formbook | 321691557b39805530f57b29887ab32e5ddd81ad080ac4d91d964c978fbc6b04

Analysis

max time kernel
152s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
16/06/2023, 11:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

DHL Receipt276334VWE.exe
Size

253KB
MD5

b6f80ee925e9745fb5305429f1ce1a74
SHA1

c1d19e16638195fd2fdf8e4adabea6d1b25a8681
SHA256

321691557b39805530f57b29887ab32e5ddd81ad080ac4d91d964c978fbc6b04
SHA512

1ec6563bdd4d073008b796c5ae307d77012904faee0dbc0197d099018cf5a37f2e32370001018a61758d2269a506373457b9d0ccfc6a2a3e8891fae230e10f2b
SSDEEP

6144:/Ya6RZ7+pUU4mnLG7nwjhtwa9sIStaIR125jJvTMa2R:/YDZ7KUVmnLG7nwjZ2JaIR1UTbi

Score

10^/10

formbook j0c7 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

j0c7

Decoy

dvyuansu.com

flyersfirst.com

lbvasd.xyz

samodeling.com

lsty.net

agreels.com

gptvai.com

tyec.xyz

infercn.top

restinpeace.website

flaxtest.com

manaroo.com

altyazi-hub.xyz

devrijeweide.store

thebestfurnitureplace.com

combatsportsacademyus.com

segui276.pics

starseedalignment.com

fish-pay.com

letsbet.life

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/4288-141-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4288-145-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3564-152-0x00000000010A0000-0x00000000010CF000-memory.dmp	formbook
behavioral2/memory/3564-154-0x00000000010A0000-0x00000000010CF000-memory.dmp	formbook

Loads dropped DLL 1 IoCs

pid	Process
2480	DHL Receipt276334VWE.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2480 set thread context of 4288	2480	DHL Receipt276334VWE.exe	83
PID 4288 set thread context of 3204	4288	DHL Receipt276334VWE.exe	46
PID 3564 set thread context of 3204	3564	cmmon32.exe	46

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
4288	DHL Receipt276334VWE.exe
4288	DHL Receipt276334VWE.exe
4288	DHL Receipt276334VWE.exe
4288	DHL Receipt276334VWE.exe
3564	cmmon32.exe
3564	cmmon32.exe
3564	cmmon32.exe
3564	cmmon32.exe
3564	cmmon32.exe
3564	cmmon32.exe
3564	cmmon32.exe
3564	cmmon32.exe
3564	cmmon32.exe
3564	cmmon32.exe
3564	cmmon32.exe
3564	cmmon32.exe
3564	cmmon32.exe
3564	cmmon32.exe
3564	cmmon32.exe
3564	cmmon32.exe
3564	cmmon32.exe
3564	cmmon32.exe
3564	cmmon32.exe
3564	cmmon32.exe
3564	cmmon32.exe
3564	cmmon32.exe
3564	cmmon32.exe
3564	cmmon32.exe
3564	cmmon32.exe
3564	cmmon32.exe
3564	cmmon32.exe
3564	cmmon32.exe
3564	cmmon32.exe
3564	cmmon32.exe
3564	cmmon32.exe
3564	cmmon32.exe
3564	cmmon32.exe
3564	cmmon32.exe
3564	cmmon32.exe
3564	cmmon32.exe
3564	cmmon32.exe
3564	cmmon32.exe
3564	cmmon32.exe
3564	cmmon32.exe
3564	cmmon32.exe
3564	cmmon32.exe
3564	cmmon32.exe
3564	cmmon32.exe
3564	cmmon32.exe
3564	cmmon32.exe
3564	cmmon32.exe
3564	cmmon32.exe
3564	cmmon32.exe
3564	cmmon32.exe
3564	cmmon32.exe
3564	cmmon32.exe
3564	cmmon32.exe
3564	cmmon32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3204	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2480	DHL Receipt276334VWE.exe
4288	DHL Receipt276334VWE.exe
4288	DHL Receipt276334VWE.exe
4288	DHL Receipt276334VWE.exe
3564	cmmon32.exe
3564	cmmon32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4288	DHL Receipt276334VWE.exe
Token: SeDebugPrivilege	3564	cmmon32.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 4288	2480	DHL Receipt276334VWE.exe	83
PID 2480 wrote to memory of 4288	2480	DHL Receipt276334VWE.exe	83
PID 2480 wrote to memory of 4288	2480	DHL Receipt276334VWE.exe	83
PID 2480 wrote to memory of 4288	2480	DHL Receipt276334VWE.exe	83
PID 3204 wrote to memory of 3564	3204	Explorer.EXE	85
PID 3204 wrote to memory of 3564	3204	Explorer.EXE	85
PID 3204 wrote to memory of 3564	3204	Explorer.EXE	85
PID 3564 wrote to memory of 1272	3564	cmmon32.exe	88
PID 3564 wrote to memory of 1272	3564	cmmon32.exe	88
PID 3564 wrote to memory of 1272	3564	cmmon32.exe	88

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3204
- C:\Users\Admin\AppData\Local\Temp\DHL Receipt276334VWE.exe
  "C:\Users\Admin\AppData\Local\Temp\DHL Receipt276334VWE.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Users\Admin\AppData\Local\Temp\DHL Receipt276334VWE.exe
    "C:\Users\Admin\AppData\Local\Temp\DHL Receipt276334VWE.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:4288
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:4800
- C:\Windows\SysWOW64\cmmon32.exe
  "C:\Windows\SysWOW64\cmmon32.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3564
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\DHL Receipt276334VWE.exe"
    3⤵
    PID:1272

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsdCFAB.tmp\xhkpkm.dll

Filesize
41KB

MD5
a7d4f2328803da6d4c3099267d5e6f6e

SHA1
da374b32542513ddf1085f59dbdcd98f7d25cbd7

SHA256
220f8168831410ae1876665fa2022c863dbe26918ecbcedc52a356c47919ebcf

SHA512
ed58001ba41ada9e6988b78963e685a071e2a2cd0ffda0a6d6f92452d0c610a84f2795dc47d1998bbaff1ab2271897010b214ada824db94cb4634222642392eb

Download Submit
memory/2480-140-0x0000000003150000-0x0000000003152000-memory.dmp

Filesize
8KB

Download
memory/3204-161-0x00000000097E0000-0x00000000098C4000-memory.dmp

Filesize
912KB

Download
memory/3204-159-0x00000000097E0000-0x00000000098C4000-memory.dmp

Filesize
912KB

Download
memory/3204-158-0x00000000097E0000-0x00000000098C4000-memory.dmp

Filesize
912KB

Download
memory/3204-156-0x00000000094E0000-0x0000000009606000-memory.dmp

Filesize
1.1MB

Download
memory/3204-147-0x00000000094E0000-0x0000000009606000-memory.dmp

Filesize
1.1MB

Download
memory/3564-151-0x00000000008E0000-0x00000000008EC000-memory.dmp

Filesize
48KB

Download
memory/3564-149-0x00000000008E0000-0x00000000008EC000-memory.dmp

Filesize
48KB

Download
memory/3564-152-0x00000000010A0000-0x00000000010CF000-memory.dmp

Filesize
188KB

Download
memory/3564-153-0x0000000002F40000-0x000000000328A000-memory.dmp

Filesize
3.3MB

Download
memory/3564-154-0x00000000010A0000-0x00000000010CF000-memory.dmp

Filesize
188KB

Download
memory/3564-157-0x0000000002DB0000-0x0000000002E44000-memory.dmp

Filesize
592KB

Download
memory/4288-146-0x00000000005F0000-0x0000000000605000-memory.dmp

Filesize
84KB

Download
memory/4288-145-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4288-144-0x0000000000A70000-0x0000000000DBA000-memory.dmp

Filesize
3.3MB

Download
memory/4288-141-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download