formbook | f46b4ae770d908ac9d9eb047d7fc79609f6f33981f9b98e4544f7e65fd62a4c9

Analysis

max time kernel
150s
max time network
156s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
18/05/2023, 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rock997.exe
Size

281KB
MD5

770b0aa37f47b6bda2c4aa82b686afaf
SHA1

a7f4627372d3277b5456f2b4ff9f40aceb7db68c
SHA256

c02565873b8fe1fe3a19ee5bca4d03a861d4768f48f8816311792b7632c63107
SHA512

1839733c9d37692852f3c5e604e5f16c12313f0f937d1f3a055eecc787e6c1ed9037b16f7df1735e9a04a983b1ac05505dd48f36dff203a0765d08fdef02e0da
SSDEEP

6144:/Ya6Nfn8Qna97f4k9uCH1+TmXbXPT0hpDMfWhj7U7Pitx1uK54IR0ycAJPI:/Yv/8Qna97A4nVOCT04v7atLuKmIR0UO

Score

10^/10

formbook re29 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

re29

Decoy

barnstorm-music.com

gazzettadellapuglia.com

baratieistore.space

cdrjdkj.com

carlissablog.com

langlalang.com

2886365.com

aq993.cyou

jwjwjwjw.com

car-deals-80304.com

dikevolesas.info

buycialistablets.online

theplantgranny.net

detoxshopbr.store

imans.biz

fightingcock.co.uk

loveforfurbabies.com

eastcoastbeveragegroup.com

alaaeldinsoft.com

microshel.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 5 IoCs

rat

resource	yara_rule
behavioral1/memory/1104-69-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1104-74-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1104-81-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1856-86-0x0000000000070000-0x000000000009F000-memory.dmp	formbook
behavioral1/memory/1856-88-0x0000000000070000-0x000000000009F000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

pid	Process
912	krzbxu.exe
1104	krzbxu.exe

Loads dropped DLL 3 IoCs

pid	Process
1696	rock997.exe
1696	rock997.exe
912	krzbxu.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 912 set thread context of 1104	912	krzbxu.exe	30
PID 1104 set thread context of 1248	1104	krzbxu.exe	15
PID 1104 set thread context of 1248	1104	krzbxu.exe	15
PID 1856 set thread context of 1248	1856	wscript.exe	15

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1104	krzbxu.exe
1104	krzbxu.exe
1104	krzbxu.exe
1856	wscript.exe
1856	wscript.exe
1856	wscript.exe
1856	wscript.exe
1856	wscript.exe
1856	wscript.exe
1856	wscript.exe
1856	wscript.exe
1856	wscript.exe
1856	wscript.exe
1856	wscript.exe
1856	wscript.exe
1856	wscript.exe
1856	wscript.exe
1856	wscript.exe
1856	wscript.exe
1856	wscript.exe
1856	wscript.exe
1856	wscript.exe
1856	wscript.exe
1856	wscript.exe
1856	wscript.exe
1856	wscript.exe
1856	wscript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1248	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
912	krzbxu.exe
1104	krzbxu.exe
1104	krzbxu.exe
1104	krzbxu.exe
1104	krzbxu.exe
1856	wscript.exe
1856	wscript.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1104	krzbxu.exe
Token: SeDebugPrivilege	1856	wscript.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1248	Explorer.EXE
1248	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1248	Explorer.EXE
1248	Explorer.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 912	1696	rock997.exe	28
PID 1696 wrote to memory of 912	1696	rock997.exe	28
PID 1696 wrote to memory of 912	1696	rock997.exe	28
PID 1696 wrote to memory of 912	1696	rock997.exe	28
PID 912 wrote to memory of 1104	912	krzbxu.exe	30
PID 912 wrote to memory of 1104	912	krzbxu.exe	30
PID 912 wrote to memory of 1104	912	krzbxu.exe	30
PID 912 wrote to memory of 1104	912	krzbxu.exe	30
PID 912 wrote to memory of 1104	912	krzbxu.exe	30
PID 1104 wrote to memory of 1856	1104	krzbxu.exe	31
PID 1104 wrote to memory of 1856	1104	krzbxu.exe	31
PID 1104 wrote to memory of 1856	1104	krzbxu.exe	31
PID 1104 wrote to memory of 1856	1104	krzbxu.exe	31
PID 1856 wrote to memory of 1516	1856	wscript.exe	32
PID 1856 wrote to memory of 1516	1856	wscript.exe	32
PID 1856 wrote to memory of 1516	1856	wscript.exe	32
PID 1856 wrote to memory of 1516	1856	wscript.exe	32

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1248
- C:\Users\Admin\AppData\Local\Temp\rock997.exe
  "C:\Users\Admin\AppData\Local\Temp\rock997.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Users\Admin\AppData\Local\Temp\krzbxu.exe
    "C:\Users\Admin\AppData\Local\Temp\krzbxu.exe" C:\Users\Admin\AppData\Local\Temp\lgpjpyltwb.xsh
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:912
  - - C:\Users\Admin\AppData\Local\Temp\krzbxu.exe
      "C:\Users\Admin\AppData\Local\Temp\krzbxu.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1104
    - - C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\SysWOW64\wscript.exe"
        5⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1856
      - C:\Windows\SysWOW64\cmd.exe
        
        /c del "C:\Users\Admin\AppData\Local\Temp\krzbxu.exe"
        6⤵
        
        PID:1516

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\krzbxu.exe

Filesize
93KB

MD5
7793dd06bf27114affbfddc7e43776f0

SHA1
2aefa98cf10eca923a83d5e12cf58e59ed57e8ff

SHA256
3d5b7def708577d215cba4dd3d8583e850ff06841ffe9ae951df7ec777f5c82c

SHA512
d76e5de604dda386e21000e208f2518c090d2155dfb9668d1c9db00c71d0edb0ee7cd137b22f9d82256a2364cbf84d803c3b215db54f9edeac715ab251558888

Download Submit
C:\Users\Admin\AppData\Local\Temp\krzbxu.exe

Filesize
93KB

MD5
7793dd06bf27114affbfddc7e43776f0

SHA1
2aefa98cf10eca923a83d5e12cf58e59ed57e8ff

SHA256
3d5b7def708577d215cba4dd3d8583e850ff06841ffe9ae951df7ec777f5c82c

SHA512
d76e5de604dda386e21000e208f2518c090d2155dfb9668d1c9db00c71d0edb0ee7cd137b22f9d82256a2364cbf84d803c3b215db54f9edeac715ab251558888

Download Submit
C:\Users\Admin\AppData\Local\Temp\krzbxu.exe

Filesize
93KB

MD5
7793dd06bf27114affbfddc7e43776f0

SHA1
2aefa98cf10eca923a83d5e12cf58e59ed57e8ff

SHA256
3d5b7def708577d215cba4dd3d8583e850ff06841ffe9ae951df7ec777f5c82c

SHA512
d76e5de604dda386e21000e208f2518c090d2155dfb9668d1c9db00c71d0edb0ee7cd137b22f9d82256a2364cbf84d803c3b215db54f9edeac715ab251558888

Download Submit
C:\Users\Admin\AppData\Local\Temp\krzbxu.exe

Filesize
93KB

MD5
7793dd06bf27114affbfddc7e43776f0

SHA1
2aefa98cf10eca923a83d5e12cf58e59ed57e8ff

SHA256
3d5b7def708577d215cba4dd3d8583e850ff06841ffe9ae951df7ec777f5c82c

SHA512
d76e5de604dda386e21000e208f2518c090d2155dfb9668d1c9db00c71d0edb0ee7cd137b22f9d82256a2364cbf84d803c3b215db54f9edeac715ab251558888

Download Submit
C:\Users\Admin\AppData\Local\Temp\lgpjpyltwb.xsh

Filesize
5KB

MD5
e90cdc2f987e0fb1f880635a2444a376

SHA1
5c0ad72f848c73c40c34a8e36cce08a046ba41a2

SHA256
04bffe239f42f4d64df22daaf1ea0c9803e4c0aa094b30fd95dd6b675d5392c7

SHA512
df607591e78345f85c89a99accf9e5c0d55331eb8701fc4b0c6e2a8cb34381daa456fc52acc39a60bd9679ea6f47c246d8de3db951986adba5c74e1e2ef37ed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\stoeqa.z

Filesize
205KB

MD5
5087adea0b5f152af8763de0dd77ae61

SHA1
b18f566dd8fd1a8fd616b16b087092566e2e2229

SHA256
d79eaf52aa4cae85609cac0070b15596a88f05cc46a1581ddbaff6bbfd50d7b8

SHA512
ee13310cd18e71bdf5f4b58221a531eae1fc4489644cbf4055ca0e9f96d39a1bd4b62811d62071f13e56a7cf06b300bbf6ad747f3a22ea1d5339ef0441788df8

Download Submit
\Users\Admin\AppData\Local\Temp\krzbxu.exe

Filesize
93KB

MD5
7793dd06bf27114affbfddc7e43776f0

SHA1
2aefa98cf10eca923a83d5e12cf58e59ed57e8ff

SHA256
3d5b7def708577d215cba4dd3d8583e850ff06841ffe9ae951df7ec777f5c82c

SHA512
d76e5de604dda386e21000e208f2518c090d2155dfb9668d1c9db00c71d0edb0ee7cd137b22f9d82256a2364cbf84d803c3b215db54f9edeac715ab251558888

Download Submit
\Users\Admin\AppData\Local\Temp\krzbxu.exe

Filesize
93KB

MD5
7793dd06bf27114affbfddc7e43776f0

SHA1
2aefa98cf10eca923a83d5e12cf58e59ed57e8ff

SHA256
3d5b7def708577d215cba4dd3d8583e850ff06841ffe9ae951df7ec777f5c82c

SHA512
d76e5de604dda386e21000e208f2518c090d2155dfb9668d1c9db00c71d0edb0ee7cd137b22f9d82256a2364cbf84d803c3b215db54f9edeac715ab251558888

Download Submit
\Users\Admin\AppData\Local\Temp\krzbxu.exe

Filesize
93KB

MD5
7793dd06bf27114affbfddc7e43776f0

SHA1
2aefa98cf10eca923a83d5e12cf58e59ed57e8ff

SHA256
3d5b7def708577d215cba4dd3d8583e850ff06841ffe9ae951df7ec777f5c82c

SHA512
d76e5de604dda386e21000e208f2518c090d2155dfb9668d1c9db00c71d0edb0ee7cd137b22f9d82256a2364cbf84d803c3b215db54f9edeac715ab251558888

Download Submit
memory/912-66-0x0000000000250000-0x0000000000252000-memory.dmp

Filesize
8KB

Download
memory/1104-76-0x0000000000250000-0x0000000000264000-memory.dmp

Filesize
80KB

Download
memory/1104-74-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1104-75-0x0000000000700000-0x0000000000A03000-memory.dmp

Filesize
3.0MB

Download
memory/1104-69-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1104-79-0x00000000022C0000-0x00000000022D4000-memory.dmp

Filesize
80KB

Download
memory/1104-81-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1248-91-0x0000000006A20000-0x0000000006B3E000-memory.dmp

Filesize
1.1MB

Download
memory/1248-77-0x0000000006550000-0x00000000066DD000-memory.dmp

Filesize
1.6MB

Download
memory/1248-80-0x00000000043C0000-0x00000000044EF000-memory.dmp

Filesize
1.2MB

Download
memory/1248-73-0x0000000000010000-0x0000000000020000-memory.dmp

Filesize
64KB

Download
memory/1248-94-0x0000000006A20000-0x0000000006B3E000-memory.dmp

Filesize
1.1MB

Download
memory/1248-92-0x0000000006A20000-0x0000000006B3E000-memory.dmp

Filesize
1.1MB

Download
memory/1856-83-0x0000000000130000-0x0000000000156000-memory.dmp

Filesize
152KB

Download
memory/1856-88-0x0000000000070000-0x000000000009F000-memory.dmp

Filesize
188KB

Download
memory/1856-89-0x0000000001E20000-0x0000000001EB3000-memory.dmp

Filesize
588KB

Download
memory/1856-87-0x0000000002050000-0x0000000002353000-memory.dmp

Filesize
3.0MB

Download
memory/1856-86-0x0000000000070000-0x000000000009F000-memory.dmp

Filesize
188KB

Download
memory/1856-85-0x0000000000130000-0x0000000000156000-memory.dmp

Filesize
152KB

Download