formbook | f62de2f1a6d9798f4278ab073890c06f8a1027c216d3c02dbc4c84ff84c4ee72

Analysis

max time kernel
157s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 04:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

915KB
MD5

c51050da2c94bbb62c6d2c51862b15dd
SHA1

84489f41759b69be75fa13430ba2f78143a857a1
SHA256

f62de2f1a6d9798f4278ab073890c06f8a1027c216d3c02dbc4c84ff84c4ee72
SHA512

9b22c562b3c84c0dce7a9888a227b67d991d4175d82ed2399d1629a216c0df9afc08285af94f06a09238ac896df2e0484d354bac4fab977bb2d3337a5b1521ef
SSDEEP

24576:nJzp/ZBD1bJJReGhyAynCXbwZ4pHzZhrh0Fy1:JVTD1Xhyn0bwZSnh0I

Score

10^/10

formbook guloader ce10 downloader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ce10

Decoy

universalbowls.com

bp5.site

thiagokielingwebdesign.net

grapper.fun

grow-more.us

cqdh888.com

facthunter.app

cstars05.xyz

baumeagency.com

montevallotowing.top

joshtdownes.com

ampvit88.info

timelesscoutureclothing.com

stimuscle.com

uppervillekeyword.top

victoriabaltzer.com

laguindah.art

kiddieboost.com

santafekeyword.top

818experience.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1804-617-0x0000000000400000-0x0000000001654000-memory.dmp	formbook
behavioral2/memory/1804-643-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3200-642-0x0000000000D40000-0x0000000000D6F000-memory.dmp	formbook
behavioral2/memory/3200-646-0x0000000000D40000-0x0000000000D6F000-memory.dmp	formbook

Loads dropped DLL 1 IoCs

Processes:

tmp.exe

pid	Process
2640	tmp.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

Processes:

tmp.exe

pid	Process
1804	tmp.exe
1804	tmp.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

tmp.exetmp.exe

pid	Process
2640	tmp.exe
1804	tmp.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

tmp.exetmp.execscript.exe

description	pid	Process	procid_target
PID 2640 set thread context of 1804	2640	tmp.exe	97
PID 1804 set thread context of 3484	1804	tmp.exe	46
PID 3200 set thread context of 3484	3200	cscript.exe	46

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

tmp.execscript.exe

pid	Process
1804	tmp.exe
1804	tmp.exe
1804	tmp.exe
1804	tmp.exe
3200	cscript.exe
3200	cscript.exe
3200	cscript.exe
3200	cscript.exe
3200	cscript.exe
3200	cscript.exe
3200	cscript.exe
3200	cscript.exe
3200	cscript.exe
3200	cscript.exe
3200	cscript.exe
3200	cscript.exe
3200	cscript.exe
3200	cscript.exe
3200	cscript.exe
3200	cscript.exe
3200	cscript.exe
3200	cscript.exe
3200	cscript.exe
3200	cscript.exe
3200	cscript.exe
3200	cscript.exe
3200	cscript.exe
3200	cscript.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

tmp.exetmp.execscript.exe

pid	Process
2640	tmp.exe
1804	tmp.exe
1804	tmp.exe
1804	tmp.exe
3200	cscript.exe
3200	cscript.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

tmp.exeExplorer.EXEcscript.exe

description	pid	Process
Token: SeDebugPrivilege	1804	tmp.exe
Token: SeShutdownPrivilege	3484	Explorer.EXE
Token: SeCreatePagefilePrivilege	3484	Explorer.EXE
Token: SeShutdownPrivilege	3484	Explorer.EXE
Token: SeCreatePagefilePrivilege	3484	Explorer.EXE
Token: SeDebugPrivilege	3200	cscript.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid	Process
3484	Explorer.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

tmp.exeExplorer.EXEcscript.exe

description	pid	Process	procid_target
PID 2640 wrote to memory of 1804	2640	tmp.exe	97
PID 2640 wrote to memory of 1804	2640	tmp.exe	97
PID 2640 wrote to memory of 1804	2640	tmp.exe	97
PID 2640 wrote to memory of 1804	2640	tmp.exe	97
PID 2640 wrote to memory of 1804	2640	tmp.exe	97
PID 3484 wrote to memory of 3200	3484	Explorer.EXE	99
PID 3484 wrote to memory of 3200	3484	Explorer.EXE	99
PID 3484 wrote to memory of 3200	3484	Explorer.EXE	99
PID 3200 wrote to memory of 384	3200	cscript.exe	100
PID 3200 wrote to memory of 384	3200	cscript.exe	100
PID 3200 wrote to memory of 384	3200	cscript.exe	100

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3484
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    3⤵
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1804
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:4540
- C:\Windows\SysWOW64\cscript.exe
  "C:\Windows\SysWOW64\cscript.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3200
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    3⤵
    PID:384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\fouette.ini

Filesize
44B

MD5
eb4da25d6c0d919bbe9ebc480cee0d05

SHA1
dfaeae9c23e9b282a82b1abb971599a5bcd51b27

SHA256
70a4ee88b132159f110d96ad83001187c6a272f52d5c766f563b50ac1e072fe3

SHA512
1e9972196d4bdbbc7366c1fc980014b3048d036f56afdeb39303263cc7af24217490dd9b9ca85ac11a0bf83a1c31eead3320e158e8b9ac819468023d1548cb5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi4C58.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
memory/1804-643-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1804-615-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1804-630-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1804-598-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1804-599-0x00000000775E8000-0x00000000775E9000-memory.dmp

Filesize
4KB

Download
memory/1804-600-0x0000000077605000-0x0000000077606000-memory.dmp

Filesize
4KB

Download
memory/1804-614-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1804-640-0x0000000036D40000-0x000000003708A000-memory.dmp

Filesize
3.3MB

Download
memory/1804-613-0x0000000001660000-0x00000000066DD000-memory.dmp

Filesize
80.5MB

Download
memory/1804-616-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1804-617-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1804-618-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1804-645-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1804-620-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1804-621-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1804-622-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1804-623-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1804-624-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1804-625-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1804-627-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1804-619-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1804-641-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1804-597-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1804-632-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1804-626-0x0000000001660000-0x00000000066DD000-memory.dmp

Filesize
80.5MB

Download
memory/1804-633-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1804-635-0x0000000036C50000-0x0000000036C64000-memory.dmp

Filesize
80KB

Download
memory/1804-636-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1804-638-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1804-639-0x0000000077561000-0x0000000077681000-memory.dmp

Filesize
1.1MB

Download
memory/2640-596-0x00000000743C0000-0x00000000743C7000-memory.dmp

Filesize
28KB

Download
memory/2640-595-0x0000000077561000-0x0000000077681000-memory.dmp

Filesize
1.1MB

Download
memory/3200-628-0x0000000000E90000-0x0000000000EB7000-memory.dmp

Filesize
156KB

Download
memory/3200-644-0x0000000002E80000-0x00000000031CA000-memory.dmp

Filesize
3.3MB

Download
memory/3200-642-0x0000000000D40000-0x0000000000D6F000-memory.dmp

Filesize
188KB

Download
memory/3200-629-0x0000000000E90000-0x0000000000EB7000-memory.dmp

Filesize
156KB

Download
memory/3200-646-0x0000000000D40000-0x0000000000D6F000-memory.dmp

Filesize
188KB

Download
memory/3200-649-0x0000000002D20000-0x0000000002DB3000-memory.dmp

Filesize
588KB

Download
memory/3484-637-0x0000000008E00000-0x0000000008F24000-memory.dmp

Filesize
1.1MB

Download
memory/3484-651-0x0000000008630000-0x0000000008704000-memory.dmp

Filesize
848KB

Download
memory/3484-652-0x0000000008630000-0x0000000008704000-memory.dmp

Filesize
848KB

Download
memory/3484-655-0x0000000008630000-0x0000000008704000-memory.dmp

Filesize
848KB

Download