formbook | cc0f366752ad8832bf26a387da04626c8db6f00a69d5a98ce5934d0db01c1329

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
26/08/2023, 12:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rProductSpecs.exe
Size

594KB
MD5

05579b705197cc4ff3728af6d4d49f08
SHA1

89fb958792780a68990427aa3d8dfc9262c05dc1
SHA256

cc0f366752ad8832bf26a387da04626c8db6f00a69d5a98ce5934d0db01c1329
SHA512

b2bb887f3f07aa64afd7d3c6afce1532c83d380b25e0ef984ac591e3a4aac4980f18367370ddfbb0028bedc43b2ca4020f2b99fa149c75cff6e1ed7ed7b113bc
SSDEEP

12288:fbqwi/iWsjKX/Covqtk1Nla6KU9HTk8WjssUD1hZfxgEqD:jqwiiW9CysDOg8fh9xC

Score

10^/10

formbook hinf rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

hinf

Decoy

gemaprojects.com

infinitymarketingsystems.com

pustmegfram.com

mydetailaccelerator.com

zeusoffyp6.click

thegoddessofthehunt.com

abajim.com

jctrhc78.com

iyouiyiti.com

jobscnwire.com

emirates-tobacco.com

onledutech.com

medicinefloor.com

lghyr.fun

dohodnaavtomate.online

fbaxqevemd7.xyz

descontode70porcento.online

assmaco.com

bb845933.site

pinapplecapital.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/3024-9-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3024-14-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4684-19-0x0000000000980000-0x00000000009AF000-memory.dmp	formbook
behavioral2/memory/4684-21-0x0000000000980000-0x00000000009AF000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 448 set thread context of 3024	448	rProductSpecs.exe	90
PID 3024 set thread context of 3164	3024	rProductSpecs.exe	55
PID 4684 set thread context of 3164	4684	msdt.exe	55

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
3024	rProductSpecs.exe
3024	rProductSpecs.exe
3024	rProductSpecs.exe
3024	rProductSpecs.exe
4684	msdt.exe
4684	msdt.exe
4684	msdt.exe
4684	msdt.exe
4684	msdt.exe
4684	msdt.exe
4684	msdt.exe
4684	msdt.exe
4684	msdt.exe
4684	msdt.exe
4684	msdt.exe
4684	msdt.exe
4684	msdt.exe
4684	msdt.exe
4684	msdt.exe
4684	msdt.exe
4684	msdt.exe
4684	msdt.exe
4684	msdt.exe
4684	msdt.exe
4684	msdt.exe
4684	msdt.exe
4684	msdt.exe
4684	msdt.exe
4684	msdt.exe
4684	msdt.exe
4684	msdt.exe
4684	msdt.exe
4684	msdt.exe
4684	msdt.exe
4684	msdt.exe
4684	msdt.exe
4684	msdt.exe
4684	msdt.exe
4684	msdt.exe
4684	msdt.exe
4684	msdt.exe
4684	msdt.exe
4684	msdt.exe
4684	msdt.exe
4684	msdt.exe
4684	msdt.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3164	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
3024	rProductSpecs.exe
3024	rProductSpecs.exe
3024	rProductSpecs.exe
4684	msdt.exe
4684	msdt.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	3024	rProductSpecs.exe
Token: SeDebugPrivilege	4684	msdt.exe
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE
Token: SeShutdownPrivilege	3164	Explorer.EXE
Token: SeCreatePagefilePrivilege	3164	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 448 wrote to memory of 3024	448	rProductSpecs.exe	90
PID 448 wrote to memory of 3024	448	rProductSpecs.exe	90
PID 448 wrote to memory of 3024	448	rProductSpecs.exe	90
PID 448 wrote to memory of 3024	448	rProductSpecs.exe	90
PID 448 wrote to memory of 3024	448	rProductSpecs.exe	90
PID 448 wrote to memory of 3024	448	rProductSpecs.exe	90
PID 3164 wrote to memory of 4684	3164	Explorer.EXE	91
PID 3164 wrote to memory of 4684	3164	Explorer.EXE	91
PID 3164 wrote to memory of 4684	3164	Explorer.EXE	91
PID 4684 wrote to memory of 3876	4684	msdt.exe	92
PID 4684 wrote to memory of 3876	4684	msdt.exe	92
PID 4684 wrote to memory of 3876	4684	msdt.exe	92

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3164
- C:\Users\Admin\AppData\Local\Temp\rProductSpecs.exe
  "C:\Users\Admin\AppData\Local\Temp\rProductSpecs.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:448
- - C:\Users\Admin\AppData\Local\Temp\rProductSpecs.exe
    "C:\Users\Admin\AppData\Local\Temp\rProductSpecs.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:3024
- C:\Windows\SysWOW64\msdt.exe
  "C:\Windows\SysWOW64\msdt.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4684
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\rProductSpecs.exe"
    3⤵
    PID:3876

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/448-6-0x00000000050D0000-0x000000000516C000-memory.dmp

Filesize
624KB

Download
memory/448-11-0x0000000075170000-0x0000000075920000-memory.dmp

Filesize
7.7MB

Download
memory/448-2-0x0000000005400000-0x00000000059A4000-memory.dmp

Filesize
5.6MB

Download
memory/448-3-0x0000000004E50000-0x0000000004EE2000-memory.dmp

Filesize
584KB

Download
memory/448-4-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/448-5-0x0000000004F50000-0x0000000004F5A000-memory.dmp

Filesize
40KB

Download
memory/448-8-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/448-7-0x0000000075170000-0x0000000075920000-memory.dmp

Filesize
7.7MB

Download
memory/448-1-0x0000000075170000-0x0000000075920000-memory.dmp

Filesize
7.7MB

Download
memory/448-0-0x0000000000350000-0x00000000003EA000-memory.dmp

Filesize
616KB

Download
memory/3024-9-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3024-12-0x0000000001120000-0x000000000146A000-memory.dmp

Filesize
3.3MB

Download
memory/3024-15-0x00000000010C0000-0x00000000010D4000-memory.dmp

Filesize
80KB

Download
memory/3024-14-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3164-56-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/3164-60-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/3164-108-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/3164-106-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/3164-107-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/3164-105-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/3164-22-0x0000000007B80000-0x0000000007D27000-memory.dmp

Filesize
1.7MB

Download
memory/3164-104-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/3164-25-0x00000000085C0000-0x000000000871B000-memory.dmp

Filesize
1.4MB

Download
memory/3164-26-0x00000000085C0000-0x000000000871B000-memory.dmp

Filesize
1.4MB

Download
memory/3164-28-0x00000000085C0000-0x000000000871B000-memory.dmp

Filesize
1.4MB

Download
memory/3164-31-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/3164-33-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/3164-34-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/3164-36-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/3164-35-0x00000000024B0000-0x00000000024B2000-memory.dmp

Filesize
8KB

Download
memory/3164-32-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/3164-37-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/3164-40-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/3164-38-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/3164-42-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/3164-43-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/3164-44-0x00000000024C0000-0x00000000024D0000-memory.dmp

Filesize
64KB

Download
memory/3164-45-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/3164-46-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/3164-47-0x00000000024C0000-0x00000000024D0000-memory.dmp

Filesize
64KB

Download
memory/3164-48-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/3164-50-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/3164-52-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/3164-51-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/3164-16-0x0000000007B80000-0x0000000007D27000-memory.dmp

Filesize
1.7MB

Download
memory/3164-54-0x00000000024B0000-0x00000000024B2000-memory.dmp

Filesize
8KB

Download
memory/3164-53-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/3164-57-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/3164-58-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/3164-62-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/3164-59-0x00000000024C0000-0x00000000024D0000-memory.dmp

Filesize
64KB

Download
memory/3164-101-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/3164-63-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/3164-61-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/3164-64-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/3164-66-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/3164-65-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/3164-67-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/3164-74-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/3164-75-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/3164-76-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/3164-77-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/3164-78-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/3164-79-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/3164-80-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/3164-82-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/3164-81-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/3164-84-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/3164-85-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/3164-86-0x00000000024D0000-0x00000000024E0000-memory.dmp

Filesize
64KB

Download
memory/3164-87-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/3164-88-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/3164-90-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/3164-89-0x00000000024D0000-0x00000000024E0000-memory.dmp

Filesize
64KB

Download
memory/3164-92-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/3164-91-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/3164-94-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/3164-96-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/3164-99-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/3164-98-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/3164-100-0x00000000024D0000-0x00000000024E0000-memory.dmp

Filesize
64KB

Download
memory/3164-103-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/3164-102-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/4684-17-0x0000000000D20000-0x0000000000D77000-memory.dmp

Filesize
348KB

Download
memory/4684-24-0x0000000002B30000-0x0000000002BC3000-memory.dmp

Filesize
588KB

Download
memory/4684-21-0x0000000000980000-0x00000000009AF000-memory.dmp

Filesize
188KB

Download
memory/4684-20-0x0000000002DF0000-0x000000000313A000-memory.dmp

Filesize
3.3MB

Download
memory/4684-19-0x0000000000980000-0x00000000009AF000-memory.dmp

Filesize
188KB

Download
memory/4684-18-0x0000000000D20000-0x0000000000D77000-memory.dmp

Filesize
348KB

Download