formbook | 6a220dfe065da94494e1f5a94311bdba17f6f56d66f40ca39af817798fea09af

Analysis

max time kernel
146s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
14/05/2024, 15:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEW ORDER.exe
Size

763KB
MD5

9df58df76c5826af2a9357287869e0f7
SHA1

c2d804fdeefc82563b51c04870b49cc998588712
SHA256

6a220dfe065da94494e1f5a94311bdba17f6f56d66f40ca39af817798fea09af
SHA512

2f0a90bdf8748d4c616b0568ddbb9043dedbb536a5902cec3e6693ed37ba94fb2aec42c514722f09589d27d5bdb1bbe3c3c4d3338386459348ad695465b9f494
SSDEEP

12288:eQDFTPiULBMzvlKXj3Z+ka1XmrpVMSTUplRYgK+CVINEX9yKBg7vjG:HPh2NKXj8tVmpmGUpXYfia9yKe/

Score

10^/10

formbook ij84 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ij84

Decoy

resetter.xyz

simonbelanger.me

kwip.xyz

7dbb9.baby

notion-everyday.com

saftiwall.com

pulse-gaming.com

fafafa1.shop

ihaveahole.com

sxtzzj.com

996688x.xyz

komalili.monster

haberdashere.store

nurselifegng.com

kidtryz.com

ghvx.xyz

1minvideopro.com

hidef.group

stylishbeststyler.space

spx21.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/3004-27-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/3004-31-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1668-34-0x0000000000090000-0x00000000000BF000-memory.dmp	formbook

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jui\GHUI.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jui\GHUI.exe	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GHUI.lnk	NEW ORDER.exe

Executes dropped EXE 1 IoCs

pid	Process
2288	GHUI.exe

Loads dropped DLL 2 IoCs

pid	Process
2660	cmd.exe
2660	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2288 set thread context of 3004	2288	GHUI.exe	33
PID 3004 set thread context of 1196	3004	AddInProcess32.exe	21
PID 3004 set thread context of 1196	3004	AddInProcess32.exe	21
PID 1668 set thread context of 1196	1668	svchost.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2756	PING.EXE
2812	PING.EXE

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2156	NEW ORDER.exe
2156	NEW ORDER.exe
2156	NEW ORDER.exe
2156	NEW ORDER.exe
2288	GHUI.exe
2288	GHUI.exe
3004	AddInProcess32.exe
3004	AddInProcess32.exe
3004	AddInProcess32.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe
1668	svchost.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
3004	AddInProcess32.exe
3004	AddInProcess32.exe
3004	AddInProcess32.exe
3004	AddInProcess32.exe
1668	svchost.exe
1668	svchost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2156	NEW ORDER.exe
Token: SeDebugPrivilege	2288	GHUI.exe
Token: SeDebugPrivilege	3004	AddInProcess32.exe
Token: SeDebugPrivilege	1668	svchost.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2660	2156	NEW ORDER.exe	28
PID 2156 wrote to memory of 2660	2156	NEW ORDER.exe	28
PID 2156 wrote to memory of 2660	2156	NEW ORDER.exe	28
PID 2156 wrote to memory of 2660	2156	NEW ORDER.exe	28
PID 2660 wrote to memory of 2756	2660	cmd.exe	30
PID 2660 wrote to memory of 2756	2660	cmd.exe	30
PID 2660 wrote to memory of 2756	2660	cmd.exe	30
PID 2660 wrote to memory of 2756	2660	cmd.exe	30
PID 2660 wrote to memory of 2812	2660	cmd.exe	31
PID 2660 wrote to memory of 2812	2660	cmd.exe	31
PID 2660 wrote to memory of 2812	2660	cmd.exe	31
PID 2660 wrote to memory of 2812	2660	cmd.exe	31
PID 2660 wrote to memory of 2288	2660	cmd.exe	32
PID 2660 wrote to memory of 2288	2660	cmd.exe	32
PID 2660 wrote to memory of 2288	2660	cmd.exe	32
PID 2660 wrote to memory of 2288	2660	cmd.exe	32
PID 2288 wrote to memory of 3004	2288	GHUI.exe	33
PID 2288 wrote to memory of 3004	2288	GHUI.exe	33
PID 2288 wrote to memory of 3004	2288	GHUI.exe	33
PID 2288 wrote to memory of 3004	2288	GHUI.exe	33
PID 2288 wrote to memory of 3004	2288	GHUI.exe	33
PID 2288 wrote to memory of 3004	2288	GHUI.exe	33
PID 2288 wrote to memory of 3004	2288	GHUI.exe	33
PID 1196 wrote to memory of 1668	1196	Explorer.EXE	36
PID 1196 wrote to memory of 1668	1196	Explorer.EXE	36
PID 1196 wrote to memory of 1668	1196	Explorer.EXE	36
PID 1196 wrote to memory of 1668	1196	Explorer.EXE	36
PID 1668 wrote to memory of 1684	1668	svchost.exe	37
PID 1668 wrote to memory of 1684	1668	svchost.exe	37
PID 1668 wrote to memory of 1684	1668	svchost.exe	37
PID 1668 wrote to memory of 1684	1668	svchost.exe	37

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Users\Admin\AppData\Local\Temp\NEW ORDER.exe
  "C:\Users\Admin\AppData\Local\Temp\NEW ORDER.exe"
  2⤵
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c ping 127.0.0.1 -n 8 > nul && copy "C:\Users\Admin\AppData\Local\Temp\NEW ORDER.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jui\GHUI.exe" && ping 127.0.0.1 -n 8 > nul && "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jui\GHUI.exe"
    3⤵
    - Drops startup file
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 8
      4⤵
      Runs ping.exe
      PID:2756
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 8
      4⤵
      Runs ping.exe
      PID:2812
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jui\GHUI.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jui\GHUI.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2288
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        5⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\SysWOW64\svchost.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    PID:1684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jui\GHUI.exe

Filesize
763KB

MD5
9df58df76c5826af2a9357287869e0f7

SHA1
c2d804fdeefc82563b51c04870b49cc998588712

SHA256
6a220dfe065da94494e1f5a94311bdba17f6f56d66f40ca39af817798fea09af

SHA512
2f0a90bdf8748d4c616b0568ddbb9043dedbb536a5902cec3e6693ed37ba94fb2aec42c514722f09589d27d5bdb1bbe3c3c4d3338386459348ad695465b9f494

Download Submit
memory/1196-32-0x00000000050A0000-0x00000000051F4000-memory.dmp

Filesize
1.3MB

Download
memory/1196-30-0x0000000003C00000-0x0000000003D00000-memory.dmp

Filesize
1024KB

Download
memory/1668-34-0x0000000000090000-0x00000000000BF000-memory.dmp

Filesize
188KB

Download
memory/1668-33-0x0000000000080000-0x0000000000088000-memory.dmp

Filesize
32KB

Download
memory/2156-0-0x0000000074D0E000-0x0000000074D0F000-memory.dmp

Filesize
4KB

Download
memory/2156-1-0x00000000008F0000-0x00000000009B6000-memory.dmp

Filesize
792KB

Download
memory/2156-2-0x0000000004380000-0x00000000043C4000-memory.dmp

Filesize
272KB

Download
memory/2156-3-0x0000000074D00000-0x00000000753EE000-memory.dmp

Filesize
6.9MB

Download
memory/2156-5-0x0000000074D00000-0x00000000753EE000-memory.dmp

Filesize
6.9MB

Download
memory/2288-20-0x0000000000960000-0x0000000000966000-memory.dmp

Filesize
24KB

Download
memory/2288-26-0x0000000074CB0000-0x000000007539E000-memory.dmp

Filesize
6.9MB

Download
memory/2288-28-0x0000000074CB0000-0x000000007539E000-memory.dmp

Filesize
6.9MB

Download
memory/2288-19-0x0000000004C60000-0x0000000004C7A000-memory.dmp

Filesize
104KB

Download
memory/2288-18-0x0000000074CB0000-0x000000007539E000-memory.dmp

Filesize
6.9MB

Download
memory/2288-17-0x0000000074CB0000-0x000000007539E000-memory.dmp

Filesize
6.9MB

Download
memory/2288-16-0x0000000000310000-0x00000000003D6000-memory.dmp

Filesize
792KB

Download
memory/3004-22-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3004-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3004-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3004-27-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3004-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download