formbook | 4529e2ab64ac12ac15d2f662938a68c49dd7707c9f5f9a11c2cd0b775fc9168c

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
18/05/2023, 01:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

rocee6632.exe
Size

264KB
MD5

49490781256eb385d2331df5a69dc140
SHA1

8d4c961f6c10bda804b5d29923f937848f0c6915
SHA256

541e5e1932882d5833cbc39c7ab81d4faeba4a9fe4b915530be3533d0269cc99
SHA512

8bccf328813842e72688295438b38e080ffc2a8b39ac2349c29611616398f2aa2e3832ce7ca6368bea5b2d5890f5d598906bcf1e95d8dc89e3dd48fee3d69c6a
SSDEEP

6144:/Ya6+/+2b3/J5PMIId8xUCpdlHcrm4WqmxHppCXk:/YonnW8ye7HOm3qmxJpCXk

Score

10^/10

formbook re29 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

re29

Decoy

barnstorm-music.com

gazzettadellapuglia.com

baratieistore.space

cdrjdkj.com

carlissablog.com

langlalang.com

2886365.com

aq993.cyou

jwjwjwjw.com

car-deals-80304.com

dikevolesas.info

buycialistablets.online

theplantgranny.net

detoxshopbr.store

imans.biz

fightingcock.co.uk

loveforfurbabies.com

eastcoastbeveragegroup.com

alaaeldinsoft.com

microshel.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/1652-142-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/1652-150-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3508-153-0x0000000000A40000-0x0000000000A6F000-memory.dmp	formbook
behavioral2/memory/3508-155-0x0000000000A40000-0x0000000000A6F000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

pid	Process
5088	mifiql.exe
1652	mifiql.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 5088 set thread context of 1652	5088	mifiql.exe	86
PID 1652 set thread context of 3176	1652	mifiql.exe	38
PID 3508 set thread context of 3176	3508	explorer.exe	38

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
1652	mifiql.exe
1652	mifiql.exe
1652	mifiql.exe
1652	mifiql.exe
3508	explorer.exe
3508	explorer.exe
3508	explorer.exe
3508	explorer.exe
3508	explorer.exe
3508	explorer.exe
3508	explorer.exe
3508	explorer.exe
3508	explorer.exe
3508	explorer.exe
3508	explorer.exe
3508	explorer.exe
3508	explorer.exe
3508	explorer.exe
3508	explorer.exe
3508	explorer.exe
3508	explorer.exe
3508	explorer.exe
3508	explorer.exe
3508	explorer.exe
3508	explorer.exe
3508	explorer.exe
3508	explorer.exe
3508	explorer.exe
3508	explorer.exe
3508	explorer.exe
3508	explorer.exe
3508	explorer.exe
3508	explorer.exe
3508	explorer.exe
3508	explorer.exe
3508	explorer.exe
3508	explorer.exe
3508	explorer.exe
3508	explorer.exe
3508	explorer.exe
3508	explorer.exe
3508	explorer.exe
3508	explorer.exe
3508	explorer.exe
3508	explorer.exe
3508	explorer.exe
3508	explorer.exe
3508	explorer.exe
3508	explorer.exe
3508	explorer.exe
3508	explorer.exe
3508	explorer.exe
3508	explorer.exe
3508	explorer.exe
3508	explorer.exe
3508	explorer.exe
3508	explorer.exe
3508	explorer.exe
3508	explorer.exe
3508	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3176	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
5088	mifiql.exe
1652	mifiql.exe
1652	mifiql.exe
1652	mifiql.exe
3508	explorer.exe
3508	explorer.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	1652	mifiql.exe
Token: SeDebugPrivilege	3508	explorer.exe
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3700 wrote to memory of 5088	3700	rocee6632.exe	85
PID 3700 wrote to memory of 5088	3700	rocee6632.exe	85
PID 3700 wrote to memory of 5088	3700	rocee6632.exe	85
PID 5088 wrote to memory of 1652	5088	mifiql.exe	86
PID 5088 wrote to memory of 1652	5088	mifiql.exe	86
PID 5088 wrote to memory of 1652	5088	mifiql.exe	86
PID 5088 wrote to memory of 1652	5088	mifiql.exe	86
PID 3176 wrote to memory of 3508	3176	Explorer.EXE	87
PID 3176 wrote to memory of 3508	3176	Explorer.EXE	87
PID 3176 wrote to memory of 3508	3176	Explorer.EXE	87
PID 3508 wrote to memory of 3436	3508	explorer.exe	88
PID 3508 wrote to memory of 3436	3508	explorer.exe	88
PID 3508 wrote to memory of 3436	3508	explorer.exe	88

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3176
- C:\Users\Admin\AppData\Local\Temp\rocee6632.exe
  "C:\Users\Admin\AppData\Local\Temp\rocee6632.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3700
- - C:\Users\Admin\AppData\Local\Temp\mifiql.exe
    "C:\Users\Admin\AppData\Local\Temp\mifiql.exe" C:\Users\Admin\AppData\Local\Temp\uusyrwwz.m
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:5088
  - - C:\Users\Admin\AppData\Local\Temp\mifiql.exe
      "C:\Users\Admin\AppData\Local\Temp\mifiql.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:1652
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\SysWOW64\explorer.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3508
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\mifiql.exe"
    3⤵
    PID:3436

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mifiql.exe

Filesize
58KB

MD5
c80b76a6454ea2f6cdb3cf3222203fd6

SHA1
79451e95ed94e93da85101aa7e827aed56550c5f

SHA256
f73b99f99d23baab51f2d1d818ed33e756713676e58c72c1cd84b041a995cdf6

SHA512
6b58d73be1c9d82ffeb4b2dbbd513fc494305258c9361c94b963ba660ad2d4c2d6ffd03ee0ecb530e93ae6ab0ec326ccbcdce844e33f86a89171e00f74b20a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mifiql.exe

Filesize
58KB

MD5
c80b76a6454ea2f6cdb3cf3222203fd6

SHA1
79451e95ed94e93da85101aa7e827aed56550c5f

SHA256
f73b99f99d23baab51f2d1d818ed33e756713676e58c72c1cd84b041a995cdf6

SHA512
6b58d73be1c9d82ffeb4b2dbbd513fc494305258c9361c94b963ba660ad2d4c2d6ffd03ee0ecb530e93ae6ab0ec326ccbcdce844e33f86a89171e00f74b20a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mifiql.exe

Filesize
58KB

MD5
c80b76a6454ea2f6cdb3cf3222203fd6

SHA1
79451e95ed94e93da85101aa7e827aed56550c5f

SHA256
f73b99f99d23baab51f2d1d818ed33e756713676e58c72c1cd84b041a995cdf6

SHA512
6b58d73be1c9d82ffeb4b2dbbd513fc494305258c9361c94b963ba660ad2d4c2d6ffd03ee0ecb530e93ae6ab0ec326ccbcdce844e33f86a89171e00f74b20a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\uusyrwwz.m

Filesize
5KB

MD5
28e70e4e9a0b65459845b57f5befbdc3

SHA1
0a8a7797a508957d23d3bfab930f0958ceae9805

SHA256
f9610af7a7b54bf034e9bf87ed40e60cfef654dddbb2bc5adef7fb8488e90b6f

SHA512
d220ca2d5992d97d82c746316c81909f7219cff6fff60953ba0e38e166daf659b41de53d42748b56bf11431b29baa02060164f2a60f43938866bb8a5fd616df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vqkgagm.dfv

Filesize
205KB

MD5
509941e9ba2b34496a5b4f233fb71cf5

SHA1
e41d10dd73daeb059c4cbc8d83b719c9cdf35b86

SHA256
253eef731b318281e1927411ed4bee189df63c94ba3e44241ef777bad47ca28a

SHA512
aaad84393dbbd6397fd85b928c3c2cc20878f5b95395a4d1192f280fbf69146c4e4b09bc81fa099038a117a674c29a484e851875ae3017ad0008d72a89cbb05f

Download Submit
memory/1652-142-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1652-146-0x0000000001730000-0x0000000001A7A000-memory.dmp

Filesize
3.3MB

Download
memory/1652-147-0x0000000001710000-0x0000000001724000-memory.dmp

Filesize
80KB

Download
memory/1652-150-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3176-183-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/3176-187-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/3176-159-0x00000000081D0000-0x0000000008356000-memory.dmp

Filesize
1.5MB

Download
memory/3176-162-0x0000000002960000-0x0000000002970000-memory.dmp

Filesize
64KB

Download
memory/3176-259-0x0000000002B00000-0x0000000002B02000-memory.dmp

Filesize
8KB

Download
memory/3176-238-0x00000000024C0000-0x00000000024C2000-memory.dmp

Filesize
8KB

Download
memory/3176-219-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/3176-217-0x0000000002490000-0x0000000002492000-memory.dmp

Filesize
8KB

Download
memory/3176-163-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/3176-161-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/3176-164-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/3176-165-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/3176-167-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/3176-166-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/3176-168-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/3176-169-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/3176-170-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/3176-171-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/3176-172-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/3176-173-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/3176-174-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/3176-175-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/3176-176-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/3176-177-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/3176-178-0x0000000002960000-0x0000000002970000-memory.dmp

Filesize
64KB

Download
memory/3176-179-0x00000000081D0000-0x0000000008356000-memory.dmp

Filesize
1.5MB

Download
memory/3176-182-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/3176-148-0x00000000080B0000-0x000000000818C000-memory.dmp

Filesize
880KB

Download
memory/3176-184-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/3176-185-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/3176-186-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/3176-158-0x00000000081D0000-0x0000000008356000-memory.dmp

Filesize
1.5MB

Download
memory/3176-188-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/3176-189-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/3176-190-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/3176-191-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/3176-192-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/3176-193-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/3176-194-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/3176-195-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/3176-196-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/3176-197-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/3176-202-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/3176-203-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/3176-204-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/3176-205-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/3176-207-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/3176-206-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/3176-208-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/3176-209-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/3176-210-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/3176-211-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/3176-212-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/3176-213-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/3176-214-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/3176-215-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/3176-216-0x0000000002490000-0x0000000002492000-memory.dmp

Filesize
8KB

Download
memory/3176-218-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/3508-153-0x0000000000A40000-0x0000000000A6F000-memory.dmp

Filesize
188KB

Download
memory/3508-154-0x0000000002C40000-0x0000000002F8A000-memory.dmp

Filesize
3.3MB

Download
memory/3508-152-0x0000000000320000-0x0000000000753000-memory.dmp

Filesize
4.2MB

Download
memory/3508-149-0x0000000000320000-0x0000000000753000-memory.dmp

Filesize
4.2MB

Download
memory/3508-155-0x0000000000A40000-0x0000000000A6F000-memory.dmp

Filesize
188KB

Download
memory/3508-157-0x00000000027D0000-0x0000000002863000-memory.dmp

Filesize
588KB

Download