formbook | 6b73ab2cf730e26c8609e57d23e09260d6c74db84f29ae6f786129f7a3b6512b

Analysis

max time kernel
143s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2023 08:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

710KB
MD5

493562fc3240d634f797be4a433d72c7
SHA1

92569595aa0a20d9937bd03525a756dd35059d3b
SHA256

6b73ab2cf730e26c8609e57d23e09260d6c74db84f29ae6f786129f7a3b6512b
SHA512

70eb16d06d38d80cc4513962f6fbdeda54e6ec2bc30caa9fb112d3cd355b12c088426c823d3d4a3e315209b3fc908c0339e9cdc8de99462e87eba311f4801a75
SSDEEP

12288:406gna2iNP1UIkvEbtOgVt3KB6bxxXRZEG/p8fD5mcjtqlg6utz5l96OXaq:XTa1F14ot1aIxxAop+mc0g6MNa

Score

10^/10

formbook ro12 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ro12

Decoy

start399.com

decyfincoin.com

binguozhijiaok.com

one45.vip

55dy5s.top

regmt.pro

2ahxgaafifl.com

xn--6rtp2flvfc2h.com

justinmburns.com

los3.online

fleshaaikensdivinegiven7llc.com

servicedelv.services

apexcaryhomesforsale.com

shuraop.xyz

sagetotal.com

gratitude-et-compagnie.com

riderarea.com

digitalserviceact.online

contentbyc.com

agenda-digital-planner.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/5084-12-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/5084-17-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2044-23-0x0000000000D00000-0x0000000000D2F000-memory.dmp	formbook
behavioral2/memory/2044-25-0x0000000000D00000-0x0000000000D2F000-memory.dmp	formbook

Blocklisted process makes network request 1 IoCs

flow	pid	Process
382	2044	rundll32.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1708 set thread context of 5084	1708	tmp.exe	97
PID 5084 set thread context of 536	5084	tmp.exe	41
PID 2044 set thread context of 536	2044	rundll32.exe	41

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
1708	tmp.exe
1708	tmp.exe
1708	tmp.exe
1708	tmp.exe
1708	tmp.exe
1708	tmp.exe
1708	tmp.exe
5084	tmp.exe
5084	tmp.exe
5084	tmp.exe
5084	tmp.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
536	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
5084	tmp.exe
5084	tmp.exe
5084	tmp.exe
2044	rundll32.exe
2044	rundll32.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	1708	tmp.exe
Token: SeDebugPrivilege	5084	tmp.exe
Token: SeDebugPrivilege	2044	rundll32.exe
Token: SeShutdownPrivilege	536	Explorer.EXE
Token: SeCreatePagefilePrivilege	536	Explorer.EXE
Token: SeShutdownPrivilege	536	Explorer.EXE
Token: SeCreatePagefilePrivilege	536	Explorer.EXE
Token: SeManageVolumePrivilege	928	svchost.exe
Token: SeShutdownPrivilege	536	Explorer.EXE
Token: SeCreatePagefilePrivilege	536	Explorer.EXE
Token: SeShutdownPrivilege	536	Explorer.EXE
Token: SeCreatePagefilePrivilege	536	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
536	Explorer.EXE
536	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 5084	1708	tmp.exe	97
PID 1708 wrote to memory of 5084	1708	tmp.exe	97
PID 1708 wrote to memory of 5084	1708	tmp.exe	97
PID 1708 wrote to memory of 5084	1708	tmp.exe	97
PID 1708 wrote to memory of 5084	1708	tmp.exe	97
PID 1708 wrote to memory of 5084	1708	tmp.exe	97
PID 536 wrote to memory of 2044	536	Explorer.EXE	98
PID 536 wrote to memory of 2044	536	Explorer.EXE	98
PID 536 wrote to memory of 2044	536	Explorer.EXE	98
PID 2044 wrote to memory of 3028	2044	rundll32.exe	99
PID 2044 wrote to memory of 3028	2044	rundll32.exe	99
PID 2044 wrote to memory of 3028	2044	rundll32.exe	99

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:536
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:5084
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\SysWOW64\rundll32.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    3⤵
    PID:3028

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:2252

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:928

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

Filesize
16KB

MD5
f3a8dc2c817d8c561d16eeb581c0aaea

SHA1
494e97e17737ee6ad6eccc6f298113ecbeab0fc0

SHA256
2e7f851549c26aa6e0dd7b65c2bb9d910b56fe473296855b1eca26e312b51183

SHA512
29d4c1cf189a753db4af2eba9dbbd6938fc6a8f77d02e4f24f8f945e616d2bbf8c4f09a8b46b8b5dad6cdc1d2c1eeaf4b66e04c865b2cc3a06e9f545fb47a2c6

Download Submit
memory/536-58-0x00000000030F0000-0x0000000003100000-memory.dmp

Filesize
64KB

Download
memory/536-50-0x00000000030F0000-0x0000000003100000-memory.dmp

Filesize
64KB

Download
memory/536-38-0x00000000030F0000-0x0000000003100000-memory.dmp

Filesize
64KB

Download
memory/536-67-0x00000000030F0000-0x0000000003100000-memory.dmp

Filesize
64KB

Download
memory/536-65-0x00000000030F0000-0x0000000003100000-memory.dmp

Filesize
64KB

Download
memory/536-66-0x00000000030F0000-0x0000000003100000-memory.dmp

Filesize
64KB

Download
memory/536-64-0x00000000030F0000-0x0000000003100000-memory.dmp

Filesize
64KB

Download
memory/536-63-0x00000000030F0000-0x0000000003100000-memory.dmp

Filesize
64KB

Download
memory/536-61-0x00000000030F0000-0x0000000003100000-memory.dmp

Filesize
64KB

Download
memory/536-62-0x00000000030F0000-0x0000000003100000-memory.dmp

Filesize
64KB

Download
memory/536-60-0x00000000030F0000-0x0000000003100000-memory.dmp

Filesize
64KB

Download
memory/536-59-0x00000000033D0000-0x00000000033E0000-memory.dmp

Filesize
64KB

Download
memory/536-57-0x00000000030F0000-0x0000000003100000-memory.dmp

Filesize
64KB

Download
memory/536-39-0x00000000030F0000-0x0000000003100000-memory.dmp

Filesize
64KB

Download
memory/536-54-0x00000000030F0000-0x0000000003100000-memory.dmp

Filesize
64KB

Download
memory/536-55-0x00000000030F0000-0x0000000003100000-memory.dmp

Filesize
64KB

Download
memory/536-19-0x0000000008800000-0x0000000008967000-memory.dmp

Filesize
1.4MB

Download
memory/536-45-0x00000000030F0000-0x0000000003100000-memory.dmp

Filesize
64KB

Download
memory/536-51-0x00000000030F0000-0x0000000003100000-memory.dmp

Filesize
64KB

Download
memory/536-52-0x00000000033D0000-0x00000000033E0000-memory.dmp

Filesize
64KB

Download
memory/536-48-0x00000000030F0000-0x0000000003100000-memory.dmp

Filesize
64KB

Download
memory/536-49-0x00000000030F0000-0x0000000003100000-memory.dmp

Filesize
64KB

Download
memory/536-26-0x0000000008800000-0x0000000008967000-memory.dmp

Filesize
1.4MB

Download
memory/536-47-0x00000000033D0000-0x00000000033E0000-memory.dmp

Filesize
64KB

Download
memory/536-29-0x0000000008CD0000-0x0000000008DEE000-memory.dmp

Filesize
1.1MB

Download
memory/536-30-0x0000000008CD0000-0x0000000008DEE000-memory.dmp

Filesize
1.1MB

Download
memory/536-32-0x0000000008CD0000-0x0000000008DEE000-memory.dmp

Filesize
1.1MB

Download
memory/536-34-0x00000000030F0000-0x0000000003100000-memory.dmp

Filesize
64KB

Download
memory/536-35-0x00000000030F0000-0x0000000003100000-memory.dmp

Filesize
64KB

Download
memory/536-36-0x00000000033B0000-0x00000000033C0000-memory.dmp

Filesize
64KB

Download
memory/536-37-0x00000000030F0000-0x0000000003100000-memory.dmp

Filesize
64KB

Download
memory/536-46-0x00000000030F0000-0x0000000003100000-memory.dmp

Filesize
64KB

Download
memory/536-43-0x00000000030F0000-0x0000000003100000-memory.dmp

Filesize
64KB

Download
memory/536-40-0x00000000030F0000-0x0000000003100000-memory.dmp

Filesize
64KB

Download
memory/536-41-0x00000000030F0000-0x0000000003100000-memory.dmp

Filesize
64KB

Download
memory/928-104-0x0000017C28320000-0x0000017C28321000-memory.dmp

Filesize
4KB

Download
memory/928-103-0x0000017C282F0000-0x0000017C282F1000-memory.dmp

Filesize
4KB

Download
memory/928-71-0x0000017C1FC40000-0x0000017C1FC50000-memory.dmp

Filesize
64KB

Download
memory/928-87-0x0000017C1FD40000-0x0000017C1FD50000-memory.dmp

Filesize
64KB

Download
memory/928-105-0x0000017C28320000-0x0000017C28321000-memory.dmp

Filesize
4KB

Download
memory/1708-4-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download
memory/1708-3-0x0000000004C90000-0x0000000004D22000-memory.dmp

Filesize
584KB

Download
memory/1708-1-0x00000000001C0000-0x0000000000278000-memory.dmp

Filesize
736KB

Download
memory/1708-2-0x0000000005240000-0x00000000057E4000-memory.dmp

Filesize
5.6MB

Download
memory/1708-7-0x0000000074FD0000-0x0000000075780000-memory.dmp

Filesize
7.7MB

Download
memory/1708-5-0x0000000004C70000-0x0000000004C7A000-memory.dmp

Filesize
40KB

Download
memory/1708-14-0x0000000074FD0000-0x0000000075780000-memory.dmp

Filesize
7.7MB

Download
memory/1708-0-0x0000000074FD0000-0x0000000075780000-memory.dmp

Filesize
7.7MB

Download
memory/1708-6-0x0000000005210000-0x0000000005228000-memory.dmp

Filesize
96KB

Download
memory/1708-11-0x000000000CE30000-0x000000000CECC000-memory.dmp

Filesize
624KB

Download
memory/1708-10-0x0000000009D20000-0x0000000009D8E000-memory.dmp

Filesize
440KB

Download
memory/1708-9-0x00000000061C0000-0x00000000061CA000-memory.dmp

Filesize
40KB

Download
memory/1708-8-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download
memory/2044-22-0x00000000004F0000-0x0000000000504000-memory.dmp

Filesize
80KB

Download
memory/2044-20-0x00000000004F0000-0x0000000000504000-memory.dmp

Filesize
80KB

Download
memory/2044-23-0x0000000000D00000-0x0000000000D2F000-memory.dmp

Filesize
188KB

Download
memory/2044-24-0x0000000002B80000-0x0000000002ECA000-memory.dmp

Filesize
3.3MB

Download
memory/2044-25-0x0000000000D00000-0x0000000000D2F000-memory.dmp

Filesize
188KB

Download
memory/2044-28-0x0000000002ED0000-0x0000000002F63000-memory.dmp

Filesize
588KB

Download
memory/5084-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5084-17-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5084-18-0x00000000011A0000-0x00000000011B4000-memory.dmp

Filesize
80KB

Download
memory/5084-15-0x00000000016B0000-0x00000000019FA000-memory.dmp

Filesize
3.3MB

Download