formbook | 7bf47a92fadd875caa70db94a8ef153f7e63296357619e23a27b2d4e0a6a2bde

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
14/07/2023, 12:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Sipariş formu 07.14.exe
Size

263KB
MD5

719c522aec409b51c6868a77f80b6fa8
SHA1

416357c9f7ecc7e9a6e70e3703075f53846f176f
SHA256

7bf47a92fadd875caa70db94a8ef153f7e63296357619e23a27b2d4e0a6a2bde
SHA512

3bd2455092e7ed61838737f68c83e7f4e555dcd92a0a975eb4acff6dd9a08f3986d48afe82d563d8c3db0d1068801b370ad20b3ed517547ed74845a2f1249046
SSDEEP

6144:vYa6ZSSel/J61D4l7EMPHf6G+MDtSSfS606DHTtw7mkNlVxv4ODw:vYrvoJg6diG+MDG60OHTtw7mkZxvu

Score

10^/10

formbook b0y4 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

b0y4

Decoy

cayocabana.com

handbholidaylighting.com

bombastickmast.com

engageandexceltutoring.com

acdaiucdac.com

alfahifurniture.com

ageingxx.com

app-fintoch.com

quintanaatverde.com

theimperfectangel.com

usvisa-infu.com

774495.com

betjogue.com

jil-fashion.com

luxury-developments.com

tonestarconsulting.com

betonlineaustralia.com

oldglorywineandwhiskey.com

pemimmobiliare.com

carefourexpress.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 5 IoCs

rat

resource	yara_rule
behavioral2/memory/4120-139-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4120-143-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4120-147-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/504-156-0x0000000000FA0000-0x0000000000FCF000-memory.dmp	formbook
behavioral2/memory/504-158-0x0000000000FA0000-0x0000000000FCF000-memory.dmp	formbook

Loads dropped DLL 1 IoCs

pid	Process
2196	Sipariş formu 07.14.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2196 set thread context of 4120	2196	Sipariş formu 07.14.exe	86
PID 4120 set thread context of 3116	4120	Sipariş formu 07.14.exe	45
PID 4120 set thread context of 3116	4120	Sipariş formu 07.14.exe	45
PID 504 set thread context of 3116	504	msdt.exe	45

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
4120	Sipariş formu 07.14.exe
4120	Sipariş formu 07.14.exe
4120	Sipariş formu 07.14.exe
4120	Sipariş formu 07.14.exe
4120	Sipariş formu 07.14.exe
4120	Sipariş formu 07.14.exe
504	msdt.exe
504	msdt.exe
504	msdt.exe
504	msdt.exe
504	msdt.exe
504	msdt.exe
504	msdt.exe
504	msdt.exe
504	msdt.exe
504	msdt.exe
504	msdt.exe
504	msdt.exe
504	msdt.exe
504	msdt.exe
504	msdt.exe
504	msdt.exe
504	msdt.exe
504	msdt.exe
504	msdt.exe
504	msdt.exe
504	msdt.exe
504	msdt.exe
504	msdt.exe
504	msdt.exe
504	msdt.exe
504	msdt.exe
504	msdt.exe
504	msdt.exe
504	msdt.exe
504	msdt.exe
504	msdt.exe
504	msdt.exe
504	msdt.exe
504	msdt.exe
504	msdt.exe
504	msdt.exe
504	msdt.exe
504	msdt.exe
504	msdt.exe
504	msdt.exe
504	msdt.exe
504	msdt.exe
504	msdt.exe
504	msdt.exe
504	msdt.exe
504	msdt.exe
504	msdt.exe
504	msdt.exe
504	msdt.exe
504	msdt.exe
504	msdt.exe
504	msdt.exe
504	msdt.exe
504	msdt.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3116	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
2196	Sipariş formu 07.14.exe
4120	Sipariş formu 07.14.exe
4120	Sipariş formu 07.14.exe
4120	Sipariş formu 07.14.exe
4120	Sipariş formu 07.14.exe
504	msdt.exe
504	msdt.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	4120	Sipariş formu 07.14.exe
Token: SeDebugPrivilege	504	msdt.exe
Token: SeShutdownPrivilege	3116	Explorer.EXE
Token: SeCreatePagefilePrivilege	3116	Explorer.EXE
Token: SeShutdownPrivilege	3116	Explorer.EXE
Token: SeCreatePagefilePrivilege	3116	Explorer.EXE
Token: SeShutdownPrivilege	3116	Explorer.EXE
Token: SeCreatePagefilePrivilege	3116	Explorer.EXE
Token: SeShutdownPrivilege	3116	Explorer.EXE
Token: SeCreatePagefilePrivilege	3116	Explorer.EXE
Token: SeShutdownPrivilege	3116	Explorer.EXE
Token: SeCreatePagefilePrivilege	3116	Explorer.EXE
Token: SeShutdownPrivilege	3116	Explorer.EXE
Token: SeCreatePagefilePrivilege	3116	Explorer.EXE
Token: SeShutdownPrivilege	3116	Explorer.EXE
Token: SeCreatePagefilePrivilege	3116	Explorer.EXE
Token: SeShutdownPrivilege	3116	Explorer.EXE
Token: SeCreatePagefilePrivilege	3116	Explorer.EXE

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 4120	2196	Sipariş formu 07.14.exe	86
PID 2196 wrote to memory of 4120	2196	Sipariş formu 07.14.exe	86
PID 2196 wrote to memory of 4120	2196	Sipariş formu 07.14.exe	86
PID 2196 wrote to memory of 4120	2196	Sipariş formu 07.14.exe	86
PID 3116 wrote to memory of 504	3116	Explorer.EXE	92
PID 3116 wrote to memory of 504	3116	Explorer.EXE	92
PID 3116 wrote to memory of 504	3116	Explorer.EXE	92
PID 504 wrote to memory of 528	504	msdt.exe	94
PID 504 wrote to memory of 528	504	msdt.exe	94
PID 504 wrote to memory of 528	504	msdt.exe	94

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3116
- C:\Users\Admin\AppData\Local\Temp\Sipariş formu 07.14.exe
  "C:\Users\Admin\AppData\Local\Temp\Sipariş formu 07.14.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Users\Admin\AppData\Local\Temp\Sipariş formu 07.14.exe
    "C:\Users\Admin\AppData\Local\Temp\Sipariş formu 07.14.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:4120
- C:\Windows\SysWOW64\msdt.exe
  "C:\Windows\SysWOW64\msdt.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:504
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\Sipariş formu 07.14.exe"
    3⤵
    PID:528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nseB826.tmp\runakr.dll

Filesize
62KB

MD5
125ee622e7609b69342418d308d58d5f

SHA1
1260b84e326769819d38ea1c082e9f474ead439e

SHA256
4bd5eb814b8be6ec702ff73b01056c315e1426172da219f2578884aec52e81f1

SHA512
4636e9f4c869e5e147a2f8d45b9d814bc58df16784d5d062e9455b714cd73440c011c33ebdbcc35cdee54ee48424d963fa50849c0124c6d6519c804952b7ac4e

Download Submit
memory/504-156-0x0000000000FA0000-0x0000000000FCF000-memory.dmp

Filesize
188KB

Download
memory/504-151-0x0000000000990000-0x00000000009E7000-memory.dmp

Filesize
348KB

Download
memory/504-155-0x0000000000990000-0x00000000009E7000-memory.dmp

Filesize
348KB

Download
memory/504-194-0x0000000003060000-0x00000000030F3000-memory.dmp

Filesize
588KB

Download
memory/504-158-0x0000000000FA0000-0x0000000000FCF000-memory.dmp

Filesize
188KB

Download
memory/504-157-0x0000000003320000-0x000000000366A000-memory.dmp

Filesize
3.3MB

Download
memory/2196-138-0x0000000074EC0000-0x0000000074ED3000-memory.dmp

Filesize
76KB

Download
memory/2196-140-0x0000000074EC0000-0x0000000074ED3000-memory.dmp

Filesize
76KB

Download
memory/3116-204-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-239-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-262-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3116-264-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-265-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-160-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-161-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-164-0x0000000002F30000-0x0000000002F40000-memory.dmp

Filesize
64KB

Download
memory/3116-163-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-213-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-168-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-165-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-167-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-170-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-171-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-172-0x0000000002F50000-0x0000000002F60000-memory.dmp

Filesize
64KB

Download
memory/3116-173-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-174-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-177-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-175-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-181-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-179-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-207-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-184-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-185-0x0000000002F50000-0x0000000002F60000-memory.dmp

Filesize
64KB

Download
memory/3116-186-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-188-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-189-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-190-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-191-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-192-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-193-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-187-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-149-0x00000000091E0000-0x000000000931B000-memory.dmp

Filesize
1.2MB

Download
memory/3116-195-0x0000000003090000-0x0000000003165000-memory.dmp

Filesize
852KB

Download
memory/3116-196-0x0000000003090000-0x0000000003165000-memory.dmp

Filesize
852KB

Download
memory/3116-198-0x0000000003090000-0x0000000003165000-memory.dmp

Filesize
852KB

Download
memory/3116-145-0x0000000008FD0000-0x0000000009162000-memory.dmp

Filesize
1.6MB

Download
memory/3116-205-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-206-0x0000000002E90000-0x0000000002EA0000-memory.dmp

Filesize
64KB

Download
memory/3116-208-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-209-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-183-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-154-0x0000000008FD0000-0x0000000009162000-memory.dmp

Filesize
1.6MB

Download
memory/3116-166-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-215-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-211-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-216-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-217-0x0000000002E90000-0x0000000002EA0000-memory.dmp

Filesize
64KB

Download
memory/3116-218-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-219-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-220-0x0000000002E90000-0x0000000002EA0000-memory.dmp

Filesize
64KB

Download
memory/3116-221-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-223-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-225-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-227-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-229-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-230-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-231-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-233-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-232-0x0000000002E90000-0x0000000002EA0000-memory.dmp

Filesize
64KB

Download
memory/3116-235-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-236-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-237-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-210-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-240-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-247-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-249-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-248-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-250-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-251-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-252-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-253-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-255-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-258-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-257-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-259-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/3116-260-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-261-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3116-263-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/4120-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4120-141-0x0000000000A20000-0x0000000000D6A000-memory.dmp

Filesize
3.3MB

Download
memory/4120-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4120-144-0x00000000008D0000-0x00000000008E4000-memory.dmp

Filesize
80KB

Download
memory/4120-147-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4120-148-0x0000000000970000-0x0000000000984000-memory.dmp

Filesize
80KB

Download