formbook | 063a9ad1e9e34e5f7321abc616bc9f41de518335e85f0e71534c4af0b706e0a9

Analysis

max time kernel
148s
max time network
130s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
18/05/2023, 01:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rockr9905.exe
Size

238KB
MD5

d16f5edec7de7c9b263ab7ff62a60459
SHA1

e82c3dc90322e46a8fbe6f29648394869246f5ca
SHA256

e407a4227243f0b4c73216becb3bd2b94648ef85dd52568d12e5ced2f5b9dc2d
SHA512

088fdb92d75316b4f40a057f7fa9fe01683b7373176f610cd70ec3ade3932ce69b395c2a206ae46b8d020db9ad94d7762ed0196f6f4136f80dd9d4290861efae
SSDEEP

6144:PYa6Hq+BjzHgjeJFLx+TVlYYhSYo+dSSq1/j:PY1ljzHyef+VyYhSY/d5qZ

Score

10^/10

formbook re29 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

re29

Decoy

barnstorm-music.com

gazzettadellapuglia.com

baratieistore.space

cdrjdkj.com

carlissablog.com

langlalang.com

2886365.com

aq993.cyou

jwjwjwjw.com

car-deals-80304.com

dikevolesas.info

buycialistablets.online

theplantgranny.net

detoxshopbr.store

imans.biz

fightingcock.co.uk

loveforfurbabies.com

eastcoastbeveragegroup.com

alaaeldinsoft.com

microshel.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/516-69-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/516-77-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/268-80-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/268-82-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

pid	Process
1708	xcailndjfv.exe
516	xcailndjfv.exe

Loads dropped DLL 3 IoCs

pid	Process
928	rockr9905.exe
928	rockr9905.exe
1708	xcailndjfv.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1708 set thread context of 516	1708	xcailndjfv.exe	28
PID 516 set thread context of 1280	516	xcailndjfv.exe	15
PID 268 set thread context of 1280	268	colorcpl.exe	15

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
516	xcailndjfv.exe
516	xcailndjfv.exe
268	colorcpl.exe
268	colorcpl.exe
268	colorcpl.exe
268	colorcpl.exe
268	colorcpl.exe
268	colorcpl.exe
268	colorcpl.exe
268	colorcpl.exe
268	colorcpl.exe
268	colorcpl.exe
268	colorcpl.exe
268	colorcpl.exe
268	colorcpl.exe
268	colorcpl.exe
268	colorcpl.exe
268	colorcpl.exe
268	colorcpl.exe
268	colorcpl.exe
268	colorcpl.exe
268	colorcpl.exe
268	colorcpl.exe
268	colorcpl.exe
268	colorcpl.exe
268	colorcpl.exe
268	colorcpl.exe
268	colorcpl.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1280	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
1708	xcailndjfv.exe
516	xcailndjfv.exe
516	xcailndjfv.exe
516	xcailndjfv.exe
268	colorcpl.exe
268	colorcpl.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	516	xcailndjfv.exe
Token: SeDebugPrivilege	268	colorcpl.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1280	Explorer.EXE
1280	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1280	Explorer.EXE
1280	Explorer.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 928 wrote to memory of 1708	928	rockr9905.exe	27
PID 928 wrote to memory of 1708	928	rockr9905.exe	27
PID 928 wrote to memory of 1708	928	rockr9905.exe	27
PID 928 wrote to memory of 1708	928	rockr9905.exe	27
PID 1708 wrote to memory of 516	1708	xcailndjfv.exe	28
PID 1708 wrote to memory of 516	1708	xcailndjfv.exe	28
PID 1708 wrote to memory of 516	1708	xcailndjfv.exe	28
PID 1708 wrote to memory of 516	1708	xcailndjfv.exe	28
PID 1708 wrote to memory of 516	1708	xcailndjfv.exe	28
PID 1280 wrote to memory of 268	1280	Explorer.EXE	29
PID 1280 wrote to memory of 268	1280	Explorer.EXE	29
PID 1280 wrote to memory of 268	1280	Explorer.EXE	29
PID 1280 wrote to memory of 268	1280	Explorer.EXE	29
PID 268 wrote to memory of 1472	268	colorcpl.exe	30
PID 268 wrote to memory of 1472	268	colorcpl.exe	30
PID 268 wrote to memory of 1472	268	colorcpl.exe	30
PID 268 wrote to memory of 1472	268	colorcpl.exe	30

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Users\Admin\AppData\Local\Temp\rockr9905.exe
  "C:\Users\Admin\AppData\Local\Temp\rockr9905.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:928
- - C:\Users\Admin\AppData\Local\Temp\xcailndjfv.exe
    "C:\Users\Admin\AppData\Local\Temp\xcailndjfv.exe" C:\Users\Admin\AppData\Local\Temp\udbuedtjk.un
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1708
  - - C:\Users\Admin\AppData\Local\Temp\xcailndjfv.exe
      "C:\Users\Admin\AppData\Local\Temp\xcailndjfv.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:516
- C:\Windows\SysWOW64\colorcpl.exe
  "C:\Windows\SysWOW64\colorcpl.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:268
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\xcailndjfv.exe"
    3⤵
    PID:1472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\oxspgqcs.sf

Filesize
205KB

MD5
747b1baad89d3287ac4a57bf30f7a195

SHA1
c37e37762f2a210374294eb479660baf2842f616

SHA256
b3347f2e8e9c4e8666f64b7c51c02459b7880dfa9e0dd75518771a60a5b43bde

SHA512
f4dfc34724dbf0bbe3cd5e1fbeb3bc970d71bb05cee21ae3de54756561666f5d87a9e64f259ab35a186bd9cc722ef9924c716b3937ba4c25d9572979249a495a

Download Submit
C:\Users\Admin\AppData\Local\Temp\udbuedtjk.un

Filesize
5KB

MD5
ba23e6ece187ccfdcbae69b8cbfd2da2

SHA1
a1fcbb868cebc8dba1ff11b26efa30301c5d588b

SHA256
72764ff96462a24d3763a6b90b7843fe07f715dbddc80c6df5feca41456718b7

SHA512
9bd6eeecfe6443336c48086d02cd46a765f93669fccd95ec962fa4fbed162c59a0529b9d99ba28b7c4171c38f99a6c0eaefbf4936bde66ec2daf8abe99814b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\xcailndjfv.exe

Filesize
6KB

MD5
38001df3bab402d2ac9c61d1ddb43c6f

SHA1
822e3e9deae1871e144fdf54b50770e7e2ab4aac

SHA256
8be2ee84e9553f611cb316d85a595a311b18d6bc22b8952562148a4cc353b3b0

SHA512
e76a6b03236e04110c93297e53e9867d089d06a3c7b21b2e0b18841bdb6f492395cb87b33e3b561558307368684d67da613174b9c532beffb53e70aa2da5a579

Download Submit
C:\Users\Admin\AppData\Local\Temp\xcailndjfv.exe

Filesize
6KB

MD5
38001df3bab402d2ac9c61d1ddb43c6f

SHA1
822e3e9deae1871e144fdf54b50770e7e2ab4aac

SHA256
8be2ee84e9553f611cb316d85a595a311b18d6bc22b8952562148a4cc353b3b0

SHA512
e76a6b03236e04110c93297e53e9867d089d06a3c7b21b2e0b18841bdb6f492395cb87b33e3b561558307368684d67da613174b9c532beffb53e70aa2da5a579

Download Submit
C:\Users\Admin\AppData\Local\Temp\xcailndjfv.exe

Filesize
6KB

MD5
38001df3bab402d2ac9c61d1ddb43c6f

SHA1
822e3e9deae1871e144fdf54b50770e7e2ab4aac

SHA256
8be2ee84e9553f611cb316d85a595a311b18d6bc22b8952562148a4cc353b3b0

SHA512
e76a6b03236e04110c93297e53e9867d089d06a3c7b21b2e0b18841bdb6f492395cb87b33e3b561558307368684d67da613174b9c532beffb53e70aa2da5a579

Download Submit
C:\Users\Admin\AppData\Local\Temp\xcailndjfv.exe

Filesize
6KB

MD5
38001df3bab402d2ac9c61d1ddb43c6f

SHA1
822e3e9deae1871e144fdf54b50770e7e2ab4aac

SHA256
8be2ee84e9553f611cb316d85a595a311b18d6bc22b8952562148a4cc353b3b0

SHA512
e76a6b03236e04110c93297e53e9867d089d06a3c7b21b2e0b18841bdb6f492395cb87b33e3b561558307368684d67da613174b9c532beffb53e70aa2da5a579

Download Submit
\Users\Admin\AppData\Local\Temp\xcailndjfv.exe

Filesize
6KB

MD5
38001df3bab402d2ac9c61d1ddb43c6f

SHA1
822e3e9deae1871e144fdf54b50770e7e2ab4aac

SHA256
8be2ee84e9553f611cb316d85a595a311b18d6bc22b8952562148a4cc353b3b0

SHA512
e76a6b03236e04110c93297e53e9867d089d06a3c7b21b2e0b18841bdb6f492395cb87b33e3b561558307368684d67da613174b9c532beffb53e70aa2da5a579

Download Submit
\Users\Admin\AppData\Local\Temp\xcailndjfv.exe

Filesize
6KB

MD5
38001df3bab402d2ac9c61d1ddb43c6f

SHA1
822e3e9deae1871e144fdf54b50770e7e2ab4aac

SHA256
8be2ee84e9553f611cb316d85a595a311b18d6bc22b8952562148a4cc353b3b0

SHA512
e76a6b03236e04110c93297e53e9867d089d06a3c7b21b2e0b18841bdb6f492395cb87b33e3b561558307368684d67da613174b9c532beffb53e70aa2da5a579

Download Submit
\Users\Admin\AppData\Local\Temp\xcailndjfv.exe

Filesize
6KB

MD5
38001df3bab402d2ac9c61d1ddb43c6f

SHA1
822e3e9deae1871e144fdf54b50770e7e2ab4aac

SHA256
8be2ee84e9553f611cb316d85a595a311b18d6bc22b8952562148a4cc353b3b0

SHA512
e76a6b03236e04110c93297e53e9867d089d06a3c7b21b2e0b18841bdb6f492395cb87b33e3b561558307368684d67da613174b9c532beffb53e70aa2da5a579

Download Submit
memory/268-81-0x0000000001F70000-0x0000000002273000-memory.dmp

Filesize
3.0MB

Download
memory/268-82-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/268-85-0x0000000001D70000-0x0000000001E03000-memory.dmp

Filesize
588KB

Download
memory/268-80-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/268-79-0x00000000005E0000-0x00000000005F8000-memory.dmp

Filesize
96KB

Download
memory/268-78-0x00000000005E0000-0x00000000005F8000-memory.dmp

Filesize
96KB

Download
memory/516-77-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/516-75-0x0000000000130000-0x0000000000144000-memory.dmp

Filesize
80KB

Download
memory/516-69-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/516-74-0x00000000008A0000-0x0000000000BA3000-memory.dmp

Filesize
3.0MB

Download
memory/1280-76-0x00000000065E0000-0x00000000066E5000-memory.dmp

Filesize
1.0MB

Download
memory/1280-73-0x0000000003710000-0x0000000003810000-memory.dmp

Filesize
1024KB

Download
memory/1280-84-0x0000000003710000-0x0000000003810000-memory.dmp

Filesize
1024KB

Download
memory/1280-86-0x00000000048C0000-0x0000000004998000-memory.dmp

Filesize
864KB

Download
memory/1280-87-0x00000000048C0000-0x0000000004998000-memory.dmp

Filesize
864KB

Download
memory/1280-89-0x00000000048C0000-0x0000000004998000-memory.dmp

Filesize
864KB

Download