formbook | 9528017e989109cae2591f60299ef84b42f1eba732c24549ca000171a1edac85

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2023 08:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NR_ZAMOW.exe
Size

561KB
MD5

abb44d8629dbbae4b307b638fa35c921
SHA1

91b9b648dfcc9261d3c0135eea5c4a9da4e87985
SHA256

55d12f1706d497912ee1c846004edea135577d7e2eb2246e9c439740be365643
SHA512

c6226f1c6634e11a48c79668df2229d43476d6dec9351da239bf9da58500751e584dccf3eea2aba77e881b2eb9c8b116843b0cee5a7d2af21db0561c4e1661a2
SSDEEP

12288:KTMY1ltUnHhjgUciLJDrLmuychLXK8WEu:KThtejgUci9DvgcM8Wh

Score

10^/10

formbook il23 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

il23

Decoy

woodlandwoodworking.net

kitchen-deals-69155.com

hiddendia.xyz

xelaxaste.uk

sproutstrive.com

avlulu124.xyz

g-starnetwork.com

a-avdeeva.com

filmart.top

bustime411.com

besyor.xyz

joulex.live

christmastempjobsfinder.life

cxrh-official.com

themuzzy.co.uk

joshisarena.africa

dental4family.com

dietsandsixpacks.co.uk

innovativedigest.com

flyingphoenix.club

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1256-148-0x0000000000400000-0x0000000001654000-memory.dmp	formbook

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

NR_ZAMOW.exeNR_ZAMOW.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	NR_ZAMOW.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	NR_ZAMOW.exe

Loads dropped DLL 1 IoCs

Processes:

NR_ZAMOW.exe

pid process

3960 NR_ZAMOW.exe
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

NR_ZAMOW.exe

pid process

1256 NR_ZAMOW.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

NR_ZAMOW.exeNR_ZAMOW.exe

pid process

3960 NR_ZAMOW.exe
1256 NR_ZAMOW.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

NR_ZAMOW.exe

description pid process target process

PID 3960 set thread context of 1256 3960 NR_ZAMOW.exe NR_ZAMOW.exe
Drops file in Windows directory 1 IoCs

Processes:

NR_ZAMOW.exe

description ioc process

File opened for modification C:\Windows\resources\0409\Minatories\Araknofili\Expenditrix\Revalorization62.ini NR_ZAMOW.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

NR_ZAMOW.exe

pid process

3960 NR_ZAMOW.exe

pid	process
3960	NR_ZAMOW.exe

pid	process
1256	NR_ZAMOW.exe

pid	process
3960	NR_ZAMOW.exe
1256	NR_ZAMOW.exe

description	pid	process	target process
PID 3960 set thread context of 1256	3960	NR_ZAMOW.exe	NR_ZAMOW.exe

description	ioc	process
File opened for modification	C:\Windows\resources\0409\Minatories\Araknofili\Expenditrix\Revalorization62.ini	NR_ZAMOW.exe

pid	process
3960	NR_ZAMOW.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

NR_ZAMOW.exe

description	pid	process	target process
PID 3960 wrote to memory of 1256	3960	NR_ZAMOW.exe	NR_ZAMOW.exe
PID 3960 wrote to memory of 1256	3960	NR_ZAMOW.exe	NR_ZAMOW.exe
PID 3960 wrote to memory of 1256	3960	NR_ZAMOW.exe	NR_ZAMOW.exe
PID 3960 wrote to memory of 1256	3960	NR_ZAMOW.exe	NR_ZAMOW.exe

C:\Users\Admin\AppData\Local\Temp\NR_ZAMOW.exe
"C:\Users\Admin\AppData\Local\Temp\NR_ZAMOW.exe"
1⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3960

C:\Users\Admin\AppData\Local\Temp\NR_ZAMOW.exe
"C:\Users\Admin\AppData\Local\Temp\NR_ZAMOW.exe"
2⤵
- Checks QEMU agent file
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1256

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsgCAE7.tmp\System.dll
Filesize
12KB

MD5
a1da6788aeaf78ca4ae1dece8019e49d

SHA1
d770155e6e9aa69223be198c44a8da26a1756d89

SHA256
b7823a15e7b1866ba3d77248f750b66505859d264cfc39d8c8c5e812f8ae4a81

SHA512
eada9c1528563ddfe3d4d8ed5dbc52b85a9190765535b68da90e6d623288bf0090adac5118e1ed6e3cb3e0abb9af025d3a2a73121413a4471a90fd04bc861e18

Download Submit
C:\Users\Admin\Music\krammets.lnk
Filesize
1KB

MD5
5bfe44e78f22a91d89c9a8e1f6ee927c

SHA1
8cda084aa7d4542cdfa217ef01d689463b7062ca

SHA256
52adb10ab1aaa3cb6c0b3ce2786ddde54f29080413d6f68294bb3d06296ab657

SHA512
3dee88e9ce71cacd5689e33d3880656fd2b2c5851a1c1f535b45b2ef4049944f0b3495668f3825f3985e4a09308f594280d3c34812b95dbb91a670490f793a14

Download Submit
memory/1256-147-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1256-148-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download