formbook | 1c859efff6b87e725cbc02d9b8e383488f243ad2eef13793ef2a2e2ec31bc4ce

Analysis

max time kernel
146s
max time network
121s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
10-10-2023 16:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

komut onayı.exe
Size

309KB
MD5

b39a94908d4fe100dc9187de974a365c
SHA1

6882de6ac7ac89779fc9bd59c0f4499b5aa43e71
SHA256

68e6d2750f1617386ddf6ad75b2d03e1b6522e64fd7da365235e7041faa60dbe
SHA512

e5e1c8331c598ae99b732d79188b91b2116ea4e13fe239c83755269c29fe272ccecade3ba0cc4e5e0f97a1427ab45c70db8d9366fb1775041ad8fd4e485ac3fc
SSDEEP

6144:pXFKo5lJFjoGeThVuSqdEcimyOGNIm0DLJpg2KvkgcOFM6Te:pXRJ+vuPdEcsIm4LRwk92e

Score

10^/10

formbook dz01 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dz01

Decoy

advisoros.com

harmonyhomeinteriorstx.net

nyhfqrqvxg.com

fugentrade.com

geasme.com

shopsolary.com

wildwasser.club

henryclarkandassociate.com

klodytb.xyz

jsjnbf.com

vivelosupport.com

dealflowrealestate.com

piabellacasino346.com

wdkilat.site

djpedrocruz.com

fmovies.coach

auroreal.com

1win-esw15.fun

hmdfxx.com

gems-spot.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/2448-13-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2448-17-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2536-25-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/2536-27-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

pid	Process
2476	tprrb.exe
2448	tprrb.exe

Loads dropped DLL 3 IoCs

pid	Process
2208	komut onayı.exe
2208	komut onayı.exe
2476	tprrb.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2476 set thread context of 2448	2476	tprrb.exe	29
PID 2448 set thread context of 1228	2448	tprrb.exe	17
PID 2536 set thread context of 1228	2536	cmmon32.exe	17

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2448	tprrb.exe
2448	tprrb.exe
2536	cmmon32.exe
2536	cmmon32.exe
2536	cmmon32.exe
2536	cmmon32.exe
2536	cmmon32.exe
2536	cmmon32.exe
2536	cmmon32.exe
2536	cmmon32.exe
2536	cmmon32.exe
2536	cmmon32.exe
2536	cmmon32.exe
2536	cmmon32.exe
2536	cmmon32.exe
2536	cmmon32.exe
2536	cmmon32.exe
2536	cmmon32.exe
2536	cmmon32.exe
2536	cmmon32.exe
2536	cmmon32.exe
2536	cmmon32.exe
2536	cmmon32.exe
2536	cmmon32.exe
2536	cmmon32.exe
2536	cmmon32.exe
2536	cmmon32.exe
2536	cmmon32.exe
2536	cmmon32.exe
2536	cmmon32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1228	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2476	tprrb.exe
2448	tprrb.exe
2448	tprrb.exe
2448	tprrb.exe
2536	cmmon32.exe
2536	cmmon32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2448	tprrb.exe
Token: SeDebugPrivilege	2536	cmmon32.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2476	2208	komut onayı.exe	28
PID 2208 wrote to memory of 2476	2208	komut onayı.exe	28
PID 2208 wrote to memory of 2476	2208	komut onayı.exe	28
PID 2208 wrote to memory of 2476	2208	komut onayı.exe	28
PID 2476 wrote to memory of 2448	2476	tprrb.exe	29
PID 2476 wrote to memory of 2448	2476	tprrb.exe	29
PID 2476 wrote to memory of 2448	2476	tprrb.exe	29
PID 2476 wrote to memory of 2448	2476	tprrb.exe	29
PID 2476 wrote to memory of 2448	2476	tprrb.exe	29
PID 1228 wrote to memory of 2536	1228	Explorer.EXE	60
PID 1228 wrote to memory of 2536	1228	Explorer.EXE	60
PID 1228 wrote to memory of 2536	1228	Explorer.EXE	60
PID 1228 wrote to memory of 2536	1228	Explorer.EXE	60
PID 2536 wrote to memory of 1144	2536	cmmon32.exe	61
PID 2536 wrote to memory of 1144	2536	cmmon32.exe	61
PID 2536 wrote to memory of 1144	2536	cmmon32.exe	61
PID 2536 wrote to memory of 1144	2536	cmmon32.exe	61

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Users\Admin\AppData\Local\Temp\komut onayı.exe
  "C:\Users\Admin\AppData\Local\Temp\komut onayı.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Users\Admin\AppData\Local\Temp\tprrb.exe
    "C:\Users\Admin\AppData\Local\Temp\tprrb.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Users\Admin\AppData\Local\Temp\tprrb.exe
      "C:\Users\Admin\AppData\Local\Temp\tprrb.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2448
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2092
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2656
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2664
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2744
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2756
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2788
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2804
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2896
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2668
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2660
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2640
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:276
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2648
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2528
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2760
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2728
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2688
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2880
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2676
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:2040
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:2820
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:2852
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:2828
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:2544
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:1288
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:2680
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:2568
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:2628
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:2520
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:2516
- C:\Windows\SysWOW64\cmmon32.exe
  "C:\Windows\SysWOW64\cmmon32.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\tprrb.exe"
    3⤵
    PID:1144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ibdzhnjhhdu.pyz

Filesize
205KB

MD5
f23609fe08cd99fc04733ac68591b864

SHA1
66f23c37876a21e7c9503f1023829151a00d0edd

SHA256
f427ef9be98a8ab70e4657005db8c1f21cb5ddd114a61e4771d5e00533177ad4

SHA512
82095739186f9aec80349b483deaeda8b84933880a5f2bc0e3a5500e03968f3fea1840932baa15e7f2cc456d36055b155469391a0c240191801f0de0d5ea262a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tprrb.exe

Filesize
167KB

MD5
0e0d3fbb1384ba3e1b32039037c01533

SHA1
ce6d2675f5e8dbdf806261f82ee72fda1eb0d254

SHA256
48e400a800ad9748933ba9c106d9fa75fbc2526c231412afd62b678e14c69a78

SHA512
ffe264a99dbdacd6fd2c718501e70fc5e62cb87ff7739779e90f3ba33e17f6126848233b9e50fd91c6c8d7ba4cdd42145a3de4f3506744b5d8fd638500ab8713

Download Submit
C:\Users\Admin\AppData\Local\Temp\tprrb.exe

Filesize
167KB

MD5
0e0d3fbb1384ba3e1b32039037c01533

SHA1
ce6d2675f5e8dbdf806261f82ee72fda1eb0d254

SHA256
48e400a800ad9748933ba9c106d9fa75fbc2526c231412afd62b678e14c69a78

SHA512
ffe264a99dbdacd6fd2c718501e70fc5e62cb87ff7739779e90f3ba33e17f6126848233b9e50fd91c6c8d7ba4cdd42145a3de4f3506744b5d8fd638500ab8713

Download Submit
C:\Users\Admin\AppData\Local\Temp\tprrb.exe

Filesize
167KB

MD5
0e0d3fbb1384ba3e1b32039037c01533

SHA1
ce6d2675f5e8dbdf806261f82ee72fda1eb0d254

SHA256
48e400a800ad9748933ba9c106d9fa75fbc2526c231412afd62b678e14c69a78

SHA512
ffe264a99dbdacd6fd2c718501e70fc5e62cb87ff7739779e90f3ba33e17f6126848233b9e50fd91c6c8d7ba4cdd42145a3de4f3506744b5d8fd638500ab8713

Download Submit
C:\Users\Admin\AppData\Local\Temp\tprrb.exe

Filesize
167KB

MD5
0e0d3fbb1384ba3e1b32039037c01533

SHA1
ce6d2675f5e8dbdf806261f82ee72fda1eb0d254

SHA256
48e400a800ad9748933ba9c106d9fa75fbc2526c231412afd62b678e14c69a78

SHA512
ffe264a99dbdacd6fd2c718501e70fc5e62cb87ff7739779e90f3ba33e17f6126848233b9e50fd91c6c8d7ba4cdd42145a3de4f3506744b5d8fd638500ab8713

Download Submit
\Users\Admin\AppData\Local\Temp\tprrb.exe

Filesize
167KB

MD5
0e0d3fbb1384ba3e1b32039037c01533

SHA1
ce6d2675f5e8dbdf806261f82ee72fda1eb0d254

SHA256
48e400a800ad9748933ba9c106d9fa75fbc2526c231412afd62b678e14c69a78

SHA512
ffe264a99dbdacd6fd2c718501e70fc5e62cb87ff7739779e90f3ba33e17f6126848233b9e50fd91c6c8d7ba4cdd42145a3de4f3506744b5d8fd638500ab8713

Download Submit
\Users\Admin\AppData\Local\Temp\tprrb.exe

Filesize
167KB

MD5
0e0d3fbb1384ba3e1b32039037c01533

SHA1
ce6d2675f5e8dbdf806261f82ee72fda1eb0d254

SHA256
48e400a800ad9748933ba9c106d9fa75fbc2526c231412afd62b678e14c69a78

SHA512
ffe264a99dbdacd6fd2c718501e70fc5e62cb87ff7739779e90f3ba33e17f6126848233b9e50fd91c6c8d7ba4cdd42145a3de4f3506744b5d8fd638500ab8713

Download Submit
\Users\Admin\AppData\Local\Temp\tprrb.exe

Filesize
167KB

MD5
0e0d3fbb1384ba3e1b32039037c01533

SHA1
ce6d2675f5e8dbdf806261f82ee72fda1eb0d254

SHA256
48e400a800ad9748933ba9c106d9fa75fbc2526c231412afd62b678e14c69a78

SHA512
ffe264a99dbdacd6fd2c718501e70fc5e62cb87ff7739779e90f3ba33e17f6126848233b9e50fd91c6c8d7ba4cdd42145a3de4f3506744b5d8fd638500ab8713

Download Submit
memory/1228-35-0x00000000070C0000-0x000000000721D000-memory.dmp

Filesize
1.4MB

Download
memory/1228-28-0x00000000042C0000-0x000000000437D000-memory.dmp

Filesize
756KB

Download
memory/1228-33-0x00000000070C0000-0x000000000721D000-memory.dmp

Filesize
1.4MB

Download
memory/1228-32-0x00000000070C0000-0x000000000721D000-memory.dmp

Filesize
1.4MB

Download
memory/1228-31-0x0000000003E60000-0x0000000004060000-memory.dmp

Filesize
2.0MB

Download
memory/1228-19-0x0000000002EE0000-0x0000000002FE0000-memory.dmp

Filesize
1024KB

Download
memory/1228-20-0x00000000042C0000-0x000000000437D000-memory.dmp

Filesize
756KB

Download
memory/2448-18-0x0000000000480000-0x0000000000494000-memory.dmp

Filesize
80KB

Download
memory/2448-17-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2448-15-0x0000000000740000-0x0000000000A43000-memory.dmp

Filesize
3.0MB

Download
memory/2448-13-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2476-9-0x00000000003A0000-0x00000000003A2000-memory.dmp

Filesize
8KB

Download
memory/2536-24-0x00000000000E0000-0x00000000000ED000-memory.dmp

Filesize
52KB

Download
memory/2536-25-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/2536-26-0x0000000001FC0000-0x00000000022C3000-memory.dmp

Filesize
3.0MB

Download
memory/2536-27-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/2536-22-0x00000000000E0000-0x00000000000ED000-memory.dmp

Filesize
52KB

Download
memory/2536-30-0x00000000004A0000-0x0000000000533000-memory.dmp

Filesize
588KB

Download