formbook | 6a220dfe065da94494e1f5a94311bdba17f6f56d66f40ca39af817798fea09af

Analysis

max time kernel
146s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
14/05/2024, 15:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEW ORDER.exe
Size

763KB
MD5

9df58df76c5826af2a9357287869e0f7
SHA1

c2d804fdeefc82563b51c04870b49cc998588712
SHA256

6a220dfe065da94494e1f5a94311bdba17f6f56d66f40ca39af817798fea09af
SHA512

2f0a90bdf8748d4c616b0568ddbb9043dedbb536a5902cec3e6693ed37ba94fb2aec42c514722f09589d27d5bdb1bbe3c3c4d3338386459348ad695465b9f494
SSDEEP

12288:eQDFTPiULBMzvlKXj3Z+ka1XmrpVMSTUplRYgK+CVINEX9yKBg7vjG:HPh2NKXj8tVmpmGUpXYfia9yKe/

Score

10^/10

formbook ij84 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ij84

Decoy

resetter.xyz

simonbelanger.me

kwip.xyz

7dbb9.baby

notion-everyday.com

saftiwall.com

pulse-gaming.com

fafafa1.shop

ihaveahole.com

sxtzzj.com

996688x.xyz

komalili.monster

haberdashere.store

nurselifegng.com

kidtryz.com

ghvx.xyz

1minvideopro.com

hidef.group

stylishbeststyler.space

spx21.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/2868-38-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2868-42-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1520-45-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GHUI.lnk	NEW ORDER.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jui\GHUI.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jui\GHUI.exe	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2592	GHUI.exe

Loads dropped DLL 2 IoCs

pid	Process
2616	cmd.exe
2616	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2592 set thread context of 2868	2592	GHUI.exe	35
PID 2868 set thread context of 1368	2868	AddInProcess32.exe	21
PID 2868 set thread context of 1368	2868	AddInProcess32.exe	21
PID 1520 set thread context of 1368	1520	wlanext.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2920	PING.EXE
2684	PING.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3040	NEW ORDER.exe
3040	NEW ORDER.exe
3040	NEW ORDER.exe
3040	NEW ORDER.exe
2592	GHUI.exe
2592	GHUI.exe
2592	GHUI.exe
2592	GHUI.exe
2868	AddInProcess32.exe
2868	AddInProcess32.exe
2868	AddInProcess32.exe
1520	wlanext.exe
1520	wlanext.exe
1520	wlanext.exe
1520	wlanext.exe
1520	wlanext.exe
1520	wlanext.exe
1520	wlanext.exe
1520	wlanext.exe
1520	wlanext.exe
1520	wlanext.exe
1520	wlanext.exe
1520	wlanext.exe
1520	wlanext.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2868	AddInProcess32.exe
2868	AddInProcess32.exe
2868	AddInProcess32.exe
2868	AddInProcess32.exe
1520	wlanext.exe
1520	wlanext.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3040	NEW ORDER.exe
Token: SeDebugPrivilege	2592	GHUI.exe
Token: SeDebugPrivilege	2868	AddInProcess32.exe
Token: SeDebugPrivilege	1520	wlanext.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2616	3040	NEW ORDER.exe	28
PID 3040 wrote to memory of 2616	3040	NEW ORDER.exe	28
PID 3040 wrote to memory of 2616	3040	NEW ORDER.exe	28
PID 3040 wrote to memory of 2616	3040	NEW ORDER.exe	28
PID 2616 wrote to memory of 2920	2616	cmd.exe	30
PID 2616 wrote to memory of 2920	2616	cmd.exe	30
PID 2616 wrote to memory of 2920	2616	cmd.exe	30
PID 2616 wrote to memory of 2920	2616	cmd.exe	30
PID 2616 wrote to memory of 2684	2616	cmd.exe	31
PID 2616 wrote to memory of 2684	2616	cmd.exe	31
PID 2616 wrote to memory of 2684	2616	cmd.exe	31
PID 2616 wrote to memory of 2684	2616	cmd.exe	31
PID 2616 wrote to memory of 2592	2616	cmd.exe	32
PID 2616 wrote to memory of 2592	2616	cmd.exe	32
PID 2616 wrote to memory of 2592	2616	cmd.exe	32
PID 2616 wrote to memory of 2592	2616	cmd.exe	32
PID 2592 wrote to memory of 2508	2592	GHUI.exe	33
PID 2592 wrote to memory of 2508	2592	GHUI.exe	33
PID 2592 wrote to memory of 2508	2592	GHUI.exe	33
PID 2592 wrote to memory of 2508	2592	GHUI.exe	33
PID 2592 wrote to memory of 2508	2592	GHUI.exe	33
PID 2592 wrote to memory of 2508	2592	GHUI.exe	33
PID 2592 wrote to memory of 2508	2592	GHUI.exe	33
PID 2592 wrote to memory of 2916	2592	GHUI.exe	34
PID 2592 wrote to memory of 2916	2592	GHUI.exe	34
PID 2592 wrote to memory of 2916	2592	GHUI.exe	34
PID 2592 wrote to memory of 2916	2592	GHUI.exe	34
PID 2592 wrote to memory of 2916	2592	GHUI.exe	34
PID 2592 wrote to memory of 2916	2592	GHUI.exe	34
PID 2592 wrote to memory of 2916	2592	GHUI.exe	34
PID 2592 wrote to memory of 2868	2592	GHUI.exe	35
PID 2592 wrote to memory of 2868	2592	GHUI.exe	35
PID 2592 wrote to memory of 2868	2592	GHUI.exe	35
PID 2592 wrote to memory of 2868	2592	GHUI.exe	35
PID 2592 wrote to memory of 2868	2592	GHUI.exe	35
PID 2592 wrote to memory of 2868	2592	GHUI.exe	35
PID 2592 wrote to memory of 2868	2592	GHUI.exe	35
PID 1368 wrote to memory of 1520	1368	Explorer.EXE	38
PID 1368 wrote to memory of 1520	1368	Explorer.EXE	38
PID 1368 wrote to memory of 1520	1368	Explorer.EXE	38
PID 1368 wrote to memory of 1520	1368	Explorer.EXE	38
PID 1520 wrote to memory of 1424	1520	wlanext.exe	39
PID 1520 wrote to memory of 1424	1520	wlanext.exe	39
PID 1520 wrote to memory of 1424	1520	wlanext.exe	39
PID 1520 wrote to memory of 1424	1520	wlanext.exe	39

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Users\Admin\AppData\Local\Temp\NEW ORDER.exe
  "C:\Users\Admin\AppData\Local\Temp\NEW ORDER.exe"
  2⤵
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c ping 127.0.0.1 -n 15 > nul && copy "C:\Users\Admin\AppData\Local\Temp\NEW ORDER.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jui\GHUI.exe" && ping 127.0.0.1 -n 15 > nul && "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jui\GHUI.exe"
    3⤵
    - Drops startup file
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 15
      4⤵
      Runs ping.exe
      PID:2920
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 15
      4⤵
      Runs ping.exe
      PID:2684
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jui\GHUI.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jui\GHUI.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2592
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        5⤵
        
        PID:2508
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        5⤵
        
        PID:2916
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        5⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
- C:\Windows\SysWOW64\wlanext.exe
  "C:\Windows\SysWOW64\wlanext.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1520
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    PID:1424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jui\GHUI.exe

Filesize
763KB

MD5
9df58df76c5826af2a9357287869e0f7

SHA1
c2d804fdeefc82563b51c04870b49cc998588712

SHA256
6a220dfe065da94494e1f5a94311bdba17f6f56d66f40ca39af817798fea09af

SHA512
2f0a90bdf8748d4c616b0568ddbb9043dedbb536a5902cec3e6693ed37ba94fb2aec42c514722f09589d27d5bdb1bbe3c3c4d3338386459348ad695465b9f494

Download Submit
memory/1368-43-0x0000000006830000-0x0000000006937000-memory.dmp

Filesize
1.0MB

Download
memory/1368-41-0x00000000002C0000-0x00000000003C0000-memory.dmp

Filesize
1024KB

Download
memory/1520-45-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1520-44-0x0000000000660000-0x0000000000676000-memory.dmp

Filesize
88KB

Download
memory/2508-21-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/2508-23-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/2508-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2592-16-0x000000007450E000-0x000000007450F000-memory.dmp

Filesize
4KB

Download
memory/2592-36-0x000000007450E000-0x000000007450F000-memory.dmp

Filesize
4KB

Download
memory/2592-20-0x0000000000700000-0x0000000000706000-memory.dmp

Filesize
24KB

Download
memory/2592-18-0x0000000074500000-0x0000000074BEE000-memory.dmp

Filesize
6.9MB

Download
memory/2592-17-0x0000000000BE0000-0x0000000000CA6000-memory.dmp

Filesize
792KB

Download
memory/2592-19-0x00000000020B0000-0x00000000020CA000-memory.dmp

Filesize
104KB

Download
memory/2592-39-0x0000000074500000-0x0000000074BEE000-memory.dmp

Filesize
6.9MB

Download
memory/2592-37-0x0000000074500000-0x0000000074BEE000-memory.dmp

Filesize
6.9MB

Download
memory/2868-42-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2868-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2868-38-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2916-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3040-5-0x0000000074BF0000-0x00000000752DE000-memory.dmp

Filesize
6.9MB

Download
memory/3040-0-0x0000000074BFE000-0x0000000074BFF000-memory.dmp

Filesize
4KB

Download
memory/3040-3-0x0000000074BF0000-0x00000000752DE000-memory.dmp

Filesize
6.9MB

Download
memory/3040-2-0x0000000000540000-0x0000000000584000-memory.dmp

Filesize
272KB

Download
memory/3040-1-0x00000000003C0000-0x0000000000486000-memory.dmp

Filesize
792KB

Download