formbook | 287a3e38227ec9d2a0fcebfdfedbe1f8ac01fda9f654c173184dd7956ca31cd8

Analysis

max time kernel
155s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
31/10/2023, 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

287a3e38227ec9d2a0fcebfdfedbe1f8ac01fda9f654c173184dd7956ca31cd8.exe
Size

1.7MB
MD5

241cdb0904844ba61a4058b567f79370
SHA1

1f734501276fd771b8998b55221cbb425c613906
SHA256

287a3e38227ec9d2a0fcebfdfedbe1f8ac01fda9f654c173184dd7956ca31cd8
SHA512

787fc29278f50d9a57823a4a77360090d11189408dd8f4d151a0a8e49c3cad29cc3017b3103599197dba720ef8561e7f9e912366d749e07aed097b0c77f41a1b
SSDEEP

24576:PmqruRzSJcuXCyWs2lRxm/WhDZ96EpfNcA10O2C:PuRzSJcuXpWHlvm/WhH6EpfNcAGO2C

Score

10^/10

formbook hs94 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

hs94

Decoy

hrnlius.com

righthouse39.store

nh12dgsdh.top

d6es.com

qjgx8ol.xyz

claricraft.com

amor-de-luxo.com

triokitchenbar.com

britlleysantos.com

hairluxe.info

openclosetstore.com

edubraintoys.com

goldeneaglescoin.com

mayacottage.com

taekyoong.com

mahiguel.com

dramulyamullapudi.com

osaruru.com

momaustralia.com

xiaotu.gay

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/2264-10-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2264-15-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/844-20-0x0000000000A40000-0x0000000000A6F000-memory.dmp	formbook
behavioral2/memory/844-22-0x0000000000A40000-0x0000000000A6F000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2272 set thread context of 2264	2272	287a3e38227ec9d2a0fcebfdfedbe1f8ac01fda9f654c173184dd7956ca31cd8.exe	92
PID 2264 set thread context of 3096	2264	InstallUtil.exe	52
PID 844 set thread context of 3096	844	systray.exe	52

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2272	287a3e38227ec9d2a0fcebfdfedbe1f8ac01fda9f654c173184dd7956ca31cd8.exe
2272	287a3e38227ec9d2a0fcebfdfedbe1f8ac01fda9f654c173184dd7956ca31cd8.exe
2272	287a3e38227ec9d2a0fcebfdfedbe1f8ac01fda9f654c173184dd7956ca31cd8.exe
2272	287a3e38227ec9d2a0fcebfdfedbe1f8ac01fda9f654c173184dd7956ca31cd8.exe
2272	287a3e38227ec9d2a0fcebfdfedbe1f8ac01fda9f654c173184dd7956ca31cd8.exe
2272	287a3e38227ec9d2a0fcebfdfedbe1f8ac01fda9f654c173184dd7956ca31cd8.exe
2264	InstallUtil.exe
2264	InstallUtil.exe
2264	InstallUtil.exe
2264	InstallUtil.exe
844	systray.exe
844	systray.exe
844	systray.exe
844	systray.exe
844	systray.exe
844	systray.exe
844	systray.exe
844	systray.exe
844	systray.exe
844	systray.exe
844	systray.exe
844	systray.exe
844	systray.exe
844	systray.exe
844	systray.exe
844	systray.exe
844	systray.exe
844	systray.exe
844	systray.exe
844	systray.exe
844	systray.exe
844	systray.exe
844	systray.exe
844	systray.exe
844	systray.exe
844	systray.exe
844	systray.exe
844	systray.exe
844	systray.exe
844	systray.exe
844	systray.exe
844	systray.exe
844	systray.exe
844	systray.exe
844	systray.exe
844	systray.exe
844	systray.exe
844	systray.exe
844	systray.exe
844	systray.exe
844	systray.exe
844	systray.exe
844	systray.exe
844	systray.exe
844	systray.exe
844	systray.exe
844	systray.exe
844	systray.exe
844	systray.exe
844	systray.exe
844	systray.exe
844	systray.exe
844	systray.exe
844	systray.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3096	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2264	InstallUtil.exe
2264	InstallUtil.exe
2264	InstallUtil.exe
844	systray.exe
844	systray.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	2272	287a3e38227ec9d2a0fcebfdfedbe1f8ac01fda9f654c173184dd7956ca31cd8.exe
Token: SeDebugPrivilege	2264	InstallUtil.exe
Token: SeDebugPrivilege	844	systray.exe
Token: SeShutdownPrivilege	3096	Explorer.EXE
Token: SeCreatePagefilePrivilege	3096	Explorer.EXE
Token: SeShutdownPrivilege	3096	Explorer.EXE
Token: SeCreatePagefilePrivilege	3096	Explorer.EXE
Token: SeShutdownPrivilege	3096	Explorer.EXE
Token: SeCreatePagefilePrivilege	3096	Explorer.EXE
Token: SeShutdownPrivilege	3096	Explorer.EXE
Token: SeCreatePagefilePrivilege	3096	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3096	Explorer.EXE
3096	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3096	Explorer.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 3892	2272	287a3e38227ec9d2a0fcebfdfedbe1f8ac01fda9f654c173184dd7956ca31cd8.exe	89
PID 2272 wrote to memory of 3892	2272	287a3e38227ec9d2a0fcebfdfedbe1f8ac01fda9f654c173184dd7956ca31cd8.exe	89
PID 2272 wrote to memory of 3892	2272	287a3e38227ec9d2a0fcebfdfedbe1f8ac01fda9f654c173184dd7956ca31cd8.exe	89
PID 2272 wrote to memory of 1312	2272	287a3e38227ec9d2a0fcebfdfedbe1f8ac01fda9f654c173184dd7956ca31cd8.exe	90
PID 2272 wrote to memory of 1312	2272	287a3e38227ec9d2a0fcebfdfedbe1f8ac01fda9f654c173184dd7956ca31cd8.exe	90
PID 2272 wrote to memory of 1312	2272	287a3e38227ec9d2a0fcebfdfedbe1f8ac01fda9f654c173184dd7956ca31cd8.exe	90
PID 2272 wrote to memory of 3744	2272	287a3e38227ec9d2a0fcebfdfedbe1f8ac01fda9f654c173184dd7956ca31cd8.exe	91
PID 2272 wrote to memory of 3744	2272	287a3e38227ec9d2a0fcebfdfedbe1f8ac01fda9f654c173184dd7956ca31cd8.exe	91
PID 2272 wrote to memory of 3744	2272	287a3e38227ec9d2a0fcebfdfedbe1f8ac01fda9f654c173184dd7956ca31cd8.exe	91
PID 2272 wrote to memory of 2264	2272	287a3e38227ec9d2a0fcebfdfedbe1f8ac01fda9f654c173184dd7956ca31cd8.exe	92
PID 2272 wrote to memory of 2264	2272	287a3e38227ec9d2a0fcebfdfedbe1f8ac01fda9f654c173184dd7956ca31cd8.exe	92
PID 2272 wrote to memory of 2264	2272	287a3e38227ec9d2a0fcebfdfedbe1f8ac01fda9f654c173184dd7956ca31cd8.exe	92
PID 2272 wrote to memory of 2264	2272	287a3e38227ec9d2a0fcebfdfedbe1f8ac01fda9f654c173184dd7956ca31cd8.exe	92
PID 2272 wrote to memory of 2264	2272	287a3e38227ec9d2a0fcebfdfedbe1f8ac01fda9f654c173184dd7956ca31cd8.exe	92
PID 2272 wrote to memory of 2264	2272	287a3e38227ec9d2a0fcebfdfedbe1f8ac01fda9f654c173184dd7956ca31cd8.exe	92
PID 3096 wrote to memory of 844	3096	Explorer.EXE	94
PID 3096 wrote to memory of 844	3096	Explorer.EXE	94
PID 3096 wrote to memory of 844	3096	Explorer.EXE	94
PID 844 wrote to memory of 1212	844	systray.exe	100
PID 844 wrote to memory of 1212	844	systray.exe	100
PID 844 wrote to memory of 1212	844	systray.exe	100

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3096
- C:\Users\Admin\AppData\Local\Temp\287a3e38227ec9d2a0fcebfdfedbe1f8ac01fda9f654c173184dd7956ca31cd8.exe
  "C:\Users\Admin\AppData\Local\Temp\287a3e38227ec9d2a0fcebfdfedbe1f8ac01fda9f654c173184dd7956ca31cd8.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    3⤵
    PID:3892
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    3⤵
    PID:1312
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    3⤵
    PID:3744
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2264
- C:\Windows\SysWOW64\systray.exe
  "C:\Windows\SysWOW64\systray.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:844
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    PID:1212

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/844-18-0x0000000000A30000-0x0000000000A36000-memory.dmp

Filesize
24KB

Download
memory/844-24-0x0000000002770000-0x0000000002803000-memory.dmp

Filesize
588KB

Download
memory/844-22-0x0000000000A40000-0x0000000000A6F000-memory.dmp

Filesize
188KB

Download
memory/844-21-0x0000000002A40000-0x0000000002D8A000-memory.dmp

Filesize
3.3MB

Download
memory/844-20-0x0000000000A40000-0x0000000000A6F000-memory.dmp

Filesize
188KB

Download
memory/844-19-0x0000000000A30000-0x0000000000A36000-memory.dmp

Filesize
24KB

Download
memory/2264-13-0x0000000001830000-0x0000000001B7A000-memory.dmp

Filesize
3.3MB

Download
memory/2264-10-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2264-16-0x0000000001BA0000-0x0000000001BB4000-memory.dmp

Filesize
80KB

Download
memory/2264-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2272-3-0x0000000006470000-0x0000000006A14000-memory.dmp

Filesize
5.6MB

Download
memory/2272-5-0x00000000061F0000-0x0000000006256000-memory.dmp

Filesize
408KB

Download
memory/2272-1-0x0000000074C30000-0x00000000753E0000-memory.dmp

Filesize
7.7MB

Download
memory/2272-9-0x0000000006A20000-0x0000000006A6C000-memory.dmp

Filesize
304KB

Download
memory/2272-8-0x0000000006310000-0x000000000635E000-memory.dmp

Filesize
312KB

Download
memory/2272-0-0x0000000000CB0000-0x0000000000E72000-memory.dmp

Filesize
1.8MB

Download
memory/2272-6-0x0000000006270000-0x00000000062BE000-memory.dmp

Filesize
312KB

Download
memory/2272-12-0x0000000074C30000-0x00000000753E0000-memory.dmp

Filesize
7.7MB

Download
memory/2272-4-0x0000000005FC0000-0x0000000006052000-memory.dmp

Filesize
584KB

Download
memory/2272-7-0x00000000058E0000-0x00000000058F0000-memory.dmp

Filesize
64KB

Download
memory/2272-2-0x00000000058E0000-0x00000000058F0000-memory.dmp

Filesize
64KB

Download
memory/3096-17-0x0000000003400000-0x00000000034E2000-memory.dmp

Filesize
904KB

Download
memory/3096-25-0x0000000008A50000-0x0000000008B2D000-memory.dmp

Filesize
884KB

Download
memory/3096-26-0x0000000008A50000-0x0000000008B2D000-memory.dmp

Filesize
884KB

Download
memory/3096-28-0x0000000008A50000-0x0000000008B2D000-memory.dmp

Filesize
884KB

Download