formbook | dc999aa2db84e4f91022be10a55e971c49da82960027b7482b44856fee46f9cc

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
05-10-2023 11:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

310KB
MD5

da83ec739bfe2751dadf73b88a2d4de3
SHA1

5122f9be87149ad355f0cbf33ca3ae603432b5d2
SHA256

dc999aa2db84e4f91022be10a55e971c49da82960027b7482b44856fee46f9cc
SHA512

358679f4da6265685f6d41aa159220a3dc80e6a76b0dc4e57bc548394acf6507622dfc09ef86dcb892e32d72c6be5af1fce57b3562d4bc8d3bc646ae3afee8c3
SSDEEP

6144:LnPdudwDzV7hvMwtSPqGas8x0UAHsvEt57FFUxgbddgAcuWm5M2:LnPdvhsZyAEEvFFUxgbRM2

Score

10^/10

formbook sy22 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

sy22

Decoy

vinteligencia.com

displayfridges.fun

completetip.com

giallozafferrano.com

jizihao1.com

mysticheightstrail.com

fourseasonslb.com

kjnala.shop

mosiacwall.com

vandistreet.com

gracefullytouchedartistry.com

hbiwhwr.shop

mfmz.net

hrmbrillianz.com

funwarsztat.com

polewithcandy.com

ourrajasthan.com

wilhouettteamerica.com

johnnystintshop.com

asgnelwin.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2628-10-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

bdmuxzu.exebdmuxzu.exe

pid process

2684 bdmuxzu.exe
2628 bdmuxzu.exe
Loads dropped DLL 5 IoCs

Processes:

tmp.exebdmuxzu.exeWerFault.exe

pid process

1680 tmp.exe
2684 bdmuxzu.exe
2764 WerFault.exe
2764 WerFault.exe
2764 WerFault.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

bdmuxzu.exe

description pid process target process

PID 2684 set thread context of 2628 2684 bdmuxzu.exe bdmuxzu.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2764 2628 WerFault.exe bdmuxzu.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

bdmuxzu.exe

pid process

2684 bdmuxzu.exe
2684 bdmuxzu.exe

pid	process
2684	bdmuxzu.exe
2628	bdmuxzu.exe

pid	process
1680	tmp.exe
2684	bdmuxzu.exe
2764	WerFault.exe
2764	WerFault.exe
2764	WerFault.exe

description	pid	process	target process
PID 2684 set thread context of 2628	2684	bdmuxzu.exe	bdmuxzu.exe

pid	pid_target	process	target process
2764	2628	WerFault.exe	bdmuxzu.exe

pid	process
2684	bdmuxzu.exe
2684	bdmuxzu.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

tmp.exebdmuxzu.exebdmuxzu.exe

description	pid	process	target process
PID 1680 wrote to memory of 2684	1680	tmp.exe	bdmuxzu.exe
PID 1680 wrote to memory of 2684	1680	tmp.exe	bdmuxzu.exe
PID 1680 wrote to memory of 2684	1680	tmp.exe	bdmuxzu.exe
PID 1680 wrote to memory of 2684	1680	tmp.exe	bdmuxzu.exe
PID 2684 wrote to memory of 2628	2684	bdmuxzu.exe	bdmuxzu.exe
PID 2684 wrote to memory of 2628	2684	bdmuxzu.exe	bdmuxzu.exe
PID 2684 wrote to memory of 2628	2684	bdmuxzu.exe	bdmuxzu.exe
PID 2684 wrote to memory of 2628	2684	bdmuxzu.exe	bdmuxzu.exe
PID 2684 wrote to memory of 2628	2684	bdmuxzu.exe	bdmuxzu.exe
PID 2628 wrote to memory of 2764	2628	bdmuxzu.exe	WerFault.exe
PID 2628 wrote to memory of 2764	2628	bdmuxzu.exe	WerFault.exe
PID 2628 wrote to memory of 2764	2628	bdmuxzu.exe	WerFault.exe
PID 2628 wrote to memory of 2764	2628	bdmuxzu.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Users\Admin\AppData\Local\Temp\bdmuxzu.exe
  "C:\Users\Admin\AppData\Local\Temp\bdmuxzu.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Users\Admin\AppData\Local\Temp\bdmuxzu.exe
    "C:\Users\Admin\AppData\Local\Temp\bdmuxzu.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 36
      4⤵
      Loads dropped DLL
      Program crash
      PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bdmuxzu.exe

Filesize
171KB

MD5
4b59d30a0dfe2ef576a684738840836f

SHA1
2648e01c6e47e0878df86d07e6171de62c2bf6db

SHA256
5ab248198de9803f51b17aaa8401a293219f8199699f6ebe6152ad33c7b11a8b

SHA512
bba64225181183edfd7514ca46ab3102e47411ff47fe957d12873cc1d175b916afdc467dd0377ecfc112f66c6cc9234949574e0dfe28ed53803341a4b165e508

Download Submit
C:\Users\Admin\AppData\Local\Temp\bdmuxzu.exe

Filesize
171KB

MD5
4b59d30a0dfe2ef576a684738840836f

SHA1
2648e01c6e47e0878df86d07e6171de62c2bf6db

SHA256
5ab248198de9803f51b17aaa8401a293219f8199699f6ebe6152ad33c7b11a8b

SHA512
bba64225181183edfd7514ca46ab3102e47411ff47fe957d12873cc1d175b916afdc467dd0377ecfc112f66c6cc9234949574e0dfe28ed53803341a4b165e508

Download Submit
C:\Users\Admin\AppData\Local\Temp\bdmuxzu.exe

Filesize
171KB

MD5
4b59d30a0dfe2ef576a684738840836f

SHA1
2648e01c6e47e0878df86d07e6171de62c2bf6db

SHA256
5ab248198de9803f51b17aaa8401a293219f8199699f6ebe6152ad33c7b11a8b

SHA512
bba64225181183edfd7514ca46ab3102e47411ff47fe957d12873cc1d175b916afdc467dd0377ecfc112f66c6cc9234949574e0dfe28ed53803341a4b165e508

Download Submit
C:\Users\Admin\AppData\Local\Temp\fnpwl.ufx

Filesize
205KB

MD5
80405658fbbf7c2bde5c54656cc3282b

SHA1
96c9716132a64388609b103c3e32385653153366

SHA256
a1b2102fc79de307f0a816f3c0cc3a0807f25517db6dff4194c2d7e7bf5ba693

SHA512
c5e899b93a7efe2a823c3324236deda97d4354d7b5058be89b22a310942a26acb095847276c89dd90b1cba8ee33210839b590c08cc8eec03c2e5687c1f3d01fa

Download Submit
\Users\Admin\AppData\Local\Temp\bdmuxzu.exe

Filesize
171KB

MD5
4b59d30a0dfe2ef576a684738840836f

SHA1
2648e01c6e47e0878df86d07e6171de62c2bf6db

SHA256
5ab248198de9803f51b17aaa8401a293219f8199699f6ebe6152ad33c7b11a8b

SHA512
bba64225181183edfd7514ca46ab3102e47411ff47fe957d12873cc1d175b916afdc467dd0377ecfc112f66c6cc9234949574e0dfe28ed53803341a4b165e508

Download Submit
\Users\Admin\AppData\Local\Temp\bdmuxzu.exe

Filesize
171KB

MD5
4b59d30a0dfe2ef576a684738840836f

SHA1
2648e01c6e47e0878df86d07e6171de62c2bf6db

SHA256
5ab248198de9803f51b17aaa8401a293219f8199699f6ebe6152ad33c7b11a8b

SHA512
bba64225181183edfd7514ca46ab3102e47411ff47fe957d12873cc1d175b916afdc467dd0377ecfc112f66c6cc9234949574e0dfe28ed53803341a4b165e508

Download Submit
\Users\Admin\AppData\Local\Temp\bdmuxzu.exe

Filesize
171KB

MD5
4b59d30a0dfe2ef576a684738840836f

SHA1
2648e01c6e47e0878df86d07e6171de62c2bf6db

SHA256
5ab248198de9803f51b17aaa8401a293219f8199699f6ebe6152ad33c7b11a8b

SHA512
bba64225181183edfd7514ca46ab3102e47411ff47fe957d12873cc1d175b916afdc467dd0377ecfc112f66c6cc9234949574e0dfe28ed53803341a4b165e508

Download Submit
\Users\Admin\AppData\Local\Temp\bdmuxzu.exe

Filesize
171KB

MD5
4b59d30a0dfe2ef576a684738840836f

SHA1
2648e01c6e47e0878df86d07e6171de62c2bf6db

SHA256
5ab248198de9803f51b17aaa8401a293219f8199699f6ebe6152ad33c7b11a8b

SHA512
bba64225181183edfd7514ca46ab3102e47411ff47fe957d12873cc1d175b916afdc467dd0377ecfc112f66c6cc9234949574e0dfe28ed53803341a4b165e508

Download Submit
\Users\Admin\AppData\Local\Temp\bdmuxzu.exe

Filesize
171KB

MD5
4b59d30a0dfe2ef576a684738840836f

SHA1
2648e01c6e47e0878df86d07e6171de62c2bf6db

SHA256
5ab248198de9803f51b17aaa8401a293219f8199699f6ebe6152ad33c7b11a8b

SHA512
bba64225181183edfd7514ca46ab3102e47411ff47fe957d12873cc1d175b916afdc467dd0377ecfc112f66c6cc9234949574e0dfe28ed53803341a4b165e508

Download Submit
memory/2628-10-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/2684-6-0x0000000000090000-0x0000000000092000-memory.dmp

Filesize
8KB

Download