formbook | 0678008b99744da75d64b17e189a5f8934780a0ddf2384d8c24e4240f796dc34

Analysis

max time kernel
39s
max time network
35s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
12/07/2023, 07:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a53ce90f8e820d5e4684735fc005b88a.exe
Size

665KB
MD5

a53ce90f8e820d5e4684735fc005b88a
SHA1

8be02cb798e731ab23b05f14cfc99ce632294423
SHA256

0678008b99744da75d64b17e189a5f8934780a0ddf2384d8c24e4240f796dc34
SHA512

95bfa247271621a5b13630f51321715702508158eaea844715ab6e9b0f97438090aaf278f9ba69fe56b7137cc441b02c8595a45615a3a017f1ca0d8ffc6c88c2
SSDEEP

12288:pN1C8HeuvIEkbB95s/yhn6Vv0g1Ma3hxG/9yG4OK23PR:8eIES5sK5Wd7bG/9YnI

Score

10^/10

formbook ge83 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ge83

Decoy

zqgf529.com

ohrana-truda-truda-rf.online

alyasra-sa.com

luxurynev.com

glassfactorycaribe.com

computechitsolutions.info

chillbeathk.com

fxphones.com

glamvoyager.com

empresaspiana.com

doraemon.center

jobstora.xyz

clicasaqui.com

shopchanticleers.com

xrworldnft.xyz

xrtrump.com

nirapottabd.com

azino777-600.buzz

2223malcolm.com

darunfayxaklf.vip

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/2408-63-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1824 set thread context of 2408	1824	a53ce90f8e820d5e4684735fc005b88a.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2288	powershell.exe
2408	a53ce90f8e820d5e4684735fc005b88a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2288	powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1824 wrote to memory of 2288	1824	a53ce90f8e820d5e4684735fc005b88a.exe	28
PID 1824 wrote to memory of 2288	1824	a53ce90f8e820d5e4684735fc005b88a.exe	28
PID 1824 wrote to memory of 2288	1824	a53ce90f8e820d5e4684735fc005b88a.exe	28
PID 1824 wrote to memory of 2288	1824	a53ce90f8e820d5e4684735fc005b88a.exe	28
PID 1824 wrote to memory of 2408	1824	a53ce90f8e820d5e4684735fc005b88a.exe	30
PID 1824 wrote to memory of 2408	1824	a53ce90f8e820d5e4684735fc005b88a.exe	30
PID 1824 wrote to memory of 2408	1824	a53ce90f8e820d5e4684735fc005b88a.exe	30
PID 1824 wrote to memory of 2408	1824	a53ce90f8e820d5e4684735fc005b88a.exe	30
PID 1824 wrote to memory of 2408	1824	a53ce90f8e820d5e4684735fc005b88a.exe	30
PID 1824 wrote to memory of 2408	1824	a53ce90f8e820d5e4684735fc005b88a.exe	30
PID 1824 wrote to memory of 2408	1824	a53ce90f8e820d5e4684735fc005b88a.exe	30

C:\Users\Admin\AppData\Local\Temp\a53ce90f8e820d5e4684735fc005b88a.exe
"C:\Users\Admin\AppData\Local\Temp\a53ce90f8e820d5e4684735fc005b88a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a53ce90f8e820d5e4684735fc005b88a.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2288
- C:\Users\Admin\AppData\Local\Temp\a53ce90f8e820d5e4684735fc005b88a.exe
  "C:\Users\Admin\AppData\Local\Temp\a53ce90f8e820d5e4684735fc005b88a.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2408

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1824-55-0x00000000004E0000-0x00000000004EC000-memory.dmp

Filesize
48KB

Download
memory/1824-56-0x0000000004880000-0x00000000048C0000-memory.dmp

Filesize
256KB

Download
memory/1824-57-0x0000000004880000-0x00000000048C0000-memory.dmp

Filesize
256KB

Download
memory/1824-58-0x00000000004F0000-0x00000000004FA000-memory.dmp

Filesize
40KB

Download
memory/1824-59-0x0000000004D40000-0x0000000004DAE000-memory.dmp

Filesize
440KB

Download
memory/1824-54-0x0000000001010000-0x00000000010BC000-memory.dmp

Filesize
688KB

Download
memory/2288-67-0x00000000023D0000-0x0000000002410000-memory.dmp

Filesize
256KB

Download
memory/2288-68-0x00000000023D0000-0x0000000002410000-memory.dmp

Filesize
256KB

Download
memory/2288-69-0x00000000023D0000-0x0000000002410000-memory.dmp

Filesize
256KB

Download
memory/2408-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2408-66-0x00000000009C0000-0x0000000000CC3000-memory.dmp

Filesize
3.0MB

Download
memory/2408-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2408-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2408-62-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download