formbook | 9d9e7bb9c7faa619e5f7c2a88d220812495a078c8a9cdf465765300a9abae4be

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
24/11/2023, 06:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

FLY.exe
Size

575KB
MD5

d400c125c91f0da96b71a1335d5c7e9e
SHA1

c5cadd640c60cc5ae5377fa8726c15f38808a131
SHA256

6aeb335b3a8c4506ba69d98007266a0210930cddabc6d3fe6b6c0a28e59ae7db
SHA512

8d77dc100e939fd72e3036307883584af47c35298e049fbc3c92cfb94c4a782180ff0a5c5148d72e4f2e39d6208c9237f65b1f6488e5bfa31cca5c30c0ffbf2f
SSDEEP

12288:nE+RIimQdL6iHOHpF2hJwy+atu6KVC94MVK4ENzZK:nE+evGOHpKavI4YEN

Score

10^/10

formbook cc73 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

cc73

Decoy

viptop77.biz

sell-home-fast-for-cash.xyz

wjbwebsite.top

ceramic.house

anthologymotors.com

acctwiseconsulting.com

xn--bj4blri6mqqan64b.com

roguester.com

blavkimped.com

mostbet-wih8.xyz

biellacapital.com

jasonmoorehead.online

wolrdtenis.com

huahuiblog.com

jonniprince.com

gohanyo.com

l4-j2.pro

coinyeard.com

fh8019.com

iltorlonia.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 5 IoCs

rat

resource	yara_rule
behavioral2/memory/1144-11-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/1144-16-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/1144-20-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4768-25-0x00000000003B0000-0x00000000003DF000-memory.dmp	formbook
behavioral2/memory/4768-27-0x00000000003B0000-0x00000000003DF000-memory.dmp	formbook

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4624 set thread context of 1144	4624	FLY.exe	95
PID 1144 set thread context of 3192	1144	FLY.exe	56
PID 1144 set thread context of 3192	1144	FLY.exe	56
PID 4768 set thread context of 3192	4768	cmstp.exe	56

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
4624	FLY.exe
4624	FLY.exe
4624	FLY.exe
4624	FLY.exe
1144	FLY.exe
1144	FLY.exe
1144	FLY.exe
1144	FLY.exe
1144	FLY.exe
1144	FLY.exe
4768	cmstp.exe
4768	cmstp.exe
4768	cmstp.exe
4768	cmstp.exe
4768	cmstp.exe
4768	cmstp.exe
4768	cmstp.exe
4768	cmstp.exe
4768	cmstp.exe
4768	cmstp.exe
4768	cmstp.exe
4768	cmstp.exe
4768	cmstp.exe
4768	cmstp.exe
4768	cmstp.exe
4768	cmstp.exe
4768	cmstp.exe
4768	cmstp.exe
4768	cmstp.exe
4768	cmstp.exe
4768	cmstp.exe
4768	cmstp.exe
4768	cmstp.exe
4768	cmstp.exe
4768	cmstp.exe
4768	cmstp.exe
4768	cmstp.exe
4768	cmstp.exe
4768	cmstp.exe
4768	cmstp.exe
4768	cmstp.exe
4768	cmstp.exe
4768	cmstp.exe
4768	cmstp.exe
4768	cmstp.exe
4768	cmstp.exe
4768	cmstp.exe
4768	cmstp.exe
4768	cmstp.exe
4768	cmstp.exe
4768	cmstp.exe
4768	cmstp.exe
4768	cmstp.exe
4768	cmstp.exe
4768	cmstp.exe
4768	cmstp.exe
4768	cmstp.exe
4768	cmstp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3192	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
1144	FLY.exe
1144	FLY.exe
1144	FLY.exe
1144	FLY.exe
4768	cmstp.exe
4768	cmstp.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4624	FLY.exe
Token: SeDebugPrivilege	1144	FLY.exe
Token: SeDebugPrivilege	4768	cmstp.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3192	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4624 wrote to memory of 792	4624	FLY.exe	93
PID 4624 wrote to memory of 792	4624	FLY.exe	93
PID 4624 wrote to memory of 792	4624	FLY.exe	93
PID 4624 wrote to memory of 2552	4624	FLY.exe	94
PID 4624 wrote to memory of 2552	4624	FLY.exe	94
PID 4624 wrote to memory of 2552	4624	FLY.exe	94
PID 4624 wrote to memory of 1144	4624	FLY.exe	95
PID 4624 wrote to memory of 1144	4624	FLY.exe	95
PID 4624 wrote to memory of 1144	4624	FLY.exe	95
PID 4624 wrote to memory of 1144	4624	FLY.exe	95
PID 4624 wrote to memory of 1144	4624	FLY.exe	95
PID 4624 wrote to memory of 1144	4624	FLY.exe	95
PID 3192 wrote to memory of 4768	3192	Explorer.EXE	97
PID 3192 wrote to memory of 4768	3192	Explorer.EXE	97
PID 3192 wrote to memory of 4768	3192	Explorer.EXE	97
PID 4768 wrote to memory of 2332	4768	cmstp.exe	99
PID 4768 wrote to memory of 2332	4768	cmstp.exe	99
PID 4768 wrote to memory of 2332	4768	cmstp.exe	99

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Users\Admin\AppData\Local\Temp\FLY.exe
  "C:\Users\Admin\AppData\Local\Temp\FLY.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4624
- - C:\Users\Admin\AppData\Local\Temp\FLY.exe
    "C:\Users\Admin\AppData\Local\Temp\FLY.exe"
    3⤵
    PID:792
- - C:\Users\Admin\AppData\Local\Temp\FLY.exe
    "C:\Users\Admin\AppData\Local\Temp\FLY.exe"
    3⤵
    PID:2552
- - C:\Users\Admin\AppData\Local\Temp\FLY.exe
    "C:\Users\Admin\AppData\Local\Temp\FLY.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1144
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:1976
- C:\Windows\SysWOW64\cmstp.exe
  "C:\Windows\SysWOW64\cmstp.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4768
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\FLY.exe"
    3⤵
    PID:2332

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1144-14-0x0000000001850000-0x0000000001B9A000-memory.dmp

Filesize
3.3MB

Download
memory/1144-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1144-11-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1144-17-0x0000000001CD0000-0x0000000001CE5000-memory.dmp

Filesize
84KB

Download
memory/1144-20-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1144-21-0x0000000001D20000-0x0000000001D35000-memory.dmp

Filesize
84KB

Download
memory/3192-22-0x0000000008E80000-0x0000000008FAF000-memory.dmp

Filesize
1.2MB

Download
memory/3192-28-0x00000000089F0000-0x0000000008B00000-memory.dmp

Filesize
1.1MB

Download
memory/3192-31-0x0000000003380000-0x0000000003439000-memory.dmp

Filesize
740KB

Download
memory/3192-18-0x00000000089F0000-0x0000000008B00000-memory.dmp

Filesize
1.1MB

Download
memory/3192-32-0x0000000003380000-0x0000000003439000-memory.dmp

Filesize
740KB

Download
memory/3192-33-0x0000000008E80000-0x0000000008FAF000-memory.dmp

Filesize
1.2MB

Download
memory/3192-36-0x0000000003380000-0x0000000003439000-memory.dmp

Filesize
740KB

Download
memory/4624-7-0x0000000004FC0000-0x0000000004FC6000-memory.dmp

Filesize
24KB

Download
memory/4624-5-0x0000000004AF0000-0x0000000004AFA000-memory.dmp

Filesize
40KB

Download
memory/4624-10-0x0000000006350000-0x00000000063EC000-memory.dmp

Filesize
624KB

Download
memory/4624-9-0x0000000006240000-0x00000000062AE000-memory.dmp

Filesize
440KB

Download
memory/4624-8-0x00000000044B0000-0x00000000044BA000-memory.dmp

Filesize
40KB

Download
memory/4624-0-0x0000000000010000-0x00000000000A6000-memory.dmp

Filesize
600KB

Download
memory/4624-6-0x0000000004C40000-0x0000000004C58000-memory.dmp

Filesize
96KB

Download
memory/4624-1-0x0000000074A30000-0x00000000751E0000-memory.dmp

Filesize
7.7MB

Download
memory/4624-2-0x0000000005140000-0x00000000056E4000-memory.dmp

Filesize
5.6MB

Download
memory/4624-13-0x0000000074A30000-0x00000000751E0000-memory.dmp

Filesize
7.7MB

Download
memory/4624-3-0x0000000004A30000-0x0000000004AC2000-memory.dmp

Filesize
584KB

Download
memory/4624-4-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/4768-25-0x00000000003B0000-0x00000000003DF000-memory.dmp

Filesize
188KB

Download
memory/4768-30-0x0000000002430000-0x00000000024C4000-memory.dmp

Filesize
592KB

Download
memory/4768-27-0x00000000003B0000-0x00000000003DF000-memory.dmp

Filesize
188KB

Download
memory/4768-26-0x0000000002540000-0x000000000288A000-memory.dmp

Filesize
3.3MB

Download
memory/4768-24-0x0000000000780000-0x0000000000796000-memory.dmp

Filesize
88KB

Download
memory/4768-23-0x0000000000780000-0x0000000000796000-memory.dmp

Filesize
88KB

Download