formbook | a1f8e5efca3676dae1b403d30644419c8a737028327a97f0adcbb09d18cc21ba

Analysis

max time kernel
118s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
07/06/2023, 11:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a1f8e5efca3676dae1b403d30644419c8a737028327a97f0adcbb09d18cc21ba.exe
Size

803KB
MD5

4c9d490c41c872311332c0cbc2a999e5
SHA1

8e5e136ccb4865f6c66fb596b0fb10338e77d04b
SHA256

a1f8e5efca3676dae1b403d30644419c8a737028327a97f0adcbb09d18cc21ba
SHA512

c960f2c3101c50e30a270ff4e18a96cef9e2b31f5c75f327a1873d97a85c8937965092229b4aad96bbb3ef53b07af7a82a9fa194d35ca3f6551921586310e71e
SSDEEP

24576:dhrWy28X0DhRPKGmZaSfIjWwCyHdgtVjBv0I+:nWy2Y01NKG0aE+CyGvjBv

Score

10^/10

formbook s90a rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

s90a

Decoy

0vgf22.shop

eyewearstories.com

hotvibes.africa

cgseon.com

ibx-keys.com

3ruuefka.com

bliss-blissful.com

ccwt.vip

dswb2b.com

globaltigerventure.com

akinbenjamin.africa

healingforbodyandsoul.com

bermudadunesmovers.com

iconiclondontours.com

houseofbeauti.com

aaghneyafoodsproducts.com

bewertungsanwalt.com

74567.site

cabinet-mak.com

midnighthelp.net

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/1304-73-0x000000001A860000-0x000000001A88F000-memory.dmp	formbook
behavioral1/memory/1304-74-0x000000001B440000-0x000000001B4C0000-memory.dmp	formbook

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1304	a1f8e5efca3676dae1b403d30644419c8a737028327a97f0adcbb09d18cc21ba.exe
1304	a1f8e5efca3676dae1b403d30644419c8a737028327a97f0adcbb09d18cc21ba.exe
1304	a1f8e5efca3676dae1b403d30644419c8a737028327a97f0adcbb09d18cc21ba.exe
1932	powershell.exe
1304	a1f8e5efca3676dae1b403d30644419c8a737028327a97f0adcbb09d18cc21ba.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1304	a1f8e5efca3676dae1b403d30644419c8a737028327a97f0adcbb09d18cc21ba.exe
Token: SeDebugPrivilege	1932	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 1932	1304	a1f8e5efca3676dae1b403d30644419c8a737028327a97f0adcbb09d18cc21ba.exe	27
PID 1304 wrote to memory of 1932	1304	a1f8e5efca3676dae1b403d30644419c8a737028327a97f0adcbb09d18cc21ba.exe	27
PID 1304 wrote to memory of 1932	1304	a1f8e5efca3676dae1b403d30644419c8a737028327a97f0adcbb09d18cc21ba.exe	27

C:\Users\Admin\AppData\Local\Temp\a1f8e5efca3676dae1b403d30644419c8a737028327a97f0adcbb09d18cc21ba.exe
"C:\Users\Admin\AppData\Local\Temp\a1f8e5efca3676dae1b403d30644419c8a737028327a97f0adcbb09d18cc21ba.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1304-54-0x00000000008E0000-0x00000000009B0000-memory.dmp

Filesize
832KB

Download
memory/1304-55-0x000000001B440000-0x000000001B4C0000-memory.dmp

Filesize
512KB

Download
memory/1304-56-0x000000001AE50000-0x000000001AF1E000-memory.dmp

Filesize
824KB

Download
memory/1304-57-0x0000000001FE0000-0x0000000002008000-memory.dmp

Filesize
160KB

Download
memory/1304-58-0x000000001AC90000-0x000000001AD22000-memory.dmp

Filesize
584KB

Download
memory/1304-74-0x000000001B440000-0x000000001B4C0000-memory.dmp

Filesize
512KB

Download
memory/1304-73-0x000000001A860000-0x000000001A88F000-memory.dmp

Filesize
188KB

Download
memory/1304-68-0x000000001B440000-0x000000001B4C0000-memory.dmp

Filesize
512KB

Download
memory/1932-66-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download
memory/1932-67-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download
memory/1932-65-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download
memory/1932-69-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download
memory/1932-70-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download
memory/1932-71-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download
memory/1932-72-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download
memory/1932-64-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/1932-63-0x000000001B1C0000-0x000000001B4A2000-memory.dmp

Filesize
2.9MB

Download