formbook | 80762425adc5f24b5c7be359dd4cb7c1c657bb21f0304dcb89eb6bd6d8d8e0da

Analysis

max time kernel
148s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 06:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Swift Copy.exe
Size

49KB
MD5

fadef7ce43e9627a752d03a41e71ee41
SHA1

f8a9907fdb73ca4b162b20a79d9384ab5277af31
SHA256

80762425adc5f24b5c7be359dd4cb7c1c657bb21f0304dcb89eb6bd6d8d8e0da
SHA512

764ddce479431043510647f95fb376be3b62bc7e6283173c9d7849130335a8daa2aad2b86e8a7693cd5c92c1b94e809cf1a0ec1ecbb2fb6c196d1764a0a9a081
SSDEEP

768:P1YSqVwQ8rD6pSg12mkQu3MyoELiym7/FDFTNxIrgBjv5VQ6:PyeQkDxtcyJm7tk0jv5VJ

Score

10^/10

formbook zgrat sr62 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

sr62

Decoy

pizzaperol.com

brooklynlearningstudio.com

legendlearningacghy.net

xtlg3i19o7czkv4.buzz

outdoorsproducts.xyz

nissanthanhhoa.com

mtviewproservices.com

tichris.com

monopolygo.llc

engagemaxmail.com

supremeinsure.com

2018b7.com

tedxkarunyauniversity.com

vaishnaviyoga.in

goddessoffetish.com

dazewu.com

844385.autos

caluxio.com

restaurantlataberna.com

charlieahunter.com

Signatures

Detect ZGRat V1 34 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3320-3-0x0000000008C00000-0x0000000008E3E000-memory.dmp	family_zgrat_v1
behavioral2/memory/3320-7-0x0000000008C00000-0x0000000008E38000-memory.dmp	family_zgrat_v1
behavioral2/memory/3320-21-0x0000000008C00000-0x0000000008E38000-memory.dmp	family_zgrat_v1
behavioral2/memory/3320-23-0x0000000008C00000-0x0000000008E38000-memory.dmp	family_zgrat_v1
behavioral2/memory/3320-33-0x0000000008C00000-0x0000000008E38000-memory.dmp	family_zgrat_v1
behavioral2/memory/3320-41-0x0000000008C00000-0x0000000008E38000-memory.dmp	family_zgrat_v1
behavioral2/memory/3320-47-0x0000000008C00000-0x0000000008E38000-memory.dmp	family_zgrat_v1
behavioral2/memory/3320-45-0x0000000008C00000-0x0000000008E38000-memory.dmp	family_zgrat_v1
behavioral2/memory/3320-43-0x0000000008C00000-0x0000000008E38000-memory.dmp	family_zgrat_v1
behavioral2/memory/3320-39-0x0000000008C00000-0x0000000008E38000-memory.dmp	family_zgrat_v1
behavioral2/memory/3320-37-0x0000000008C00000-0x0000000008E38000-memory.dmp	family_zgrat_v1
behavioral2/memory/3320-35-0x0000000008C00000-0x0000000008E38000-memory.dmp	family_zgrat_v1
behavioral2/memory/3320-32-0x0000000008C00000-0x0000000008E38000-memory.dmp	family_zgrat_v1
behavioral2/memory/3320-29-0x0000000008C00000-0x0000000008E38000-memory.dmp	family_zgrat_v1
behavioral2/memory/3320-27-0x0000000008C00000-0x0000000008E38000-memory.dmp	family_zgrat_v1
behavioral2/memory/3320-25-0x0000000008C00000-0x0000000008E38000-memory.dmp	family_zgrat_v1
behavioral2/memory/3320-19-0x0000000008C00000-0x0000000008E38000-memory.dmp	family_zgrat_v1
behavioral2/memory/3320-17-0x0000000008C00000-0x0000000008E38000-memory.dmp	family_zgrat_v1
behavioral2/memory/3320-15-0x0000000008C00000-0x0000000008E38000-memory.dmp	family_zgrat_v1
behavioral2/memory/3320-13-0x0000000008C00000-0x0000000008E38000-memory.dmp	family_zgrat_v1
behavioral2/memory/3320-11-0x0000000008C00000-0x0000000008E38000-memory.dmp	family_zgrat_v1
behavioral2/memory/3320-9-0x0000000008C00000-0x0000000008E38000-memory.dmp	family_zgrat_v1
behavioral2/memory/3320-6-0x0000000008C00000-0x0000000008E38000-memory.dmp	family_zgrat_v1
behavioral2/memory/3320-67-0x0000000008C00000-0x0000000008E38000-memory.dmp	family_zgrat_v1
behavioral2/memory/3320-69-0x0000000008C00000-0x0000000008E38000-memory.dmp	family_zgrat_v1
behavioral2/memory/3320-65-0x0000000008C00000-0x0000000008E38000-memory.dmp	family_zgrat_v1
behavioral2/memory/3320-63-0x0000000008C00000-0x0000000008E38000-memory.dmp	family_zgrat_v1
behavioral2/memory/3320-61-0x0000000008C00000-0x0000000008E38000-memory.dmp	family_zgrat_v1
behavioral2/memory/3320-59-0x0000000008C00000-0x0000000008E38000-memory.dmp	family_zgrat_v1
behavioral2/memory/3320-57-0x0000000008C00000-0x0000000008E38000-memory.dmp	family_zgrat_v1
behavioral2/memory/3320-55-0x0000000008C00000-0x0000000008E38000-memory.dmp	family_zgrat_v1
behavioral2/memory/3320-53-0x0000000008C00000-0x0000000008E38000-memory.dmp	family_zgrat_v1
behavioral2/memory/3320-51-0x0000000008C00000-0x0000000008E38000-memory.dmp	family_zgrat_v1
behavioral2/memory/3320-49-0x0000000008C00000-0x0000000008E38000-memory.dmp	family_zgrat_v1

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Formbook payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2292-4895-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2292-4898-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

Swift Copy.exeSwift Copy.execmd.exe

description	pid	process	target process
PID 3320 set thread context of 2292	3320	Swift Copy.exe	Swift Copy.exe
PID 2292 set thread context of 3376	2292	Swift Copy.exe	Explorer.EXE
PID 4516 set thread context of 3376	4516	cmd.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 38 IoCs

Processes:

Swift Copy.execmd.exe

pid	process
2292	Swift Copy.exe
2292	Swift Copy.exe
2292	Swift Copy.exe
2292	Swift Copy.exe
4516	cmd.exe
4516	cmd.exe
4516	cmd.exe
4516	cmd.exe
4516	cmd.exe
4516	cmd.exe
4516	cmd.exe
4516	cmd.exe
4516	cmd.exe
4516	cmd.exe
4516	cmd.exe
4516	cmd.exe
4516	cmd.exe
4516	cmd.exe
4516	cmd.exe
4516	cmd.exe
4516	cmd.exe
4516	cmd.exe
4516	cmd.exe
4516	cmd.exe
4516	cmd.exe
4516	cmd.exe
4516	cmd.exe
4516	cmd.exe
4516	cmd.exe
4516	cmd.exe
4516	cmd.exe
4516	cmd.exe
4516	cmd.exe
4516	cmd.exe
4516	cmd.exe
4516	cmd.exe
4516	cmd.exe
4516	cmd.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Swift Copy.execmd.exe

pid process

2292 Swift Copy.exe
2292 Swift Copy.exe
2292 Swift Copy.exe
4516 cmd.exe
4516 cmd.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Swift Copy.exeSwift Copy.execmd.exe

description	pid	process
Token: SeDebugPrivilege	3320	Swift Copy.exe
Token: SeDebugPrivilege	3320	Swift Copy.exe
Token: SeDebugPrivilege	2292	Swift Copy.exe
Token: SeDebugPrivilege	4516	cmd.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3376 Explorer.EXE

pid	process
3376	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Swift Copy.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 3320 wrote to memory of 2292	3320	Swift Copy.exe	Swift Copy.exe
PID 3320 wrote to memory of 2292	3320	Swift Copy.exe	Swift Copy.exe
PID 3320 wrote to memory of 2292	3320	Swift Copy.exe	Swift Copy.exe
PID 3320 wrote to memory of 2292	3320	Swift Copy.exe	Swift Copy.exe
PID 3320 wrote to memory of 2292	3320	Swift Copy.exe	Swift Copy.exe
PID 3320 wrote to memory of 2292	3320	Swift Copy.exe	Swift Copy.exe
PID 3376 wrote to memory of 4516	3376	Explorer.EXE	cmd.exe
PID 3376 wrote to memory of 4516	3376	Explorer.EXE	cmd.exe
PID 3376 wrote to memory of 4516	3376	Explorer.EXE	cmd.exe
PID 4516 wrote to memory of 1484	4516	cmd.exe	cmd.exe
PID 4516 wrote to memory of 1484	4516	cmd.exe	cmd.exe
PID 4516 wrote to memory of 1484	4516	cmd.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3376
- C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe
  "C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3320
- - C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe
    "C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2292
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\SysWOW64\cmd.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4516
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe"
    3⤵
    PID:1484

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2292-4895-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2292-4896-0x0000000000A60000-0x0000000000DAA000-memory.dmp

Filesize
3.3MB

Download
memory/2292-4899-0x0000000000A20000-0x0000000000A34000-memory.dmp

Filesize
80KB

Download
memory/2292-4898-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3320-17-0x0000000008C00000-0x0000000008E38000-memory.dmp

Filesize
2.2MB

Download
memory/3320-7-0x0000000008C00000-0x0000000008E38000-memory.dmp

Filesize
2.2MB

Download
memory/3320-2-0x0000000074710000-0x0000000074EC0000-memory.dmp

Filesize
7.7MB

Download
memory/3320-3-0x0000000008C00000-0x0000000008E3E000-memory.dmp

Filesize
2.2MB

Download
memory/3320-4-0x00000000093F0000-0x0000000009994000-memory.dmp

Filesize
5.6MB

Download
memory/3320-5-0x0000000008EE0000-0x0000000008F72000-memory.dmp

Filesize
584KB

Download
memory/3320-11-0x0000000008C00000-0x0000000008E38000-memory.dmp

Filesize
2.2MB

Download
memory/3320-21-0x0000000008C00000-0x0000000008E38000-memory.dmp

Filesize
2.2MB

Download
memory/3320-23-0x0000000008C00000-0x0000000008E38000-memory.dmp

Filesize
2.2MB

Download
memory/3320-33-0x0000000008C00000-0x0000000008E38000-memory.dmp

Filesize
2.2MB

Download
memory/3320-41-0x0000000008C00000-0x0000000008E38000-memory.dmp

Filesize
2.2MB

Download
memory/3320-47-0x0000000008C00000-0x0000000008E38000-memory.dmp

Filesize
2.2MB

Download
memory/3320-45-0x0000000008C00000-0x0000000008E38000-memory.dmp

Filesize
2.2MB

Download
memory/3320-43-0x0000000008C00000-0x0000000008E38000-memory.dmp

Filesize
2.2MB

Download
memory/3320-39-0x0000000008C00000-0x0000000008E38000-memory.dmp

Filesize
2.2MB

Download
memory/3320-37-0x0000000008C00000-0x0000000008E38000-memory.dmp

Filesize
2.2MB

Download
memory/3320-35-0x0000000008C00000-0x0000000008E38000-memory.dmp

Filesize
2.2MB

Download
memory/3320-32-0x0000000008C00000-0x0000000008E38000-memory.dmp

Filesize
2.2MB

Download
memory/3320-13-0x0000000008C00000-0x0000000008E38000-memory.dmp

Filesize
2.2MB

Download
memory/3320-27-0x0000000008C00000-0x0000000008E38000-memory.dmp

Filesize
2.2MB

Download
memory/3320-25-0x0000000008C00000-0x0000000008E38000-memory.dmp

Filesize
2.2MB

Download
memory/3320-19-0x0000000008C00000-0x0000000008E38000-memory.dmp

Filesize
2.2MB

Download
memory/3320-0-0x000000007471E000-0x000000007471F000-memory.dmp

Filesize
4KB

Download
memory/3320-15-0x0000000008C00000-0x0000000008E38000-memory.dmp

Filesize
2.2MB

Download
memory/3320-29-0x0000000008C00000-0x0000000008E38000-memory.dmp

Filesize
2.2MB

Download
memory/3320-1-0x0000000000BF0000-0x0000000000C02000-memory.dmp

Filesize
72KB

Download
memory/3320-9-0x0000000008C00000-0x0000000008E38000-memory.dmp

Filesize
2.2MB

Download
memory/3320-6-0x0000000008C00000-0x0000000008E38000-memory.dmp

Filesize
2.2MB

Download
memory/3320-67-0x0000000008C00000-0x0000000008E38000-memory.dmp

Filesize
2.2MB

Download
memory/3320-69-0x0000000008C00000-0x0000000008E38000-memory.dmp

Filesize
2.2MB

Download
memory/3320-65-0x0000000008C00000-0x0000000008E38000-memory.dmp

Filesize
2.2MB

Download
memory/3320-63-0x0000000008C00000-0x0000000008E38000-memory.dmp

Filesize
2.2MB

Download
memory/3320-61-0x0000000008C00000-0x0000000008E38000-memory.dmp

Filesize
2.2MB

Download
memory/3320-59-0x0000000008C00000-0x0000000008E38000-memory.dmp

Filesize
2.2MB

Download
memory/3320-57-0x0000000008C00000-0x0000000008E38000-memory.dmp

Filesize
2.2MB

Download
memory/3320-55-0x0000000008C00000-0x0000000008E38000-memory.dmp

Filesize
2.2MB

Download
memory/3320-53-0x0000000008C00000-0x0000000008E38000-memory.dmp

Filesize
2.2MB

Download
memory/3320-51-0x0000000008C00000-0x0000000008E38000-memory.dmp

Filesize
2.2MB

Download
memory/3320-49-0x0000000008C00000-0x0000000008E38000-memory.dmp

Filesize
2.2MB

Download
memory/3320-4886-0x0000000074710000-0x0000000074EC0000-memory.dmp

Filesize
7.7MB

Download
memory/3320-4888-0x00000000013C0000-0x000000000140C000-memory.dmp

Filesize
304KB

Download
memory/3320-4887-0x0000000001340000-0x00000000013BA000-memory.dmp

Filesize
488KB

Download
memory/3320-4889-0x000000007471E000-0x000000007471F000-memory.dmp

Filesize
4KB

Download
memory/3320-4890-0x0000000074710000-0x0000000074EC0000-memory.dmp

Filesize
7.7MB

Download
memory/3320-4891-0x0000000001410000-0x0000000001464000-memory.dmp

Filesize
336KB

Download
memory/3320-4894-0x0000000074710000-0x0000000074EC0000-memory.dmp

Filesize
7.7MB

Download
memory/3376-4900-0x0000000008470000-0x00000000085BF000-memory.dmp

Filesize
1.3MB

Download
memory/3376-4907-0x0000000008470000-0x00000000085BF000-memory.dmp

Filesize
1.3MB

Download
memory/3376-4909-0x0000000008BE0000-0x0000000008D21000-memory.dmp

Filesize
1.3MB

Download
memory/3376-4914-0x0000000008BE0000-0x0000000008D21000-memory.dmp

Filesize
1.3MB

Download
memory/4516-4904-0x00000000003B0000-0x000000000040A000-memory.dmp

Filesize
360KB

Download