formbook | 2b05890fb7420b28f7bf26724e58d2ae4a09c9cd9b1020d2bbe42d03ac4b35f8

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2023, 12:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2b05890fb7420b28f7bf26724.exe
Size

762KB
MD5

177ed09e1d8216f87a593057ec413a52
SHA1

1cec954b01bcd3fc8e9e35f0d07dc49c1fcb9853
SHA256

2b05890fb7420b28f7bf26724e58d2ae4a09c9cd9b1020d2bbe42d03ac4b35f8
SHA512

44f92f848c1eae04cc0dfe2452a5dadd6293cfde9b8c742c612c839f4970e1b463bb27549ce6ccc32341aa9ef093861c0b39b0bb25c7d07e54bd3206058e950e
SSDEEP

12288:VPRdmMlUOv2nhg+kX0WmSJXkP4x5MlnXkr:VJddU7nS+FJSiPGMlnXk

Score

10^/10

formbook modiloader nvp4 persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

nvp4

Decoy

EiywrQNofDNveWY1IESoBA==

yqEWFGRfErX7ICQCwyQ+YeLXtaA=

Ers0rc50nbjso0jbdZTmBw==

XQxVP45+F5OZn3ZBTC7MLe1OF3G5c5uK9A==

RHh4uwtsttjzlxy+eW3+

W+xQshfnvmF5n5x2d+cEVdBNIkQRHRE=

FwlyiuXNX0+Trw==

euLn91on/7DeDe++zbQ4YeLXtaA=

td4cO8m3HDRWtl8p7Q==

ZrlyAAPqc3GXI5k=

OM0IisKOI78FJC/IuIxxAu5nRg==

d6A0QJ6PV+AOpyK+eW3+

+EgxFWUu3Ulatl8p7Q==

GC/stck1ILXn+cWZx7w8W6rPFmO6c5uK9A==

hhIiK4+CKEOfB4tr

mA1pyQ85ye8N

4xgWYcEpEoidv8eXKNncAQ==

L+hOVbe+IWyc8oVUclc=

J7EGaJ+L+wKLXUYg7w==

L5R/nfdgQdMHD+TUKw1Zo3Hb

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral2/memory/2928-135-0x00000000023A0000-0x00000000023D1000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Control Panel\International\Geo\Nation	2b05890fb7420b28f7bf26724.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qekkvthl = "C:\\Users\\Public\\Qekkvthl.url"	2b05890fb7420b28f7bf26724.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2928 set thread context of 788	2928	2b05890fb7420b28f7bf26724.exe	28
PID 2064 set thread context of 788	2064	WWAHost.exe	28

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	WWAHost.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	4	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
2928	2b05890fb7420b28f7bf26724.exe
2928	2b05890fb7420b28f7bf26724.exe
2928	2b05890fb7420b28f7bf26724.exe
2928	2b05890fb7420b28f7bf26724.exe
2928	2b05890fb7420b28f7bf26724.exe
2928	2b05890fb7420b28f7bf26724.exe
2928	2b05890fb7420b28f7bf26724.exe
2928	2b05890fb7420b28f7bf26724.exe
2064	WWAHost.exe
2064	WWAHost.exe
2064	WWAHost.exe
2064	WWAHost.exe
2064	WWAHost.exe
2064	WWAHost.exe
2064	WWAHost.exe
2064	WWAHost.exe
2064	WWAHost.exe
2064	WWAHost.exe
2064	WWAHost.exe
2064	WWAHost.exe
2064	WWAHost.exe
2064	WWAHost.exe
2064	WWAHost.exe
2064	WWAHost.exe
2064	WWAHost.exe
2064	WWAHost.exe
2064	WWAHost.exe
2064	WWAHost.exe
2064	WWAHost.exe
2064	WWAHost.exe
2064	WWAHost.exe
2064	WWAHost.exe
2064	WWAHost.exe
2064	WWAHost.exe
2064	WWAHost.exe
2064	WWAHost.exe
2064	WWAHost.exe
2064	WWAHost.exe
2064	WWAHost.exe
2064	WWAHost.exe
2064	WWAHost.exe
2064	WWAHost.exe
2064	WWAHost.exe
2064	WWAHost.exe
2064	WWAHost.exe
2064	WWAHost.exe
2064	WWAHost.exe
2064	WWAHost.exe
2064	WWAHost.exe
2064	WWAHost.exe
2064	WWAHost.exe
2064	WWAHost.exe
2064	WWAHost.exe
2064	WWAHost.exe
2064	WWAHost.exe
2064	WWAHost.exe
2064	WWAHost.exe
2064	WWAHost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
788	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
2928	2b05890fb7420b28f7bf26724.exe
2928	2b05890fb7420b28f7bf26724.exe
2928	2b05890fb7420b28f7bf26724.exe
2064	WWAHost.exe
2064	WWAHost.exe
2064	WWAHost.exe
2064	WWAHost.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	2928	2b05890fb7420b28f7bf26724.exe
Token: SeShutdownPrivilege	788	Explorer.EXE
Token: SeCreatePagefilePrivilege	788	Explorer.EXE
Token: SeDebugPrivilege	2064	WWAHost.exe
Token: SeShutdownPrivilege	788	Explorer.EXE
Token: SeCreatePagefilePrivilege	788	Explorer.EXE
Token: SeShutdownPrivilege	788	Explorer.EXE
Token: SeCreatePagefilePrivilege	788	Explorer.EXE
Token: SeShutdownPrivilege	788	Explorer.EXE
Token: SeCreatePagefilePrivilege	788	Explorer.EXE
Token: SeShutdownPrivilege	788	Explorer.EXE
Token: SeCreatePagefilePrivilege	788	Explorer.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 788 wrote to memory of 2064	788	Explorer.EXE	79
PID 788 wrote to memory of 2064	788	Explorer.EXE	79
PID 788 wrote to memory of 2064	788	Explorer.EXE	79
PID 2064 wrote to memory of 2852	2064	WWAHost.exe	80
PID 2064 wrote to memory of 2852	2064	WWAHost.exe	80
PID 2064 wrote to memory of 2852	2064	WWAHost.exe	80

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:788
- C:\Users\Admin\AppData\Local\Temp\2b05890fb7420b28f7bf26724.exe
  "C:\Users\Admin\AppData\Local\Temp\2b05890fb7420b28f7bf26724.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  PID:2928
- C:\Windows\SysWOW64\WWAHost.exe
  "C:\Windows\SysWOW64\WWAHost.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:2852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/788-194-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/788-192-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/788-206-0x00000000012A0000-0x00000000012A2000-memory.dmp

Filesize
8KB

Download
memory/788-205-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/788-204-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/788-203-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/788-202-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/788-145-0x0000000007790000-0x000000000784F000-memory.dmp

Filesize
764KB

Download
memory/788-201-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/788-200-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/788-199-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/788-174-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/788-175-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/788-197-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/788-155-0x0000000009320000-0x0000000009410000-memory.dmp

Filesize
960KB

Download
memory/788-156-0x0000000009320000-0x0000000009410000-memory.dmp

Filesize
960KB

Download
memory/788-159-0x0000000009320000-0x0000000009410000-memory.dmp

Filesize
960KB

Download
memory/788-166-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/788-167-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/788-168-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/788-169-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/788-170-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/788-171-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/788-172-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/788-196-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/788-198-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/788-195-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/788-176-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/788-177-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/788-178-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/788-179-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/788-180-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/788-181-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/788-182-0x0000000001290000-0x00000000012A0000-memory.dmp

Filesize
64KB

Download
memory/788-183-0x00000000012E0000-0x00000000012EA000-memory.dmp

Filesize
40KB

Download
memory/788-190-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/788-191-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/788-173-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/788-193-0x0000000001280000-0x0000000001290000-memory.dmp

Filesize
64KB

Download
memory/2064-150-0x0000000000EC0000-0x0000000000EED000-memory.dmp

Filesize
180KB

Download
memory/2064-152-0x0000000000EC0000-0x0000000000EED000-memory.dmp

Filesize
180KB

Download
memory/2064-149-0x0000000000FC0000-0x000000000109C000-memory.dmp

Filesize
880KB

Download
memory/2064-154-0x00000000019C0000-0x0000000001A4F000-memory.dmp

Filesize
572KB

Download
memory/2064-151-0x0000000001BC0000-0x0000000001F0A000-memory.dmp

Filesize
3.3MB

Download
memory/2064-146-0x0000000000FC0000-0x000000000109C000-memory.dmp

Filesize
880KB

Download
memory/2928-141-0x0000000003B70000-0x0000000003B9F000-memory.dmp

Filesize
188KB

Download
memory/2928-133-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/2928-144-0x0000000003F30000-0x0000000003F40000-memory.dmp

Filesize
64KB

Download
memory/2928-143-0x00000000040A0000-0x00000000043EA000-memory.dmp

Filesize
3.3MB

Download
memory/2928-142-0x0000000003B70000-0x0000000003B9F000-memory.dmp

Filesize
188KB

Download
memory/2928-135-0x00000000023A0000-0x00000000023D1000-memory.dmp

Filesize
196KB

Download
memory/2928-137-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download