formbook | fb9e9215deca3e197ebc03f3e84fd2c02fed5cb14ae31c5693dfd7a8727b9443

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
07/06/2023, 09:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Quotation-pdf-.exe
Size

744KB
MD5

e7f1724ccbb35d49d7fe3adbeffd161f
SHA1

2fbe4e683985d358bddc51656fe6d67b35043d9d
SHA256

fb9e9215deca3e197ebc03f3e84fd2c02fed5cb14ae31c5693dfd7a8727b9443
SHA512

98150df7b086e75052a33b02cd497e5aa54243c9a86af4eb5c23ee8f70937e673ddbd94f39ae91df8ab688fc437e982b0ef0a912c56fec6486b951f7241ede2b
SSDEEP

12288:iRP2B0xTGlxNqvNu2hZ+nUEsn9ujSkPXjEINck2egMV4fDoR8s6f4GNZhi5yQ610:yPLaVUH999uTvck2egMHR8s6f4GNy5yW

Score

10^/10

formbook ae30 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ae30

Decoy

lili116.ru

apatitum.ru

broadbandterbaik.com

flrfteb.ru

xysklhgf.xyz

thevelvetkit.africa

zwelethugh.africa

imassageandstretchdance.com

laser3dstudio.com

efefplantation.buzz

cyberwisely.com

hulihuli.net

electrosertecnologia.com

golanglearn.club

cee4agency.com

bedicustomgraphicapparel.com

aim2fitness.com

greenarrow-advisors.com

lotadan.com

kgaming.dev

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 5 IoCs

rat

resource	yara_rule
behavioral2/memory/1888-147-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/1888-189-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/1888-195-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4844-197-0x00000000001A0000-0x00000000001CF000-memory.dmp	formbook
behavioral2/memory/4844-199-0x00000000001A0000-0x00000000001CF000-memory.dmp	formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	Quotation-pdf-.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2300 set thread context of 1888	2300	Quotation-pdf-.exe	95
PID 1888 set thread context of 3128	1888	Quotation-pdf-.exe	34
PID 1888 set thread context of 3128	1888	Quotation-pdf-.exe	34
PID 4844 set thread context of 3128	4844	ipconfig.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1948	schtasks.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
4844	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
4972	powershell.exe
1888	Quotation-pdf-.exe
1888	Quotation-pdf-.exe
1888	Quotation-pdf-.exe
1888	Quotation-pdf-.exe
4972	powershell.exe
1888	Quotation-pdf-.exe
1888	Quotation-pdf-.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3128	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
1888	Quotation-pdf-.exe
1888	Quotation-pdf-.exe
1888	Quotation-pdf-.exe
1888	Quotation-pdf-.exe
4844	ipconfig.exe
4844	ipconfig.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	4972	powershell.exe
Token: SeDebugPrivilege	1888	Quotation-pdf-.exe
Token: SeShutdownPrivilege	3128	Explorer.EXE
Token: SeCreatePagefilePrivilege	3128	Explorer.EXE
Token: SeDebugPrivilege	4844	ipconfig.exe
Token: SeShutdownPrivilege	3128	Explorer.EXE
Token: SeCreatePagefilePrivilege	3128	Explorer.EXE
Token: SeShutdownPrivilege	3128	Explorer.EXE
Token: SeCreatePagefilePrivilege	3128	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 4972	2300	Quotation-pdf-.exe	91
PID 2300 wrote to memory of 4972	2300	Quotation-pdf-.exe	91
PID 2300 wrote to memory of 4972	2300	Quotation-pdf-.exe	91
PID 2300 wrote to memory of 1948	2300	Quotation-pdf-.exe	93
PID 2300 wrote to memory of 1948	2300	Quotation-pdf-.exe	93
PID 2300 wrote to memory of 1948	2300	Quotation-pdf-.exe	93
PID 2300 wrote to memory of 1888	2300	Quotation-pdf-.exe	95
PID 2300 wrote to memory of 1888	2300	Quotation-pdf-.exe	95
PID 2300 wrote to memory of 1888	2300	Quotation-pdf-.exe	95
PID 2300 wrote to memory of 1888	2300	Quotation-pdf-.exe	95
PID 2300 wrote to memory of 1888	2300	Quotation-pdf-.exe	95
PID 2300 wrote to memory of 1888	2300	Quotation-pdf-.exe	95
PID 3128 wrote to memory of 4844	3128	Explorer.EXE	97
PID 3128 wrote to memory of 4844	3128	Explorer.EXE	97
PID 3128 wrote to memory of 4844	3128	Explorer.EXE	97
PID 4844 wrote to memory of 964	4844	ipconfig.exe	98
PID 4844 wrote to memory of 964	4844	ipconfig.exe	98
PID 4844 wrote to memory of 964	4844	ipconfig.exe	98

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3128
- C:\Users\Admin\AppData\Local\Temp\Quotation-pdf-.exe
  "C:\Users\Admin\AppData\Local\Temp\Quotation-pdf-.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\yYGjXdLxDvmJNE.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4972
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yYGjXdLxDvmJNE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3950.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:1948
- - C:\Users\Admin\AppData\Local\Temp\Quotation-pdf-.exe
    "C:\Users\Admin\AppData\Local\Temp\Quotation-pdf-.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1888
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2864
- C:\Windows\SysWOW64\ipconfig.exe
  "C:\Windows\SysWOW64\ipconfig.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Gathers network information
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4844
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\Quotation-pdf-.exe"
    3⤵
    PID:964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xzqnni2x.24z.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3950.tmp

Filesize
1KB

MD5
f7bb40f072afc7bb0f9c231f9947ce41

SHA1
31eeb28b98f2ad5526df94d5eb6cfbc7517694d7

SHA256
984537c3aa6b1aa0a6d8f172a485af7918f133d595671c743031c2acc02861f4

SHA512
b4b8160b35f40cbe2c9a4e6a8f09905ea22b8c3378a62d7ab5ad2026cace69b9e3bf7790b54529b05522804b921ca716ffdfeaaf47586fd4ac55b76641f2d239

Download Submit
memory/1888-165-0x00000000016F0000-0x0000000001A3A000-memory.dmp

Filesize
3.3MB

Download
memory/1888-166-0x00000000014B0000-0x00000000014C4000-memory.dmp

Filesize
80KB

Download
memory/1888-189-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1888-147-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1888-192-0x0000000001500000-0x0000000001514000-memory.dmp

Filesize
80KB

Download
memory/1888-195-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2300-136-0x0000000004E90000-0x0000000004E9A000-memory.dmp

Filesize
40KB

Download
memory/2300-139-0x00000000066B0000-0x000000000674C000-memory.dmp

Filesize
624KB

Download
memory/2300-138-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/2300-137-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/2300-133-0x0000000000280000-0x000000000033C000-memory.dmp

Filesize
752KB

Download
memory/2300-135-0x0000000004CD0000-0x0000000004D62000-memory.dmp

Filesize
584KB

Download
memory/2300-134-0x0000000005340000-0x00000000058E4000-memory.dmp

Filesize
5.6MB

Download
memory/3128-167-0x0000000008960000-0x0000000008ABC000-memory.dmp

Filesize
1.4MB

Download
memory/3128-212-0x0000000001440000-0x0000000001450000-memory.dmp

Filesize
64KB

Download
memory/3128-218-0x0000000001440000-0x0000000001450000-memory.dmp

Filesize
64KB

Download
memory/3128-220-0x0000000001440000-0x0000000001450000-memory.dmp

Filesize
64KB

Download
memory/3128-221-0x0000000001440000-0x0000000001450000-memory.dmp

Filesize
64KB

Download
memory/3128-202-0x0000000008D80000-0x0000000008E74000-memory.dmp

Filesize
976KB

Download
memory/3128-217-0x0000000001440000-0x0000000001450000-memory.dmp

Filesize
64KB

Download
memory/3128-216-0x0000000001440000-0x0000000001450000-memory.dmp

Filesize
64KB

Download
memory/3128-215-0x0000000001440000-0x0000000001450000-memory.dmp

Filesize
64KB

Download
memory/3128-214-0x0000000001440000-0x0000000001450000-memory.dmp

Filesize
64KB

Download
memory/3128-209-0x0000000001440000-0x0000000001450000-memory.dmp

Filesize
64KB

Download
memory/3128-213-0x0000000001440000-0x0000000001450000-memory.dmp

Filesize
64KB

Download
memory/3128-210-0x0000000001440000-0x0000000001450000-memory.dmp

Filesize
64KB

Download
memory/3128-219-0x0000000001440000-0x0000000001450000-memory.dmp

Filesize
64KB

Download
memory/3128-211-0x0000000001440000-0x0000000001450000-memory.dmp

Filesize
64KB

Download
memory/3128-208-0x0000000001440000-0x0000000001450000-memory.dmp

Filesize
64KB

Download
memory/3128-205-0x0000000008D80000-0x0000000008E74000-memory.dmp

Filesize
976KB

Download
memory/3128-203-0x0000000008D80000-0x0000000008E74000-memory.dmp

Filesize
976KB

Download
memory/3128-222-0x0000000001440000-0x0000000001450000-memory.dmp

Filesize
64KB

Download
memory/3128-223-0x0000000001440000-0x0000000001450000-memory.dmp

Filesize
64KB

Download
memory/3128-193-0x00000000092C0000-0x0000000009429000-memory.dmp

Filesize
1.4MB

Download
memory/3128-224-0x0000000001460000-0x0000000001462000-memory.dmp

Filesize
8KB

Download
memory/4844-194-0x0000000000980000-0x000000000098B000-memory.dmp

Filesize
44KB

Download
memory/4844-196-0x0000000000980000-0x000000000098B000-memory.dmp

Filesize
44KB

Download
memory/4844-197-0x00000000001A0000-0x00000000001CF000-memory.dmp

Filesize
188KB

Download
memory/4844-198-0x0000000000B40000-0x0000000000E8A000-memory.dmp

Filesize
3.3MB

Download
memory/4844-199-0x00000000001A0000-0x00000000001CF000-memory.dmp

Filesize
188KB

Download
memory/4844-201-0x0000000000A30000-0x0000000000AC3000-memory.dmp

Filesize
588KB

Download
memory/4972-157-0x0000000005E20000-0x0000000005E86000-memory.dmp

Filesize
408KB

Download
memory/4972-188-0x0000000007B10000-0x0000000007B18000-memory.dmp

Filesize
32KB

Download
memory/4972-187-0x0000000007B20000-0x0000000007B3A000-memory.dmp

Filesize
104KB

Download
memory/4972-186-0x0000000007A20000-0x0000000007A2E000-memory.dmp

Filesize
56KB

Download
memory/4972-185-0x0000000007A60000-0x0000000007AF6000-memory.dmp

Filesize
600KB

Download
memory/4972-184-0x0000000007850000-0x000000000785A000-memory.dmp

Filesize
40KB

Download
memory/4972-183-0x00000000077E0000-0x00000000077FA000-memory.dmp

Filesize
104KB

Download
memory/4972-182-0x0000000007E20000-0x000000000849A000-memory.dmp

Filesize
6.5MB

Download
memory/4972-180-0x0000000002D40000-0x0000000002D50000-memory.dmp

Filesize
64KB

Download
memory/4972-181-0x000000007F430000-0x000000007F440000-memory.dmp

Filesize
64KB

Download
memory/4972-179-0x0000000006A80000-0x0000000006A9E000-memory.dmp

Filesize
120KB

Download
memory/4972-169-0x00000000712C0000-0x000000007130C000-memory.dmp

Filesize
304KB

Download
memory/4972-168-0x0000000006AA0000-0x0000000006AD2000-memory.dmp

Filesize
200KB

Download
memory/4972-164-0x00000000064D0000-0x00000000064EE000-memory.dmp

Filesize
120KB

Download
memory/4972-158-0x0000000005F00000-0x0000000005F66000-memory.dmp

Filesize
408KB

Download
memory/4972-150-0x0000000005590000-0x00000000055B2000-memory.dmp

Filesize
136KB

Download
memory/4972-151-0x0000000002D40000-0x0000000002D50000-memory.dmp

Filesize
64KB

Download
memory/4972-149-0x0000000002D40000-0x0000000002D50000-memory.dmp

Filesize
64KB

Download
memory/4972-146-0x00000000056F0000-0x0000000005D18000-memory.dmp

Filesize
6.2MB

Download
memory/4972-144-0x0000000002BE0000-0x0000000002C16000-memory.dmp

Filesize
216KB

Download