formbook | 6c8bb939433b05a8b56b08ef68f8c5b5f396bc2b5454ec09d4ee1654951ff463

Analysis

max time kernel
148s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
08/10/2023, 15:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DHL-081023.exe
Size

1005KB
MD5

e9577305797da56c4538f35d2da1e6ef
SHA1

4b19ed069368fa3b9433c9c8d8b4a050dfae77bc
SHA256

6c8bb939433b05a8b56b08ef68f8c5b5f396bc2b5454ec09d4ee1654951ff463
SHA512

28427e4d980c8aceb27fe0fd31275bf7fbf6fdac1b9730c80ff9e3917c6b064b0a605f83c0df3fd7cc0642305797e159711ffe5f94f6aaa3d42d3cc8373077f5
SSDEEP

24576:NTbBv5rUanWnNr75xArQDF8XhV+dFGa6mPcyGJzQfs8FiNGVDoB:HBjWnd7HbghVRoGBQfookB

Score

10^/10

formbook hesf rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

hesf

Decoy

rizublog-aromama-a.com

87b52.club

allportablepower.com

brownkrosshui.com

schuobu.fun

qevtjrobrb.xyz

throne-rooms.com

hostcheker.net

buzztsunamiloja.com

kkudatogel27.com

91fulizifen.com

148secretbet.com

outlookthailand.com

zonaduniabet.net

boursobankk.com

tuneuphypnosis.com

sahabatzulhelmi.com

usbulletinnow.com

durdurdarshi.com

zz-agency.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 8 IoCs

rat

resource	yara_rule
behavioral2/memory/60-71-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3996-72-0x0000000000400000-0x00000000009CD000-memory.dmp	formbook
behavioral2/memory/3996-77-0x0000000000400000-0x00000000009CD000-memory.dmp	formbook
behavioral2/memory/60-79-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2092-85-0x0000000000800000-0x000000000082F000-memory.dmp	formbook
behavioral2/memory/3252-88-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3252-119-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2092-122-0x0000000000800000-0x000000000082F000-memory.dmp	formbook

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	DHL-081023.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
4780	taol.dll

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 4780 set thread context of 60	4780	taol.dll	105
PID 4780 set thread context of 3996	4780	taol.dll	104
PID 3996 set thread context of 3208	3996	RegSvcs.exe	55
PID 60 set thread context of 3208	60	RegSvcs.exe	55
PID 2092 set thread context of 3208	2092	ipconfig.exe	55

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1892	ipconfig.exe
2092	ipconfig.exe
3252	ipconfig.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings	DHL-081023.exe
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4780	taol.dll
4780	taol.dll
4780	taol.dll
4780	taol.dll
4780	taol.dll
4780	taol.dll
4780	taol.dll
4780	taol.dll
4780	taol.dll
4780	taol.dll
4780	taol.dll
4780	taol.dll
3996	RegSvcs.exe
3996	RegSvcs.exe
60	RegSvcs.exe
60	RegSvcs.exe
3996	RegSvcs.exe
3996	RegSvcs.exe
60	RegSvcs.exe
60	RegSvcs.exe
2092	ipconfig.exe
2092	ipconfig.exe
3252	ipconfig.exe
3252	ipconfig.exe
2092	ipconfig.exe
2092	ipconfig.exe
2092	ipconfig.exe
2092	ipconfig.exe
2092	ipconfig.exe
2092	ipconfig.exe
2092	ipconfig.exe
2092	ipconfig.exe
2092	ipconfig.exe
2092	ipconfig.exe
2092	ipconfig.exe
2092	ipconfig.exe
2092	ipconfig.exe
2092	ipconfig.exe
2092	ipconfig.exe
2092	ipconfig.exe
2092	ipconfig.exe
2092	ipconfig.exe
2092	ipconfig.exe
2092	ipconfig.exe
2092	ipconfig.exe
2092	ipconfig.exe
2092	ipconfig.exe
2092	ipconfig.exe
2092	ipconfig.exe
2092	ipconfig.exe
2092	ipconfig.exe
2092	ipconfig.exe
2092	ipconfig.exe
2092	ipconfig.exe
2092	ipconfig.exe
2092	ipconfig.exe
2092	ipconfig.exe
2092	ipconfig.exe
2092	ipconfig.exe
2092	ipconfig.exe
2092	ipconfig.exe
2092	ipconfig.exe
2092	ipconfig.exe
2092	ipconfig.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3208	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
3996	RegSvcs.exe
60	RegSvcs.exe
3996	RegSvcs.exe
3996	RegSvcs.exe
60	RegSvcs.exe
60	RegSvcs.exe
2092	ipconfig.exe
2092	ipconfig.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	3996	RegSvcs.exe
Token: SeDebugPrivilege	60	RegSvcs.exe
Token: SeShutdownPrivilege	3208	Explorer.EXE
Token: SeCreatePagefilePrivilege	3208	Explorer.EXE
Token: SeShutdownPrivilege	3208	Explorer.EXE
Token: SeCreatePagefilePrivilege	3208	Explorer.EXE
Token: SeShutdownPrivilege	3208	Explorer.EXE
Token: SeCreatePagefilePrivilege	3208	Explorer.EXE
Token: SeDebugPrivilege	2092	ipconfig.exe
Token: SeShutdownPrivilege	3208	Explorer.EXE
Token: SeCreatePagefilePrivilege	3208	Explorer.EXE
Token: SeShutdownPrivilege	3208	Explorer.EXE
Token: SeCreatePagefilePrivilege	3208	Explorer.EXE
Token: SeDebugPrivilege	3252	ipconfig.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3208	Explorer.EXE

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 4968 wrote to memory of 1156	4968	DHL-081023.exe	86
PID 4968 wrote to memory of 1156	4968	DHL-081023.exe	86
PID 4968 wrote to memory of 1156	4968	DHL-081023.exe	86
PID 1156 wrote to memory of 1480	1156	WScript.exe	94
PID 1156 wrote to memory of 1480	1156	WScript.exe	94
PID 1156 wrote to memory of 1480	1156	WScript.exe	94
PID 1480 wrote to memory of 4780	1480	cmd.exe	96
PID 1480 wrote to memory of 4780	1480	cmd.exe	96
PID 1480 wrote to memory of 4780	1480	cmd.exe	96
PID 1156 wrote to memory of 2728	1156	WScript.exe	100
PID 1156 wrote to memory of 2728	1156	WScript.exe	100
PID 1156 wrote to memory of 2728	1156	WScript.exe	100
PID 2728 wrote to memory of 1892	2728	cmd.exe	102
PID 2728 wrote to memory of 1892	2728	cmd.exe	102
PID 2728 wrote to memory of 1892	2728	cmd.exe	102
PID 4780 wrote to memory of 3996	4780	taol.dll	104
PID 4780 wrote to memory of 3996	4780	taol.dll	104
PID 4780 wrote to memory of 3996	4780	taol.dll	104
PID 4780 wrote to memory of 60	4780	taol.dll	105
PID 4780 wrote to memory of 60	4780	taol.dll	105
PID 4780 wrote to memory of 60	4780	taol.dll	105
PID 4780 wrote to memory of 60	4780	taol.dll	105
PID 4780 wrote to memory of 60	4780	taol.dll	105
PID 4780 wrote to memory of 60	4780	taol.dll	105
PID 4780 wrote to memory of 3996	4780	taol.dll	104
PID 4780 wrote to memory of 3996	4780	taol.dll	104
PID 3208 wrote to memory of 3252	3208	Explorer.EXE	108
PID 3208 wrote to memory of 3252	3208	Explorer.EXE	108
PID 3208 wrote to memory of 3252	3208	Explorer.EXE	108
PID 3208 wrote to memory of 2092	3208	Explorer.EXE	107
PID 3208 wrote to memory of 2092	3208	Explorer.EXE	107
PID 3208 wrote to memory of 2092	3208	Explorer.EXE	107
PID 2092 wrote to memory of 4260	2092	ipconfig.exe	109
PID 2092 wrote to memory of 4260	2092	ipconfig.exe	109
PID 2092 wrote to memory of 4260	2092	ipconfig.exe	109

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3208
- C:\Users\Admin\AppData\Local\Temp\DHL-081023.exe
  "C:\Users\Admin\AppData\Local\Temp\DHL-081023.exe"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4968
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\opw-s.vbe"
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1156
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taol.dll hoxcaxg.msc
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1480
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\taol.dll
        
        taol.dll hoxcaxg.msc
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4780
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:3996
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:60
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ipconfig /renew
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2728
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /renew
        5⤵
        Gathers network information
        
        PID:1892
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:2124
- C:\Windows\SysWOW64\ipconfig.exe
  "C:\Windows\SysWOW64\ipconfig.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Gathers network information
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:4260
- C:\Windows\SysWOW64\ipconfig.exe
  "C:\Windows\SysWOW64\ipconfig.exe"
  2⤵
  - Gathers network information
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3252

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\bbcpmgvfqh.txt

Filesize
36KB

MD5
5da9afc278ffb2274a11e358952488b6

SHA1
03b59988b177d85196fa24ad16b3f479885a1225

SHA256
e6ddac6f7529b465d32ef9b859101978823c8548eb2abff81a24d4a157cb4f7c

SHA512
02f58173b7941cfa072129f3cc246659b09c97fe531aa8fb09a6c8c24a221d89feaf44392a29315817d0c981f3d8f33fff57dd1c3082b8832c8111620569f9e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\hoxcaxg.msc

Filesize
99.9MB

MD5
7ce501e5d4da15b684f8af06858b42bd

SHA1
6aa3bf27660d54c339e7bd4b62240af304958030

SHA256
7ba659601042af782be15538c14574e8607649547cb07815f385f257b7c9a4d7

SHA512
d86f9e0420bca82e9325038691c40c017fd0acc21fba48e27b347f2aa7b8510efe192d9a71674a0357c63c2872e494ad9b2763620029fc4fa12791efef490d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\opw-s.vbe

Filesize
52KB

MD5
e0eaf1e9ac5bf23c5fe44e27a1846835

SHA1
becc298f97effe56108d3cf51a4a827763bed2bf

SHA256
7c5feaf38228475be4d3396fafe423f0331f8d6d4ad8ba6f669d8739932daaa7

SHA512
39a0c9fc6f610ffaf3502e9ef4e5819ba5b649c5f351e9d87f6511415fd8b5d5b07733f9362704c3f2119d058d34a46a8795d984a51c2d77d808e4c5852bad0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\taol.dll

Filesize
925KB

MD5
874798cb576e238642281b10189b031c

SHA1
eafb30e710d557918533a6f10f09ca1f4227c77e

SHA256
e24858235af8c85aed95375be6dea083c7910917f78731ef4d195799e6f49713

SHA512
eaa0cff408fd3366813f1a80cf866bd590a885984a525d4a1b07fdf21c2d6df07c98fd0782050539f912a93b7df6a5a8831b676cb6200592995f108cb2659b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\vfgio.ssj

Filesize
352KB

MD5
8cddef3c2e89cfe5b2bc527cdf316725

SHA1
1a689db5e39e1e788605316d3524b50d499c84e2

SHA256
bf1169787491f2f717aa645277d678e34593aff8996044f1623dfa1b046d4352

SHA512
a85d6d2926765a256006fbdd9e0b3e62ff0f4ffe42a2c1b4f29269671ac4b5bf0eaad3b181814d6bbf89e7faf96134f1f2f850550c8c0ecbebe554803bd22586

Download Submit
memory/60-80-0x0000000001B30000-0x0000000001B44000-memory.dmp

Filesize
80KB

Download
memory/60-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/60-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/60-74-0x00000000017C0000-0x0000000001B0A000-memory.dmp

Filesize
3.3MB

Download
memory/2092-124-0x0000000000DE0000-0x0000000000E73000-memory.dmp

Filesize
588KB

Download
memory/2092-89-0x00000000010A0000-0x00000000013EA000-memory.dmp

Filesize
3.3MB

Download
memory/2092-85-0x0000000000800000-0x000000000082F000-memory.dmp

Filesize
188KB

Download
memory/2092-122-0x0000000000800000-0x000000000082F000-memory.dmp

Filesize
188KB

Download
memory/2092-83-0x0000000000B10000-0x0000000000B1B000-memory.dmp

Filesize
44KB

Download
memory/2092-84-0x0000000000B10000-0x0000000000B1B000-memory.dmp

Filesize
44KB

Download
memory/3208-128-0x000000000FAF0000-0x000000000FBEE000-memory.dmp

Filesize
1016KB

Download
memory/3208-125-0x000000000FAF0000-0x000000000FBEE000-memory.dmp

Filesize
1016KB

Download
memory/3208-82-0x000000000D1A0000-0x000000000D29B000-memory.dmp

Filesize
1004KB

Download
memory/3208-81-0x000000000D050000-0x000000000D196000-memory.dmp

Filesize
1.3MB

Download
memory/3208-120-0x000000000D050000-0x000000000D196000-memory.dmp

Filesize
1.3MB

Download
memory/3208-121-0x000000000D1A0000-0x000000000D29B000-memory.dmp

Filesize
1004KB

Download
memory/3208-126-0x000000000FAF0000-0x000000000FBEE000-memory.dmp

Filesize
1016KB

Download
memory/3252-86-0x0000000000B10000-0x0000000000B1B000-memory.dmp

Filesize
44KB

Download
memory/3252-87-0x0000000000B10000-0x0000000000B1B000-memory.dmp

Filesize
44KB

Download
memory/3252-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3252-114-0x0000000000E80000-0x00000000011CA000-memory.dmp

Filesize
3.3MB

Download
memory/3252-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3996-73-0x0000000001930000-0x0000000001C7A000-memory.dmp

Filesize
3.3MB

Download
memory/3996-78-0x0000000001380000-0x0000000001394000-memory.dmp

Filesize
80KB

Download
memory/3996-77-0x0000000000400000-0x00000000009CD000-memory.dmp

Filesize
5.8MB

Download
memory/3996-72-0x0000000000400000-0x00000000009CD000-memory.dmp

Filesize
5.8MB

Download