Malware Analysis Report

2025-01-18 12:40

Sample ID 240402-maabhafa53
Target 8e0cab6e15c8ecf53d170b396a5cdb6db74f1a8cc5bfd408ef5d480f25fa358c.zip
SHA256 493c4a1e5d1dc441a17c45f95bd2f4a586dccdd2c877fa1e2749f8c24a699117
Tags
formbook ns03 rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

493c4a1e5d1dc441a17c45f95bd2f4a586dccdd2c877fa1e2749f8c24a699117

Threat Level: Known bad

The file 8e0cab6e15c8ecf53d170b396a5cdb6db74f1a8cc5bfd408ef5d480f25fa358c.zip was found to be: Known bad.

Malicious Activity Summary

formbook ns03 rat spyware stealer trojan

Formbook

Formbook payload

Deletes itself

Suspicious use of SetThreadContext

Suspicious behavior: MapViewOfSection

Gathers network information

Suspicious use of UnmapMainImage

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-02 10:15

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-02 10:15

Reported

2024-04-02 10:18

Platform

win7-20231129-en

Max time kernel

148s

Max time network

119s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook payload

rat

Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1752 set thread context of 3056 N/A C:\Users\Admin\AppData\Local\Temp\bnY2j1hTDlb4vxF.exe C:\Users\Admin\AppData\Local\Temp\bnY2j1hTDlb4vxF.exe
PID 3056 set thread context of 1400 N/A C:\Users\Admin\AppData\Local\Temp\bnY2j1hTDlb4vxF.exe C:\Windows\Explorer.EXE
PID 2644 set thread context of 1400 N/A C:\Windows\SysWOW64\netsh.exe C:\Windows\Explorer.EXE

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bnY2j1hTDlb4vxF.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\netsh.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1752 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\bnY2j1hTDlb4vxF.exe C:\Users\Admin\AppData\Local\Temp\bnY2j1hTDlb4vxF.exe
PID 1400 wrote to memory of 2644 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\netsh.exe
PID 2644 wrote to memory of 2876 N/A C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\bnY2j1hTDlb4vxF.exe

"C:\Users\Admin\AppData\Local\Temp\bnY2j1hTDlb4vxF.exe"

C:\Users\Admin\AppData\Local\Temp\bnY2j1hTDlb4vxF.exe

"C:\Users\Admin\AppData\Local\Temp\bnY2j1hTDlb4vxF.exe"

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\SysWOW64\netsh.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Local\Temp\bnY2j1hTDlb4vxF.exe"

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-04-02 10:15

Reported

2024-04-02 10:18

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

150s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook payload

rat

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1864 set thread context of 3252 N/A C:\Users\Admin\AppData\Local\Temp\bnY2j1hTDlb4vxF.exe C:\Users\Admin\AppData\Local\Temp\bnY2j1hTDlb4vxF.exe
PID 3252 set thread context of 3500 N/A C:\Users\Admin\AppData\Local\Temp\bnY2j1hTDlb4vxF.exe C:\Windows\Explorer.EXE
PID 3716 set thread context of 3500 N/A C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\Explorer.EXE

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bnY2j1hTDlb4vxF.exe N/A
N/A N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bnY2j1hTDlb4vxF.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\NETSTAT.EXE N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1864 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\bnY2j1hTDlb4vxF.exe C:\Users\Admin\AppData\Local\Temp\bnY2j1hTDlb4vxF.exe
PID 3500 wrote to memory of 3716 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\NETSTAT.EXE
PID 3716 wrote to memory of 764 N/A C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\bnY2j1hTDlb4vxF.exe

"C:\Users\Admin\AppData\Local\Temp\bnY2j1hTDlb4vxF.exe"

C:\Users\Admin\AppData\Local\Temp\bnY2j1hTDlb4vxF.exe

"C:\Users\Admin\AppData\Local\Temp\bnY2j1hTDlb4vxF.exe"

C:\Windows\SysWOW64\NETSTAT.EXE

"C:\Windows\SysWOW64\NETSTAT.EXE"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Local\Temp\bnY2j1hTDlb4vxF.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 6.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 www.vb4n53g4fh354gf5jh.top udp
US 8.8.8.8:53 www.kukrejaassociates.in udp
IN 68.178.145.116:80 www.kukrejaassociates.in tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 116.145.178.68.in-addr.arpa udp
US 8.8.8.8:53 202.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 www.grupooceanique.com udp
US 8.8.8.8:53 www.circly.net udp
DE 3.64.163.50:80 www.circly.net tcp
US 8.8.8.8:53 50.163.64.3.in-addr.arpa udp
US 8.8.8.8:53 udp

Files
