formbook | d5e9981b7fdef80983edcdda6b3e09870fe991720db4684986ceecb01d24506c

Analysis

max time kernel
149s
max time network
138s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
08/06/2023, 13:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

THREE quotations.exe
Size

766KB
MD5

ae2f78ed3b32a4e7f969ce267778ac66
SHA1

3b7c6425c65933d6b5dac6187e16a0597f3ea5aa
SHA256

d5e9981b7fdef80983edcdda6b3e09870fe991720db4684986ceecb01d24506c
SHA512

f21cf08412c3c53248e7535aa37430f314a6d8e900cc14e908bab730d1c1db555bb8875c9acca9940b1cb5ef6a7d1fdd58ee6abd9b6fe91bd4722d6037e5630e
SSDEEP

12288:0uJas/16/YHmM9mARLAV+/3M73epjTDrFljb3m0z9SFOuDsDtnQkCEgYDjz:0Bs6cV9mA9Im873epjyOxDtQXEnDf

Score

10^/10

formbook ct45 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ct45

Decoy

aeepi.com

lifestyledoneright.com

dilojakac.cfd

vievnsfabula.xyz

jiggirirecords.com

sklaap.xyz

prepper.day

tahta4d-vip.info

p94d3.xyz

17819.vip

gptvoucher.com

ig2x0m.com

croppdtt.com

hnnhiuqme6e701.xyz

zeis.xyz

w77773.com

inspantringa.cfd

webnative.xyz

haahhuzns1okd1.xyz

thinkingmansguidetowomen.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 5 IoCs

rat

resource	yara_rule
behavioral1/memory/596-63-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/596-69-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/596-74-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1872-78-0x0000000000110000-0x000000000013F000-memory.dmp	formbook
behavioral1/memory/1872-80-0x0000000000110000-0x000000000013F000-memory.dmp	formbook

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2000 set thread context of 596	2000	THREE quotations.exe	30
PID 596 set thread context of 1248	596	vbc.exe	12
PID 596 set thread context of 1248	596	vbc.exe	12
PID 1872 set thread context of 1248	1872	rundll32.exe	12

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2000	THREE quotations.exe
2000	THREE quotations.exe
2000	THREE quotations.exe
596	vbc.exe
596	vbc.exe
596	vbc.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1248	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
596	vbc.exe
596	vbc.exe
596	vbc.exe
596	vbc.exe
1872	rundll32.exe
1872	rundll32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2000	THREE quotations.exe
Token: SeDebugPrivilege	596	vbc.exe
Token: SeDebugPrivilege	1872	rundll32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1248	Explorer.EXE
1248	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1248	Explorer.EXE
1248	Explorer.EXE

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 588	2000	THREE quotations.exe	27
PID 2000 wrote to memory of 588	2000	THREE quotations.exe	27
PID 2000 wrote to memory of 588	2000	THREE quotations.exe	27
PID 2000 wrote to memory of 588	2000	THREE quotations.exe	27
PID 2000 wrote to memory of 1324	2000	THREE quotations.exe	28
PID 2000 wrote to memory of 1324	2000	THREE quotations.exe	28
PID 2000 wrote to memory of 1324	2000	THREE quotations.exe	28
PID 2000 wrote to memory of 1324	2000	THREE quotations.exe	28
PID 2000 wrote to memory of 564	2000	THREE quotations.exe	29
PID 2000 wrote to memory of 564	2000	THREE quotations.exe	29
PID 2000 wrote to memory of 564	2000	THREE quotations.exe	29
PID 2000 wrote to memory of 564	2000	THREE quotations.exe	29
PID 2000 wrote to memory of 596	2000	THREE quotations.exe	30
PID 2000 wrote to memory of 596	2000	THREE quotations.exe	30
PID 2000 wrote to memory of 596	2000	THREE quotations.exe	30
PID 2000 wrote to memory of 596	2000	THREE quotations.exe	30
PID 2000 wrote to memory of 596	2000	THREE quotations.exe	30
PID 2000 wrote to memory of 596	2000	THREE quotations.exe	30
PID 2000 wrote to memory of 596	2000	THREE quotations.exe	30
PID 596 wrote to memory of 1872	596	vbc.exe	31
PID 596 wrote to memory of 1872	596	vbc.exe	31
PID 596 wrote to memory of 1872	596	vbc.exe	31
PID 596 wrote to memory of 1872	596	vbc.exe	31
PID 596 wrote to memory of 1872	596	vbc.exe	31
PID 596 wrote to memory of 1872	596	vbc.exe	31
PID 596 wrote to memory of 1872	596	vbc.exe	31
PID 1872 wrote to memory of 364	1872	rundll32.exe	32
PID 1872 wrote to memory of 364	1872	rundll32.exe	32
PID 1872 wrote to memory of 364	1872	rundll32.exe	32
PID 1872 wrote to memory of 364	1872	rundll32.exe	32

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1248
- C:\Users\Admin\AppData\Local\Temp\THREE quotations.exe
  "C:\Users\Admin\AppData\Local\Temp\THREE quotations.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:588
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:1324
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:564
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:596
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\SysWOW64\rundll32.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1872
    - - C:\Windows\SysWOW64\cmd.exe
        
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        5⤵
        
        PID:364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/596-69-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/596-64-0x0000000000A30000-0x0000000000D33000-memory.dmp

Filesize
3.0MB

Download
memory/596-67-0x0000000000430000-0x0000000000444000-memory.dmp

Filesize
80KB

Download
memory/596-74-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/596-71-0x00000000005C0000-0x00000000005D4000-memory.dmp

Filesize
80KB

Download
memory/596-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/596-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/596-62-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/596-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1248-68-0x0000000006FD0000-0x000000000717C000-memory.dmp

Filesize
1.7MB

Download
memory/1248-82-0x0000000003E70000-0x0000000003F34000-memory.dmp

Filesize
784KB

Download
memory/1248-66-0x0000000003920000-0x0000000003A20000-memory.dmp

Filesize
1024KB

Download
memory/1248-84-0x0000000003E70000-0x0000000003F34000-memory.dmp

Filesize
784KB

Download
memory/1248-86-0x0000000003E70000-0x0000000003F34000-memory.dmp

Filesize
784KB

Download
memory/1248-72-0x0000000007320000-0x00000000074AD000-memory.dmp

Filesize
1.6MB

Download
memory/1872-80-0x0000000000110000-0x000000000013F000-memory.dmp

Filesize
188KB

Download
memory/1872-73-0x00000000008E0000-0x00000000008EE000-memory.dmp

Filesize
56KB

Download
memory/1872-75-0x00000000008E0000-0x00000000008EE000-memory.dmp

Filesize
56KB

Download
memory/1872-78-0x0000000000110000-0x000000000013F000-memory.dmp

Filesize
188KB

Download
memory/1872-77-0x00000000008E0000-0x00000000008EE000-memory.dmp

Filesize
56KB

Download
memory/1872-79-0x00000000021D0000-0x00000000024D3000-memory.dmp

Filesize
3.0MB

Download
memory/1872-81-0x00000000007F0000-0x0000000000883000-memory.dmp

Filesize
588KB

Download
memory/2000-58-0x0000000005230000-0x00000000052A0000-memory.dmp

Filesize
448KB

Download
memory/2000-55-0x0000000004E30000-0x0000000004E70000-memory.dmp

Filesize
256KB

Download
memory/2000-59-0x0000000001100000-0x0000000001138000-memory.dmp

Filesize
224KB

Download
memory/2000-54-0x0000000001150000-0x0000000001216000-memory.dmp

Filesize
792KB

Download
memory/2000-57-0x0000000000510000-0x000000000051C000-memory.dmp

Filesize
48KB

Download
memory/2000-56-0x0000000000CD0000-0x0000000000CE4000-memory.dmp

Filesize
80KB

Download