formbook | ff87df006fb01a3f40c3eaa5f64efbb699378e096c28d4179eb5b3c023774acc

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2023, 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TNT Shipping Document.exe
Size

620KB
MD5

0593245b016a4aabdd56134224efa148
SHA1

62aa8ce315251c033878e82324d786dc2c2f2ec1
SHA256

ff87df006fb01a3f40c3eaa5f64efbb699378e096c28d4179eb5b3c023774acc
SHA512

f5391c70a233be9568d252e8b920cec388817c04ab3a7dfc691c3b1e68743ed46db3261eb1080053b207631cb5e45e5226443ee64b8ed8c989a334f4652e6e2a
SSDEEP

12288:/UZqEisUH/iA0ZTCFmTGpU3TEtxQ4CcH0R5SH9+yF05IyrsgpWVa6AJ/qn:qqEWpuCY/3T3jEd+e05IEhpF6+qn

Score

10^/10

formbook cy12 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

cy12

Decoy

routinelywell.com

traderinformation.com

xv1lz.cfd

elfiensclinic.com

dfwtexasmilitaryagent.com

gb3p8a.com

ofcure.com

kslgd.link

apexassisthubs.com

270hg.com

spacovitta.com

mattress-info-hu-kwu.today

jakestarrbroadcast.com

modestswimwearshop.com

game0814.com

gec.tokyo

growwellnesscoaching.com

thefavoreats.com

gaasmantech.net

mloffers.net

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/4400-13-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4400-18-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3748-23-0x0000000000600000-0x000000000062F000-memory.dmp	formbook
behavioral2/memory/3748-25-0x0000000000600000-0x000000000062F000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 472 set thread context of 4400	472	TNT Shipping Document.exe	91
PID 4400 set thread context of 3088	4400	TNT Shipping Document.exe	62
PID 3748 set thread context of 3088	3748	systray.exe	62

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
472	TNT Shipping Document.exe
472	TNT Shipping Document.exe
472	TNT Shipping Document.exe
472	TNT Shipping Document.exe
472	TNT Shipping Document.exe
472	TNT Shipping Document.exe
4400	TNT Shipping Document.exe
4400	TNT Shipping Document.exe
4400	TNT Shipping Document.exe
4400	TNT Shipping Document.exe
3748	systray.exe
3748	systray.exe
3748	systray.exe
3748	systray.exe
3748	systray.exe
3748	systray.exe
3748	systray.exe
3748	systray.exe
3748	systray.exe
3748	systray.exe
3748	systray.exe
3748	systray.exe
3748	systray.exe
3748	systray.exe
3748	systray.exe
3748	systray.exe
3748	systray.exe
3748	systray.exe
3748	systray.exe
3748	systray.exe
3748	systray.exe
3748	systray.exe
3748	systray.exe
3748	systray.exe
3748	systray.exe
3748	systray.exe
3748	systray.exe
3748	systray.exe
3748	systray.exe
3748	systray.exe
3748	systray.exe
3748	systray.exe
3748	systray.exe
3748	systray.exe
3748	systray.exe
3748	systray.exe
3748	systray.exe
3748	systray.exe
3748	systray.exe
3748	systray.exe
3748	systray.exe
3748	systray.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3088	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
4400	TNT Shipping Document.exe
4400	TNT Shipping Document.exe
4400	TNT Shipping Document.exe
3748	systray.exe
3748	systray.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	472	TNT Shipping Document.exe
Token: SeDebugPrivilege	4400	TNT Shipping Document.exe
Token: SeDebugPrivilege	3748	systray.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3088	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 472 wrote to memory of 3816	472	TNT Shipping Document.exe	89
PID 472 wrote to memory of 3816	472	TNT Shipping Document.exe	89
PID 472 wrote to memory of 3816	472	TNT Shipping Document.exe	89
PID 472 wrote to memory of 1808	472	TNT Shipping Document.exe	90
PID 472 wrote to memory of 1808	472	TNT Shipping Document.exe	90
PID 472 wrote to memory of 1808	472	TNT Shipping Document.exe	90
PID 472 wrote to memory of 4400	472	TNT Shipping Document.exe	91
PID 472 wrote to memory of 4400	472	TNT Shipping Document.exe	91
PID 472 wrote to memory of 4400	472	TNT Shipping Document.exe	91
PID 472 wrote to memory of 4400	472	TNT Shipping Document.exe	91
PID 472 wrote to memory of 4400	472	TNT Shipping Document.exe	91
PID 472 wrote to memory of 4400	472	TNT Shipping Document.exe	91
PID 3088 wrote to memory of 3748	3088	Explorer.EXE	92
PID 3088 wrote to memory of 3748	3088	Explorer.EXE	92
PID 3088 wrote to memory of 3748	3088	Explorer.EXE	92
PID 3748 wrote to memory of 4748	3748	systray.exe	94
PID 3748 wrote to memory of 4748	3748	systray.exe	94
PID 3748 wrote to memory of 4748	3748	systray.exe	94

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3088
- C:\Users\Admin\AppData\Local\Temp\TNT Shipping Document.exe
  "C:\Users\Admin\AppData\Local\Temp\TNT Shipping Document.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:472
- - C:\Users\Admin\AppData\Local\Temp\TNT Shipping Document.exe
    "C:\Users\Admin\AppData\Local\Temp\TNT Shipping Document.exe"
    3⤵
    PID:3816
- - C:\Users\Admin\AppData\Local\Temp\TNT Shipping Document.exe
    "C:\Users\Admin\AppData\Local\Temp\TNT Shipping Document.exe"
    3⤵
    PID:1808
- - C:\Users\Admin\AppData\Local\Temp\TNT Shipping Document.exe
    "C:\Users\Admin\AppData\Local\Temp\TNT Shipping Document.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:4400
- C:\Windows\SysWOW64\systray.exe
  "C:\Windows\SysWOW64\systray.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3748
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\TNT Shipping Document.exe"
    3⤵
    PID:4748

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/472-15-0x0000000074880000-0x0000000075030000-memory.dmp

Filesize
7.7MB

Download
memory/472-9-0x0000000006390000-0x0000000006398000-memory.dmp

Filesize
32KB

Download
memory/472-2-0x0000000005540000-0x0000000005AE4000-memory.dmp

Filesize
5.6MB

Download
memory/472-3-0x0000000004EC0000-0x0000000004F52000-memory.dmp

Filesize
584KB

Download
memory/472-4-0x0000000004E80000-0x0000000004E90000-memory.dmp

Filesize
64KB

Download
memory/472-5-0x0000000004EB0000-0x0000000004EBA000-memory.dmp

Filesize
40KB

Download
memory/472-6-0x0000000005510000-0x0000000005526000-memory.dmp

Filesize
88KB

Download
memory/472-7-0x0000000074880000-0x0000000075030000-memory.dmp

Filesize
7.7MB

Download
memory/472-8-0x0000000004E80000-0x0000000004E90000-memory.dmp

Filesize
64KB

Download
memory/472-0-0x0000000000470000-0x000000000050E000-memory.dmp

Filesize
632KB

Download
memory/472-10-0x00000000063C0000-0x00000000063CC000-memory.dmp

Filesize
48KB

Download
memory/472-11-0x00000000066C0000-0x000000000672E000-memory.dmp

Filesize
440KB

Download
memory/472-12-0x0000000008D10000-0x0000000008DAC000-memory.dmp

Filesize
624KB

Download
memory/472-1-0x0000000074880000-0x0000000075030000-memory.dmp

Filesize
7.7MB

Download
memory/3088-32-0x0000000008A00000-0x0000000008B5F000-memory.dmp

Filesize
1.4MB

Download
memory/3088-30-0x0000000008A00000-0x0000000008B5F000-memory.dmp

Filesize
1.4MB

Download
memory/3088-26-0x00000000083F0000-0x0000000008513000-memory.dmp

Filesize
1.1MB

Download
memory/3088-29-0x0000000008A00000-0x0000000008B5F000-memory.dmp

Filesize
1.4MB

Download
memory/3088-20-0x00000000083F0000-0x0000000008513000-memory.dmp

Filesize
1.1MB

Download
memory/3748-22-0x0000000000080000-0x0000000000086000-memory.dmp

Filesize
24KB

Download
memory/3748-21-0x0000000000080000-0x0000000000086000-memory.dmp

Filesize
24KB

Download
memory/3748-23-0x0000000000600000-0x000000000062F000-memory.dmp

Filesize
188KB

Download
memory/3748-24-0x0000000002580000-0x00000000028CA000-memory.dmp

Filesize
3.3MB

Download
memory/3748-25-0x0000000000600000-0x000000000062F000-memory.dmp

Filesize
188KB

Download
memory/3748-27-0x00000000023C0000-0x0000000002453000-memory.dmp

Filesize
588KB

Download
memory/4400-16-0x00000000011B0000-0x00000000014FA000-memory.dmp

Filesize
3.3MB

Download
memory/4400-19-0x0000000000EC0000-0x0000000000ED4000-memory.dmp

Filesize
80KB

Download
memory/4400-18-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4400-13-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download