formbook | 5da13468ddb4481a5057669fec1f3c469132af6e2ad0963524e3751b359e69cd

Analysis

max time kernel
299s
max time network
303s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
12/04/2023, 09:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LEAK.exe
Size

262KB
MD5

6b85dbb12585f5120e70e0cad7521654
SHA1

93107e9c48785d4ff393478c32249a43d1b3c055
SHA256

d4b23673edbc5a28526a91b7e10003c82449971f594a066941b2d8217fbf2ab3
SHA512

a4c085779a17d9820b4f72a7ef5ba219cfe6e15a93c3599841ebb23c84908a0cbeab11f85f3d1846615d8869bf365ed45764ef1476c6a41f6d37d1e6392ad9fd
SSDEEP

6144:PYa6jjX34cmYMHSBCQU8yEg4Quz02vXET3I3:PYxUPZV8BvQ4UTs

Score

10^/10

formbook c02s rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

c02s

Decoy

51ysp.net

digitalmarketsecrets.com

bringbackroyal.com

mitepty.online

famousastrologyspecialist.com

789betket.pro

cailinlane.com

lab-grown-diamonds-44403.com

nascodirect.africa

healthpedia.life

780ty.com

brokerdefensewall.info

storagetopgun.net

almanea.xyz

debbieaffordablewears.com

digitalrightsmarch.com

shengxianmeishi.com

duoguang.top

belpages.com

hiegu7mj6.xyz

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/2688-129-0x0000000000150000-0x000000000017F000-memory.dmp	formbook
behavioral1/memory/3968-144-0x0000000002C00000-0x0000000002C2F000-memory.dmp	formbook
behavioral1/memory/3968-146-0x0000000002C00000-0x0000000002C2F000-memory.dmp	formbook

Blocklisted process makes network request 2 IoCs

flow	pid	Process
10	3968	rundll32.exe
33	3968	rundll32.exe

Executes dropped EXE 2 IoCs

pid	Process
3488	jxwcdyb.exe
2688	jxwcdyb.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3488 set thread context of 2688	3488	jxwcdyb.exe	67
PID 2688 set thread context of 3164	2688	jxwcdyb.exe	26
PID 3968 set thread context of 3164	3968	rundll32.exe	26

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2688	jxwcdyb.exe
2688	jxwcdyb.exe
2688	jxwcdyb.exe
2688	jxwcdyb.exe
3968	rundll32.exe
3968	rundll32.exe
3968	rundll32.exe
3968	rundll32.exe
3968	rundll32.exe
3968	rundll32.exe
3968	rundll32.exe
3968	rundll32.exe
3968	rundll32.exe
3968	rundll32.exe
3968	rundll32.exe
3968	rundll32.exe
3968	rundll32.exe
3968	rundll32.exe
3968	rundll32.exe
3968	rundll32.exe
3968	rundll32.exe
3968	rundll32.exe
3968	rundll32.exe
3968	rundll32.exe
3968	rundll32.exe
3968	rundll32.exe
3968	rundll32.exe
3968	rundll32.exe
3968	rundll32.exe
3968	rundll32.exe
3968	rundll32.exe
3968	rundll32.exe
3968	rundll32.exe
3968	rundll32.exe
3968	rundll32.exe
3968	rundll32.exe
3968	rundll32.exe
3968	rundll32.exe
3968	rundll32.exe
3968	rundll32.exe
3968	rundll32.exe
3968	rundll32.exe
3968	rundll32.exe
3968	rundll32.exe
3968	rundll32.exe
3968	rundll32.exe
3968	rundll32.exe
3968	rundll32.exe
3968	rundll32.exe
3968	rundll32.exe
3968	rundll32.exe
3968	rundll32.exe
3968	rundll32.exe
3968	rundll32.exe
3968	rundll32.exe
3968	rundll32.exe
3968	rundll32.exe
3968	rundll32.exe
3968	rundll32.exe
3968	rundll32.exe
3968	rundll32.exe
3968	rundll32.exe
3968	rundll32.exe
3968	rundll32.exe

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
3488	jxwcdyb.exe
3488	jxwcdyb.exe
2688	jxwcdyb.exe
2688	jxwcdyb.exe
2688	jxwcdyb.exe
3968	rundll32.exe
3968	rundll32.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2688	jxwcdyb.exe
Token: SeDebugPrivilege	3968	rundll32.exe
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1012 wrote to memory of 3488	1012	LEAK.exe	66
PID 1012 wrote to memory of 3488	1012	LEAK.exe	66
PID 1012 wrote to memory of 3488	1012	LEAK.exe	66
PID 3488 wrote to memory of 2688	3488	jxwcdyb.exe	67
PID 3488 wrote to memory of 2688	3488	jxwcdyb.exe	67
PID 3488 wrote to memory of 2688	3488	jxwcdyb.exe	67
PID 3488 wrote to memory of 2688	3488	jxwcdyb.exe	67
PID 3164 wrote to memory of 3968	3164	Explorer.EXE	68
PID 3164 wrote to memory of 3968	3164	Explorer.EXE	68
PID 3164 wrote to memory of 3968	3164	Explorer.EXE	68
PID 3968 wrote to memory of 2060	3968	rundll32.exe	69
PID 3968 wrote to memory of 2060	3968	rundll32.exe	69
PID 3968 wrote to memory of 2060	3968	rundll32.exe	69

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3164
- C:\Users\Admin\AppData\Local\Temp\LEAK.exe
  "C:\Users\Admin\AppData\Local\Temp\LEAK.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1012
- - C:\Users\Admin\AppData\Local\Temp\jxwcdyb.exe
    "C:\Users\Admin\AppData\Local\Temp\jxwcdyb.exe" C:\Users\Admin\AppData\Local\Temp\bfptr.ev
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:3488
  - - C:\Users\Admin\AppData\Local\Temp\jxwcdyb.exe
      "C:\Users\Admin\AppData\Local\Temp\jxwcdyb.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2688
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\SysWOW64\rundll32.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3968
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\jxwcdyb.exe"
    3⤵
    PID:2060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bfptr.ev

Filesize
5KB

MD5
bd03105891b41f7b24ed1199fe99c276

SHA1
efade9f4cf1f6fe46a28f3bff681a2481b41f7ce

SHA256
5651075eb59501e1f816a2b838fea2b3d71fa3bc1bf2f55de6f1bbfd555aaf06

SHA512
1feff40eb35fb63c2b2a7768371cb1dfab136521d94ac3cbf9f35becab506dc76bcbeaeedcf98aadc71cd51161391b481d5033d17e92de3952992a32dfb0e3f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\jxwcdyb.exe

Filesize
59KB

MD5
0552a9de03ce623dbb5777f7f1904924

SHA1
13ae0f18378944c0875d209937b088dc3d6f7872

SHA256
da96da00a4239e6d781847066a2e23d257171f8b9e8b1b421b7838efc3e5f72c

SHA512
120736ff4b95905624401c99bafcb824354589338da17984cac7b665f289ef27b384050d46bcfa9da2c3b63a98853744d059b78ea5010a4b69fe882af1ab3326

Download Submit
C:\Users\Admin\AppData\Local\Temp\jxwcdyb.exe

Filesize
59KB

MD5
0552a9de03ce623dbb5777f7f1904924

SHA1
13ae0f18378944c0875d209937b088dc3d6f7872

SHA256
da96da00a4239e6d781847066a2e23d257171f8b9e8b1b421b7838efc3e5f72c

SHA512
120736ff4b95905624401c99bafcb824354589338da17984cac7b665f289ef27b384050d46bcfa9da2c3b63a98853744d059b78ea5010a4b69fe882af1ab3326

Download Submit
C:\Users\Admin\AppData\Local\Temp\jxwcdyb.exe

Filesize
59KB

MD5
0552a9de03ce623dbb5777f7f1904924

SHA1
13ae0f18378944c0875d209937b088dc3d6f7872

SHA256
da96da00a4239e6d781847066a2e23d257171f8b9e8b1b421b7838efc3e5f72c

SHA512
120736ff4b95905624401c99bafcb824354589338da17984cac7b665f289ef27b384050d46bcfa9da2c3b63a98853744d059b78ea5010a4b69fe882af1ab3326

Download Submit
C:\Users\Admin\AppData\Local\Temp\najpmrl.wj

Filesize
205KB

MD5
783d52d14296f272c9ea168d5aeed08f

SHA1
121f62fb3bcd4c890e9b363f1ddcbd6a8c2e47b7

SHA256
1f2e6f9e25f6fbd07104fb7245c6c069cc1004d3c8164f851cdb0e28dc95af08

SHA512
c1d59354bb7509b1b197dd11e47464f6b1efa0d0b837eb7518cf3b36bada82a1776cb7787a2fe03fb837c95c2000de81551f2ca970df0e8d1e3eeb43c013c473

Download Submit
memory/2688-136-0x0000000000B90000-0x0000000000EB0000-memory.dmp

Filesize
3.1MB

Download
memory/2688-129-0x0000000000150000-0x000000000017F000-memory.dmp

Filesize
188KB

Download
memory/2688-137-0x0000000000660000-0x0000000000674000-memory.dmp

Filesize
80KB

Download
memory/3164-138-0x0000000003240000-0x0000000003379000-memory.dmp

Filesize
1.2MB

Download
memory/3164-148-0x0000000003240000-0x0000000003379000-memory.dmp

Filesize
1.2MB

Download
memory/3164-154-0x0000000005890000-0x00000000059A8000-memory.dmp

Filesize
1.1MB

Download
memory/3164-153-0x0000000005890000-0x00000000059A8000-memory.dmp

Filesize
1.1MB

Download
memory/3164-151-0x0000000005890000-0x00000000059A8000-memory.dmp

Filesize
1.1MB

Download
memory/3488-133-0x0000000000190000-0x0000000000192000-memory.dmp

Filesize
8KB

Download
memory/3968-139-0x0000000000800000-0x0000000000813000-memory.dmp

Filesize
76KB

Download
memory/3968-146-0x0000000002C00000-0x0000000002C2F000-memory.dmp

Filesize
188KB

Download
memory/3968-145-0x0000000004250000-0x0000000004570000-memory.dmp

Filesize
3.1MB

Download
memory/3968-149-0x0000000004180000-0x0000000004213000-memory.dmp

Filesize
588KB

Download
memory/3968-144-0x0000000002C00000-0x0000000002C2F000-memory.dmp

Filesize
188KB

Download
memory/3968-143-0x0000000000800000-0x0000000000813000-memory.dmp

Filesize
76KB

Download
memory/3968-141-0x0000000000800000-0x0000000000813000-memory.dmp

Filesize
76KB

Download