formbook | f46b4ae770d908ac9d9eb047d7fc79609f6f33981f9b98e4544f7e65fd62a4c9

Analysis

max time kernel
153s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
18/05/2023, 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rock997.exe
Size

281KB
MD5

770b0aa37f47b6bda2c4aa82b686afaf
SHA1

a7f4627372d3277b5456f2b4ff9f40aceb7db68c
SHA256

c02565873b8fe1fe3a19ee5bca4d03a861d4768f48f8816311792b7632c63107
SHA512

1839733c9d37692852f3c5e604e5f16c12313f0f937d1f3a055eecc787e6c1ed9037b16f7df1735e9a04a983b1ac05505dd48f36dff203a0765d08fdef02e0da
SSDEEP

6144:/Ya6Nfn8Qna97f4k9uCH1+TmXbXPT0hpDMfWhj7U7Pitx1uK54IR0ycAJPI:/Yv/8Qna97A4nVOCT04v7atLuKmIR0UO

Score

10^/10

formbook re29 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

re29

Decoy

barnstorm-music.com

gazzettadellapuglia.com

baratieistore.space

cdrjdkj.com

carlissablog.com

langlalang.com

2886365.com

aq993.cyou

jwjwjwjw.com

car-deals-80304.com

dikevolesas.info

buycialistablets.online

theplantgranny.net

detoxshopbr.store

imans.biz

fightingcock.co.uk

loveforfurbabies.com

eastcoastbeveragegroup.com

alaaeldinsoft.com

microshel.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/1168-141-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/1168-148-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2624-152-0x0000000000530000-0x000000000055F000-memory.dmp	formbook
behavioral2/memory/2624-154-0x0000000000530000-0x000000000055F000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

pid	Process
992	krzbxu.exe
1168	krzbxu.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 992 set thread context of 1168	992	krzbxu.exe	86
PID 1168 set thread context of 2780	1168	krzbxu.exe	51
PID 2624 set thread context of 2780	2624	control.exe	51

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
1168	krzbxu.exe
1168	krzbxu.exe
1168	krzbxu.exe
1168	krzbxu.exe
2624	control.exe
2624	control.exe
2624	control.exe
2624	control.exe
2624	control.exe
2624	control.exe
2624	control.exe
2624	control.exe
2624	control.exe
2624	control.exe
2624	control.exe
2624	control.exe
2624	control.exe
2624	control.exe
2624	control.exe
2624	control.exe
2624	control.exe
2624	control.exe
2624	control.exe
2624	control.exe
2624	control.exe
2624	control.exe
2624	control.exe
2624	control.exe
2624	control.exe
2624	control.exe
2624	control.exe
2624	control.exe
2624	control.exe
2624	control.exe
2624	control.exe
2624	control.exe
2624	control.exe
2624	control.exe
2624	control.exe
2624	control.exe
2624	control.exe
2624	control.exe
2624	control.exe
2624	control.exe
2624	control.exe
2624	control.exe
2624	control.exe
2624	control.exe
2624	control.exe
2624	control.exe
2624	control.exe
2624	control.exe
2624	control.exe
2624	control.exe
2624	control.exe
2624	control.exe
2624	control.exe
2624	control.exe
2624	control.exe
2624	control.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2780	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
992	krzbxu.exe
1168	krzbxu.exe
1168	krzbxu.exe
1168	krzbxu.exe
2624	control.exe
2624	control.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1168	krzbxu.exe
Token: SeDebugPrivilege	2624	control.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 992	1916	rock997.exe	84
PID 1916 wrote to memory of 992	1916	rock997.exe	84
PID 1916 wrote to memory of 992	1916	rock997.exe	84
PID 992 wrote to memory of 1168	992	krzbxu.exe	86
PID 992 wrote to memory of 1168	992	krzbxu.exe	86
PID 992 wrote to memory of 1168	992	krzbxu.exe	86
PID 992 wrote to memory of 1168	992	krzbxu.exe	86
PID 2780 wrote to memory of 2624	2780	Explorer.EXE	87
PID 2780 wrote to memory of 2624	2780	Explorer.EXE	87
PID 2780 wrote to memory of 2624	2780	Explorer.EXE	87
PID 2624 wrote to memory of 1540	2624	control.exe	88
PID 2624 wrote to memory of 1540	2624	control.exe	88
PID 2624 wrote to memory of 1540	2624	control.exe	88

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Users\Admin\AppData\Local\Temp\rock997.exe
  "C:\Users\Admin\AppData\Local\Temp\rock997.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Users\Admin\AppData\Local\Temp\krzbxu.exe
    "C:\Users\Admin\AppData\Local\Temp\krzbxu.exe" C:\Users\Admin\AppData\Local\Temp\lgpjpyltwb.xsh
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:992
  - - C:\Users\Admin\AppData\Local\Temp\krzbxu.exe
      "C:\Users\Admin\AppData\Local\Temp\krzbxu.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:1168
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\SysWOW64\control.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\krzbxu.exe"
    3⤵
    PID:1540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\krzbxu.exe

Filesize
93KB

MD5
7793dd06bf27114affbfddc7e43776f0

SHA1
2aefa98cf10eca923a83d5e12cf58e59ed57e8ff

SHA256
3d5b7def708577d215cba4dd3d8583e850ff06841ffe9ae951df7ec777f5c82c

SHA512
d76e5de604dda386e21000e208f2518c090d2155dfb9668d1c9db00c71d0edb0ee7cd137b22f9d82256a2364cbf84d803c3b215db54f9edeac715ab251558888

Download Submit
C:\Users\Admin\AppData\Local\Temp\krzbxu.exe

Filesize
93KB

MD5
7793dd06bf27114affbfddc7e43776f0

SHA1
2aefa98cf10eca923a83d5e12cf58e59ed57e8ff

SHA256
3d5b7def708577d215cba4dd3d8583e850ff06841ffe9ae951df7ec777f5c82c

SHA512
d76e5de604dda386e21000e208f2518c090d2155dfb9668d1c9db00c71d0edb0ee7cd137b22f9d82256a2364cbf84d803c3b215db54f9edeac715ab251558888

Download Submit
C:\Users\Admin\AppData\Local\Temp\krzbxu.exe

Filesize
93KB

MD5
7793dd06bf27114affbfddc7e43776f0

SHA1
2aefa98cf10eca923a83d5e12cf58e59ed57e8ff

SHA256
3d5b7def708577d215cba4dd3d8583e850ff06841ffe9ae951df7ec777f5c82c

SHA512
d76e5de604dda386e21000e208f2518c090d2155dfb9668d1c9db00c71d0edb0ee7cd137b22f9d82256a2364cbf84d803c3b215db54f9edeac715ab251558888

Download Submit
C:\Users\Admin\AppData\Local\Temp\lgpjpyltwb.xsh

Filesize
5KB

MD5
e90cdc2f987e0fb1f880635a2444a376

SHA1
5c0ad72f848c73c40c34a8e36cce08a046ba41a2

SHA256
04bffe239f42f4d64df22daaf1ea0c9803e4c0aa094b30fd95dd6b675d5392c7

SHA512
df607591e78345f85c89a99accf9e5c0d55331eb8701fc4b0c6e2a8cb34381daa456fc52acc39a60bd9679ea6f47c246d8de3db951986adba5c74e1e2ef37ed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\stoeqa.z

Filesize
205KB

MD5
5087adea0b5f152af8763de0dd77ae61

SHA1
b18f566dd8fd1a8fd616b16b087092566e2e2229

SHA256
d79eaf52aa4cae85609cac0070b15596a88f05cc46a1581ddbaff6bbfd50d7b8

SHA512
ee13310cd18e71bdf5f4b58221a531eae1fc4489644cbf4055ca0e9f96d39a1bd4b62811d62071f13e56a7cf06b300bbf6ad747f3a22ea1d5339ef0441788df8

Download Submit
memory/1168-148-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1168-141-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1168-145-0x00000000009C0000-0x0000000000D0A000-memory.dmp

Filesize
3.3MB

Download
memory/1168-146-0x00000000009A0000-0x00000000009B4000-memory.dmp

Filesize
80KB

Download
memory/2624-152-0x0000000000530000-0x000000000055F000-memory.dmp

Filesize
188KB

Download
memory/2624-150-0x0000000000CD0000-0x0000000000CF7000-memory.dmp

Filesize
156KB

Download
memory/2624-151-0x0000000000CD0000-0x0000000000CF7000-memory.dmp

Filesize
156KB

Download
memory/2624-153-0x0000000002830000-0x0000000002B7A000-memory.dmp

Filesize
3.3MB

Download
memory/2624-154-0x0000000000530000-0x000000000055F000-memory.dmp

Filesize
188KB

Download
memory/2624-156-0x00000000024D0000-0x0000000002563000-memory.dmp

Filesize
588KB

Download
memory/2780-147-0x0000000008540000-0x0000000008631000-memory.dmp

Filesize
964KB

Download
memory/2780-157-0x0000000008D60000-0x0000000008EC5000-memory.dmp

Filesize
1.4MB

Download
memory/2780-158-0x0000000008D60000-0x0000000008EC5000-memory.dmp

Filesize
1.4MB

Download
memory/2780-160-0x0000000008D60000-0x0000000008EC5000-memory.dmp

Filesize
1.4MB

Download