formbook | 4e57a7ae42e9005020df2671b6aa6cf19d044be264da5f8e1a4836d5a47b2f14

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
08/06/2023, 05:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e57a7ae42e9005020df2671b6aa6cf19d044be264da5f8e1a4836d5a47b2f14.exe
Size

1018KB
MD5

8f25fe4c31de1a795ca154d7dacad298
SHA1

754e42ede6c7d66fee0c161538ba7f274b09c613
SHA256

4e57a7ae42e9005020df2671b6aa6cf19d044be264da5f8e1a4836d5a47b2f14
SHA512

cf9dd4d770a70def7865431cb697e8b6b2ecd39bb73fd0835d72b16d5980c4fa802f2653587952c3d4e2426b55e4302b5f1611dd1f06f8c00bc132b0c45aa7d2
SSDEEP

24576:ePLjh9E6G3VibpHIdebodR6jlKFtQVUv+iP8o79bO+:2jh3G32poHRS2tQuWikK9j

Score

10^/10

formbook be03 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

be03

Decoy

caritahu.xyz

myranksoldier.com

belanjakaleng.shop

happytalentatwork.com

miscdot.net

k007i.fun

btq8.com

ae888te.top

pp81870.com

fitness-instructor.asia

gigamoonai.com

rajabt.online

wearerdio.store

kolapsgretel.cfd

pgp912.com

greenbayrfl.com

ledscroller.net

geposmet.xyz

w77738.com

dillgemme.cfd

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/4776-140-0x0000000000400000-0x0000000001654000-memory.dmp	formbook

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	4e57a7ae42e9005020df2671b6aa6cf19d044be264da5f8e1a4836d5a47b2f14.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	4e57a7ae42e9005020df2671b6aa6cf19d044be264da5f8e1a4836d5a47b2f14.exe

Loads dropped DLL 1 IoCs

pid	Process
2128	4e57a7ae42e9005020df2671b6aa6cf19d044be264da5f8e1a4836d5a47b2f14.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4776	4e57a7ae42e9005020df2671b6aa6cf19d044be264da5f8e1a4836d5a47b2f14.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2128	4e57a7ae42e9005020df2671b6aa6cf19d044be264da5f8e1a4836d5a47b2f14.exe
4776	4e57a7ae42e9005020df2671b6aa6cf19d044be264da5f8e1a4836d5a47b2f14.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2128 set thread context of 4776	2128	4e57a7ae42e9005020df2671b6aa6cf19d044be264da5f8e1a4836d5a47b2f14.exe	88

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4776	4e57a7ae42e9005020df2671b6aa6cf19d044be264da5f8e1a4836d5a47b2f14.exe
4776	4e57a7ae42e9005020df2671b6aa6cf19d044be264da5f8e1a4836d5a47b2f14.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2128	4e57a7ae42e9005020df2671b6aa6cf19d044be264da5f8e1a4836d5a47b2f14.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 4776	2128	4e57a7ae42e9005020df2671b6aa6cf19d044be264da5f8e1a4836d5a47b2f14.exe	88
PID 2128 wrote to memory of 4776	2128	4e57a7ae42e9005020df2671b6aa6cf19d044be264da5f8e1a4836d5a47b2f14.exe	88
PID 2128 wrote to memory of 4776	2128	4e57a7ae42e9005020df2671b6aa6cf19d044be264da5f8e1a4836d5a47b2f14.exe	88
PID 2128 wrote to memory of 4776	2128	4e57a7ae42e9005020df2671b6aa6cf19d044be264da5f8e1a4836d5a47b2f14.exe	88

C:\Users\Admin\AppData\Local\Temp\4e57a7ae42e9005020df2671b6aa6cf19d044be264da5f8e1a4836d5a47b2f14.exe
"C:\Users\Admin\AppData\Local\Temp\4e57a7ae42e9005020df2671b6aa6cf19d044be264da5f8e1a4836d5a47b2f14.exe"
1⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\4e57a7ae42e9005020df2671b6aa6cf19d044be264da5f8e1a4836d5a47b2f14.exe
  "C:\Users\Admin\AppData\Local\Temp\4e57a7ae42e9005020df2671b6aa6cf19d044be264da5f8e1a4836d5a47b2f14.exe"
  2⤵
  - Checks QEMU agent file
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:4776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nse7A27.tmp\System.dll

Filesize
11KB

MD5
fbe295e5a1acfbd0a6271898f885fe6a

SHA1
d6d205922e61635472efb13c2bb92c9ac6cb96da

SHA256
a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

SHA512
2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

Download Submit
memory/4776-139-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4776-140-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/4776-141-0x0000000001660000-0x0000000006ACE000-memory.dmp

Filesize
84.4MB

Download
memory/4776-142-0x0000000001660000-0x0000000006ACE000-memory.dmp

Filesize
84.4MB

Download
memory/4776-144-0x0000000036F20000-0x000000003726A000-memory.dmp

Filesize
3.3MB

Download