formbook | 1c859efff6b87e725cbc02d9b8e383488f243ad2eef13793ef2a2e2ec31bc4ce

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
10-10-2023 16:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

komut onayı.exe
Size

309KB
MD5

b39a94908d4fe100dc9187de974a365c
SHA1

6882de6ac7ac89779fc9bd59c0f4499b5aa43e71
SHA256

68e6d2750f1617386ddf6ad75b2d03e1b6522e64fd7da365235e7041faa60dbe
SHA512

e5e1c8331c598ae99b732d79188b91b2116ea4e13fe239c83755269c29fe272ccecade3ba0cc4e5e0f97a1427ab45c70db8d9366fb1775041ad8fd4e485ac3fc
SSDEEP

6144:pXFKo5lJFjoGeThVuSqdEcimyOGNIm0DLJpg2KvkgcOFM6Te:pXRJ+vuPdEcsIm4LRwk92e

Score

10^/10

formbook dz01 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dz01

Decoy

advisoros.com

harmonyhomeinteriorstx.net

nyhfqrqvxg.com

fugentrade.com

geasme.com

shopsolary.com

wildwasser.club

henryclarkandassociate.com

klodytb.xyz

jsjnbf.com

vivelosupport.com

dealflowrealestate.com

piabellacasino346.com

wdkilat.site

djpedrocruz.com

fmovies.coach

auroreal.com

1win-esw15.fun

hmdfxx.com

gems-spot.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/4068-7-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4068-11-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/380-18-0x00000000010A0000-0x00000000010CF000-memory.dmp	formbook
behavioral2/memory/380-21-0x00000000010A0000-0x00000000010CF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

pid	Process
3860	tprrb.exe
4068	tprrb.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3860 set thread context of 4068	3860	tprrb.exe	87
PID 4068 set thread context of 3224	4068	tprrb.exe	44
PID 380 set thread context of 3224	380	cmmon32.exe	44

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
4068	tprrb.exe
4068	tprrb.exe
4068	tprrb.exe
4068	tprrb.exe
380	cmmon32.exe
380	cmmon32.exe
380	cmmon32.exe
380	cmmon32.exe
380	cmmon32.exe
380	cmmon32.exe
380	cmmon32.exe
380	cmmon32.exe
380	cmmon32.exe
380	cmmon32.exe
380	cmmon32.exe
380	cmmon32.exe
380	cmmon32.exe
380	cmmon32.exe
380	cmmon32.exe
380	cmmon32.exe
380	cmmon32.exe
380	cmmon32.exe
380	cmmon32.exe
380	cmmon32.exe
380	cmmon32.exe
380	cmmon32.exe
380	cmmon32.exe
380	cmmon32.exe
380	cmmon32.exe
380	cmmon32.exe
380	cmmon32.exe
380	cmmon32.exe
380	cmmon32.exe
380	cmmon32.exe
380	cmmon32.exe
380	cmmon32.exe
380	cmmon32.exe
380	cmmon32.exe
380	cmmon32.exe
380	cmmon32.exe
380	cmmon32.exe
380	cmmon32.exe
380	cmmon32.exe
380	cmmon32.exe
380	cmmon32.exe
380	cmmon32.exe
380	cmmon32.exe
380	cmmon32.exe
380	cmmon32.exe
380	cmmon32.exe
380	cmmon32.exe
380	cmmon32.exe
380	cmmon32.exe
380	cmmon32.exe
380	cmmon32.exe
380	cmmon32.exe
380	cmmon32.exe
380	cmmon32.exe
380	cmmon32.exe
380	cmmon32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3224	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
3860	tprrb.exe
4068	tprrb.exe
4068	tprrb.exe
4068	tprrb.exe
380	cmmon32.exe
380	cmmon32.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	4068	tprrb.exe
Token: SeDebugPrivilege	380	cmmon32.exe
Token: SeShutdownPrivilege	3224	Explorer.EXE
Token: SeCreatePagefilePrivilege	3224	Explorer.EXE
Token: SeShutdownPrivilege	3224	Explorer.EXE
Token: SeCreatePagefilePrivilege	3224	Explorer.EXE
Token: SeShutdownPrivilege	3224	Explorer.EXE
Token: SeCreatePagefilePrivilege	3224	Explorer.EXE
Token: SeShutdownPrivilege	3224	Explorer.EXE
Token: SeCreatePagefilePrivilege	3224	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3224	Explorer.EXE
3224	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3224	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 3860	1316	komut onayı.exe	85
PID 1316 wrote to memory of 3860	1316	komut onayı.exe	85
PID 1316 wrote to memory of 3860	1316	komut onayı.exe	85
PID 3860 wrote to memory of 4068	3860	tprrb.exe	87
PID 3860 wrote to memory of 4068	3860	tprrb.exe	87
PID 3860 wrote to memory of 4068	3860	tprrb.exe	87
PID 3860 wrote to memory of 4068	3860	tprrb.exe	87
PID 3224 wrote to memory of 380	3224	Explorer.EXE	88
PID 3224 wrote to memory of 380	3224	Explorer.EXE	88
PID 3224 wrote to memory of 380	3224	Explorer.EXE	88
PID 380 wrote to memory of 4716	380	cmmon32.exe	95
PID 380 wrote to memory of 4716	380	cmmon32.exe	95
PID 380 wrote to memory of 4716	380	cmmon32.exe	95

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3224
- C:\Users\Admin\AppData\Local\Temp\komut onayı.exe
  "C:\Users\Admin\AppData\Local\Temp\komut onayı.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\Users\Admin\AppData\Local\Temp\tprrb.exe
    "C:\Users\Admin\AppData\Local\Temp\tprrb.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:3860
  - - C:\Users\Admin\AppData\Local\Temp\tprrb.exe
      "C:\Users\Admin\AppData\Local\Temp\tprrb.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:4068
- C:\Windows\SysWOW64\cmmon32.exe
  "C:\Windows\SysWOW64\cmmon32.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:380
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\tprrb.exe"
    3⤵
    PID:4716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ibdzhnjhhdu.pyz

Filesize
205KB

MD5
f23609fe08cd99fc04733ac68591b864

SHA1
66f23c37876a21e7c9503f1023829151a00d0edd

SHA256
f427ef9be98a8ab70e4657005db8c1f21cb5ddd114a61e4771d5e00533177ad4

SHA512
82095739186f9aec80349b483deaeda8b84933880a5f2bc0e3a5500e03968f3fea1840932baa15e7f2cc456d36055b155469391a0c240191801f0de0d5ea262a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tprrb.exe

Filesize
167KB

MD5
0e0d3fbb1384ba3e1b32039037c01533

SHA1
ce6d2675f5e8dbdf806261f82ee72fda1eb0d254

SHA256
48e400a800ad9748933ba9c106d9fa75fbc2526c231412afd62b678e14c69a78

SHA512
ffe264a99dbdacd6fd2c718501e70fc5e62cb87ff7739779e90f3ba33e17f6126848233b9e50fd91c6c8d7ba4cdd42145a3de4f3506744b5d8fd638500ab8713

Download Submit
C:\Users\Admin\AppData\Local\Temp\tprrb.exe

Filesize
167KB

MD5
0e0d3fbb1384ba3e1b32039037c01533

SHA1
ce6d2675f5e8dbdf806261f82ee72fda1eb0d254

SHA256
48e400a800ad9748933ba9c106d9fa75fbc2526c231412afd62b678e14c69a78

SHA512
ffe264a99dbdacd6fd2c718501e70fc5e62cb87ff7739779e90f3ba33e17f6126848233b9e50fd91c6c8d7ba4cdd42145a3de4f3506744b5d8fd638500ab8713

Download Submit
C:\Users\Admin\AppData\Local\Temp\tprrb.exe

Filesize
167KB

MD5
0e0d3fbb1384ba3e1b32039037c01533

SHA1
ce6d2675f5e8dbdf806261f82ee72fda1eb0d254

SHA256
48e400a800ad9748933ba9c106d9fa75fbc2526c231412afd62b678e14c69a78

SHA512
ffe264a99dbdacd6fd2c718501e70fc5e62cb87ff7739779e90f3ba33e17f6126848233b9e50fd91c6c8d7ba4cdd42145a3de4f3506744b5d8fd638500ab8713

Download Submit
memory/380-21-0x00000000010A0000-0x00000000010CF000-memory.dmp

Filesize
188KB

Download
memory/380-15-0x00000000004A0000-0x00000000004AC000-memory.dmp

Filesize
48KB

Download
memory/380-23-0x0000000002E00000-0x0000000002E93000-memory.dmp

Filesize
588KB

Download
memory/380-19-0x00000000030D0000-0x000000000341A000-memory.dmp

Filesize
3.3MB

Download
memory/380-18-0x00000000010A0000-0x00000000010CF000-memory.dmp

Filesize
188KB

Download
memory/380-17-0x00000000004A0000-0x00000000004AC000-memory.dmp

Filesize
48KB

Download
memory/3224-20-0x0000000008630000-0x000000000875E000-memory.dmp

Filesize
1.2MB

Download
memory/3224-13-0x0000000008630000-0x000000000875E000-memory.dmp

Filesize
1.2MB

Download
memory/3224-24-0x0000000007EF0000-0x0000000007FDF000-memory.dmp

Filesize
956KB

Download
memory/3224-25-0x0000000007EF0000-0x0000000007FDF000-memory.dmp

Filesize
956KB

Download
memory/3224-27-0x0000000007EF0000-0x0000000007FDF000-memory.dmp

Filesize
956KB

Download
memory/3860-5-0x00000000009D0000-0x00000000009D2000-memory.dmp

Filesize
8KB

Download
memory/4068-12-0x00000000006D0000-0x00000000006E4000-memory.dmp

Filesize
80KB

Download
memory/4068-11-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4068-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4068-9-0x0000000000B60000-0x0000000000EAA000-memory.dmp

Filesize
3.3MB

Download