formbook | 3fc300b0b16fefb8d0dc08f09803d7dbff6be6ea2a4c87833fb285499a3fc6f0

Analysis

max time kernel
148s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
16/05/2023, 10:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO610008532.exe
Size

2.0MB
MD5

b7dc4b65e6239c0d20bcb4b59f5c644c
SHA1

e166cebfa0fb6e9e04f64f2f61dca71b49ef9e44
SHA256

3fc300b0b16fefb8d0dc08f09803d7dbff6be6ea2a4c87833fb285499a3fc6f0
SHA512

851b73419737a32ce06701e1d5ecbc32be6a5777709460a81afdc92d2b8ca322ae3fd93650610959f7921b41ae5ef99d2859a9949918f94fe4a673b759ed2607
SSDEEP

12288:D/cOS13ZjYXegrTuXXlC+pEXdOMnmfVWWd8wWDOZQgOxwr:afPWDOZQ

Score

10^/10

formbook wm23 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

wm23

Decoy

ntjhe.com

180yq.com

bcxlb.com

haefelinger.net

bkwbroadcasting.com

kastraestates.co.uk

ayasca.com

89spa.com

denizmobile-com-tr.net

5nrb3v.site

dewi.africa

darnacme.online

satovsky.rsvp

deluxhomefurnishings.com

igminitruckersolingen.com

celtictransportie.com

deltakrian.com

bassettsrestauranttogo.com

digitalcharts.xyz

glassbong.life

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

resource	yara_rule
behavioral2/memory/2336-146-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4680-155-0x0000000000980000-0x00000000009AF000-memory.dmp	formbook
behavioral2/memory/4680-157-0x0000000000980000-0x00000000009AF000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 8 set thread context of 2336	8	PO610008532.exe	84
PID 2336 set thread context of 2616	2336	PO610008532.exe	19
PID 4680 set thread context of 2616	4680	netsh.exe	19

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe
8	PO610008532.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2616	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2336	PO610008532.exe
2336	PO610008532.exe
2336	PO610008532.exe
4680	netsh.exe
4680	netsh.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	8	PO610008532.exe
Token: SeDebugPrivilege	2336	PO610008532.exe
Token: SeDebugPrivilege	4680	netsh.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 8 wrote to memory of 2336	8	PO610008532.exe	84
PID 8 wrote to memory of 2336	8	PO610008532.exe	84
PID 8 wrote to memory of 2336	8	PO610008532.exe	84
PID 8 wrote to memory of 2336	8	PO610008532.exe	84
PID 8 wrote to memory of 2336	8	PO610008532.exe	84
PID 8 wrote to memory of 2336	8	PO610008532.exe	84
PID 2616 wrote to memory of 4680	2616	Explorer.EXE	92
PID 2616 wrote to memory of 4680	2616	Explorer.EXE	92
PID 2616 wrote to memory of 4680	2616	Explorer.EXE	92
PID 4680 wrote to memory of 2268	4680	netsh.exe	93
PID 4680 wrote to memory of 2268	4680	netsh.exe	93
PID 4680 wrote to memory of 2268	4680	netsh.exe	93

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Users\Admin\AppData\Local\Temp\PO610008532.exe
  "C:\Users\Admin\AppData\Local\Temp\PO610008532.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:8
- - C:\Users\Admin\AppData\Local\Temp\PO610008532.exe
    "C:\Users\Admin\AppData\Local\Temp\PO610008532.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2336
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\SysWOW64\netsh.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4680
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\PO610008532.exe"
    3⤵
    PID:2268

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/8-145-0x0000000005F30000-0x0000000005F40000-memory.dmp

Filesize
64KB

Download
memory/8-142-0x0000000005F30000-0x0000000005F40000-memory.dmp

Filesize
64KB

Download
memory/8-135-0x0000000004ED0000-0x0000000004F62000-memory.dmp

Filesize
584KB

Download
memory/8-136-0x0000000005010000-0x00000000050AC000-memory.dmp

Filesize
624KB

Download
memory/8-137-0x0000000005F30000-0x0000000005F40000-memory.dmp

Filesize
64KB

Download
memory/8-138-0x0000000005F30000-0x0000000005F40000-memory.dmp

Filesize
64KB

Download
memory/8-139-0x0000000005DB0000-0x0000000005DBA000-memory.dmp

Filesize
40KB

Download
memory/8-140-0x0000000005F30000-0x0000000005F40000-memory.dmp

Filesize
64KB

Download
memory/8-141-0x0000000005F30000-0x0000000005F40000-memory.dmp

Filesize
64KB

Download
memory/8-133-0x00000000008C0000-0x0000000000ABC000-memory.dmp

Filesize
2.0MB

Download
memory/8-143-0x0000000005F30000-0x0000000005F40000-memory.dmp

Filesize
64KB

Download
memory/8-144-0x0000000005F30000-0x0000000005F40000-memory.dmp

Filesize
64KB

Download
memory/8-134-0x00000000053C0000-0x0000000005964000-memory.dmp

Filesize
5.6MB

Download
memory/2336-146-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2336-150-0x0000000001460000-0x0000000001474000-memory.dmp

Filesize
80KB

Download
memory/2336-149-0x0000000001780000-0x0000000001ACA000-memory.dmp

Filesize
3.3MB

Download
memory/2616-163-0x0000000008840000-0x0000000008933000-memory.dmp

Filesize
972KB

Download
memory/2616-151-0x0000000002EB0000-0x0000000002FF2000-memory.dmp

Filesize
1.3MB

Download
memory/2616-161-0x0000000008840000-0x0000000008933000-memory.dmp

Filesize
972KB

Download
memory/2616-160-0x0000000008840000-0x0000000008933000-memory.dmp

Filesize
972KB

Download
memory/4680-159-0x0000000001A00000-0x0000000001A93000-memory.dmp

Filesize
588KB

Download
memory/4680-157-0x0000000000980000-0x00000000009AF000-memory.dmp

Filesize
188KB

Download
memory/4680-156-0x0000000001610000-0x000000000195A000-memory.dmp

Filesize
3.3MB

Download
memory/4680-155-0x0000000000980000-0x00000000009AF000-memory.dmp

Filesize
188KB

Download
memory/4680-152-0x0000000001190000-0x00000000011AE000-memory.dmp

Filesize
120KB

Download
memory/4680-154-0x0000000001190000-0x00000000011AE000-memory.dmp

Filesize
120KB

Download