formbook | ecd04804617988e39d5f075e021f6403a33b688ef388f75b897e4c4f7e21e466

Analysis

max time kernel
62s
max time network
37s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 04:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

327KB
MD5

7ff646fbaa5bb955d1b0cfaffaf61cb2
SHA1

91f6d86cc0cb5ef9860752d10315ce65a6b6fb3c
SHA256

ecd04804617988e39d5f075e021f6403a33b688ef388f75b897e4c4f7e21e466
SHA512

99a6eac16659c579f4a4176861148d3c2c56099eec95f3e1dd4d0ff18e7f87e8db792f3b5c03b16f9d62c5fd16e9f6e37ed79bb4a4bf63d3b286a1aeb5702eb9
SSDEEP

6144:vYa6iwngrjoJm3rXSpywnBRwA6QfGO4LiC6aAV4Fii6RhUCpOMLILE6cv3ciy:vY0CgrcM7XSpfBRCQe9ujRRlTOEZ4

Score

10^/10

formbook sy22 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

sy22

Decoy

vinteligencia.com

displayfridges.fun

completetip.com

giallozafferrano.com

jizihao1.com

mysticheightstrail.com

fourseasonslb.com

kjnala.shop

mosiacwall.com

vandistreet.com

gracefullytouchedartistry.com

hbiwhwr.shop

mfmz.net

hrmbrillianz.com

funwarsztat.com

polewithcandy.com

ourrajasthan.com

wilhouettteamerica.com

johnnystintshop.com

asgnelwin.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/2716-10-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

pid	Process
2180	bhkgnm.exe
2716	bhkgnm.exe

Loads dropped DLL 5 IoCs

pid	Process
2796	tmp.exe
2180	bhkgnm.exe
2640	WerFault.exe
2640	WerFault.exe
2640	WerFault.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2180 set thread context of 2716	2180	bhkgnm.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2640	2716	WerFault.exe	30

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2180	bhkgnm.exe
2180	bhkgnm.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 2180	2796	tmp.exe	29
PID 2796 wrote to memory of 2180	2796	tmp.exe	29
PID 2796 wrote to memory of 2180	2796	tmp.exe	29
PID 2796 wrote to memory of 2180	2796	tmp.exe	29
PID 2180 wrote to memory of 2716	2180	bhkgnm.exe	30
PID 2180 wrote to memory of 2716	2180	bhkgnm.exe	30
PID 2180 wrote to memory of 2716	2180	bhkgnm.exe	30
PID 2180 wrote to memory of 2716	2180	bhkgnm.exe	30
PID 2180 wrote to memory of 2716	2180	bhkgnm.exe	30
PID 2716 wrote to memory of 2640	2716	bhkgnm.exe	31
PID 2716 wrote to memory of 2640	2716	bhkgnm.exe	31
PID 2716 wrote to memory of 2640	2716	bhkgnm.exe	31
PID 2716 wrote to memory of 2640	2716	bhkgnm.exe	31

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Users\Admin\AppData\Local\Temp\bhkgnm.exe
  "C:\Users\Admin\AppData\Local\Temp\bhkgnm.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Users\Admin\AppData\Local\Temp\bhkgnm.exe
    "C:\Users\Admin\AppData\Local\Temp\bhkgnm.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 36
      4⤵
      Loads dropped DLL
      Program crash
      PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bhkgnm.exe

Filesize
194KB

MD5
eab8e6995213ca81ec2579ae8454d658

SHA1
990ca146cdc55c347f20325f61d0a579c59cd175

SHA256
c73c0e3afe2d95420d4ac987143bb32d5e761a22acaafaa1e0dc35b2140efe76

SHA512
c1e8e2cfa84724009a6682c464c9075684fedd2cd902c5a537ceb0e82bd8d2dc83a7295f6bc3441d7710d1b29cad176e445d60550c2032055dddf5047e4bda40

Download Submit
C:\Users\Admin\AppData\Local\Temp\bhkgnm.exe

Filesize
194KB

MD5
eab8e6995213ca81ec2579ae8454d658

SHA1
990ca146cdc55c347f20325f61d0a579c59cd175

SHA256
c73c0e3afe2d95420d4ac987143bb32d5e761a22acaafaa1e0dc35b2140efe76

SHA512
c1e8e2cfa84724009a6682c464c9075684fedd2cd902c5a537ceb0e82bd8d2dc83a7295f6bc3441d7710d1b29cad176e445d60550c2032055dddf5047e4bda40

Download Submit
C:\Users\Admin\AppData\Local\Temp\bhkgnm.exe

Filesize
194KB

MD5
eab8e6995213ca81ec2579ae8454d658

SHA1
990ca146cdc55c347f20325f61d0a579c59cd175

SHA256
c73c0e3afe2d95420d4ac987143bb32d5e761a22acaafaa1e0dc35b2140efe76

SHA512
c1e8e2cfa84724009a6682c464c9075684fedd2cd902c5a537ceb0e82bd8d2dc83a7295f6bc3441d7710d1b29cad176e445d60550c2032055dddf5047e4bda40

Download Submit
C:\Users\Admin\AppData\Local\Temp\cqrse.ily

Filesize
205KB

MD5
a453cea43f21db1509d89404630b842d

SHA1
2c97d2e24d9c6464666ddee5063fac4978f0524c

SHA256
f729f6645338d7e33cdc873d1c3e4b9b5d8e76c677b29f2a75aa4a865d78c86a

SHA512
bcdfe0fd6080e3167fb3d597829b25a9a257280ab620f19160cae76851749ed53aea4ef6211d0d5563fed2ff98a0d3513e9489caedf42aff21aa7b0a4c220a46

Download Submit
\Users\Admin\AppData\Local\Temp\bhkgnm.exe

Filesize
194KB

MD5
eab8e6995213ca81ec2579ae8454d658

SHA1
990ca146cdc55c347f20325f61d0a579c59cd175

SHA256
c73c0e3afe2d95420d4ac987143bb32d5e761a22acaafaa1e0dc35b2140efe76

SHA512
c1e8e2cfa84724009a6682c464c9075684fedd2cd902c5a537ceb0e82bd8d2dc83a7295f6bc3441d7710d1b29cad176e445d60550c2032055dddf5047e4bda40

Download Submit
\Users\Admin\AppData\Local\Temp\bhkgnm.exe

Filesize
194KB

MD5
eab8e6995213ca81ec2579ae8454d658

SHA1
990ca146cdc55c347f20325f61d0a579c59cd175

SHA256
c73c0e3afe2d95420d4ac987143bb32d5e761a22acaafaa1e0dc35b2140efe76

SHA512
c1e8e2cfa84724009a6682c464c9075684fedd2cd902c5a537ceb0e82bd8d2dc83a7295f6bc3441d7710d1b29cad176e445d60550c2032055dddf5047e4bda40

Download Submit
\Users\Admin\AppData\Local\Temp\bhkgnm.exe

Filesize
194KB

MD5
eab8e6995213ca81ec2579ae8454d658

SHA1
990ca146cdc55c347f20325f61d0a579c59cd175

SHA256
c73c0e3afe2d95420d4ac987143bb32d5e761a22acaafaa1e0dc35b2140efe76

SHA512
c1e8e2cfa84724009a6682c464c9075684fedd2cd902c5a537ceb0e82bd8d2dc83a7295f6bc3441d7710d1b29cad176e445d60550c2032055dddf5047e4bda40

Download Submit
\Users\Admin\AppData\Local\Temp\bhkgnm.exe

Filesize
194KB

MD5
eab8e6995213ca81ec2579ae8454d658

SHA1
990ca146cdc55c347f20325f61d0a579c59cd175

SHA256
c73c0e3afe2d95420d4ac987143bb32d5e761a22acaafaa1e0dc35b2140efe76

SHA512
c1e8e2cfa84724009a6682c464c9075684fedd2cd902c5a537ceb0e82bd8d2dc83a7295f6bc3441d7710d1b29cad176e445d60550c2032055dddf5047e4bda40

Download Submit
\Users\Admin\AppData\Local\Temp\bhkgnm.exe

Filesize
194KB

MD5
eab8e6995213ca81ec2579ae8454d658

SHA1
990ca146cdc55c347f20325f61d0a579c59cd175

SHA256
c73c0e3afe2d95420d4ac987143bb32d5e761a22acaafaa1e0dc35b2140efe76

SHA512
c1e8e2cfa84724009a6682c464c9075684fedd2cd902c5a537ceb0e82bd8d2dc83a7295f6bc3441d7710d1b29cad176e445d60550c2032055dddf5047e4bda40

Download Submit
memory/2180-6-0x00000000000F0000-0x00000000000F2000-memory.dmp

Filesize
8KB

Download
memory/2716-10-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download