formbook | e6acd013f402294fb872251fc4ad72420d608afff59ba25d57efe2f812493096

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
21-08-2023 13:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

INVOICE, & REMITTANCE INFORMATIO.exe
Size

108KB
MD5

61ce3c89c2578f45fccd23b556634adf
SHA1

fb4c545865c343e4fa1c3e289c68a432c5cbf307
SHA256

e6acd013f402294fb872251fc4ad72420d608afff59ba25d57efe2f812493096
SHA512

e16f72251be777f6230ae0da589970f0e24d783bf3a9243bf553720359ea96aed60c06b40f7e68622991652b469dbf2dbfd21a7f77aac1753e7afbe229a6681c
SSDEEP

3072:5Pyx4EtMJ+aoHibA4UbOB2P06J/RtfwXALweSaIKg/u3:5Ho8vUa2PjWXAsevg

Score

10^/10

formbook purecrypter c1e9 downloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

purecrypter

https://files.catbox.moe/gmiwb3.vdf

Extracted

Family

formbook

Version

4.1

Campaign

c1e9

Decoy

solvedturkeysecuritysbn.net

premiermanufacturinggroup.net

1mvirqw.sbs

5zaclc2.top

b71h.xyz

oldiescafe.shop

371qp.com

h2arc.com

kiwork.xyz

www007ts.info

cgnant.info

m5arun.cfd

askme.click

fd5gsym.sbs

m940o1.cfd

gaurangnaik.xyz

loveoftheriver.farm

nk1966.cfd

lazuritebluediamond.biz

lir337.cfd

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/4940-1221-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4940-1226-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4660-1232-0x0000000000CA0000-0x0000000000CCF000-memory.dmp	formbook
behavioral2/memory/4660-1237-0x0000000000CA0000-0x0000000000CCF000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2928 set thread context of 4940	2928	INVOICE, & REMITTANCE INFORMATIO.exe	90
PID 4940 set thread context of 3240	4940	INVOICE, & REMITTANCE INFORMATIO.exe	62
PID 4660 set thread context of 3240	4660	cmstp.exe	62

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
4940	INVOICE, & REMITTANCE INFORMATIO.exe
4940	INVOICE, & REMITTANCE INFORMATIO.exe
4940	INVOICE, & REMITTANCE INFORMATIO.exe
4940	INVOICE, & REMITTANCE INFORMATIO.exe
4660	cmstp.exe
4660	cmstp.exe
4660	cmstp.exe
4660	cmstp.exe
4660	cmstp.exe
4660	cmstp.exe
4660	cmstp.exe
4660	cmstp.exe
4660	cmstp.exe
4660	cmstp.exe
4660	cmstp.exe
4660	cmstp.exe
4660	cmstp.exe
4660	cmstp.exe
4660	cmstp.exe
4660	cmstp.exe
4660	cmstp.exe
4660	cmstp.exe
4660	cmstp.exe
4660	cmstp.exe
4660	cmstp.exe
4660	cmstp.exe
4660	cmstp.exe
4660	cmstp.exe
4660	cmstp.exe
4660	cmstp.exe
4660	cmstp.exe
4660	cmstp.exe
4660	cmstp.exe
4660	cmstp.exe
4660	cmstp.exe
4660	cmstp.exe
4660	cmstp.exe
4660	cmstp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3240	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
4940	INVOICE, & REMITTANCE INFORMATIO.exe
4940	INVOICE, & REMITTANCE INFORMATIO.exe
4940	INVOICE, & REMITTANCE INFORMATIO.exe
4660	cmstp.exe
4660	cmstp.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2928	INVOICE, & REMITTANCE INFORMATIO.exe
Token: SeDebugPrivilege	4940	INVOICE, & REMITTANCE INFORMATIO.exe
Token: SeDebugPrivilege	4660	cmstp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 4940	2928	INVOICE, & REMITTANCE INFORMATIO.exe	90
PID 2928 wrote to memory of 4940	2928	INVOICE, & REMITTANCE INFORMATIO.exe	90
PID 2928 wrote to memory of 4940	2928	INVOICE, & REMITTANCE INFORMATIO.exe	90
PID 2928 wrote to memory of 4940	2928	INVOICE, & REMITTANCE INFORMATIO.exe	90
PID 2928 wrote to memory of 4940	2928	INVOICE, & REMITTANCE INFORMATIO.exe	90
PID 2928 wrote to memory of 4940	2928	INVOICE, & REMITTANCE INFORMATIO.exe	90
PID 3240 wrote to memory of 4660	3240	Explorer.EXE	91
PID 3240 wrote to memory of 4660	3240	Explorer.EXE	91
PID 3240 wrote to memory of 4660	3240	Explorer.EXE	91
PID 4660 wrote to memory of 5072	4660	cmstp.exe	92
PID 4660 wrote to memory of 5072	4660	cmstp.exe	92
PID 4660 wrote to memory of 5072	4660	cmstp.exe	92

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3240
- C:\Users\Admin\AppData\Local\Temp\INVOICE, & REMITTANCE INFORMATIO.exe
  "C:\Users\Admin\AppData\Local\Temp\INVOICE, & REMITTANCE INFORMATIO.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Users\Admin\AppData\Local\Temp\INVOICE, & REMITTANCE INFORMATIO.exe
    "C:\Users\Admin\AppData\Local\Temp\INVOICE, & REMITTANCE INFORMATIO.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:4940
- C:\Windows\SysWOW64\cmstp.exe
  "C:\Windows\SysWOW64\cmstp.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4660
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\INVOICE, & REMITTANCE INFORMATIO.exe"
    3⤵
    PID:5072

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2928-180-0x00000000090F0000-0x00000000091BF000-memory.dmp

Filesize
828KB

Download
memory/2928-137-0x0000000005430000-0x0000000005440000-memory.dmp

Filesize
64KB

Download
memory/2928-133-0x0000000074E10000-0x00000000755C0000-memory.dmp

Filesize
7.7MB

Download
memory/2928-136-0x0000000005320000-0x00000000053B2000-memory.dmp

Filesize
584KB

Download
memory/2928-182-0x00000000090F0000-0x00000000091BF000-memory.dmp

Filesize
828KB

Download
memory/2928-138-0x00000000053D0000-0x00000000053DA000-memory.dmp

Filesize
40KB

Download
memory/2928-139-0x0000000074E10000-0x00000000755C0000-memory.dmp

Filesize
7.7MB

Download
memory/2928-140-0x0000000005430000-0x0000000005440000-memory.dmp

Filesize
64KB

Download
memory/2928-141-0x00000000090F0000-0x00000000091BF000-memory.dmp

Filesize
828KB

Download
memory/2928-142-0x00000000090F0000-0x00000000091BF000-memory.dmp

Filesize
828KB

Download
memory/2928-144-0x00000000090F0000-0x00000000091BF000-memory.dmp

Filesize
828KB

Download
memory/2928-146-0x00000000090F0000-0x00000000091BF000-memory.dmp

Filesize
828KB

Download
memory/2928-148-0x00000000090F0000-0x00000000091BF000-memory.dmp

Filesize
828KB

Download
memory/2928-150-0x00000000090F0000-0x00000000091BF000-memory.dmp

Filesize
828KB

Download
memory/2928-152-0x00000000090F0000-0x00000000091BF000-memory.dmp

Filesize
828KB

Download
memory/2928-154-0x00000000090F0000-0x00000000091BF000-memory.dmp

Filesize
828KB

Download
memory/2928-156-0x00000000090F0000-0x00000000091BF000-memory.dmp

Filesize
828KB

Download
memory/2928-158-0x00000000090F0000-0x00000000091BF000-memory.dmp

Filesize
828KB

Download
memory/2928-160-0x00000000090F0000-0x00000000091BF000-memory.dmp

Filesize
828KB

Download
memory/2928-162-0x00000000090F0000-0x00000000091BF000-memory.dmp

Filesize
828KB

Download
memory/2928-164-0x00000000090F0000-0x00000000091BF000-memory.dmp

Filesize
828KB

Download
memory/2928-166-0x00000000090F0000-0x00000000091BF000-memory.dmp

Filesize
828KB

Download
memory/2928-168-0x00000000090F0000-0x00000000091BF000-memory.dmp

Filesize
828KB

Download
memory/2928-170-0x00000000090F0000-0x00000000091BF000-memory.dmp

Filesize
828KB

Download
memory/2928-184-0x00000000090F0000-0x00000000091BF000-memory.dmp

Filesize
828KB

Download
memory/2928-174-0x00000000090F0000-0x00000000091BF000-memory.dmp

Filesize
828KB

Download
memory/2928-176-0x00000000090F0000-0x00000000091BF000-memory.dmp

Filesize
828KB

Download
memory/2928-178-0x00000000090F0000-0x00000000091BF000-memory.dmp

Filesize
828KB

Download
memory/2928-135-0x0000000005A00000-0x0000000005FA4000-memory.dmp

Filesize
5.6MB

Download
memory/2928-134-0x0000000000920000-0x0000000000942000-memory.dmp

Filesize
136KB

Download
memory/2928-172-0x00000000090F0000-0x00000000091BF000-memory.dmp

Filesize
828KB

Download
memory/2928-186-0x00000000090F0000-0x00000000091BF000-memory.dmp

Filesize
828KB

Download
memory/2928-188-0x00000000090F0000-0x00000000091BF000-memory.dmp

Filesize
828KB

Download
memory/2928-190-0x00000000090F0000-0x00000000091BF000-memory.dmp

Filesize
828KB

Download
memory/2928-192-0x00000000090F0000-0x00000000091BF000-memory.dmp

Filesize
828KB

Download
memory/2928-194-0x00000000090F0000-0x00000000091BF000-memory.dmp

Filesize
828KB

Download
memory/2928-196-0x00000000090F0000-0x00000000091BF000-memory.dmp

Filesize
828KB

Download
memory/2928-198-0x00000000090F0000-0x00000000091BF000-memory.dmp

Filesize
828KB

Download
memory/2928-200-0x00000000090F0000-0x00000000091BF000-memory.dmp

Filesize
828KB

Download
memory/2928-202-0x00000000090F0000-0x00000000091BF000-memory.dmp

Filesize
828KB

Download
memory/2928-204-0x00000000090F0000-0x00000000091BF000-memory.dmp

Filesize
828KB

Download
memory/2928-1217-0x0000000008660000-0x0000000008661000-memory.dmp

Filesize
4KB

Download
memory/2928-1218-0x0000000005430000-0x0000000005440000-memory.dmp

Filesize
64KB

Download
memory/2928-1219-0x0000000005430000-0x0000000005440000-memory.dmp

Filesize
64KB

Download
memory/2928-1223-0x0000000074E10000-0x00000000755C0000-memory.dmp

Filesize
7.7MB

Download
memory/3240-1235-0x0000000007BB0000-0x0000000007CFB000-memory.dmp

Filesize
1.3MB

Download
memory/3240-1239-0x0000000008070000-0x00000000081EB000-memory.dmp

Filesize
1.5MB

Download
memory/3240-1242-0x0000000008070000-0x00000000081EB000-memory.dmp

Filesize
1.5MB

Download
memory/3240-1228-0x0000000007BB0000-0x0000000007CFB000-memory.dmp

Filesize
1.3MB

Download
memory/4660-1233-0x0000000002B20000-0x0000000002E6A000-memory.dmp

Filesize
3.3MB

Download
memory/4660-1237-0x0000000000CA0000-0x0000000000CCF000-memory.dmp

Filesize
188KB

Download
memory/4660-1238-0x00000000029C0000-0x0000000002A54000-memory.dmp

Filesize
592KB

Download
memory/4660-1231-0x0000000000280000-0x0000000000296000-memory.dmp

Filesize
88KB

Download
memory/4660-1232-0x0000000000CA0000-0x0000000000CCF000-memory.dmp

Filesize
188KB

Download
memory/4940-1221-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4940-1224-0x00000000016C0000-0x0000000001A0A000-memory.dmp

Filesize
3.3MB

Download
memory/4940-1226-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4940-1227-0x0000000001610000-0x0000000001625000-memory.dmp

Filesize
84KB

Download