formbook | 063a9ad1e9e34e5f7321abc616bc9f41de518335e85f0e71534c4af0b706e0a9

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
18-05-2023 01:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rockr9905.exe
Size

238KB
MD5

d16f5edec7de7c9b263ab7ff62a60459
SHA1

e82c3dc90322e46a8fbe6f29648394869246f5ca
SHA256

e407a4227243f0b4c73216becb3bd2b94648ef85dd52568d12e5ced2f5b9dc2d
SHA512

088fdb92d75316b4f40a057f7fa9fe01683b7373176f610cd70ec3ade3932ce69b395c2a206ae46b8d020db9ad94d7762ed0196f6f4136f80dd9d4290861efae
SSDEEP

6144:PYa6Hq+BjzHgjeJFLx+TVlYYhSYo+dSSq1/j:PY1ljzHyef+VyYhSY/d5qZ

Score

10^/10

formbook re29 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

re29

Decoy

barnstorm-music.com

gazzettadellapuglia.com

baratieistore.space

cdrjdkj.com

carlissablog.com

langlalang.com

2886365.com

aq993.cyou

jwjwjwjw.com

car-deals-80304.com

dikevolesas.info

buycialistablets.online

theplantgranny.net

detoxshopbr.store

imans.biz

fightingcock.co.uk

loveforfurbabies.com

eastcoastbeveragegroup.com

alaaeldinsoft.com

microshel.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

resource	yara_rule
behavioral2/memory/4792-142-0x0000000000360000-0x000000000038F000-memory.dmp	formbook
behavioral2/memory/764-152-0x00000000003B0000-0x00000000003DF000-memory.dmp	formbook
behavioral2/memory/764-154-0x00000000003B0000-0x00000000003DF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

pid	Process
4904	xcailndjfv.exe
4792	xcailndjfv.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4904 set thread context of 4792	4904	xcailndjfv.exe	84
PID 4792 set thread context of 3196	4792	xcailndjfv.exe	25
PID 764 set thread context of 3196	764	ipconfig.exe	25

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
764	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
4792	xcailndjfv.exe
4792	xcailndjfv.exe
4792	xcailndjfv.exe
4792	xcailndjfv.exe
764	ipconfig.exe
764	ipconfig.exe
764	ipconfig.exe
764	ipconfig.exe
764	ipconfig.exe
764	ipconfig.exe
764	ipconfig.exe
764	ipconfig.exe
764	ipconfig.exe
764	ipconfig.exe
764	ipconfig.exe
764	ipconfig.exe
764	ipconfig.exe
764	ipconfig.exe
764	ipconfig.exe
764	ipconfig.exe
764	ipconfig.exe
764	ipconfig.exe
764	ipconfig.exe
764	ipconfig.exe
764	ipconfig.exe
764	ipconfig.exe
764	ipconfig.exe
764	ipconfig.exe
764	ipconfig.exe
764	ipconfig.exe
764	ipconfig.exe
764	ipconfig.exe
764	ipconfig.exe
764	ipconfig.exe
764	ipconfig.exe
764	ipconfig.exe
764	ipconfig.exe
764	ipconfig.exe
764	ipconfig.exe
764	ipconfig.exe
764	ipconfig.exe
764	ipconfig.exe
764	ipconfig.exe
764	ipconfig.exe
764	ipconfig.exe
764	ipconfig.exe
764	ipconfig.exe
764	ipconfig.exe
764	ipconfig.exe
764	ipconfig.exe
764	ipconfig.exe
764	ipconfig.exe
764	ipconfig.exe
764	ipconfig.exe
764	ipconfig.exe
764	ipconfig.exe
764	ipconfig.exe
764	ipconfig.exe
764	ipconfig.exe
764	ipconfig.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3196	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
4904	xcailndjfv.exe
4904	xcailndjfv.exe
4792	xcailndjfv.exe
4792	xcailndjfv.exe
4792	xcailndjfv.exe
764	ipconfig.exe
764	ipconfig.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4792	xcailndjfv.exe
Token: SeDebugPrivilege	764	ipconfig.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 5044 wrote to memory of 4904	5044	rockr9905.exe	83
PID 5044 wrote to memory of 4904	5044	rockr9905.exe	83
PID 5044 wrote to memory of 4904	5044	rockr9905.exe	83
PID 4904 wrote to memory of 4792	4904	xcailndjfv.exe	84
PID 4904 wrote to memory of 4792	4904	xcailndjfv.exe	84
PID 4904 wrote to memory of 4792	4904	xcailndjfv.exe	84
PID 4904 wrote to memory of 4792	4904	xcailndjfv.exe	84
PID 3196 wrote to memory of 764	3196	Explorer.EXE	85
PID 3196 wrote to memory of 764	3196	Explorer.EXE	85
PID 3196 wrote to memory of 764	3196	Explorer.EXE	85
PID 764 wrote to memory of 4776	764	ipconfig.exe	86
PID 764 wrote to memory of 4776	764	ipconfig.exe	86
PID 764 wrote to memory of 4776	764	ipconfig.exe	86

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3196
- C:\Users\Admin\AppData\Local\Temp\rockr9905.exe
  "C:\Users\Admin\AppData\Local\Temp\rockr9905.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5044
- - C:\Users\Admin\AppData\Local\Temp\xcailndjfv.exe
    "C:\Users\Admin\AppData\Local\Temp\xcailndjfv.exe" C:\Users\Admin\AppData\Local\Temp\udbuedtjk.un
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4904
  - - C:\Users\Admin\AppData\Local\Temp\xcailndjfv.exe
      "C:\Users\Admin\AppData\Local\Temp\xcailndjfv.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:4792
- C:\Windows\SysWOW64\ipconfig.exe
  "C:\Windows\SysWOW64\ipconfig.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Gathers network information
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:764
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\xcailndjfv.exe"
    3⤵
    PID:4776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\oxspgqcs.sf

Filesize
205KB

MD5
747b1baad89d3287ac4a57bf30f7a195

SHA1
c37e37762f2a210374294eb479660baf2842f616

SHA256
b3347f2e8e9c4e8666f64b7c51c02459b7880dfa9e0dd75518771a60a5b43bde

SHA512
f4dfc34724dbf0bbe3cd5e1fbeb3bc970d71bb05cee21ae3de54756561666f5d87a9e64f259ab35a186bd9cc722ef9924c716b3937ba4c25d9572979249a495a

Download Submit
C:\Users\Admin\AppData\Local\Temp\udbuedtjk.un

Filesize
5KB

MD5
ba23e6ece187ccfdcbae69b8cbfd2da2

SHA1
a1fcbb868cebc8dba1ff11b26efa30301c5d588b

SHA256
72764ff96462a24d3763a6b90b7843fe07f715dbddc80c6df5feca41456718b7

SHA512
9bd6eeecfe6443336c48086d02cd46a765f93669fccd95ec962fa4fbed162c59a0529b9d99ba28b7c4171c38f99a6c0eaefbf4936bde66ec2daf8abe99814b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\xcailndjfv.exe

Filesize
6KB

MD5
38001df3bab402d2ac9c61d1ddb43c6f

SHA1
822e3e9deae1871e144fdf54b50770e7e2ab4aac

SHA256
8be2ee84e9553f611cb316d85a595a311b18d6bc22b8952562148a4cc353b3b0

SHA512
e76a6b03236e04110c93297e53e9867d089d06a3c7b21b2e0b18841bdb6f492395cb87b33e3b561558307368684d67da613174b9c532beffb53e70aa2da5a579

Download Submit
C:\Users\Admin\AppData\Local\Temp\xcailndjfv.exe

Filesize
6KB

MD5
38001df3bab402d2ac9c61d1ddb43c6f

SHA1
822e3e9deae1871e144fdf54b50770e7e2ab4aac

SHA256
8be2ee84e9553f611cb316d85a595a311b18d6bc22b8952562148a4cc353b3b0

SHA512
e76a6b03236e04110c93297e53e9867d089d06a3c7b21b2e0b18841bdb6f492395cb87b33e3b561558307368684d67da613174b9c532beffb53e70aa2da5a579

Download Submit
C:\Users\Admin\AppData\Local\Temp\xcailndjfv.exe

Filesize
6KB

MD5
38001df3bab402d2ac9c61d1ddb43c6f

SHA1
822e3e9deae1871e144fdf54b50770e7e2ab4aac

SHA256
8be2ee84e9553f611cb316d85a595a311b18d6bc22b8952562148a4cc353b3b0

SHA512
e76a6b03236e04110c93297e53e9867d089d06a3c7b21b2e0b18841bdb6f492395cb87b33e3b561558307368684d67da613174b9c532beffb53e70aa2da5a579

Download Submit
memory/764-152-0x00000000003B0000-0x00000000003DF000-memory.dmp

Filesize
188KB

Download
memory/764-157-0x0000000000BD0000-0x0000000000C63000-memory.dmp

Filesize
588KB

Download
memory/764-154-0x00000000003B0000-0x00000000003DF000-memory.dmp

Filesize
188KB

Download
memory/764-153-0x0000000000D80000-0x00000000010CA000-memory.dmp

Filesize
3.3MB

Download
memory/764-150-0x0000000000330000-0x000000000033B000-memory.dmp

Filesize
44KB

Download
memory/764-151-0x0000000000330000-0x000000000033B000-memory.dmp

Filesize
44KB

Download
memory/3196-149-0x0000000007E00000-0x0000000007EC0000-memory.dmp

Filesize
768KB

Download
memory/3196-156-0x0000000007E00000-0x0000000007EC0000-memory.dmp

Filesize
768KB

Download
memory/3196-158-0x0000000007EC0000-0x0000000007F87000-memory.dmp

Filesize
796KB

Download
memory/3196-159-0x0000000007EC0000-0x0000000007F87000-memory.dmp

Filesize
796KB

Download
memory/3196-161-0x0000000007EC0000-0x0000000007F87000-memory.dmp

Filesize
796KB

Download
memory/4792-148-0x0000000000C80000-0x0000000000C94000-memory.dmp

Filesize
80KB

Download
memory/4792-147-0x0000000000CF0000-0x000000000103A000-memory.dmp

Filesize
3.3MB

Download
memory/4792-142-0x0000000000360000-0x000000000038F000-memory.dmp

Filesize
188KB

Download