formbook | cd56edf9ac230205c76045c5fabbbf68b28b011e066721e4f2b95653dc22a34c

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2023, 05:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

INVOICE.exe
Size

237KB
MD5

0ee858a143b831660ad55a2fbf13a6e1
SHA1

f378acacb7da3fe89f0bb0df43776797084313cf
SHA256

cd56edf9ac230205c76045c5fabbbf68b28b011e066721e4f2b95653dc22a34c
SHA512

20a4385d61c6826299b9ff3e61b101a9a57d446c967f478458369d39d6d95e3ce23a0e595f46fe68470a972869104f91c7f3f69ac9248c6dac3f05a776fa80f3
SSDEEP

6144:vYa618FO4xhOTAuavp5J9t/rswGImsj+O6zFhfOB6myN9d/HnpEryOd:vYP8FzMT87J9N1ZB6JgcdN9d+rFd

Score

10^/10

formbook ds19 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ds19

Decoy

pribit-92.com

wrist-couture.com

alanka.company

uffitgvr.click

bwtsatotravel.com

anpmarketinginc.com

startupsvibes.com

shearabia.com

sayemail5.store

solsticeinstitute.com

perfectholidaydeals.com

xfitness.life

mmbs-ad.com

jacodile.com

hjpolastudio.com

healuu.com

agtwer.homes

installationschampions.info

bettys70th.com

sustainable-re.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/2124-6-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2124-9-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/220-16-0x0000000000A00000-0x0000000000A2F000-memory.dmp	formbook
behavioral2/memory/220-18-0x0000000000A00000-0x0000000000A2F000-memory.dmp	formbook

Loads dropped DLL 1 IoCs

pid	Process
2440	INVOICE.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2440 set thread context of 2124	2440	INVOICE.exe	82
PID 2124 set thread context of 3180	2124	INVOICE.exe	35
PID 220 set thread context of 3180	220	cmmon32.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
2124	INVOICE.exe
2124	INVOICE.exe
2124	INVOICE.exe
2124	INVOICE.exe
220	cmmon32.exe
220	cmmon32.exe
220	cmmon32.exe
220	cmmon32.exe
220	cmmon32.exe
220	cmmon32.exe
220	cmmon32.exe
220	cmmon32.exe
220	cmmon32.exe
220	cmmon32.exe
220	cmmon32.exe
220	cmmon32.exe
220	cmmon32.exe
220	cmmon32.exe
220	cmmon32.exe
220	cmmon32.exe
220	cmmon32.exe
220	cmmon32.exe
220	cmmon32.exe
220	cmmon32.exe
220	cmmon32.exe
220	cmmon32.exe
220	cmmon32.exe
220	cmmon32.exe
220	cmmon32.exe
220	cmmon32.exe
220	cmmon32.exe
220	cmmon32.exe
220	cmmon32.exe
220	cmmon32.exe
220	cmmon32.exe
220	cmmon32.exe
220	cmmon32.exe
220	cmmon32.exe
220	cmmon32.exe
220	cmmon32.exe
220	cmmon32.exe
220	cmmon32.exe
220	cmmon32.exe
220	cmmon32.exe
220	cmmon32.exe
220	cmmon32.exe
220	cmmon32.exe
220	cmmon32.exe
220	cmmon32.exe
220	cmmon32.exe
220	cmmon32.exe
220	cmmon32.exe
220	cmmon32.exe
220	cmmon32.exe
220	cmmon32.exe
220	cmmon32.exe
220	cmmon32.exe
220	cmmon32.exe
220	cmmon32.exe
220	cmmon32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3180	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2440	INVOICE.exe
2124	INVOICE.exe
2124	INVOICE.exe
2124	INVOICE.exe
220	cmmon32.exe
220	cmmon32.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2124	INVOICE.exe
Token: SeDebugPrivilege	220	cmmon32.exe
Token: SeShutdownPrivilege	3180	Explorer.EXE
Token: SeCreatePagefilePrivilege	3180	Explorer.EXE
Token: SeShutdownPrivilege	3180	Explorer.EXE
Token: SeCreatePagefilePrivilege	3180	Explorer.EXE
Token: SeShutdownPrivilege	3180	Explorer.EXE
Token: SeCreatePagefilePrivilege	3180	Explorer.EXE
Token: SeShutdownPrivilege	3180	Explorer.EXE
Token: SeCreatePagefilePrivilege	3180	Explorer.EXE

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 2124	2440	INVOICE.exe	82
PID 2440 wrote to memory of 2124	2440	INVOICE.exe	82
PID 2440 wrote to memory of 2124	2440	INVOICE.exe	82
PID 2440 wrote to memory of 2124	2440	INVOICE.exe	82
PID 3180 wrote to memory of 220	3180	Explorer.EXE	83
PID 3180 wrote to memory of 220	3180	Explorer.EXE	83
PID 3180 wrote to memory of 220	3180	Explorer.EXE	83
PID 220 wrote to memory of 4920	220	cmmon32.exe	88
PID 220 wrote to memory of 4920	220	cmmon32.exe	88
PID 220 wrote to memory of 4920	220	cmmon32.exe	88

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3180
- C:\Users\Admin\AppData\Local\Temp\INVOICE.exe
  "C:\Users\Admin\AppData\Local\Temp\INVOICE.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Users\Admin\AppData\Local\Temp\INVOICE.exe
    "C:\Users\Admin\AppData\Local\Temp\INVOICE.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2124
- C:\Windows\SysWOW64\cmmon32.exe
  "C:\Windows\SysWOW64\cmmon32.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:220
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\INVOICE.exe"
    3⤵
    PID:4920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsg89F2.tmp\pgfasb.dll

Filesize
11KB

MD5
69455b1cf51ca23385cd850a46eefefb

SHA1
54a87eaa1be72a12a276ae60aa456e088057f0fb

SHA256
613dd7289f5cc9f53a850b7de98eebff647d85ecebf3e71e55c7e4cc1a4efc80

SHA512
2732beafc9c1a35f38f99fa672845e741855fe18a54b9487404c7b3bafa1151b7d5dbfad28ab3158a2035bf3ff381a93bc450e9991a56b5b9ab443b93fbaca6b

Download Submit
memory/220-12-0x00000000006F0000-0x00000000006FC000-memory.dmp

Filesize
48KB

Download
memory/220-15-0x00000000006F0000-0x00000000006FC000-memory.dmp

Filesize
48KB

Download
memory/220-16-0x0000000000A00000-0x0000000000A2F000-memory.dmp

Filesize
188KB

Download
memory/220-17-0x0000000002880000-0x0000000002BCA000-memory.dmp

Filesize
3.3MB

Download
memory/220-18-0x0000000000A00000-0x0000000000A2F000-memory.dmp

Filesize
188KB

Download
memory/220-20-0x0000000002770000-0x0000000002803000-memory.dmp

Filesize
588KB

Download
memory/2124-6-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2124-7-0x0000000000A20000-0x0000000000D6A000-memory.dmp

Filesize
3.3MB

Download
memory/2124-10-0x00000000009E0000-0x00000000009F4000-memory.dmp

Filesize
80KB

Download
memory/2124-9-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2440-5-0x0000000003190000-0x0000000003192000-memory.dmp

Filesize
8KB

Download
memory/3180-52-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/3180-61-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/3180-22-0x00000000084B0000-0x0000000008568000-memory.dmp

Filesize
736KB

Download
memory/3180-24-0x00000000084B0000-0x0000000008568000-memory.dmp

Filesize
736KB

Download
memory/3180-26-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/3180-27-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/3180-28-0x0000000002EC0000-0x0000000002ED0000-memory.dmp

Filesize
64KB

Download
memory/3180-29-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/3180-30-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/3180-33-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/3180-32-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/3180-35-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/3180-37-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/3180-36-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/3180-38-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/3180-31-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/3180-39-0x0000000008580000-0x0000000008590000-memory.dmp

Filesize
64KB

Download
memory/3180-40-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/3180-41-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/3180-43-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/3180-45-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/3180-47-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/3180-42-0x0000000008580000-0x0000000008590000-memory.dmp

Filesize
64KB

Download
memory/3180-49-0x0000000002EC0000-0x0000000002ED0000-memory.dmp

Filesize
64KB

Download
memory/3180-48-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/3180-51-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/3180-11-0x0000000008F10000-0x0000000009013000-memory.dmp

Filesize
1.0MB

Download
memory/3180-53-0x0000000008580000-0x0000000008590000-memory.dmp

Filesize
64KB

Download
memory/3180-54-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/3180-57-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/3180-56-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/3180-58-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/3180-60-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/3180-21-0x00000000084B0000-0x0000000008568000-memory.dmp

Filesize
736KB

Download
memory/3180-68-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/3180-70-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/3180-71-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/3180-69-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/3180-72-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/3180-73-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/3180-74-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/3180-76-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/3180-75-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/3180-78-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/3180-79-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/3180-80-0x0000000002EA0000-0x0000000002EB0000-memory.dmp

Filesize
64KB

Download
memory/3180-82-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/3180-81-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/3180-83-0x0000000002EA0000-0x0000000002EB0000-memory.dmp

Filesize
64KB

Download
memory/3180-86-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/3180-84-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/3180-88-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/3180-87-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/3180-90-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/3180-92-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/3180-93-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/3180-94-0x0000000002EA0000-0x0000000002EB0000-memory.dmp

Filesize
64KB

Download
memory/3180-95-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/3180-97-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/3180-98-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/3180-96-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/3180-100-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/3180-102-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/3180-101-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/3180-99-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download