formbook | a40b613bca52ec196d6be4ac375d9076922b41cc4742c15a2ff1137bd6400eb7

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-04-2024 01:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a40b613bca52ec196d6be4ac375d9076922b41cc4742c15a2ff1137bd6400eb7.exe
Size

981KB
MD5

249c382387f592eafab7e20a55560280
SHA1

364c13a8ac03c9708d92fa01e5d9d442c94f75dc
SHA256

a40b613bca52ec196d6be4ac375d9076922b41cc4742c15a2ff1137bd6400eb7
SHA512

4c8ff6f05af4967c9d40638c86ea360d9b452d1be86ae6739e9fe36f84e20f7577032d4e32e349a1819777a1af2ce6515356a31533e1f269dbfd18fc86902ad5
SSDEEP

12288:X3/p8sL8kKR0zIYaGzp9t6Mde/l5KCuz65cgOGsLNaYuPjIG4Z6jf:n/p8/pR0EYp9wMdM5Juz6INKPjR4q

Score

10^/10

formbook uu09 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

uu09

Decoy

gnbojjfds.xyz

thepinkpen.net

oclocksl.com

aaaajjjjjffff.com

onlineppl.com

rokomariebook.com

protagonagency.store

brilliant.radio

amaniyaonline.shop

bouqclub.net

mrtranceman.com

mybet88gacor.com

huixua.shop

foundersdao.xyz

pileasures.top

summit-rhode.com

6wwr.top

randombutessential.com

ux-design-courses-85926.bond

domainz.rent

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 5 IoCs

rat

resource	yara_rule
behavioral1/memory/2732-30-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2732-34-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2732-39-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/488-45-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/488-47-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skpye.lnk	a40b613bca52ec196d6be4ac375d9076922b41cc4742c15a2ff1137bd6400eb7.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skpye.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skpye.exe	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
864	skpye.exe

Loads dropped DLL 2 IoCs

pid	Process
2784	cmd.exe
2784	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 864 set thread context of 2732	864	skpye.exe	36
PID 2732 set thread context of 1200	2732	AddInProcess32.exe	21
PID 2732 set thread context of 1200	2732	AddInProcess32.exe	21
PID 488 set thread context of 1200	488	chkdsk.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2444	PING.EXE
2872	PING.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1624	a40b613bca52ec196d6be4ac375d9076922b41cc4742c15a2ff1137bd6400eb7.exe
2956	sype.exe
2956	sype.exe
2956	sype.exe
2956	sype.exe
864	skpye.exe
864	skpye.exe
2732	AddInProcess32.exe
2732	AddInProcess32.exe
2732	AddInProcess32.exe
488	chkdsk.exe
488	chkdsk.exe
488	chkdsk.exe
488	chkdsk.exe
488	chkdsk.exe
488	chkdsk.exe
488	chkdsk.exe
488	chkdsk.exe
488	chkdsk.exe
488	chkdsk.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2732	AddInProcess32.exe
2732	AddInProcess32.exe
2732	AddInProcess32.exe
2732	AddInProcess32.exe
488	chkdsk.exe
488	chkdsk.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1624	a40b613bca52ec196d6be4ac375d9076922b41cc4742c15a2ff1137bd6400eb7.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1624	a40b613bca52ec196d6be4ac375d9076922b41cc4742c15a2ff1137bd6400eb7.exe
Token: SeDebugPrivilege	2956	sype.exe
Token: SeDebugPrivilege	864	skpye.exe
Token: SeDebugPrivilege	2732	AddInProcess32.exe
Token: SeDebugPrivilege	488	chkdsk.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 2956	1624	a40b613bca52ec196d6be4ac375d9076922b41cc4742c15a2ff1137bd6400eb7.exe	28
PID 1624 wrote to memory of 2956	1624	a40b613bca52ec196d6be4ac375d9076922b41cc4742c15a2ff1137bd6400eb7.exe	28
PID 1624 wrote to memory of 2956	1624	a40b613bca52ec196d6be4ac375d9076922b41cc4742c15a2ff1137bd6400eb7.exe	28
PID 1624 wrote to memory of 2956	1624	a40b613bca52ec196d6be4ac375d9076922b41cc4742c15a2ff1137bd6400eb7.exe	28
PID 2956 wrote to memory of 2784	2956	sype.exe	29
PID 2956 wrote to memory of 2784	2956	sype.exe	29
PID 2956 wrote to memory of 2784	2956	sype.exe	29
PID 2956 wrote to memory of 2784	2956	sype.exe	29
PID 2784 wrote to memory of 2444	2784	cmd.exe	31
PID 2784 wrote to memory of 2444	2784	cmd.exe	31
PID 2784 wrote to memory of 2444	2784	cmd.exe	31
PID 2784 wrote to memory of 2444	2784	cmd.exe	31
PID 2784 wrote to memory of 2872	2784	cmd.exe	34
PID 2784 wrote to memory of 2872	2784	cmd.exe	34
PID 2784 wrote to memory of 2872	2784	cmd.exe	34
PID 2784 wrote to memory of 2872	2784	cmd.exe	34
PID 2784 wrote to memory of 864	2784	cmd.exe	35
PID 2784 wrote to memory of 864	2784	cmd.exe	35
PID 2784 wrote to memory of 864	2784	cmd.exe	35
PID 2784 wrote to memory of 864	2784	cmd.exe	35
PID 864 wrote to memory of 2732	864	skpye.exe	36
PID 864 wrote to memory of 2732	864	skpye.exe	36
PID 864 wrote to memory of 2732	864	skpye.exe	36
PID 864 wrote to memory of 2732	864	skpye.exe	36
PID 864 wrote to memory of 2732	864	skpye.exe	36
PID 864 wrote to memory of 2732	864	skpye.exe	36
PID 864 wrote to memory of 2732	864	skpye.exe	36
PID 2732 wrote to memory of 488	2732	AddInProcess32.exe	37
PID 2732 wrote to memory of 488	2732	AddInProcess32.exe	37
PID 2732 wrote to memory of 488	2732	AddInProcess32.exe	37
PID 2732 wrote to memory of 488	2732	AddInProcess32.exe	37
PID 488 wrote to memory of 2504	488	chkdsk.exe	38
PID 488 wrote to memory of 2504	488	chkdsk.exe	38
PID 488 wrote to memory of 2504	488	chkdsk.exe	38
PID 488 wrote to memory of 2504	488	chkdsk.exe	38

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\a40b613bca52ec196d6be4ac375d9076922b41cc4742c15a2ff1137bd6400eb7.exe
  "C:\Users\Admin\AppData\Local\Temp\a40b613bca52ec196d6be4ac375d9076922b41cc4742c15a2ff1137bd6400eb7.exe"
  2⤵
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Users\Admin\AppData\Local\Temp\sype.exe
    "C:\Users\Admin\AppData\Local\Temp\sype.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 11 > nul && copy "C:\Users\Admin\AppData\Local\Temp\sype.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skpye.exe" && ping 127.0.0.1 -n 11 > nul && "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skpye.exe"
      4⤵
      Drops startup file
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2784
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 11
        5⤵
        Runs ping.exe
        
        PID:2444
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 11
        5⤵
        Runs ping.exe
        
        PID:2872
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skpye.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skpye.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:864
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\SysWOW64\chkdsk.exe
        
        "C:\Windows\SysWOW64\chkdsk.exe"
        7⤵
        Suspicious use of SetThreadContext
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:488
        
        C:\Windows\SysWOW64\cmd.exe
        
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        8⤵
        
        PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skpye.exe

Filesize
981KB

MD5
249c382387f592eafab7e20a55560280

SHA1
364c13a8ac03c9708d92fa01e5d9d442c94f75dc

SHA256
a40b613bca52ec196d6be4ac375d9076922b41cc4742c15a2ff1137bd6400eb7

SHA512
4c8ff6f05af4967c9d40638c86ea360d9b452d1be86ae6739e9fe36f84e20f7577032d4e32e349a1819777a1af2ce6515356a31533e1f269dbfd18fc86902ad5

Download Submit
memory/488-48-0x0000000001E40000-0x0000000001ED3000-memory.dmp

Filesize
588KB

Download
memory/488-47-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/488-46-0x0000000001FD0000-0x00000000022D3000-memory.dmp

Filesize
3.0MB

Download
memory/488-45-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/488-44-0x0000000000220000-0x0000000000227000-memory.dmp

Filesize
28KB

Download
memory/488-43-0x0000000000220000-0x0000000000227000-memory.dmp

Filesize
28KB

Download
memory/864-29-0x0000000001040000-0x0000000001080000-memory.dmp

Filesize
256KB

Download
memory/864-31-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download
memory/864-19-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download
memory/864-20-0x00000000011C0000-0x00000000012BC000-memory.dmp

Filesize
1008KB

Download
memory/864-21-0x0000000001040000-0x0000000001080000-memory.dmp

Filesize
256KB

Download
memory/864-22-0x0000000000B90000-0x0000000000BAA000-memory.dmp

Filesize
104KB

Download
memory/864-23-0x00000000004E0000-0x00000000004E6000-memory.dmp

Filesize
24KB

Download
memory/864-28-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download
memory/1200-49-0x0000000008890000-0x0000000008A33000-memory.dmp

Filesize
1.6MB

Download
memory/1200-36-0x0000000000320000-0x0000000000420000-memory.dmp

Filesize
1024KB

Download
memory/1200-42-0x0000000008890000-0x0000000008A33000-memory.dmp

Filesize
1.6MB

Download
memory/1200-37-0x0000000006390000-0x0000000006507000-memory.dmp

Filesize
1.5MB

Download
memory/1624-1-0x0000000074A30000-0x000000007511E000-memory.dmp

Filesize
6.9MB

Download
memory/1624-2-0x00000000049C0000-0x0000000004A00000-memory.dmp

Filesize
256KB

Download
memory/1624-0-0x0000000000E20000-0x0000000000F1C000-memory.dmp

Filesize
1008KB

Download
memory/1624-3-0x0000000000D90000-0x0000000000DD4000-memory.dmp

Filesize
272KB

Download
memory/1624-5-0x0000000074A30000-0x000000007511E000-memory.dmp

Filesize
6.9MB

Download
memory/2732-34-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2732-35-0x0000000000140000-0x0000000000154000-memory.dmp

Filesize
80KB

Download
memory/2732-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2732-40-0x00000000001D0000-0x00000000001E4000-memory.dmp

Filesize
80KB

Download
memory/2732-32-0x0000000000950000-0x0000000000C53000-memory.dmp

Filesize
3.0MB

Download
memory/2732-30-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2732-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2732-25-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2732-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2956-8-0x0000000074A30000-0x000000007511E000-memory.dmp

Filesize
6.9MB

Download
memory/2956-7-0x0000000004D30000-0x0000000004D70000-memory.dmp

Filesize
256KB

Download
memory/2956-6-0x0000000074A30000-0x000000007511E000-memory.dmp

Filesize
6.9MB

Download