formbook | dfb9a75bd82bcf0d9f72647affdf954d936d629eb3be78fe4b5c9b5166ccb9d6

Analysis

max time kernel
150s
max time network
151s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
30-03-2023 07:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dfb9a75bd82bcf0d9f72647affdf954d936d629eb3be78fe4b5c9b5166ccb9d6.exe
Size

88KB
MD5

eebdd5b69b2fbe296a4e848b6ece83e7
SHA1

a416b80860c5810aa92c72382eb34c29a36ad34a
SHA256

dfb9a75bd82bcf0d9f72647affdf954d936d629eb3be78fe4b5c9b5166ccb9d6
SHA512

b3d4a1cde995d12e16367fd0437a0fcd2bf52081aba40eace547e79838d17de40bb5162112132d3d1c49f7baf9a4c1581a8c4f696df64b4321c6f7cd27245afa
SSDEEP

1536:LgBV6YZ3juIBFXJpk+CfZxtLOgiC2fjYYYYYYfpQpQpQpPd49N7H:UBV6KTBBFXJpk+CfZHLO1zfzpQpQpQp+

Score

10^/10

formbook purecrypter ar73 downloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

purecrypter

http://192.3.215.60/uo7/Cbqta.png

Extracted

Family

formbook

Version

4.1

Campaign

ar73

Decoy

classgorilla.com

b6817.com

1wwuwa.top

dgslimited.africa

deepwaterships.com

hkshshoptw.shop

hurricanevalleyatvjamboree.com

ckpconsulting.com

laojiangmath.com

authenticityhacking.com

family-doctor-53205.com

investinstgeorgeut.com

lithoearthsolution.africa

quickhealcareltd.co.uk

delightkgrillw.top

freezeclosettoilet.com

coo1star.com

gemgamut.com

enrichednetworksolutions.com

betterbeeclean.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/1536-162-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1536-169-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1236-173-0x00000000004A0000-0x00000000004CF000-memory.dmp	formbook
behavioral1/memory/1236-175-0x00000000004A0000-0x00000000004CF000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2496 set thread context of 1536	2496	dfb9a75bd82bcf0d9f72647affdf954d936d629eb3be78fe4b5c9b5166ccb9d6.exe	70
PID 1536 set thread context of 3188	1536	MSBuild.exe	24
PID 1236 set thread context of 3188	1236	ipconfig.exe	24

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
1236	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

pid	Process
4896	powershell.exe
4896	powershell.exe
4896	powershell.exe
2496	dfb9a75bd82bcf0d9f72647affdf954d936d629eb3be78fe4b5c9b5166ccb9d6.exe
2496	dfb9a75bd82bcf0d9f72647affdf954d936d629eb3be78fe4b5c9b5166ccb9d6.exe
2496	dfb9a75bd82bcf0d9f72647affdf954d936d629eb3be78fe4b5c9b5166ccb9d6.exe
2496	dfb9a75bd82bcf0d9f72647affdf954d936d629eb3be78fe4b5c9b5166ccb9d6.exe
1536	MSBuild.exe
1536	MSBuild.exe
1536	MSBuild.exe
1536	MSBuild.exe
1236	ipconfig.exe
1236	ipconfig.exe
1236	ipconfig.exe
1236	ipconfig.exe
1236	ipconfig.exe
1236	ipconfig.exe
1236	ipconfig.exe
1236	ipconfig.exe
1236	ipconfig.exe
1236	ipconfig.exe
1236	ipconfig.exe
1236	ipconfig.exe
1236	ipconfig.exe
1236	ipconfig.exe
1236	ipconfig.exe
1236	ipconfig.exe
1236	ipconfig.exe
1236	ipconfig.exe
1236	ipconfig.exe
1236	ipconfig.exe
1236	ipconfig.exe
1236	ipconfig.exe
1236	ipconfig.exe
1236	ipconfig.exe
1236	ipconfig.exe
1236	ipconfig.exe
1236	ipconfig.exe
1236	ipconfig.exe
1236	ipconfig.exe
1236	ipconfig.exe
1236	ipconfig.exe
1236	ipconfig.exe
1236	ipconfig.exe
1236	ipconfig.exe
1236	ipconfig.exe
1236	ipconfig.exe
1236	ipconfig.exe
1236	ipconfig.exe
1236	ipconfig.exe
1236	ipconfig.exe
1236	ipconfig.exe
1236	ipconfig.exe
1236	ipconfig.exe
1236	ipconfig.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3188	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
1536	MSBuild.exe
1536	MSBuild.exe
1536	MSBuild.exe
1236	ipconfig.exe
1236	ipconfig.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2496	dfb9a75bd82bcf0d9f72647affdf954d936d629eb3be78fe4b5c9b5166ccb9d6.exe
Token: SeDebugPrivilege	4896	powershell.exe
Token: SeDebugPrivilege	1536	MSBuild.exe
Token: SeDebugPrivilege	1236	ipconfig.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 4896	2496	dfb9a75bd82bcf0d9f72647affdf954d936d629eb3be78fe4b5c9b5166ccb9d6.exe	66
PID 2496 wrote to memory of 4896	2496	dfb9a75bd82bcf0d9f72647affdf954d936d629eb3be78fe4b5c9b5166ccb9d6.exe	66
PID 2496 wrote to memory of 4896	2496	dfb9a75bd82bcf0d9f72647affdf954d936d629eb3be78fe4b5c9b5166ccb9d6.exe	66
PID 2496 wrote to memory of 3944	2496	dfb9a75bd82bcf0d9f72647affdf954d936d629eb3be78fe4b5c9b5166ccb9d6.exe	68
PID 2496 wrote to memory of 3944	2496	dfb9a75bd82bcf0d9f72647affdf954d936d629eb3be78fe4b5c9b5166ccb9d6.exe	68
PID 2496 wrote to memory of 3944	2496	dfb9a75bd82bcf0d9f72647affdf954d936d629eb3be78fe4b5c9b5166ccb9d6.exe	68
PID 2496 wrote to memory of 1600	2496	dfb9a75bd82bcf0d9f72647affdf954d936d629eb3be78fe4b5c9b5166ccb9d6.exe	69
PID 2496 wrote to memory of 1600	2496	dfb9a75bd82bcf0d9f72647affdf954d936d629eb3be78fe4b5c9b5166ccb9d6.exe	69
PID 2496 wrote to memory of 1600	2496	dfb9a75bd82bcf0d9f72647affdf954d936d629eb3be78fe4b5c9b5166ccb9d6.exe	69
PID 2496 wrote to memory of 1536	2496	dfb9a75bd82bcf0d9f72647affdf954d936d629eb3be78fe4b5c9b5166ccb9d6.exe	70
PID 2496 wrote to memory of 1536	2496	dfb9a75bd82bcf0d9f72647affdf954d936d629eb3be78fe4b5c9b5166ccb9d6.exe	70
PID 2496 wrote to memory of 1536	2496	dfb9a75bd82bcf0d9f72647affdf954d936d629eb3be78fe4b5c9b5166ccb9d6.exe	70
PID 2496 wrote to memory of 1536	2496	dfb9a75bd82bcf0d9f72647affdf954d936d629eb3be78fe4b5c9b5166ccb9d6.exe	70
PID 2496 wrote to memory of 1536	2496	dfb9a75bd82bcf0d9f72647affdf954d936d629eb3be78fe4b5c9b5166ccb9d6.exe	70
PID 2496 wrote to memory of 1536	2496	dfb9a75bd82bcf0d9f72647affdf954d936d629eb3be78fe4b5c9b5166ccb9d6.exe	70
PID 3188 wrote to memory of 1236	3188	Explorer.EXE	71
PID 3188 wrote to memory of 1236	3188	Explorer.EXE	71
PID 3188 wrote to memory of 1236	3188	Explorer.EXE	71
PID 1236 wrote to memory of 2676	1236	ipconfig.exe	72
PID 1236 wrote to memory of 2676	1236	ipconfig.exe	72
PID 1236 wrote to memory of 2676	1236	ipconfig.exe	72

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3188
- C:\Users\Admin\AppData\Local\Temp\dfb9a75bd82bcf0d9f72647affdf954d936d629eb3be78fe4b5c9b5166ccb9d6.exe
  "C:\Users\Admin\AppData\Local\Temp\dfb9a75bd82bcf0d9f72647affdf954d936d629eb3be78fe4b5c9b5166ccb9d6.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4896
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    3⤵
    PID:3944
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    3⤵
    PID:1600
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1536
- C:\Windows\SysWOW64\ipconfig.exe
  "C:\Windows\SysWOW64\ipconfig.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Gathers network information
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1236
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:2676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ominzgon.eex.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/1236-178-0x00000000008C0000-0x0000000000953000-memory.dmp

Filesize
588KB

Download
memory/1236-175-0x00000000004A0000-0x00000000004CF000-memory.dmp

Filesize
188KB

Download
memory/1236-174-0x0000000003000000-0x0000000003320000-memory.dmp

Filesize
3.1MB

Download
memory/1236-173-0x00000000004A0000-0x00000000004CF000-memory.dmp

Filesize
188KB

Download
memory/1236-172-0x0000000000FF0000-0x0000000000FFB000-memory.dmp

Filesize
44KB

Download
memory/1236-168-0x0000000000FF0000-0x0000000000FFB000-memory.dmp

Filesize
44KB

Download
memory/1236-170-0x0000000000FF0000-0x0000000000FFB000-memory.dmp

Filesize
44KB

Download
memory/1536-169-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1536-166-0x0000000000E70000-0x0000000000E84000-memory.dmp

Filesize
80KB

Download
memory/1536-164-0x0000000001170000-0x0000000001490000-memory.dmp

Filesize
3.1MB

Download
memory/1536-162-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2496-154-0x0000000004E80000-0x0000000004E90000-memory.dmp

Filesize
64KB

Download
memory/2496-126-0x00000000065B0000-0x0000000006642000-memory.dmp

Filesize
584KB

Download
memory/2496-122-0x0000000004E80000-0x0000000004E90000-memory.dmp

Filesize
64KB

Download
memory/2496-123-0x0000000006000000-0x0000000006182000-memory.dmp

Filesize
1.5MB

Download
memory/2496-124-0x0000000006180000-0x00000000064D0000-memory.dmp

Filesize
3.3MB

Download
memory/2496-125-0x0000000004EB0000-0x0000000004EFB000-memory.dmp

Filesize
300KB

Download
memory/2496-121-0x00000000005B0000-0x00000000005CC000-memory.dmp

Filesize
112KB

Download
memory/2496-127-0x0000000006690000-0x00000000066B2000-memory.dmp

Filesize
136KB

Download
memory/3188-167-0x0000000004620000-0x0000000004745000-memory.dmp

Filesize
1.1MB

Download
memory/3188-182-0x0000000006020000-0x00000000061B2000-memory.dmp

Filesize
1.6MB

Download
memory/3188-180-0x0000000006020000-0x00000000061B2000-memory.dmp

Filesize
1.6MB

Download
memory/3188-179-0x0000000006020000-0x00000000061B2000-memory.dmp

Filesize
1.6MB

Download
memory/4896-136-0x0000000007550000-0x000000000756C000-memory.dmp

Filesize
112KB

Download
memory/4896-131-0x0000000006D90000-0x00000000073B8000-memory.dmp

Filesize
6.2MB

Download
memory/4896-130-0x0000000004610000-0x0000000004646000-memory.dmp

Filesize
216KB

Download
memory/4896-155-0x00000000046E0000-0x00000000046F0000-memory.dmp

Filesize
64KB

Download
memory/4896-156-0x00000000046E0000-0x00000000046F0000-memory.dmp

Filesize
64KB

Download
memory/4896-153-0x0000000008DB0000-0x0000000008DCA000-memory.dmp

Filesize
104KB

Download
memory/4896-152-0x0000000009430000-0x0000000009AA8000-memory.dmp

Filesize
6.5MB

Download
memory/4896-135-0x0000000007720000-0x0000000007786000-memory.dmp

Filesize
408KB

Download
memory/4896-137-0x0000000007DD0000-0x0000000007E46000-memory.dmp

Filesize
472KB

Download
memory/4896-132-0x00000000046E0000-0x00000000046F0000-memory.dmp

Filesize
64KB

Download
memory/4896-133-0x00000000046E0000-0x00000000046F0000-memory.dmp

Filesize
64KB

Download
memory/4896-134-0x00000000075A0000-0x0000000007606000-memory.dmp

Filesize
408KB

Download