formbook | 31fcc1a7c79fa0e760d81e479154824551be394658821275380c9fc45343ae22

Analysis

max time kernel
30s
max time network
19s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
13-08-2023 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ej.exe
Size

472KB
MD5

0948d25e80d3fe36133ea70394d16c93
SHA1

b1d9c2f690fb5820055439d9f4a0a2e858621b03
SHA256

9c2c89920c9d9d94674149fb789e2cf78cb9e20c451658d63b95cfd77c58a1d5
SHA512

538a25805e24f39d122d06a9f877b0116941bc668f21f5c0306a7c8f96e112b98b2ecaa1d8dc8f9ad39fbffe49c4b909407152ac21e78dfd926f00ae9460b772
SSDEEP

6144:GCmB8MwX6rWu5dIybQNcpYB1UukBvWxNMfuGe3wRpZSvANzC+3A0RvdtDsAyFRqo:c6X6rId+uEKNOk3EWvczC+Lv9UR4

Score

10^/10

formbook el rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

Decoy

fundayinc.com

91shiping.red

piccgz.com

greylockiceandheating.com

6-15hothamstreetstkildaeast.com

bladspiegel.com

xn--ruq41buok09a6r0azmh.com

reallifeandlipstick.com

wwwjinsha594.com

wpnull.info

dtaubman.net

eldhw.win

caringhouseholds.com

texasisrael.com

confiservice.com

unihome.store

xn--doqs90b84tkjg.com

xuanweiping.com

edictiosapiens.com

kalkulatorkredytow.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral15/memory/2240-58-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral15/memory/2240-61-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral15/memory/2240-65-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral15/memory/2824-72-0x0000000000080000-0x00000000000AA000-memory.dmp	formbook
behavioral15/memory/2824-79-0x0000000000080000-0x00000000000AA000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2856 cmd.exe

pid	process
2856	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

ej.exeej.execontrol.exe

description	pid	process	target process
PID 3000 set thread context of 2240	3000	ej.exe	ej.exe
PID 2240 set thread context of 1284	2240	ej.exe	Explorer.EXE
PID 2240 set thread context of 1284	2240	ej.exe	Explorer.EXE
PID 2824 set thread context of 1284	2824	control.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

ej.execontrol.exe

pid process

2240 ej.exe
2240 ej.exe
2240 ej.exe
2824 control.exe
2824 control.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1284 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

ej.execontrol.exe

pid process

2240 ej.exe
2240 ej.exe
2240 ej.exe
2240 ej.exe
2824 control.exe
2824 control.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ej.execontrol.exe

description pid process

Token: SeDebugPrivilege 2240 ej.exe
Token: SeDebugPrivilege 2824 control.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

ej.exe

pid process

3000 ej.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

ej.exe

pid process

2240 ej.exe

pid	process
2240	ej.exe
2240	ej.exe
2240	ej.exe
2824	control.exe
2824	control.exe

pid	process
1284	Explorer.EXE

pid	process
2240	ej.exe
2240	ej.exe
2240	ej.exe
2240	ej.exe
2824	control.exe
2824	control.exe

description	pid	process
Token: SeDebugPrivilege	2240	ej.exe
Token: SeDebugPrivilege	2824	control.exe

pid	process
3000	ej.exe

pid	process
2240	ej.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

ej.exeExplorer.EXEcontrol.exe

description	pid	process	target process
PID 3000 wrote to memory of 2240	3000	ej.exe	ej.exe
PID 3000 wrote to memory of 2240	3000	ej.exe	ej.exe
PID 3000 wrote to memory of 2240	3000	ej.exe	ej.exe
PID 3000 wrote to memory of 2240	3000	ej.exe	ej.exe
PID 1284 wrote to memory of 2824	1284	Explorer.EXE	control.exe
PID 1284 wrote to memory of 2824	1284	Explorer.EXE	control.exe
PID 1284 wrote to memory of 2824	1284	Explorer.EXE	control.exe
PID 1284 wrote to memory of 2824	1284	Explorer.EXE	control.exe
PID 2824 wrote to memory of 2856	2824	control.exe	cmd.exe
PID 2824 wrote to memory of 2856	2824	control.exe	cmd.exe
PID 2824 wrote to memory of 2856	2824	control.exe	cmd.exe
PID 2824 wrote to memory of 2856	2824	control.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1284

C:\Users\Admin\AppData\Local\Temp\ej.exe
"C:\Users\Admin\AppData\Local\Temp\ej.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3000

C:\Users\Admin\AppData\Local\Temp\ej.exe
C:\Users\Admin\AppData\Local\Temp\ej.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:2240

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2824

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\ej.exe"
3⤵
- Deletes itself
PID:2856

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1284-68-0x00000000070B0000-0x00000000071F7000-memory.dmp

Filesize
1.3MB

Download
memory/1284-84-0x0000000007200000-0x000000000730A000-memory.dmp

Filesize
1.0MB

Download
memory/1284-83-0x0000000007200000-0x000000000730A000-memory.dmp

Filesize
1.0MB

Download
memory/1284-81-0x0000000000010000-0x0000000000020000-memory.dmp

Filesize
64KB

Download
memory/1284-78-0x00000000070B0000-0x00000000071F7000-memory.dmp

Filesize
1.3MB

Download
memory/1284-77-0x000007FE7BB70000-0x000007FE7BB7A000-memory.dmp

Filesize
40KB

Download
memory/1284-63-0x00000000040C0000-0x0000000004193000-memory.dmp

Filesize
844KB

Download
memory/1284-76-0x000007FEF5C00000-0x000007FEF5D43000-memory.dmp

Filesize
1.3MB

Download
memory/2240-62-0x0000000001C10000-0x0000000001C24000-memory.dmp

Filesize
80KB

Download
memory/2240-65-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2240-58-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2240-66-0x0000000001C50000-0x0000000001C64000-memory.dmp

Filesize
80KB

Download
memory/2240-60-0x00000000066D0000-0x00000000069D3000-memory.dmp

Filesize
3.0MB

Download
memory/2240-61-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2824-80-0x0000000000430000-0x00000000004C3000-memory.dmp

Filesize
588KB

Download
memory/2824-73-0x0000000002110000-0x0000000002413000-memory.dmp

Filesize
3.0MB

Download
memory/2824-72-0x0000000000080000-0x00000000000AA000-memory.dmp

Filesize
168KB

Download
memory/2824-70-0x0000000000CF0000-0x0000000000D0F000-memory.dmp

Filesize
124KB

Download
memory/2824-79-0x0000000000080000-0x00000000000AA000-memory.dmp

Filesize
168KB

Download
memory/2824-71-0x0000000000CF0000-0x0000000000D0F000-memory.dmp

Filesize
124KB

Download
memory/3000-56-0x0000000000350000-0x0000000000356000-memory.dmp

Filesize
24KB

Download
memory/3000-57-0x0000000077500000-0x00000000775D6000-memory.dmp

Filesize
856KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads