formbook | 4529e2ab64ac12ac15d2f662938a68c49dd7707c9f5f9a11c2cd0b775fc9168c

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
18/05/2023, 01:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

rocee6632.exe
Size

264KB
MD5

49490781256eb385d2331df5a69dc140
SHA1

8d4c961f6c10bda804b5d29923f937848f0c6915
SHA256

541e5e1932882d5833cbc39c7ab81d4faeba4a9fe4b915530be3533d0269cc99
SHA512

8bccf328813842e72688295438b38e080ffc2a8b39ac2349c29611616398f2aa2e3832ce7ca6368bea5b2d5890f5d598906bcf1e95d8dc89e3dd48fee3d69c6a
SSDEEP

6144:/Ya6+/+2b3/J5PMIId8xUCpdlHcrm4WqmxHppCXk:/YonnW8ye7HOm3qmxJpCXk

Score

10^/10

formbook re29 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

re29

Decoy

barnstorm-music.com

gazzettadellapuglia.com

baratieistore.space

cdrjdkj.com

carlissablog.com

langlalang.com

2886365.com

aq993.cyou

jwjwjwjw.com

car-deals-80304.com

dikevolesas.info

buycialistablets.online

theplantgranny.net

detoxshopbr.store

imans.biz

fightingcock.co.uk

loveforfurbabies.com

eastcoastbeveragegroup.com

alaaeldinsoft.com

microshel.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/560-69-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/560-74-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1156-82-0x0000000000090000-0x00000000000BF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

pid	Process
1536	mifiql.exe
560	mifiql.exe

Loads dropped DLL 3 IoCs

pid	Process
1560	rocee6632.exe
1560	rocee6632.exe
1536	mifiql.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1536 set thread context of 560	1536	mifiql.exe	29
PID 560 set thread context of 1208	560	mifiql.exe	14
PID 1156 set thread context of 1208	1156	msiexec.exe	14

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
560	mifiql.exe
560	mifiql.exe
1156	msiexec.exe
1156	msiexec.exe
1156	msiexec.exe
1156	msiexec.exe
1156	msiexec.exe
1156	msiexec.exe
1156	msiexec.exe
1156	msiexec.exe
1156	msiexec.exe
1156	msiexec.exe
1156	msiexec.exe
1156	msiexec.exe
1156	msiexec.exe
1156	msiexec.exe
1156	msiexec.exe
1156	msiexec.exe
1156	msiexec.exe
1156	msiexec.exe
1156	msiexec.exe
1156	msiexec.exe
1156	msiexec.exe
1156	msiexec.exe
1156	msiexec.exe
1156	msiexec.exe
1156	msiexec.exe
1156	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1208	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
1536	mifiql.exe
560	mifiql.exe
560	mifiql.exe
560	mifiql.exe
1156	msiexec.exe
1156	msiexec.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	560	mifiql.exe
Token: SeDebugPrivilege	1156	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1208	Explorer.EXE
1208	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1208	Explorer.EXE
1208	Explorer.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 1536	1560	rocee6632.exe	28
PID 1560 wrote to memory of 1536	1560	rocee6632.exe	28
PID 1560 wrote to memory of 1536	1560	rocee6632.exe	28
PID 1560 wrote to memory of 1536	1560	rocee6632.exe	28
PID 1536 wrote to memory of 560	1536	mifiql.exe	29
PID 1536 wrote to memory of 560	1536	mifiql.exe	29
PID 1536 wrote to memory of 560	1536	mifiql.exe	29
PID 1536 wrote to memory of 560	1536	mifiql.exe	29
PID 1536 wrote to memory of 560	1536	mifiql.exe	29
PID 1208 wrote to memory of 1156	1208	Explorer.EXE	30
PID 1208 wrote to memory of 1156	1208	Explorer.EXE	30
PID 1208 wrote to memory of 1156	1208	Explorer.EXE	30
PID 1208 wrote to memory of 1156	1208	Explorer.EXE	30
PID 1208 wrote to memory of 1156	1208	Explorer.EXE	30
PID 1208 wrote to memory of 1156	1208	Explorer.EXE	30
PID 1208 wrote to memory of 1156	1208	Explorer.EXE	30
PID 1156 wrote to memory of 1992	1156	msiexec.exe	31
PID 1156 wrote to memory of 1992	1156	msiexec.exe	31
PID 1156 wrote to memory of 1992	1156	msiexec.exe	31
PID 1156 wrote to memory of 1992	1156	msiexec.exe	31

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Users\Admin\AppData\Local\Temp\rocee6632.exe
  "C:\Users\Admin\AppData\Local\Temp\rocee6632.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Users\Admin\AppData\Local\Temp\mifiql.exe
    "C:\Users\Admin\AppData\Local\Temp\mifiql.exe" C:\Users\Admin\AppData\Local\Temp\uusyrwwz.m
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1536
  - - C:\Users\Admin\AppData\Local\Temp\mifiql.exe
      "C:\Users\Admin\AppData\Local\Temp\mifiql.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:560
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1156
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\mifiql.exe"
    3⤵
    PID:1992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mifiql.exe

Filesize
58KB

MD5
c80b76a6454ea2f6cdb3cf3222203fd6

SHA1
79451e95ed94e93da85101aa7e827aed56550c5f

SHA256
f73b99f99d23baab51f2d1d818ed33e756713676e58c72c1cd84b041a995cdf6

SHA512
6b58d73be1c9d82ffeb4b2dbbd513fc494305258c9361c94b963ba660ad2d4c2d6ffd03ee0ecb530e93ae6ab0ec326ccbcdce844e33f86a89171e00f74b20a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mifiql.exe

Filesize
58KB

MD5
c80b76a6454ea2f6cdb3cf3222203fd6

SHA1
79451e95ed94e93da85101aa7e827aed56550c5f

SHA256
f73b99f99d23baab51f2d1d818ed33e756713676e58c72c1cd84b041a995cdf6

SHA512
6b58d73be1c9d82ffeb4b2dbbd513fc494305258c9361c94b963ba660ad2d4c2d6ffd03ee0ecb530e93ae6ab0ec326ccbcdce844e33f86a89171e00f74b20a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mifiql.exe

Filesize
58KB

MD5
c80b76a6454ea2f6cdb3cf3222203fd6

SHA1
79451e95ed94e93da85101aa7e827aed56550c5f

SHA256
f73b99f99d23baab51f2d1d818ed33e756713676e58c72c1cd84b041a995cdf6

SHA512
6b58d73be1c9d82ffeb4b2dbbd513fc494305258c9361c94b963ba660ad2d4c2d6ffd03ee0ecb530e93ae6ab0ec326ccbcdce844e33f86a89171e00f74b20a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mifiql.exe

Filesize
58KB

MD5
c80b76a6454ea2f6cdb3cf3222203fd6

SHA1
79451e95ed94e93da85101aa7e827aed56550c5f

SHA256
f73b99f99d23baab51f2d1d818ed33e756713676e58c72c1cd84b041a995cdf6

SHA512
6b58d73be1c9d82ffeb4b2dbbd513fc494305258c9361c94b963ba660ad2d4c2d6ffd03ee0ecb530e93ae6ab0ec326ccbcdce844e33f86a89171e00f74b20a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\uusyrwwz.m

Filesize
5KB

MD5
28e70e4e9a0b65459845b57f5befbdc3

SHA1
0a8a7797a508957d23d3bfab930f0958ceae9805

SHA256
f9610af7a7b54bf034e9bf87ed40e60cfef654dddbb2bc5adef7fb8488e90b6f

SHA512
d220ca2d5992d97d82c746316c81909f7219cff6fff60953ba0e38e166daf659b41de53d42748b56bf11431b29baa02060164f2a60f43938866bb8a5fd616df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vqkgagm.dfv

Filesize
205KB

MD5
509941e9ba2b34496a5b4f233fb71cf5

SHA1
e41d10dd73daeb059c4cbc8d83b719c9cdf35b86

SHA256
253eef731b318281e1927411ed4bee189df63c94ba3e44241ef777bad47ca28a

SHA512
aaad84393dbbd6397fd85b928c3c2cc20878f5b95395a4d1192f280fbf69146c4e4b09bc81fa099038a117a674c29a484e851875ae3017ad0008d72a89cbb05f

Download Submit
\Users\Admin\AppData\Local\Temp\mifiql.exe

Filesize
58KB

MD5
c80b76a6454ea2f6cdb3cf3222203fd6

SHA1
79451e95ed94e93da85101aa7e827aed56550c5f

SHA256
f73b99f99d23baab51f2d1d818ed33e756713676e58c72c1cd84b041a995cdf6

SHA512
6b58d73be1c9d82ffeb4b2dbbd513fc494305258c9361c94b963ba660ad2d4c2d6ffd03ee0ecb530e93ae6ab0ec326ccbcdce844e33f86a89171e00f74b20a9b

Download Submit
\Users\Admin\AppData\Local\Temp\mifiql.exe

Filesize
58KB

MD5
c80b76a6454ea2f6cdb3cf3222203fd6

SHA1
79451e95ed94e93da85101aa7e827aed56550c5f

SHA256
f73b99f99d23baab51f2d1d818ed33e756713676e58c72c1cd84b041a995cdf6

SHA512
6b58d73be1c9d82ffeb4b2dbbd513fc494305258c9361c94b963ba660ad2d4c2d6ffd03ee0ecb530e93ae6ab0ec326ccbcdce844e33f86a89171e00f74b20a9b

Download Submit
\Users\Admin\AppData\Local\Temp\mifiql.exe

Filesize
58KB

MD5
c80b76a6454ea2f6cdb3cf3222203fd6

SHA1
79451e95ed94e93da85101aa7e827aed56550c5f

SHA256
f73b99f99d23baab51f2d1d818ed33e756713676e58c72c1cd84b041a995cdf6

SHA512
6b58d73be1c9d82ffeb4b2dbbd513fc494305258c9361c94b963ba660ad2d4c2d6ffd03ee0ecb530e93ae6ab0ec326ccbcdce844e33f86a89171e00f74b20a9b

Download Submit
memory/560-75-0x0000000000A00000-0x0000000000D03000-memory.dmp

Filesize
3.0MB

Download
memory/560-76-0x0000000000290000-0x00000000002A4000-memory.dmp

Filesize
80KB

Download
memory/560-74-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/560-69-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1156-79-0x0000000000540000-0x0000000000554000-memory.dmp

Filesize
80KB

Download
memory/1156-78-0x0000000000540000-0x0000000000554000-memory.dmp

Filesize
80KB

Download
memory/1156-81-0x0000000000540000-0x0000000000554000-memory.dmp

Filesize
80KB

Download
memory/1156-82-0x0000000000090000-0x00000000000BF000-memory.dmp

Filesize
188KB

Download
memory/1156-83-0x0000000002190000-0x0000000002493000-memory.dmp

Filesize
3.0MB

Download
memory/1156-86-0x0000000001F60000-0x0000000001FF3000-memory.dmp

Filesize
588KB

Download
memory/1208-77-0x00000000042E0000-0x000000000440D000-memory.dmp

Filesize
1.2MB

Download
memory/1208-73-0x0000000002C20000-0x0000000002D20000-memory.dmp

Filesize
1024KB

Download
memory/1208-87-0x0000000004DB0000-0x0000000004ED0000-memory.dmp

Filesize
1.1MB

Download
memory/1208-88-0x0000000004DB0000-0x0000000004ED0000-memory.dmp

Filesize
1.1MB

Download
memory/1208-90-0x0000000004DB0000-0x0000000004ED0000-memory.dmp

Filesize
1.1MB

Download