formbook | 13a39c0bd091be394593c3f3e37012e09f1a22317e5fc1c604e12753ae4bbda0

Analysis

max time kernel
152s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230915-de
resource tags

arch:x64arch:x86image:win10v2004-20230915-delocale:de-deos:windows10-2004-x64systemwindows
submitted
06/10/2023, 13:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

alleromac2.1.exe
Size

324KB
MD5

a7cc0c43dc0dc90f1f79cb9c01ec0107
SHA1

8ce46a6ccbf88df27a8aaf8ac4cc289e26f61654
SHA256

13a39c0bd091be394593c3f3e37012e09f1a22317e5fc1c604e12753ae4bbda0
SHA512

7ea05a253105ca7c6520909dbc14aab0ab6bd1331fdbcd68df006fad505eeb8d28c9b765be6f771c02392975cfd3f99cdcf74406026db2234cecc337cfcce1f5
SSDEEP

6144:6XFKo5kfYbvba18ks7aGQffNF0UVG0CROy1NjU79PddymsI+2FiVxvwvAPy:6XoEeyRQffNAfLg9Pf2I+y0wvAPy

Score

10^/10

formbook t6tg rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

t6tg

Decoy

dwolfgang.com

changeandcourse.com

sonexhospitallimited.com

izeera.com

7m9.lat

fem-studio.com

santocielostore.com

0xinxg7e50de2n7q2z.site

ssongg13026.cfd

promushealth.com

g7bety.com

molinoelvinculo.com

smallthingteamwork.world

zewagripro.shop

adam-automatik.com

raquelaranibar.com

aigeniusink.com

maddirazoki.com

nextino.app

verbenashungary.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/1596-7-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/1596-11-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3860-18-0x0000000000D90000-0x0000000000DBF000-memory.dmp	formbook
behavioral2/memory/3860-20-0x0000000000D90000-0x0000000000DBF000-memory.dmp	formbook

Blocklisted process makes network request 1 IoCs

flow	pid	Process
74	3860	wscript.exe

Executes dropped EXE 2 IoCs

pid	Process
4596	ymliwsvz.exe
1596	ymliwsvz.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4596 set thread context of 1596	4596	ymliwsvz.exe	89
PID 1596 set thread context of 3124	1596	ymliwsvz.exe	43
PID 3860 set thread context of 3124	3860	wscript.exe	43

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
1596	ymliwsvz.exe
1596	ymliwsvz.exe
1596	ymliwsvz.exe
1596	ymliwsvz.exe
3860	wscript.exe
3860	wscript.exe
3860	wscript.exe
3860	wscript.exe
3860	wscript.exe
3860	wscript.exe
3860	wscript.exe
3860	wscript.exe
3860	wscript.exe
3860	wscript.exe
3860	wscript.exe
3860	wscript.exe
3860	wscript.exe
3860	wscript.exe
3860	wscript.exe
3860	wscript.exe
3860	wscript.exe
3860	wscript.exe
3860	wscript.exe
3860	wscript.exe
3860	wscript.exe
3860	wscript.exe
3860	wscript.exe
3860	wscript.exe
3860	wscript.exe
3860	wscript.exe
3860	wscript.exe
3860	wscript.exe
3860	wscript.exe
3860	wscript.exe
3860	wscript.exe
3860	wscript.exe
3860	wscript.exe
3860	wscript.exe
3860	wscript.exe
3860	wscript.exe
3860	wscript.exe
3860	wscript.exe
3860	wscript.exe
3860	wscript.exe
3860	wscript.exe
3860	wscript.exe
3860	wscript.exe
3860	wscript.exe
3860	wscript.exe
3860	wscript.exe
3860	wscript.exe
3860	wscript.exe
3860	wscript.exe
3860	wscript.exe
3860	wscript.exe
3860	wscript.exe
3860	wscript.exe
3860	wscript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3124	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
4596	ymliwsvz.exe
1596	ymliwsvz.exe
1596	ymliwsvz.exe
1596	ymliwsvz.exe
3860	wscript.exe
3860	wscript.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1596	ymliwsvz.exe
Token: SeDebugPrivilege	3860	wscript.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3124	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4164 wrote to memory of 4596	4164	alleromac2.1.exe	88
PID 4164 wrote to memory of 4596	4164	alleromac2.1.exe	88
PID 4164 wrote to memory of 4596	4164	alleromac2.1.exe	88
PID 4596 wrote to memory of 1596	4596	ymliwsvz.exe	89
PID 4596 wrote to memory of 1596	4596	ymliwsvz.exe	89
PID 4596 wrote to memory of 1596	4596	ymliwsvz.exe	89
PID 4596 wrote to memory of 1596	4596	ymliwsvz.exe	89
PID 3124 wrote to memory of 3860	3124	Explorer.EXE	90
PID 3124 wrote to memory of 3860	3124	Explorer.EXE	90
PID 3124 wrote to memory of 3860	3124	Explorer.EXE	90
PID 3860 wrote to memory of 4832	3860	wscript.exe	91
PID 3860 wrote to memory of 4832	3860	wscript.exe	91
PID 3860 wrote to memory of 4832	3860	wscript.exe	91

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3124
- C:\Users\Admin\AppData\Local\Temp\alleromac2.1.exe
  "C:\Users\Admin\AppData\Local\Temp\alleromac2.1.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4164
- - C:\Users\Admin\AppData\Local\Temp\ymliwsvz.exe
    "C:\Users\Admin\AppData\Local\Temp\ymliwsvz.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4596
  - - C:\Users\Admin\AppData\Local\Temp\ymliwsvz.exe
      "C:\Users\Admin\AppData\Local\Temp\ymliwsvz.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:1596
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\SysWOW64\wscript.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3860
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\ymliwsvz.exe"
    3⤵
    PID:4832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bjheczp.jf

Filesize
205KB

MD5
fe4a9491e389a60d19c3bca59aad5531

SHA1
4d6680108ee312e403f3d90d03d18cda0803ac4a

SHA256
090c04c39da723c90a23a64a76e520ee3d9c7e6bc45216432f1f83261b161563

SHA512
3e57429d0c643b856d568ea798096cdf7c44b1f6971359be2a45a13f94f945742cadf54a2c99c050d710f56a475bf07b78d4203f39251b11986bdd3044504885

Download Submit
C:\Users\Admin\AppData\Local\Temp\ymliwsvz.exe

Filesize
152KB

MD5
59bc9c036a6cd7766c543923cfac8ccc

SHA1
88be8e75387622245468c4c68c4596294251c0b5

SHA256
267acf1a00514b1e9e75b5cc36d1366b07ef990341821d3e404f5a5a56d38934

SHA512
3da4b0fb2e417b6f6437524008d8c7cd228198e4742f55850fb399a4ecfebb0e0ec563bcf2974fc9a67fee938d73ec29fed6d618682cb25a471792923ca54987

Download Submit
C:\Users\Admin\AppData\Local\Temp\ymliwsvz.exe

Filesize
152KB

MD5
59bc9c036a6cd7766c543923cfac8ccc

SHA1
88be8e75387622245468c4c68c4596294251c0b5

SHA256
267acf1a00514b1e9e75b5cc36d1366b07ef990341821d3e404f5a5a56d38934

SHA512
3da4b0fb2e417b6f6437524008d8c7cd228198e4742f55850fb399a4ecfebb0e0ec563bcf2974fc9a67fee938d73ec29fed6d618682cb25a471792923ca54987

Download Submit
C:\Users\Admin\AppData\Local\Temp\ymliwsvz.exe

Filesize
152KB

MD5
59bc9c036a6cd7766c543923cfac8ccc

SHA1
88be8e75387622245468c4c68c4596294251c0b5

SHA256
267acf1a00514b1e9e75b5cc36d1366b07ef990341821d3e404f5a5a56d38934

SHA512
3da4b0fb2e417b6f6437524008d8c7cd228198e4742f55850fb399a4ecfebb0e0ec563bcf2974fc9a67fee938d73ec29fed6d618682cb25a471792923ca54987

Download Submit
memory/1596-12-0x00000000006C0000-0x00000000006D5000-memory.dmp

Filesize
84KB

Download
memory/1596-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1596-9-0x00000000009E0000-0x0000000000D2A000-memory.dmp

Filesize
3.3MB

Download
memory/1596-11-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3124-21-0x0000000007670000-0x0000000007726000-memory.dmp

Filesize
728KB

Download
memory/3124-13-0x0000000007670000-0x0000000007726000-memory.dmp

Filesize
728KB

Download
memory/3124-24-0x0000000008970000-0x0000000008A9D000-memory.dmp

Filesize
1.2MB

Download
memory/3124-25-0x0000000008970000-0x0000000008A9D000-memory.dmp

Filesize
1.2MB

Download
memory/3124-27-0x0000000008970000-0x0000000008A9D000-memory.dmp

Filesize
1.2MB

Download
memory/3860-15-0x0000000000510000-0x0000000000537000-memory.dmp

Filesize
156KB

Download
memory/3860-17-0x0000000000510000-0x0000000000537000-memory.dmp

Filesize
156KB

Download
memory/3860-18-0x0000000000D90000-0x0000000000DBF000-memory.dmp

Filesize
188KB

Download
memory/3860-19-0x0000000003130000-0x000000000347A000-memory.dmp

Filesize
3.3MB

Download
memory/3860-20-0x0000000000D90000-0x0000000000DBF000-memory.dmp

Filesize
188KB

Download
memory/3860-23-0x0000000002F70000-0x0000000003004000-memory.dmp

Filesize
592KB

Download
memory/4596-5-0x0000000000580000-0x0000000000582000-memory.dmp

Filesize
8KB

Download