formbook | f90db97e56f2eb46d2e55a0cd7674997bbc2d644f6370b477fd04edfca7b9cdd

Analysis

max time kernel
150s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04/01/2024, 20:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f90db97e56f2eb46d2e55a0cd7674997bbc2d644f6370b477fd04edfca7b9cdd.exe
Size

446KB
MD5

e10c2c5de1c6b8be9f4d6814930fd018
SHA1

9305c3478e82b8e05395c6010737b2ca50e9a026
SHA256

f90db97e56f2eb46d2e55a0cd7674997bbc2d644f6370b477fd04edfca7b9cdd
SHA512

f8c83a346b2e29d8915ba00fef8eaf7d15dfebaffea2ad5e9863bcac3414a224926b627c2371644e0a48ff602aede5ad4b21f2d1513e95a306a6fe2997011040
SSDEEP

12288:YvL8c8ld2qLqxhHe6wQfDxRvIxVvJRjs:e85OqLAHLwQbxtcVvJC

Score

10^/10

formbook rhtn rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

rhtn

Decoy

ctwlabs.com

zaimjefhi.online

janetsboutiquestore.com

srello.com

dk1380.com

thuphangahhome.com

usahealthcarenetwork.com

ostbet.com

artbacus.com

kuaitaobao.net

aeinnamehranandegi.com

glassesbestselect.com

drain-pipe-cleaning-47086.bond

beyondhorsemanship.com

cottonfuturesbook.com

fairfieldcountyb.com

worldtoronto.com

onairnepal.com

kongmad.com

host-u.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/2252-496-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/1900-511-0x0000000000F70000-0x0000000000F9F000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 228 set thread context of 2252	228	f90db97e56f2eb46d2e55a0cd7674997bbc2d644f6370b477fd04edfca7b9cdd.exe	95
PID 2252 set thread context of 3380	2252	calc.exe	50
PID 1900 set thread context of 3380	1900	msiexec.exe	50

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2252	calc.exe
2252	calc.exe
2252	calc.exe
2252	calc.exe
2252	calc.exe
2252	calc.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe
1900	msiexec.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2252	calc.exe
2252	calc.exe
2252	calc.exe
1900	msiexec.exe
1900	msiexec.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2252	calc.exe
Token: SeDebugPrivilege	1900	msiexec.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3380	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 228 wrote to memory of 2252	228	f90db97e56f2eb46d2e55a0cd7674997bbc2d644f6370b477fd04edfca7b9cdd.exe	95
PID 228 wrote to memory of 2252	228	f90db97e56f2eb46d2e55a0cd7674997bbc2d644f6370b477fd04edfca7b9cdd.exe	95
PID 228 wrote to memory of 2252	228	f90db97e56f2eb46d2e55a0cd7674997bbc2d644f6370b477fd04edfca7b9cdd.exe	95
PID 228 wrote to memory of 2252	228	f90db97e56f2eb46d2e55a0cd7674997bbc2d644f6370b477fd04edfca7b9cdd.exe	95
PID 228 wrote to memory of 2252	228	f90db97e56f2eb46d2e55a0cd7674997bbc2d644f6370b477fd04edfca7b9cdd.exe	95
PID 228 wrote to memory of 2252	228	f90db97e56f2eb46d2e55a0cd7674997bbc2d644f6370b477fd04edfca7b9cdd.exe	95
PID 3380 wrote to memory of 1900	3380	Explorer.EXE	96
PID 3380 wrote to memory of 1900	3380	Explorer.EXE	96
PID 3380 wrote to memory of 1900	3380	Explorer.EXE	96
PID 1900 wrote to memory of 3952	1900	msiexec.exe	99
PID 1900 wrote to memory of 3952	1900	msiexec.exe	99
PID 1900 wrote to memory of 3952	1900	msiexec.exe	99

C:\Users\Admin\AppData\Local\Temp\f90db97e56f2eb46d2e55a0cd7674997bbc2d644f6370b477fd04edfca7b9cdd.exe
"C:\Users\Admin\AppData\Local\Temp\f90db97e56f2eb46d2e55a0cd7674997bbc2d644f6370b477fd04edfca7b9cdd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:228
- C:\Windows\SysWOW64\calc.exe
  "C:\Windows\SYSWOW64\calc.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  PID:2252

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3380
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\SysWOW64\calc.exe"
    3⤵
    PID:3952

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/228-1-0x0000000000E10000-0x0000000000E86000-memory.dmp

Filesize
472KB

Download
memory/228-0-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/228-2-0x0000000005820000-0x00000000058BC000-memory.dmp

Filesize
624KB

Download
memory/228-3-0x0000000003320000-0x000000000332A000-memory.dmp

Filesize
40KB

Download
memory/228-6-0x0000000003350000-0x0000000003376000-memory.dmp

Filesize
152KB

Download
memory/228-10-0x0000000003320000-0x0000000003334000-memory.dmp

Filesize
80KB

Download
memory/228-9-0x0000000003320000-0x000000000332A000-memory.dmp

Filesize
40KB

Download
memory/228-8-0x0000000003320000-0x0000000003327000-memory.dmp

Filesize
28KB

Download
memory/228-11-0x0000000005C40000-0x00000000063F0000-memory.dmp

Filesize
7.7MB

Download
memory/228-7-0x0000000003320000-0x000000000332A000-memory.dmp

Filesize
40KB

Download
memory/228-12-0x0000000003320000-0x000000000333F000-memory.dmp

Filesize
124KB

Download
memory/228-5-0x0000000003350000-0x000000000337D000-memory.dmp

Filesize
180KB

Download
memory/228-16-0x0000000003320000-0x000000000332D000-memory.dmp

Filesize
52KB

Download
memory/228-19-0x0000000005B70000-0x0000000005B9D000-memory.dmp

Filesize
180KB

Download
memory/228-21-0x0000000005C40000-0x0000000005D03000-memory.dmp

Filesize
780KB

Download
memory/228-27-0x0000000003320000-0x0000000003330000-memory.dmp

Filesize
64KB

Download
memory/228-30-0x0000000005BD0000-0x0000000005BE8000-memory.dmp

Filesize
96KB

Download
memory/228-32-0x0000000005F00000-0x000000000605A000-memory.dmp

Filesize
1.4MB

Download
memory/228-31-0x0000000005C40000-0x0000000005D9A000-memory.dmp

Filesize
1.4MB

Download
memory/228-36-0x0000000005C40000-0x0000000005C5A000-memory.dmp

Filesize
104KB

Download
memory/228-40-0x0000000005D00000-0x0000000005D44000-memory.dmp

Filesize
272KB

Download
memory/228-45-0x0000000005CC0000-0x0000000005CF0000-memory.dmp

Filesize
192KB

Download
memory/228-49-0x00000000060E0000-0x0000000006140000-memory.dmp

Filesize
384KB

Download
memory/228-51-0x0000000005C90000-0x0000000005CB0000-memory.dmp

Filesize
128KB

Download
memory/228-52-0x0000000006500000-0x00000000067C4000-memory.dmp

Filesize
2.8MB

Download
memory/228-54-0x0000000005D60000-0x0000000005D7E000-memory.dmp

Filesize
120KB

Download
memory/228-57-0x0000000006390000-0x000000000640C000-memory.dmp

Filesize
496KB

Download
memory/228-63-0x0000000005D80000-0x0000000005D88000-memory.dmp

Filesize
32KB

Download
memory/228-62-0x0000000005E80000-0x0000000005E8E000-memory.dmp

Filesize
56KB

Download
memory/228-61-0x0000000005D80000-0x0000000005D8E000-memory.dmp

Filesize
56KB

Download
memory/228-60-0x0000000005E70000-0x0000000005E78000-memory.dmp

Filesize
32KB

Download
memory/228-59-0x0000000005D80000-0x0000000005D88000-memory.dmp

Filesize
32KB

Download
memory/228-58-0x00000000062C0000-0x000000000635C000-memory.dmp

Filesize
624KB

Download
memory/228-56-0x0000000005E70000-0x0000000005EEC000-memory.dmp

Filesize
496KB

Download
memory/228-55-0x0000000005E50000-0x0000000005E6E000-memory.dmp

Filesize
120KB

Download
memory/228-53-0x00000000067D0000-0x0000000006A94000-memory.dmp

Filesize
2.8MB

Download
memory/228-50-0x0000000005C60000-0x0000000005C80000-memory.dmp

Filesize
128KB

Download
memory/228-48-0x0000000005E50000-0x0000000005EB0000-memory.dmp

Filesize
384KB

Download
memory/228-47-0x0000000006440000-0x00000000064FA000-memory.dmp

Filesize
744KB

Download
memory/228-46-0x00000000062C0000-0x000000000637A000-memory.dmp

Filesize
744KB

Download
memory/228-44-0x0000000005C60000-0x0000000005C90000-memory.dmp

Filesize
192KB

Download
memory/228-43-0x0000000005C00000-0x0000000005C10000-memory.dmp

Filesize
64KB

Download
memory/228-42-0x0000000006060000-0x00000000060D6000-memory.dmp

Filesize
472KB

Download
memory/228-41-0x0000000005C60000-0x0000000005CD6000-memory.dmp

Filesize
472KB

Download
memory/228-39-0x0000000005C60000-0x0000000005CA4000-memory.dmp

Filesize
272KB

Download
memory/228-38-0x0000000006190000-0x00000000062B2000-memory.dmp

Filesize
1.1MB

Download
memory/228-37-0x0000000005C60000-0x0000000005D82000-memory.dmp

Filesize
1.1MB

Download
memory/228-35-0x0000000005BF0000-0x0000000005C0A000-memory.dmp

Filesize
104KB

Download
memory/228-34-0x0000000005DA0000-0x0000000005E44000-memory.dmp

Filesize
656KB

Download
memory/228-33-0x0000000005C40000-0x0000000005CE4000-memory.dmp

Filesize
656KB

Download
memory/228-29-0x0000000003320000-0x0000000003338000-memory.dmp

Filesize
96KB

Download
memory/228-28-0x0000000005BA0000-0x0000000005BB0000-memory.dmp

Filesize
64KB

Download
memory/228-26-0x0000000005B70000-0x0000000005B82000-memory.dmp

Filesize
72KB

Download
memory/228-25-0x0000000003320000-0x0000000003332000-memory.dmp

Filesize
72KB

Download
memory/228-24-0x0000000003320000-0x000000000333C000-memory.dmp

Filesize
112KB

Download
memory/228-23-0x0000000003320000-0x0000000003333000-memory.dmp

Filesize
76KB

Download
memory/228-22-0x0000000005B70000-0x0000000005BAB000-memory.dmp

Filesize
236KB

Download
memory/228-20-0x0000000005C40000-0x0000000005D45000-memory.dmp

Filesize
1.0MB

Download
memory/228-18-0x0000000003390000-0x00000000033A8000-memory.dmp

Filesize
96KB

Download
memory/228-17-0x0000000003320000-0x0000000003338000-memory.dmp

Filesize
96KB

Download
memory/228-15-0x0000000003390000-0x00000000033B0000-memory.dmp

Filesize
128KB

Download
memory/228-14-0x0000000005B70000-0x0000000005BF9000-memory.dmp

Filesize
548KB

Download
memory/228-13-0x0000000003390000-0x00000000033C8000-memory.dmp

Filesize
224KB

Download
memory/228-4-0x0000000003340000-0x000000000334A000-memory.dmp

Filesize
40KB

Download
memory/1900-504-0x0000000000A10000-0x0000000000A22000-memory.dmp

Filesize
72KB

Download
memory/1900-508-0x0000000000A10000-0x0000000000A22000-memory.dmp

Filesize
72KB

Download
memory/1900-506-0x0000000000A10000-0x0000000000A22000-memory.dmp

Filesize
72KB

Download
memory/1900-511-0x0000000000F70000-0x0000000000F9F000-memory.dmp

Filesize
188KB

Download
memory/2252-496-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3380-517-0x0000000008840000-0x00000000089C0000-memory.dmp

Filesize
1.5MB

Download