formbook | ec9d091c881ad4da6f5e77f947c2723b1aa374fbf373931871c767dfb9cabb0e

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2023, 16:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

JUNEupdatedSOAexe.exe
Size

352KB
MD5

69c2be41eea373b5fd86c88464868064
SHA1

af52386882ee00e91425ebce6fb409b36cd49d2c
SHA256

ec9d091c881ad4da6f5e77f947c2723b1aa374fbf373931871c767dfb9cabb0e
SHA512

b5fe4d6fb8276552a1c16b2ec94341e549401a71645d7ab26b53dc63e20de7201cfa28ab543459951a8f50c2049974533c82083c95c353b1e9ac4ceed41fbbc4
SSDEEP

6144:vYa6cmu5R3tS1ZmDoPfLLw6gCeF00DxKzMu+GAPgnYyXy8eBkoxG+o3V6kfm:vYSz5eZmMPfLhEFBszj+GAPeLi8e+6qm

Score

10^/10

formbook s28y persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

s28y

Decoy

whytry.shop

readyconcreto.com

redbudvending.com

prosblogs.com

litescales.sbs

campinglager.beer

serenitysuite.health

starbytescafe.com

youbi.cyou

hg301d.cfd

nissanvideos.com

kedou25.com

relovedresses.com

contourbioinc.com

usrinfo.top

i8ep58.cfd

wildcatcreekhomes.com

mpocash.mobi

shisokj.vip

jiangwan.top

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/2736-140-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2736-146-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/5104-149-0x0000000000DD0000-0x0000000000DFF000-memory.dmp	formbook
behavioral2/memory/5104-151-0x0000000000DD0000-0x0000000000DFF000-memory.dmp	formbook

Loads dropped DLL 1 IoCs

pid	Process
4956	JUNEupdatedSOAexe.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vrbkgpyueajso = "C:\\Users\\Admin\\AppData\\Roaming\\irbwgcl\\uqajfoktdyiqm.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\JUNEupdatedSOAexe.exe\""	JUNEupdatedSOAexe.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4956 set thread context of 2736	4956	JUNEupdatedSOAexe.exe	84
PID 2736 set thread context of 3172	2736	JUNEupdatedSOAexe.exe	43
PID 5104 set thread context of 3172	5104	cmmon32.exe	43

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
2736	JUNEupdatedSOAexe.exe
2736	JUNEupdatedSOAexe.exe
2736	JUNEupdatedSOAexe.exe
2736	JUNEupdatedSOAexe.exe
5104	cmmon32.exe
5104	cmmon32.exe
5104	cmmon32.exe
5104	cmmon32.exe
5104	cmmon32.exe
5104	cmmon32.exe
5104	cmmon32.exe
5104	cmmon32.exe
5104	cmmon32.exe
5104	cmmon32.exe
5104	cmmon32.exe
5104	cmmon32.exe
5104	cmmon32.exe
5104	cmmon32.exe
5104	cmmon32.exe
5104	cmmon32.exe
5104	cmmon32.exe
5104	cmmon32.exe
5104	cmmon32.exe
5104	cmmon32.exe
5104	cmmon32.exe
5104	cmmon32.exe
5104	cmmon32.exe
5104	cmmon32.exe
5104	cmmon32.exe
5104	cmmon32.exe
5104	cmmon32.exe
5104	cmmon32.exe
5104	cmmon32.exe
5104	cmmon32.exe
5104	cmmon32.exe
5104	cmmon32.exe
5104	cmmon32.exe
5104	cmmon32.exe
5104	cmmon32.exe
5104	cmmon32.exe
5104	cmmon32.exe
5104	cmmon32.exe
5104	cmmon32.exe
5104	cmmon32.exe
5104	cmmon32.exe
5104	cmmon32.exe
5104	cmmon32.exe
5104	cmmon32.exe
5104	cmmon32.exe
5104	cmmon32.exe
5104	cmmon32.exe
5104	cmmon32.exe
5104	cmmon32.exe
5104	cmmon32.exe
5104	cmmon32.exe
5104	cmmon32.exe
5104	cmmon32.exe
5104	cmmon32.exe
5104	cmmon32.exe
5104	cmmon32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3172	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
4956	JUNEupdatedSOAexe.exe
2736	JUNEupdatedSOAexe.exe
2736	JUNEupdatedSOAexe.exe
2736	JUNEupdatedSOAexe.exe
5104	cmmon32.exe
5104	cmmon32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2736	JUNEupdatedSOAexe.exe
Token: SeDebugPrivilege	5104	cmmon32.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 2736	4956	JUNEupdatedSOAexe.exe	84
PID 4956 wrote to memory of 2736	4956	JUNEupdatedSOAexe.exe	84
PID 4956 wrote to memory of 2736	4956	JUNEupdatedSOAexe.exe	84
PID 4956 wrote to memory of 2736	4956	JUNEupdatedSOAexe.exe	84
PID 3172 wrote to memory of 5104	3172	Explorer.EXE	85
PID 3172 wrote to memory of 5104	3172	Explorer.EXE	85
PID 3172 wrote to memory of 5104	3172	Explorer.EXE	85
PID 5104 wrote to memory of 1740	5104	cmmon32.exe	88
PID 5104 wrote to memory of 1740	5104	cmmon32.exe	88
PID 5104 wrote to memory of 1740	5104	cmmon32.exe	88

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3172
- C:\Users\Admin\AppData\Local\Temp\JUNEupdatedSOAexe.exe
  "C:\Users\Admin\AppData\Local\Temp\JUNEupdatedSOAexe.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Users\Admin\AppData\Local\Temp\JUNEupdatedSOAexe.exe
    "C:\Users\Admin\AppData\Local\Temp\JUNEupdatedSOAexe.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2736
- C:\Windows\SysWOW64\cmmon32.exe
  "C:\Windows\SysWOW64\cmmon32.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5104
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\JUNEupdatedSOAexe.exe"
    3⤵
    PID:1740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsg7C56.tmp\ztgffpw.dll

Filesize
277KB

MD5
fe8d97766d43cb2325e30421ccd9583e

SHA1
53ff473d6b9dbc624e8fdb4575e680658cff41cc

SHA256
61e8097de8efef06b7510abffb5e8be94f70c8c8e00c5ac8c3dc00e8be45f740

SHA512
294cccc6ec23970607ad60112c27abe3cb58d855efada0f6e015380536106e0fa210bd0117afa73beeb14a763e4bdf986734c7170d0473e36699226d07578694

Download Submit
memory/2736-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2736-142-0x00000000009D0000-0x0000000000D1A000-memory.dmp

Filesize
3.3MB

Download
memory/2736-143-0x00000000006D0000-0x00000000006E5000-memory.dmp

Filesize
84KB

Download
memory/2736-146-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3172-154-0x00000000085D0000-0x00000000086D2000-memory.dmp

Filesize
1.0MB

Download
memory/3172-144-0x0000000008230000-0x00000000083AB000-memory.dmp

Filesize
1.5MB

Download
memory/3172-157-0x00000000085D0000-0x00000000086D2000-memory.dmp

Filesize
1.0MB

Download
memory/3172-155-0x00000000085D0000-0x00000000086D2000-memory.dmp

Filesize
1.0MB

Download
memory/5104-148-0x0000000000E30000-0x0000000000E3C000-memory.dmp

Filesize
48KB

Download
memory/5104-151-0x0000000000DD0000-0x0000000000DFF000-memory.dmp

Filesize
188KB

Download
memory/5104-153-0x0000000002D00000-0x0000000002D94000-memory.dmp

Filesize
592KB

Download
memory/5104-149-0x0000000000DD0000-0x0000000000DFF000-memory.dmp

Filesize
188KB

Download
memory/5104-150-0x0000000002F90000-0x00000000032DA000-memory.dmp

Filesize
3.3MB

Download
memory/5104-145-0x0000000000E30000-0x0000000000E3C000-memory.dmp

Filesize
48KB

Download