formbook | f62de2f1a6d9798f4278ab073890c06f8a1027c216d3c02dbc4c84ff84c4ee72

Analysis

max time kernel
149s
max time network
139s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 04:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

915KB
MD5

c51050da2c94bbb62c6d2c51862b15dd
SHA1

84489f41759b69be75fa13430ba2f78143a857a1
SHA256

f62de2f1a6d9798f4278ab073890c06f8a1027c216d3c02dbc4c84ff84c4ee72
SHA512

9b22c562b3c84c0dce7a9888a227b67d991d4175d82ed2399d1629a216c0df9afc08285af94f06a09238ac896df2e0484d354bac4fab977bb2d3337a5b1521ef
SSDEEP

24576:nJzp/ZBD1bJJReGhyAynCXbwZ4pHzZhrh0Fy1:JVTD1Xhyn0bwZSnh0I

Score

10^/10

formbook guloader ce10 downloader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ce10

Decoy

universalbowls.com

bp5.site

thiagokielingwebdesign.net

grapper.fun

grow-more.us

cqdh888.com

facthunter.app

cstars05.xyz

baumeagency.com

montevallotowing.top

joshtdownes.com

ampvit88.info

timelesscoutureclothing.com

stimuscle.com

uppervillekeyword.top

victoriabaltzer.com

laguindah.art

kiddieboost.com

santafekeyword.top

818experience.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Formbook payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/3196-628-0x0000000000400000-0x0000000001462000-memory.dmp	formbook
behavioral1/memory/3196-630-0x0000000000400000-0x0000000001462000-memory.dmp	formbook
behavioral1/memory/3196-631-0x0000000000400000-0x0000000001462000-memory.dmp	formbook
behavioral1/memory/3808-671-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/3808-673-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
3896	cmd.exe

Loads dropped DLL 1 IoCs

Processes:

tmp.exe

pid	Process
2292	tmp.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

Processes:

tmp.exe

pid	Process
3196	tmp.exe
3196	tmp.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

tmp.exetmp.exe

pid	Process
2292	tmp.exe
3196	tmp.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

tmp.exetmp.execolorcpl.exe

description	pid	Process	procid_target
PID 2292 set thread context of 3196	2292	tmp.exe	28
PID 3196 set thread context of 1208	3196	tmp.exe	16
PID 3196 set thread context of 1208	3196	tmp.exe	16
PID 3808 set thread context of 1208	3808	colorcpl.exe	16

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

tmp.execolorcpl.exe

pid	Process
3196	tmp.exe
3196	tmp.exe
3196	tmp.exe
3808	colorcpl.exe
3808	colorcpl.exe
3808	colorcpl.exe
3808	colorcpl.exe
3808	colorcpl.exe
3808	colorcpl.exe
3808	colorcpl.exe
3808	colorcpl.exe
3808	colorcpl.exe
3808	colorcpl.exe
3808	colorcpl.exe
3808	colorcpl.exe
3808	colorcpl.exe
3808	colorcpl.exe
3808	colorcpl.exe
3808	colorcpl.exe
3808	colorcpl.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

tmp.exetmp.execolorcpl.exe

pid	Process
2292	tmp.exe
3196	tmp.exe
3196	tmp.exe
3196	tmp.exe
3196	tmp.exe
3808	colorcpl.exe
3808	colorcpl.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

tmp.exeExplorer.EXEcolorcpl.exe

description	pid	Process
Token: SeDebugPrivilege	3196	tmp.exe
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeDebugPrivilege	3808	colorcpl.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

tmp.exetmp.execolorcpl.exe

description	pid	Process	procid_target
PID 2292 wrote to memory of 3196	2292	tmp.exe	28
PID 2292 wrote to memory of 3196	2292	tmp.exe	28
PID 2292 wrote to memory of 3196	2292	tmp.exe	28
PID 2292 wrote to memory of 3196	2292	tmp.exe	28
PID 2292 wrote to memory of 3196	2292	tmp.exe	28
PID 2292 wrote to memory of 3196	2292	tmp.exe	28
PID 3196 wrote to memory of 3808	3196	tmp.exe	34
PID 3196 wrote to memory of 3808	3196	tmp.exe	34
PID 3196 wrote to memory of 3808	3196	tmp.exe	34
PID 3196 wrote to memory of 3808	3196	tmp.exe	34
PID 3808 wrote to memory of 3896	3808	colorcpl.exe	35
PID 3808 wrote to memory of 3896	3808	colorcpl.exe	35
PID 3808 wrote to memory of 3896	3808	colorcpl.exe	35
PID 3808 wrote to memory of 3896	3808	colorcpl.exe	35

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1208
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    3⤵
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3196
  - - C:\Windows\SysWOW64\autochk.exe
      "C:\Windows\SysWOW64\autochk.exe"
      4⤵
      PID:3800
  - - C:\Windows\SysWOW64\colorcpl.exe
      "C:\Windows\SysWOW64\colorcpl.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3808
    - - C:\Windows\SysWOW64\cmd.exe
        
        /c del "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
        5⤵
        Deletes itself
        
        PID:3896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\fouette.ini

Filesize
44B

MD5
eb4da25d6c0d919bbe9ebc480cee0d05

SHA1
dfaeae9c23e9b282a82b1abb971599a5bcd51b27

SHA256
70a4ee88b132159f110d96ad83001187c6a272f52d5c766f563b50ac1e072fe3

SHA512
1e9972196d4bdbbc7366c1fc980014b3048d036f56afdeb39303263cc7af24217490dd9b9ca85ac11a0bf83a1c31eead3320e158e8b9ac819468023d1548cb5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Carmind.ini

Filesize
52B

MD5
16d2907f72ba61bcf429972b96cb4069

SHA1
9e4b5b253fd60f5af867610a6e0861ca0e426456

SHA256
5fe8b9c597b96a9a541903505adb7899b7ed6b444c2f7d11913e836d66711448

SHA512
fcd064fb6fcb9e4b3184348671e2f3db3c4419abc02248151bde2654e30ce840c04a7410196a55eba39885ffa44335bdc18c9849972fe18a528f35787d57679c

Download Submit
\Users\Admin\AppData\Local\Temp\nst8C2B.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
memory/1208-646-0x0000000004D40000-0x0000000004EE9000-memory.dmp

Filesize
1.7MB

Download
memory/1208-658-0x0000000007550000-0x00000000076C7000-memory.dmp

Filesize
1.5MB

Download
memory/1208-678-0x00000000076D0000-0x000000000782B000-memory.dmp

Filesize
1.4MB

Download
memory/1208-682-0x00000000076D0000-0x000000000782B000-memory.dmp

Filesize
1.4MB

Download
memory/1208-679-0x00000000076D0000-0x000000000782B000-memory.dmp

Filesize
1.4MB

Download
memory/2292-596-0x0000000077120000-0x00000000772C9000-memory.dmp

Filesize
1.7MB

Download
memory/2292-597-0x0000000077310000-0x00000000773E6000-memory.dmp

Filesize
856KB

Download
memory/2292-599-0x0000000074A00000-0x0000000074A07000-memory.dmp

Filesize
28KB

Download
memory/3196-640-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/3196-647-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/3196-628-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/3196-629-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/3196-630-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/3196-631-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/3196-625-0x0000000001470000-0x00000000064ED000-memory.dmp

Filesize
80.5MB

Download
memory/3196-632-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/3196-633-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/3196-634-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/3196-635-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/3196-636-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/3196-637-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/3196-638-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/3196-639-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/3196-602-0x0000000077120000-0x00000000772C9000-memory.dmp

Filesize
1.7MB

Download
memory/3196-641-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/3196-642-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/3196-643-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/3196-644-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/3196-645-0x0000000036A20000-0x0000000036A34000-memory.dmp

Filesize
80KB

Download
memory/3196-603-0x0000000077346000-0x0000000077347000-memory.dmp

Filesize
4KB

Download
memory/3196-648-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/3196-649-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/3196-650-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/3196-652-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/3196-653-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/3196-654-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/3196-657-0x0000000000080000-0x0000000000094000-memory.dmp

Filesize
80KB

Download
memory/3196-659-0x0000000036B10000-0x0000000036E13000-memory.dmp

Filesize
3.0MB

Download
memory/3196-661-0x0000000077310000-0x00000000773E6000-memory.dmp

Filesize
856KB

Download
memory/3196-664-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3196-665-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3196-667-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3196-668-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3196-669-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3196-600-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/3196-601-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/3808-671-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/3808-672-0x0000000002240000-0x0000000002543000-memory.dmp

Filesize
3.0MB

Download
memory/3808-673-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/3808-670-0x0000000000E20000-0x0000000000E38000-memory.dmp

Filesize
96KB

Download
memory/3808-666-0x0000000000E20000-0x0000000000E38000-memory.dmp

Filesize
96KB

Download
memory/3808-675-0x0000000000AF0000-0x0000000000B83000-memory.dmp

Filesize
588KB

Download