users\Admin\AppData\Local\Temp\swift.exe
  "C:\Users\Admin\AppData\Local\Temp\swift.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Users\Admin\AppData\Local\Temp\phxsq.exe
    "C:\Users\Admin\AppData\Local\Temp\phxsq.exe" C:\Users\Admin\AppData\Local\Temp\nhsovldsw.lff
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4748
  - - C:\Users\Admin\AppData\Local\Temp\phxsq.exe
      "C:\Users\Admin\AppData\Local\Temp\phxsq.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2100
- C:\Windows\SysWOW64\raserver.exe
  "C:\Windows\SysWOW64\raserver.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:540
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\phxsq.exe"
    3⤵
    PID:4552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dkxsculhnjn.w

Filesize
205KB

MD5
0e56850f533289789c9a474a70e11d6a

SHA1
14cd0ec888e4a88c40e86f715be20a6a0878308a

SHA256
b2c07e77646449937b65013a97354804fdc9d3daad672407cdf7b4a83d612e7a

SHA512
f96684d2798d186e7f7a7d11cd5bb1864881dabb2ab0a78c3d1d5e33650e22e1073964a501d4da50bd178e6df154903411b1fb1b65475da6c5e514a40528eb06

Download Submit
C:\Users\Admin\AppData\Local\Temp\nhsovldsw.lff

Filesize
5KB

MD5
561b45eca3cab3ae0c8e56cca74ac9a0

SHA1
6d86588eec57db38d3f9543ae27291b29c06794e

SHA256
01801c094c8cde97bf09a57ef17b31a2903fc04863f9d2589d76d7e8af04ca09

SHA512
1fb864ffd0861ede0aa33f90a84f65066812395c19dc9485d31279d8a8daab6afae3a282a9a18a052c4bcb56cb00208ec8737e8491c6306fbf50f649f9d9d7da

Download Submit
C:\Users\Admin\AppData\Local\Temp\phxsq.exe

Filesize
254KB

MD5
98e4b4da7173f14451a1916a7c1083cf

SHA1
1e62b0c46bdb5b9c1892e2414953b1737e67b3fb

SHA256
acb6be916929ce852d9126e06488269ec86eaa6c12dcf93e977fce1b72b87f51

SHA512
e24949e01430a56a193243d7132c45291d045f3b2d1a6c93bb03e70c9850765cd19023d0c3c5270305e9baa7158759be1c759624b4d6859120c426c953b3cb46

Download Submit
C:\Users\Admin\AppData\Local\Temp\phxsq.exe

Filesize
254KB

MD5
98e4b4da7173f14451a1916a7c1083cf

SHA1
1e62b0c46bdb5b9c1892e2414953b1737e67b3fb

SHA256
acb6be916929ce852d9126e06488269ec86eaa6c12dcf93e977fce1b72b87f51

SHA512
e24949e01430a56a193243d7132c45291d045f3b2d1a6c93bb03e70c9850765cd19023d0c3c5270305e9baa7158759be1c759624b4d6859120c426c953b3cb46

Download Submit
C:\Users\Admin\AppData\Local\Temp\phxsq.exe

Filesize
254KB

MD5
98e4b4da7173f14451a1916a7c1083cf

SHA1
1e62b0c46bdb5b9c1892e2414953b1737e67b3fb

SHA256
acb6be916929ce852d9126e06488269ec86eaa6c12dcf93e977fce1b72b87f51

SHA512
e24949e01430a56a193243d7132c45291d045f3b2d1a6c93bb03e70c9850765cd19023d0c3c5270305e9baa7158759be1c759624b4d6859120c426c953b3cb46

Download Submit
memory/540-156-0x0000000000CC0000-0x0000000000CEF000-memory.dmp

Filesize
188KB

Download
memory/540-158-0x0000000002AC0000-0x0000000002B53000-memory.dmp

Filesize
588KB

Download
memory/540-149-0x00000000006E0000-0x00000000006FF000-memory.dmp

Filesize
124KB

Download
memory/540-153-0x00000000006E0000-0x00000000006FF000-memory.dmp

Filesize
124KB

Download
memory/540-155-0x0000000002C80000-0x0000000002FCA000-memory.dmp

Filesize
3.3MB

Download
memory/540-154-0x0000000000CC0000-0x0000000000CEF000-memory.dmp

Filesize
188KB

Download
memory/2100-146-0x0000000000AC0000-0x0000000000E0A000-memory.dmp

Filesize
3.3MB

Download
memory/2100-147-0x00000000005C0000-0x00000000005D4000-memory.dmp

Filesize
80KB

Download
memory/2100-142-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2100-150-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3124-148-0x0000000009010000-0x000000000916D000-memory.dmp

Filesize
1.4MB

Download
memory/3124-159-0x0000000009320000-0x0000000009435000-memory.dmp

Filesize
1.1MB

Download
memory/3124-160-0x0000000009320000-0x0000000009435000-memory.dmp

Filesize
1.1MB

Download
memory/3124-162-0x0000000009320000-0x0000000009435000-memory.dmp

Filesize
1.1MB

Download
memory/4748-140-0x00000000004C0000-0x00000000004C2000-memory.dmp

Filesize
8KB

Download