formbook | 53f90e80ee75a05b9560187248b14f80e82e6d413ee14243bb53672b1444ad93

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
30/03/2023, 01:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29cabc4d11ff9dc55301ff8d60eb06d1e1ec9c2509910ceda522e84ab4e240f8.exe
Size

294KB
MD5

9a28fed41f2ac3aff59ffdde4a752434
SHA1

08c829e972d92ff9d6386c25014dcda629165ecf
SHA256

29cabc4d11ff9dc55301ff8d60eb06d1e1ec9c2509910ceda522e84ab4e240f8
SHA512

b602bc23d493432093d80a75812d41543f77aea591ee68472bdc7f5e9f4a867989ab09b8cd775ddae2e73585bf776c1358c70fb6aca78388c6729b56ce9e8b40
SSDEEP

6144:/Ya6uP3tS22mHJp2HJpuK9dw4ax7C+nfZu5tCt4J4p5yXc/DOaK:/YY/tS2xUqKc4al3ns5ktS44YqaK

Score

10^/10

formbook ke03 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ke03

Decoy

fastartcustom.com

ikanggabus.xyz

aevum.ru

lacarretapps.com

arcaneacquisitions.net

fuulyshop.com

bloodbahis278.com

bullardrvpark.com

cowboy-hostel.xyz

empireoba.com

the-windsor-h.africa

help-desk-td.com

dofirosols.life

efefarmy.buzz

kewwrf.top

autoran.co.uk

moodysanalytics.boo

kulturemarket.com

ffwpu-kenya.com

heykon.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/1448-142-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/1448-147-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/1148-155-0x0000000000C10000-0x0000000000C3F000-memory.dmp	formbook
behavioral2/memory/1148-156-0x0000000000C10000-0x0000000000C3F000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

pid	Process
2384	mytnrk.exe
1448	mytnrk.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2384 set thread context of 1448	2384	mytnrk.exe	86
PID 1448 set thread context of 2704	1448	mytnrk.exe	32
PID 1148 set thread context of 2704	1148	cmstp.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
1448	mytnrk.exe
1448	mytnrk.exe
1448	mytnrk.exe
1448	mytnrk.exe
1148	cmstp.exe
1148	cmstp.exe
1148	cmstp.exe
1148	cmstp.exe
1148	cmstp.exe
1148	cmstp.exe
1148	cmstp.exe
1148	cmstp.exe
1148	cmstp.exe
1148	cmstp.exe
1148	cmstp.exe
1148	cmstp.exe
1148	cmstp.exe
1148	cmstp.exe
1148	cmstp.exe
1148	cmstp.exe
1148	cmstp.exe
1148	cmstp.exe
1148	cmstp.exe
1148	cmstp.exe
1148	cmstp.exe
1148	cmstp.exe
1148	cmstp.exe
1148	cmstp.exe
1148	cmstp.exe
1148	cmstp.exe
1148	cmstp.exe
1148	cmstp.exe
1148	cmstp.exe
1148	cmstp.exe
1148	cmstp.exe
1148	cmstp.exe
1148	cmstp.exe
1148	cmstp.exe
1148	cmstp.exe
1148	cmstp.exe
1148	cmstp.exe
1148	cmstp.exe
1148	cmstp.exe
1148	cmstp.exe
1148	cmstp.exe
1148	cmstp.exe
1148	cmstp.exe
1148	cmstp.exe
1148	cmstp.exe
1148	cmstp.exe
1148	cmstp.exe
1148	cmstp.exe
1148	cmstp.exe
1148	cmstp.exe
1148	cmstp.exe
1148	cmstp.exe
1148	cmstp.exe
1148	cmstp.exe
1148	cmstp.exe
1148	cmstp.exe
1148	cmstp.exe
1148	cmstp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2704	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2384	mytnrk.exe
1448	mytnrk.exe
1448	mytnrk.exe
1448	mytnrk.exe
1148	cmstp.exe
1148	cmstp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1448	mytnrk.exe
Token: SeDebugPrivilege	1148	cmstp.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 2384	1796	29cabc4d11ff9dc55301ff8d60eb06d1e1ec9c2509910ceda522e84ab4e240f8.exe	84
PID 1796 wrote to memory of 2384	1796	29cabc4d11ff9dc55301ff8d60eb06d1e1ec9c2509910ceda522e84ab4e240f8.exe	84
PID 1796 wrote to memory of 2384	1796	29cabc4d11ff9dc55301ff8d60eb06d1e1ec9c2509910ceda522e84ab4e240f8.exe	84
PID 2384 wrote to memory of 1448	2384	mytnrk.exe	86
PID 2384 wrote to memory of 1448	2384	mytnrk.exe	86
PID 2384 wrote to memory of 1448	2384	mytnrk.exe	86
PID 2384 wrote to memory of 1448	2384	mytnrk.exe	86
PID 2704 wrote to memory of 1148	2704	Explorer.EXE	87
PID 2704 wrote to memory of 1148	2704	Explorer.EXE	87
PID 2704 wrote to memory of 1148	2704	Explorer.EXE	87
PID 1148 wrote to memory of 224	1148	cmstp.exe	91
PID 1148 wrote to memory of 224	1148	cmstp.exe	91
PID 1148 wrote to memory of 224	1148	cmstp.exe	91

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Users\Admin\AppData\Local\Temp\29cabc4d11ff9dc55301ff8d60eb06d1e1ec9c2509910ceda522e84ab4e240f8.exe
  "C:\Users\Admin\AppData\Local\Temp\29cabc4d11ff9dc55301ff8d60eb06d1e1ec9c2509910ceda522e84ab4e240f8.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1796
- - C:\Users\Admin\AppData\Local\Temp\mytnrk.exe
    "C:\Users\Admin\AppData\Local\Temp\mytnrk.exe" C:\Users\Admin\AppData\Local\Temp\glfpuulw.z
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2384
  - - C:\Users\Admin\AppData\Local\Temp\mytnrk.exe
      "C:\Users\Admin\AppData\Local\Temp\mytnrk.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:1448
- C:\Windows\SysWOW64\cmstp.exe
  "C:\Windows\SysWOW64\cmstp.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\mytnrk.exe"
    3⤵
    PID:224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\glfpuulw.z

Filesize
5KB

MD5
2ee419dc53f08be430810aaa0510ea8e

SHA1
54bcf8ea219d741e4121bfca103c6ae5060c228c

SHA256
12db54564a97c4b88d5ca583f472892b964e8ac8db7b23de39425e8752693fe3

SHA512
00ac999faae8edcfe9a1ed0c4fb6a7fdb13ac243e37f6ebc6a747344d410625f506006783ba6bcb90e1232f17fccfb1847588bc14c012c5f26edd59249da2767

Download Submit
C:\Users\Admin\AppData\Local\Temp\hhnopgnyiu.bp

Filesize
205KB

MD5
da6e42ef3c53e014f423714ad8062380

SHA1
2a4f9831e2263548cbc98c47246d39a58c090bf1

SHA256
0dfe99276cb678876076233c14e3379591680439933df1173c44be632c8beb4a

SHA512
d7ebefbd80d20d7a7a1d3841b1be025b3dc0e0ebcbee29cb3cc76c5024d116f2f435eb89f54dd40f27340c270a8f83fb51246cf7313a151d05d555b7b045513a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mytnrk.exe

Filesize
147KB

MD5
b545eeb0fc5312fa44c44656405c4650

SHA1
b4d549feb61e5584f304ec0c80c07de240824663

SHA256
2b31311b62da5ef612b3c8060456914fb0e23e095a79ad21b0c9e05569016910

SHA512
f5682d6c5aca028d12765680d9ef0d0579d69b87ff3dbd16d6c50e4a04d696d65db6073c3c51b5212c0c67ec2903fbcb47f52f6dd51841a89015da4350ef11d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mytnrk.exe

Filesize
147KB

MD5
b545eeb0fc5312fa44c44656405c4650

SHA1
b4d549feb61e5584f304ec0c80c07de240824663

SHA256
2b31311b62da5ef612b3c8060456914fb0e23e095a79ad21b0c9e05569016910

SHA512
f5682d6c5aca028d12765680d9ef0d0579d69b87ff3dbd16d6c50e4a04d696d65db6073c3c51b5212c0c67ec2903fbcb47f52f6dd51841a89015da4350ef11d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mytnrk.exe

Filesize
147KB

MD5
b545eeb0fc5312fa44c44656405c4650

SHA1
b4d549feb61e5584f304ec0c80c07de240824663

SHA256
2b31311b62da5ef612b3c8060456914fb0e23e095a79ad21b0c9e05569016910

SHA512
f5682d6c5aca028d12765680d9ef0d0579d69b87ff3dbd16d6c50e4a04d696d65db6073c3c51b5212c0c67ec2903fbcb47f52f6dd51841a89015da4350ef11d8

Download Submit
memory/1148-151-0x0000000000420000-0x0000000000436000-memory.dmp

Filesize
88KB

Download
memory/1148-158-0x0000000002920000-0x00000000029B3000-memory.dmp

Filesize
588KB

Download
memory/1148-156-0x0000000000C10000-0x0000000000C3F000-memory.dmp

Filesize
188KB

Download
memory/1148-154-0x0000000002AB0000-0x0000000002DFA000-memory.dmp

Filesize
3.3MB

Download
memory/1148-155-0x0000000000C10000-0x0000000000C3F000-memory.dmp

Filesize
188KB

Download
memory/1148-153-0x0000000000420000-0x0000000000436000-memory.dmp

Filesize
88KB

Download
memory/1448-142-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1448-148-0x0000000000BA0000-0x0000000000BB4000-memory.dmp

Filesize
80KB

Download
memory/1448-147-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1448-146-0x0000000000C40000-0x0000000000F8A000-memory.dmp

Filesize
3.3MB

Download
memory/2384-141-0x00000000005D0000-0x00000000005D2000-memory.dmp

Filesize
8KB

Download
memory/2704-149-0x0000000008A70000-0x0000000008C1B000-memory.dmp

Filesize
1.7MB

Download
memory/2704-159-0x0000000006C20000-0x0000000006D8E000-memory.dmp

Filesize
1.4MB

Download
memory/2704-160-0x0000000006C20000-0x0000000006D8E000-memory.dmp

Filesize
1.4MB

Download
memory/2704-162-0x0000000006C20000-0x0000000006D8E000-memory.dmp

Filesize
1.4MB

Download