formbook | 0060a054e71c2e0560265860cbd3cbd26119ada2e991202318cbd4b75a51e044

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
09-07-2023 19:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2304620x00000000004000000.exe
Size

188KB
MD5

c4df10ee6bd4cf17be8d55ec284aa5e8
SHA1

fb60ceb65ddd9bcc1ed140c83ffeaea8a2b7c977
SHA256

0060a054e71c2e0560265860cbd3cbd26119ada2e991202318cbd4b75a51e044
SHA512

a8a178b142f4991ecdf711134fd26a24ece8273de015ce1027c8cd12098882091266c8c01b968db8f5c6d83e158a430659ac1ceeaa803dc2d29e51fe1ab2f146
SSDEEP

3072:Iur9kcu499njk3K0vu6gx9btwU9LiJi4viUg4pK8dL8mHUj6A2UZIyJA:aWKKenI9btwU9LiJi4C4pqmTA2fU

Score

10^/10

formbook dn7r rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dn7r

Decoy

eventphotographerdfw.com

thehalalcoinstaking.com

philipfaziofineart.com

intercoh.com

gaiaseyephotography.com

chatbotforrealestate.com

lovelancemg.com

marlieskasberger.com

elcongoenespanol.info

lepirecredit.com

distribution-concept.com

e99game.com

exit11festival.com

twodollartoothbrushclub.com

cocktailsandlawn.com

performimprove.network

24horas-telefono-11840.com

cosmossify.com

kellenleote.com

perovskite.energy

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3728-138-0x0000000000F10000-0x0000000000F3F000-memory.dmp	formbook
behavioral2/memory/3728-140-0x0000000000F10000-0x0000000000F3F000-memory.dmp	formbook

Suspicious use of SetThreadContext 2 IoCs

Processes:

2304620x00000000004000000.execmstp.exe

description	pid	process	target process
PID 2988 set thread context of 3232	2988	2304620x00000000004000000.exe	Explorer.EXE
PID 3728 set thread context of 3232	3728	cmstp.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

2304620x00000000004000000.execmstp.exe

pid	process
2988	2304620x00000000004000000.exe
2988	2304620x00000000004000000.exe
2988	2304620x00000000004000000.exe
2988	2304620x00000000004000000.exe
3728	cmstp.exe
3728	cmstp.exe
3728	cmstp.exe
3728	cmstp.exe
3728	cmstp.exe
3728	cmstp.exe
3728	cmstp.exe
3728	cmstp.exe
3728	cmstp.exe
3728	cmstp.exe
3728	cmstp.exe
3728	cmstp.exe
3728	cmstp.exe
3728	cmstp.exe
3728	cmstp.exe
3728	cmstp.exe
3728	cmstp.exe
3728	cmstp.exe
3728	cmstp.exe
3728	cmstp.exe
3728	cmstp.exe
3728	cmstp.exe
3728	cmstp.exe
3728	cmstp.exe
3728	cmstp.exe
3728	cmstp.exe
3728	cmstp.exe
3728	cmstp.exe
3728	cmstp.exe
3728	cmstp.exe
3728	cmstp.exe
3728	cmstp.exe
3728	cmstp.exe
3728	cmstp.exe
3728	cmstp.exe
3728	cmstp.exe
3728	cmstp.exe
3728	cmstp.exe
3728	cmstp.exe
3728	cmstp.exe
3728	cmstp.exe
3728	cmstp.exe
3728	cmstp.exe
3728	cmstp.exe
3728	cmstp.exe
3728	cmstp.exe
3728	cmstp.exe
3728	cmstp.exe
3728	cmstp.exe
3728	cmstp.exe
3728	cmstp.exe
3728	cmstp.exe
3728	cmstp.exe
3728	cmstp.exe
3728	cmstp.exe
3728	cmstp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3232 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

2304620x00000000004000000.execmstp.exe

pid process

2988 2304620x00000000004000000.exe
2988 2304620x00000000004000000.exe
2988 2304620x00000000004000000.exe
3728 cmstp.exe
3728 cmstp.exe

pid	process
3232	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

2304620x00000000004000000.execmstp.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	2988	2304620x00000000004000000.exe
Token: SeDebugPrivilege	3728	cmstp.exe
Token: SeShutdownPrivilege	3232	Explorer.EXE
Token: SeCreatePagefilePrivilege	3232	Explorer.EXE
Token: SeShutdownPrivilege	3232	Explorer.EXE
Token: SeCreatePagefilePrivilege	3232	Explorer.EXE
Token: SeShutdownPrivilege	3232	Explorer.EXE
Token: SeCreatePagefilePrivilege	3232	Explorer.EXE
Token: SeShutdownPrivilege	3232	Explorer.EXE
Token: SeCreatePagefilePrivilege	3232	Explorer.EXE
Token: SeShutdownPrivilege	3232	Explorer.EXE
Token: SeCreatePagefilePrivilege	3232	Explorer.EXE
Token: SeShutdownPrivilege	3232	Explorer.EXE
Token: SeCreatePagefilePrivilege	3232	Explorer.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

Explorer.EXEcmstp.exe

description	pid	process	target process
PID 3232 wrote to memory of 3728	3232	Explorer.EXE	cmstp.exe
PID 3232 wrote to memory of 3728	3232	Explorer.EXE	cmstp.exe
PID 3232 wrote to memory of 3728	3232	Explorer.EXE	cmstp.exe
PID 3728 wrote to memory of 4636	3728	cmstp.exe	cmd.exe
PID 3728 wrote to memory of 4636	3728	cmstp.exe	cmd.exe
PID 3728 wrote to memory of 4636	3728	cmstp.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3232

C:\Users\Admin\AppData\Local\Temp\2304620x00000000004000000.exe
"C:\Users\Admin\AppData\Local\Temp\2304620x00000000004000000.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2988

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3728

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\2304620x00000000004000000.exe"
3⤵
PID:4636

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2988-133-0x0000000001560000-0x00000000018AA000-memory.dmp

Filesize
3.3MB

Download
memory/2988-134-0x0000000000B80000-0x0000000000B95000-memory.dmp

Filesize
84KB

Download
memory/3232-178-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/3232-200-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/3232-144-0x00000000085E0000-0x00000000086D7000-memory.dmp

Filesize
988KB

Download
memory/3232-145-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/3232-146-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/3232-147-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/3232-135-0x00000000084F0000-0x00000000085E0000-memory.dmp

Filesize
960KB

Download
memory/3232-148-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/3232-149-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/3232-150-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/3232-180-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/3232-153-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/3232-152-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/3232-154-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/3232-155-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/3232-156-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/3232-157-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/3232-158-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/3232-161-0x00000000025C0000-0x00000000025D0000-memory.dmp

Filesize
64KB

Download
memory/3232-160-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/3232-162-0x00000000027E0000-0x00000000027F0000-memory.dmp

Filesize
64KB

Download
memory/3232-163-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/3232-164-0x00000000085E0000-0x00000000086D7000-memory.dmp

Filesize
988KB

Download
memory/3232-166-0x00000000027E0000-0x00000000027F0000-memory.dmp

Filesize
64KB

Download
memory/3232-172-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/3232-173-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/3232-174-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/3232-175-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/3232-176-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/3232-177-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/3232-179-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/3232-211-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/3232-151-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/3232-181-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/3232-183-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/3232-182-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/3232-184-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/3232-185-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/3232-186-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/3232-187-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/3232-188-0x00000000025D0000-0x00000000025D2000-memory.dmp

Filesize
8KB

Download
memory/3232-189-0x00000000027E0000-0x00000000027F0000-memory.dmp

Filesize
64KB

Download
memory/3232-191-0x00000000027E0000-0x00000000027F0000-memory.dmp

Filesize
64KB

Download
memory/3232-192-0x00000000027E0000-0x00000000027F0000-memory.dmp

Filesize
64KB

Download
memory/3232-198-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/3232-199-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/3232-143-0x00000000085E0000-0x00000000086D7000-memory.dmp

Filesize
988KB

Download
memory/3232-201-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/3232-202-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/3232-203-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/3232-204-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/3232-206-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/3232-205-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/3232-207-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/3232-208-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/3232-209-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/3232-210-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/3232-212-0x0000000002AA0000-0x0000000002AB0000-memory.dmp

Filesize
64KB

Download
memory/3728-137-0x0000000000440000-0x0000000000456000-memory.dmp

Filesize
88KB

Download
memory/3728-139-0x00000000030F0000-0x000000000343A000-memory.dmp

Filesize
3.3MB

Download
memory/3728-138-0x0000000000F10000-0x0000000000F3F000-memory.dmp

Filesize
188KB

Download
memory/3728-136-0x0000000000440000-0x0000000000456000-memory.dmp

Filesize
88KB

Download
memory/3728-140-0x0000000000F10000-0x0000000000F3F000-memory.dmp

Filesize
188KB

Download
memory/3728-142-0x0000000002E50000-0x0000000002EE4000-memory.dmp

Filesize
592KB

Download