formbook | 5da13468ddb4481a5057669fec1f3c469132af6e2ad0963524e3751b359e69cd

Analysis

max time kernel
296s
max time network
288s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
12/04/2023, 09:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LEAK.exe
Size

262KB
MD5

6b85dbb12585f5120e70e0cad7521654
SHA1

93107e9c48785d4ff393478c32249a43d1b3c055
SHA256

d4b23673edbc5a28526a91b7e10003c82449971f594a066941b2d8217fbf2ab3
SHA512

a4c085779a17d9820b4f72a7ef5ba219cfe6e15a93c3599841ebb23c84908a0cbeab11f85f3d1846615d8869bf365ed45764ef1476c6a41f6d37d1e6392ad9fd
SSDEEP

6144:PYa6jjX34cmYMHSBCQU8yEg4Quz02vXET3I3:PYxUPZV8BvQ4UTs

Score

10^/10

formbook c02s rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

c02s

Decoy

51ysp.net

digitalmarketsecrets.com

bringbackroyal.com

mitepty.online

famousastrologyspecialist.com

789betket.pro

cailinlane.com

lab-grown-diamonds-44403.com

nascodirect.africa

healthpedia.life

780ty.com

brokerdefensewall.info

storagetopgun.net

almanea.xyz

debbieaffordablewears.com

digitalrightsmarch.com

shengxianmeishi.com

duoguang.top

belpages.com

hiegu7mj6.xyz

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/1828-68-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/1828-76-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/1488-80-0x00000000000D0000-0x00000000000FF000-memory.dmp	formbook
behavioral2/memory/1488-82-0x00000000000D0000-0x00000000000FF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

pid	Process
1992	jxwcdyb.exe
1828	jxwcdyb.exe

Loads dropped DLL 3 IoCs

pid	Process
2032	LEAK.exe
2032	LEAK.exe
1992	jxwcdyb.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1992 set thread context of 1828	1992	jxwcdyb.exe	29
PID 1828 set thread context of 1196	1828	jxwcdyb.exe	16
PID 1488 set thread context of 1196	1488	rundll32.exe	16

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
1828	jxwcdyb.exe
1828	jxwcdyb.exe
1488	rundll32.exe
1488	rundll32.exe
1488	rundll32.exe
1488	rundll32.exe
1488	rundll32.exe
1488	rundll32.exe
1488	rundll32.exe
1488	rundll32.exe
1488	rundll32.exe
1488	rundll32.exe
1488	rundll32.exe
1488	rundll32.exe
1488	rundll32.exe
1488	rundll32.exe
1488	rundll32.exe
1488	rundll32.exe
1488	rundll32.exe
1488	rundll32.exe
1488	rundll32.exe
1488	rundll32.exe
1488	rundll32.exe
1488	rundll32.exe
1488	rundll32.exe
1488	rundll32.exe
1488	rundll32.exe
1488	rundll32.exe
1488	rundll32.exe
1488	rundll32.exe
1488	rundll32.exe
1488	rundll32.exe
1488	rundll32.exe
1488	rundll32.exe
1488	rundll32.exe
1488	rundll32.exe
1488	rundll32.exe
1488	rundll32.exe
1488	rundll32.exe
1488	rundll32.exe
1488	rundll32.exe
1488	rundll32.exe
1488	rundll32.exe
1488	rundll32.exe
1488	rundll32.exe
1488	rundll32.exe
1488	rundll32.exe
1488	rundll32.exe
1488	rundll32.exe
1488	rundll32.exe
1488	rundll32.exe
1488	rundll32.exe
1488	rundll32.exe
1488	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1196	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
1992	jxwcdyb.exe
1828	jxwcdyb.exe
1828	jxwcdyb.exe
1828	jxwcdyb.exe
1488	rundll32.exe
1488	rundll32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1828	jxwcdyb.exe
Token: SeDebugPrivilege	1488	rundll32.exe
Token: SeShutdownPrivilege	1196	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1196	Explorer.EXE
1196	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1196	Explorer.EXE
1196	Explorer.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 1992	2032	LEAK.exe	28
PID 2032 wrote to memory of 1992	2032	LEAK.exe	28
PID 2032 wrote to memory of 1992	2032	LEAK.exe	28
PID 2032 wrote to memory of 1992	2032	LEAK.exe	28
PID 1992 wrote to memory of 1828	1992	jxwcdyb.exe	29
PID 1992 wrote to memory of 1828	1992	jxwcdyb.exe	29
PID 1992 wrote to memory of 1828	1992	jxwcdyb.exe	29
PID 1992 wrote to memory of 1828	1992	jxwcdyb.exe	29
PID 1992 wrote to memory of 1828	1992	jxwcdyb.exe	29
PID 1196 wrote to memory of 1488	1196	Explorer.EXE	30
PID 1196 wrote to memory of 1488	1196	Explorer.EXE	30
PID 1196 wrote to memory of 1488	1196	Explorer.EXE	30
PID 1196 wrote to memory of 1488	1196	Explorer.EXE	30
PID 1196 wrote to memory of 1488	1196	Explorer.EXE	30
PID 1196 wrote to memory of 1488	1196	Explorer.EXE	30
PID 1196 wrote to memory of 1488	1196	Explorer.EXE	30
PID 1488 wrote to memory of 1264	1488	rundll32.exe	31
PID 1488 wrote to memory of 1264	1488	rundll32.exe	31
PID 1488 wrote to memory of 1264	1488	rundll32.exe	31
PID 1488 wrote to memory of 1264	1488	rundll32.exe	31

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Users\Admin\AppData\Local\Temp\LEAK.exe
  "C:\Users\Admin\AppData\Local\Temp\LEAK.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Users\Admin\AppData\Local\Temp\jxwcdyb.exe
    "C:\Users\Admin\AppData\Local\Temp\jxwcdyb.exe" C:\Users\Admin\AppData\Local\Temp\bfptr.ev
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1992
  - - C:\Users\Admin\AppData\Local\Temp\jxwcdyb.exe
      "C:\Users\Admin\AppData\Local\Temp\jxwcdyb.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:1828
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\SysWOW64\rundll32.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\jxwcdyb.exe"
    3⤵
    PID:1264

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bfptr.ev

Filesize
5KB

MD5
bd03105891b41f7b24ed1199fe99c276

SHA1
efade9f4cf1f6fe46a28f3bff681a2481b41f7ce

SHA256
5651075eb59501e1f816a2b838fea2b3d71fa3bc1bf2f55de6f1bbfd555aaf06

SHA512
1feff40eb35fb63c2b2a7768371cb1dfab136521d94ac3cbf9f35becab506dc76bcbeaeedcf98aadc71cd51161391b481d5033d17e92de3952992a32dfb0e3f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\jxwcdyb.exe

Filesize
59KB

MD5
0552a9de03ce623dbb5777f7f1904924

SHA1
13ae0f18378944c0875d209937b088dc3d6f7872

SHA256
da96da00a4239e6d781847066a2e23d257171f8b9e8b1b421b7838efc3e5f72c

SHA512
120736ff4b95905624401c99bafcb824354589338da17984cac7b665f289ef27b384050d46bcfa9da2c3b63a98853744d059b78ea5010a4b69fe882af1ab3326

Download Submit
C:\Users\Admin\AppData\Local\Temp\jxwcdyb.exe

Filesize
59KB

MD5
0552a9de03ce623dbb5777f7f1904924

SHA1
13ae0f18378944c0875d209937b088dc3d6f7872

SHA256
da96da00a4239e6d781847066a2e23d257171f8b9e8b1b421b7838efc3e5f72c

SHA512
120736ff4b95905624401c99bafcb824354589338da17984cac7b665f289ef27b384050d46bcfa9da2c3b63a98853744d059b78ea5010a4b69fe882af1ab3326

Download Submit
C:\Users\Admin\AppData\Local\Temp\jxwcdyb.exe

Filesize
59KB

MD5
0552a9de03ce623dbb5777f7f1904924

SHA1
13ae0f18378944c0875d209937b088dc3d6f7872

SHA256
da96da00a4239e6d781847066a2e23d257171f8b9e8b1b421b7838efc3e5f72c

SHA512
120736ff4b95905624401c99bafcb824354589338da17984cac7b665f289ef27b384050d46bcfa9da2c3b63a98853744d059b78ea5010a4b69fe882af1ab3326

Download Submit
C:\Users\Admin\AppData\Local\Temp\jxwcdyb.exe

Filesize
59KB

MD5
0552a9de03ce623dbb5777f7f1904924

SHA1
13ae0f18378944c0875d209937b088dc3d6f7872

SHA256
da96da00a4239e6d781847066a2e23d257171f8b9e8b1b421b7838efc3e5f72c

SHA512
120736ff4b95905624401c99bafcb824354589338da17984cac7b665f289ef27b384050d46bcfa9da2c3b63a98853744d059b78ea5010a4b69fe882af1ab3326

Download Submit
C:\Users\Admin\AppData\Local\Temp\najpmrl.wj

Filesize
205KB

MD5
783d52d14296f272c9ea168d5aeed08f

SHA1
121f62fb3bcd4c890e9b363f1ddcbd6a8c2e47b7

SHA256
1f2e6f9e25f6fbd07104fb7245c6c069cc1004d3c8164f851cdb0e28dc95af08

SHA512
c1d59354bb7509b1b197dd11e47464f6b1efa0d0b837eb7518cf3b36bada82a1776cb7787a2fe03fb837c95c2000de81551f2ca970df0e8d1e3eeb43c013c473

Download Submit
\Users\Admin\AppData\Local\Temp\jxwcdyb.exe

Filesize
59KB

MD5
0552a9de03ce623dbb5777f7f1904924

SHA1
13ae0f18378944c0875d209937b088dc3d6f7872

SHA256
da96da00a4239e6d781847066a2e23d257171f8b9e8b1b421b7838efc3e5f72c

SHA512
120736ff4b95905624401c99bafcb824354589338da17984cac7b665f289ef27b384050d46bcfa9da2c3b63a98853744d059b78ea5010a4b69fe882af1ab3326

Download Submit
\Users\Admin\AppData\Local\Temp\jxwcdyb.exe

Filesize
59KB

MD5
0552a9de03ce623dbb5777f7f1904924

SHA1
13ae0f18378944c0875d209937b088dc3d6f7872

SHA256
da96da00a4239e6d781847066a2e23d257171f8b9e8b1b421b7838efc3e5f72c

SHA512
120736ff4b95905624401c99bafcb824354589338da17984cac7b665f289ef27b384050d46bcfa9da2c3b63a98853744d059b78ea5010a4b69fe882af1ab3326

Download Submit
\Users\Admin\AppData\Local\Temp\jxwcdyb.exe

Filesize
59KB

MD5
0552a9de03ce623dbb5777f7f1904924

SHA1
13ae0f18378944c0875d209937b088dc3d6f7872

SHA256
da96da00a4239e6d781847066a2e23d257171f8b9e8b1b421b7838efc3e5f72c

SHA512
120736ff4b95905624401c99bafcb824354589338da17984cac7b665f289ef27b384050d46bcfa9da2c3b63a98853744d059b78ea5010a4b69fe882af1ab3326

Download Submit
memory/1196-74-0x0000000004C10000-0x0000000004DAD000-memory.dmp

Filesize
1.6MB

Download
memory/1196-86-0x0000000004E70000-0x0000000004F72000-memory.dmp

Filesize
1.0MB

Download
memory/1196-89-0x0000000004E70000-0x0000000004F72000-memory.dmp

Filesize
1.0MB

Download
memory/1196-87-0x0000000004E70000-0x0000000004F72000-memory.dmp

Filesize
1.0MB

Download
memory/1488-82-0x00000000000D0000-0x00000000000FF000-memory.dmp

Filesize
188KB

Download
memory/1488-75-0x0000000000330000-0x000000000033E000-memory.dmp

Filesize
56KB

Download
memory/1488-77-0x0000000000330000-0x000000000033E000-memory.dmp

Filesize
56KB

Download
memory/1488-79-0x0000000000330000-0x000000000033E000-memory.dmp

Filesize
56KB

Download
memory/1488-80-0x00000000000D0000-0x00000000000FF000-memory.dmp

Filesize
188KB

Download
memory/1488-81-0x0000000002090000-0x0000000002393000-memory.dmp

Filesize
3.0MB

Download
memory/1488-85-0x0000000001F00000-0x0000000001F93000-memory.dmp

Filesize
588KB

Download
memory/1828-72-0x00000000009F0000-0x0000000000CF3000-memory.dmp

Filesize
3.0MB

Download
memory/1828-76-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1828-68-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1828-73-0x0000000000270000-0x0000000000284000-memory.dmp

Filesize
80KB

Download