formbook | fcc333cc2afdf31c58e273f1ffe429fa7a765479582f9508867517c23d51a9f4

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
13/05/2023, 22:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d5b181be63ce08ec89eb7db52735a626.exe
Size

841KB
MD5

d5b181be63ce08ec89eb7db52735a626
SHA1

c33df2f9fcd1e2b961f990bbbd819fff218c0a20
SHA256

fcc333cc2afdf31c58e273f1ffe429fa7a765479582f9508867517c23d51a9f4
SHA512

1cb6bb49cf683f66c7a631131797b7c6ebe9d041dd9285368ec8817c8725e88d63d6a095cc915f3dc84bf63858e73ec44318ee25d452ece5ef7759cd448071ff
SSDEEP

12288:werZScSZpW3BcOfqg1EM50Pbkttml53kbXJ2zl:woUZpW3S2gKIsbZ2h

Score

10^/10

formbook modiloader ges9 persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ges9

Decoy

lolofestival.store

amzin.info

pulsahokii.xyz

bahiszirve.com

animekoe.com

kansastaxaccountant.net

howgoodisgod.online

medakaravan.xyz

pesmagazine.net

americanpopulist.info

nepalihandicraft.com

mariabakermodeling.com

cavify.top

onlinewoonboulevard.com

furniture-22830.com

ophthalmicpersonneltraining.us

yz1204.com

extrawhite.site

tomo.store

martfind.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/948-140-0x0000000010410000-0x000000001043F000-memory.dmp	formbook
behavioral2/memory/4016-145-0x0000000010410000-0x000000001043F000-memory.dmp	formbook
behavioral2/memory/3092-151-0x0000000000800000-0x000000000082F000-memory.dmp	formbook
behavioral2/memory/3092-153-0x0000000000800000-0x000000000082F000-memory.dmp	formbook

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral2/memory/948-133-0x00000000023C0000-0x00000000023F1000-memory.dmp	modiloader_stage2

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Foioxsua = "C:\\Users\\Public\\Libraries\\ausxoioF.url"	d5b181be63ce08ec89eb7db52735a626.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4016 set thread context of 3144	4016	logagent.exe	55
PID 3092 set thread context of 3144	3092	cmstp.exe	55

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	24	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	20	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	21	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
4016	logagent.exe
4016	logagent.exe
4016	logagent.exe
4016	logagent.exe
3092	cmstp.exe
3092	cmstp.exe
3092	cmstp.exe
3092	cmstp.exe
3092	cmstp.exe
3092	cmstp.exe
3092	cmstp.exe
3092	cmstp.exe
3092	cmstp.exe
3092	cmstp.exe
3092	cmstp.exe
3092	cmstp.exe
3092	cmstp.exe
3092	cmstp.exe
3092	cmstp.exe
3092	cmstp.exe
3092	cmstp.exe
3092	cmstp.exe
3092	cmstp.exe
3092	cmstp.exe
3092	cmstp.exe
3092	cmstp.exe
3092	cmstp.exe
3092	cmstp.exe
3092	cmstp.exe
3092	cmstp.exe
3092	cmstp.exe
3092	cmstp.exe
3092	cmstp.exe
3092	cmstp.exe
3092	cmstp.exe
3092	cmstp.exe
3092	cmstp.exe
3092	cmstp.exe
3092	cmstp.exe
3092	cmstp.exe
3092	cmstp.exe
3092	cmstp.exe
3092	cmstp.exe
3092	cmstp.exe
3092	cmstp.exe
3092	cmstp.exe
3092	cmstp.exe
3092	cmstp.exe
3092	cmstp.exe
3092	cmstp.exe
3092	cmstp.exe
3092	cmstp.exe
3092	cmstp.exe
3092	cmstp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3144	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
4016	logagent.exe
4016	logagent.exe
4016	logagent.exe
3092	cmstp.exe
3092	cmstp.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	4016	logagent.exe
Token: SeDebugPrivilege	3092	cmstp.exe
Token: SeShutdownPrivilege	3144	Explorer.EXE
Token: SeCreatePagefilePrivilege	3144	Explorer.EXE
Token: SeShutdownPrivilege	3144	Explorer.EXE
Token: SeCreatePagefilePrivilege	3144	Explorer.EXE
Token: SeShutdownPrivilege	3144	Explorer.EXE
Token: SeCreatePagefilePrivilege	3144	Explorer.EXE
Token: SeShutdownPrivilege	3144	Explorer.EXE
Token: SeCreatePagefilePrivilege	3144	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 948 wrote to memory of 4016	948	d5b181be63ce08ec89eb7db52735a626.exe	90
PID 948 wrote to memory of 4016	948	d5b181be63ce08ec89eb7db52735a626.exe	90
PID 948 wrote to memory of 4016	948	d5b181be63ce08ec89eb7db52735a626.exe	90
PID 948 wrote to memory of 4016	948	d5b181be63ce08ec89eb7db52735a626.exe	90
PID 948 wrote to memory of 4016	948	d5b181be63ce08ec89eb7db52735a626.exe	90
PID 948 wrote to memory of 4016	948	d5b181be63ce08ec89eb7db52735a626.exe	90
PID 3144 wrote to memory of 3092	3144	Explorer.EXE	91
PID 3144 wrote to memory of 3092	3144	Explorer.EXE	91
PID 3144 wrote to memory of 3092	3144	Explorer.EXE	91
PID 3092 wrote to memory of 2012	3092	cmstp.exe	92
PID 3092 wrote to memory of 2012	3092	cmstp.exe	92
PID 3092 wrote to memory of 2012	3092	cmstp.exe	92

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3144
- C:\Users\Admin\AppData\Local\Temp\d5b181be63ce08ec89eb7db52735a626.exe
  "C:\Users\Admin\AppData\Local\Temp\d5b181be63ce08ec89eb7db52735a626.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Windows\SysWOW64\logagent.exe
    "C:\Windows\System32\logagent.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:4016
- C:\Windows\SysWOW64\cmstp.exe
  "C:\Windows\SysWOW64\cmstp.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3092
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\SysWOW64\logagent.exe"
    3⤵
    PID:2012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/948-134-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/948-136-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/948-139-0x0000000010410000-0x000000001043F000-memory.dmp

Filesize
188KB

Download
memory/948-140-0x0000000010410000-0x000000001043F000-memory.dmp

Filesize
188KB

Download
memory/948-133-0x00000000023C0000-0x00000000023F1000-memory.dmp

Filesize
196KB

Download
memory/3092-155-0x0000000002500000-0x0000000002594000-memory.dmp

Filesize
592KB

Download
memory/3092-148-0x0000000000460000-0x0000000000476000-memory.dmp

Filesize
88KB

Download
memory/3092-150-0x0000000000460000-0x0000000000476000-memory.dmp

Filesize
88KB

Download
memory/3092-151-0x0000000000800000-0x000000000082F000-memory.dmp

Filesize
188KB

Download
memory/3092-152-0x00000000026C0000-0x0000000002A0A000-memory.dmp

Filesize
3.3MB

Download
memory/3092-153-0x0000000000800000-0x000000000082F000-memory.dmp

Filesize
188KB

Download
memory/3144-172-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

Filesize
64KB

Download
memory/3144-184-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

Filesize
64KB

Download
memory/3144-157-0x0000000008520000-0x00000000085FA000-memory.dmp

Filesize
872KB

Download
memory/3144-159-0x0000000008520000-0x00000000085FA000-memory.dmp

Filesize
872KB

Download
memory/3144-161-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

Filesize
64KB

Download
memory/3144-162-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

Filesize
64KB

Download
memory/3144-163-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

Filesize
64KB

Download
memory/3144-164-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

Filesize
64KB

Download
memory/3144-165-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

Filesize
64KB

Download
memory/3144-166-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

Filesize
64KB

Download
memory/3144-167-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

Filesize
64KB

Download
memory/3144-168-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

Filesize
64KB

Download
memory/3144-169-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

Filesize
64KB

Download
memory/3144-170-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

Filesize
64KB

Download
memory/3144-171-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

Filesize
64KB

Download
memory/3144-147-0x0000000002C10000-0x0000000002D2A000-memory.dmp

Filesize
1.1MB

Download
memory/3144-173-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

Filesize
64KB

Download
memory/3144-174-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

Filesize
64KB

Download
memory/3144-175-0x0000000002D30000-0x0000000002D40000-memory.dmp

Filesize
64KB

Download
memory/3144-176-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

Filesize
64KB

Download
memory/3144-177-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

Filesize
64KB

Download
memory/3144-156-0x0000000008520000-0x00000000085FA000-memory.dmp

Filesize
872KB

Download
memory/3144-185-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

Filesize
64KB

Download
memory/3144-186-0x0000000000EB0000-0x0000000000EB2000-memory.dmp

Filesize
8KB

Download
memory/3144-187-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

Filesize
64KB

Download
memory/3144-188-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

Filesize
64KB

Download
memory/3144-189-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

Filesize
64KB

Download
memory/3144-190-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

Filesize
64KB

Download
memory/3144-191-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

Filesize
64KB

Download
memory/3144-192-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

Filesize
64KB

Download
memory/3144-193-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

Filesize
64KB

Download
memory/3144-194-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

Filesize
64KB

Download
memory/3144-195-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

Filesize
64KB

Download
memory/3144-196-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

Filesize
64KB

Download
memory/3144-197-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

Filesize
64KB

Download
memory/3144-198-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

Filesize
64KB

Download
memory/3144-199-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

Filesize
64KB

Download
memory/3144-200-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

Filesize
64KB

Download
memory/3144-201-0x0000000000EB0000-0x0000000000EB2000-memory.dmp

Filesize
8KB

Download
memory/4016-141-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4016-144-0x0000000002360000-0x00000000026AA000-memory.dmp

Filesize
3.3MB

Download
memory/4016-145-0x0000000010410000-0x000000001043F000-memory.dmp

Filesize
188KB

Download
memory/4016-146-0x0000000000820000-0x0000000000835000-memory.dmp

Filesize
84KB

Download