formbook | f9e519cd66cb6bed521306afb703672ef2ed9d82d8341398c4199be4523cad96

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19-07-2024 08:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AB2hQJZ77ipdWem.exe
Size

606KB
MD5

f640126d8e76c2a343754ff0f41c1eef
SHA1

b00e9297c74fe4847f4a0667d9cc4379409cb501
SHA256

f9e519cd66cb6bed521306afb703672ef2ed9d82d8341398c4199be4523cad96
SHA512

cd05b460ce74792dbc91891cc13ad888f894c05747907bce0dd79193a126e996e7efadfb7831aee0fd219f3ba92f55858cdf4dbfed876280585daedb92c20083
SSDEEP

12288:1DrlAypLTnapSEkztfGLI70wWsrRJvHG5yCgMLCAUIKtT:PAyp/naSft+s70wfHvH3iCp9

Score

10^/10

formbook v15n rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

v15n

Decoy

dyahwoahjuk.store

toysstorm.com

y7rak9.com

2222233p6.shop

betbox2341.com

visualvarta.com

nijssenadventures.com

main-12.site

leng4d.net

kurainu.xyz

hatesa.xyz

culturamosaica.com

supermallify.store

gigboard.app

rxforgive.com

ameliestones.com

kapalwin.live

tier.credit

sobol-ksa.com

faredeal.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

resource	yara_rule
behavioral2/memory/3844-10-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3844-15-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3956-20-0x0000000000150000-0x000000000017F000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4004 set thread context of 3844	4004	AB2hQJZ77ipdWem.exe	92
PID 3844 set thread context of 3456	3844	AB2hQJZ77ipdWem.exe	54
PID 3956 set thread context of 3456	3956	cmmon32.exe	54

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
3844	AB2hQJZ77ipdWem.exe
3844	AB2hQJZ77ipdWem.exe
3844	AB2hQJZ77ipdWem.exe
3844	AB2hQJZ77ipdWem.exe
3956	cmmon32.exe
3956	cmmon32.exe
3956	cmmon32.exe
3956	cmmon32.exe
3956	cmmon32.exe
3956	cmmon32.exe
3956	cmmon32.exe
3956	cmmon32.exe
3956	cmmon32.exe
3956	cmmon32.exe
3956	cmmon32.exe
3956	cmmon32.exe
3956	cmmon32.exe
3956	cmmon32.exe
3956	cmmon32.exe
3956	cmmon32.exe
3956	cmmon32.exe
3956	cmmon32.exe
3956	cmmon32.exe
3956	cmmon32.exe
3956	cmmon32.exe
3956	cmmon32.exe
3956	cmmon32.exe
3956	cmmon32.exe
3956	cmmon32.exe
3956	cmmon32.exe
3956	cmmon32.exe
3956	cmmon32.exe
3956	cmmon32.exe
3956	cmmon32.exe
3956	cmmon32.exe
3956	cmmon32.exe
3956	cmmon32.exe
3956	cmmon32.exe
3956	cmmon32.exe
3956	cmmon32.exe
3956	cmmon32.exe
3956	cmmon32.exe
3956	cmmon32.exe
3956	cmmon32.exe
3956	cmmon32.exe
3956	cmmon32.exe
3956	cmmon32.exe
3956	cmmon32.exe
3956	cmmon32.exe
3956	cmmon32.exe
3956	cmmon32.exe
3956	cmmon32.exe
3956	cmmon32.exe
3956	cmmon32.exe
3956	cmmon32.exe
3956	cmmon32.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
3844	AB2hQJZ77ipdWem.exe
3844	AB2hQJZ77ipdWem.exe
3844	AB2hQJZ77ipdWem.exe
3956	cmmon32.exe
3956	cmmon32.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	3844	AB2hQJZ77ipdWem.exe
Token: SeDebugPrivilege	3956	cmmon32.exe
Token: SeShutdownPrivilege	3456	Explorer.EXE
Token: SeCreatePagefilePrivilege	3456	Explorer.EXE
Token: SeShutdownPrivilege	3456	Explorer.EXE
Token: SeCreatePagefilePrivilege	3456	Explorer.EXE
Token: SeShutdownPrivilege	3456	Explorer.EXE
Token: SeCreatePagefilePrivilege	3456	Explorer.EXE
Token: SeShutdownPrivilege	3456	Explorer.EXE
Token: SeCreatePagefilePrivilege	3456	Explorer.EXE
Token: SeShutdownPrivilege	3456	Explorer.EXE
Token: SeCreatePagefilePrivilege	3456	Explorer.EXE
Token: SeShutdownPrivilege	3456	Explorer.EXE
Token: SeCreatePagefilePrivilege	3456	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3456	Explorer.EXE
3456	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3456	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4004 wrote to memory of 3844	4004	AB2hQJZ77ipdWem.exe	92
PID 4004 wrote to memory of 3844	4004	AB2hQJZ77ipdWem.exe	92
PID 4004 wrote to memory of 3844	4004	AB2hQJZ77ipdWem.exe	92
PID 4004 wrote to memory of 3844	4004	AB2hQJZ77ipdWem.exe	92
PID 4004 wrote to memory of 3844	4004	AB2hQJZ77ipdWem.exe	92
PID 4004 wrote to memory of 3844	4004	AB2hQJZ77ipdWem.exe	92
PID 3456 wrote to memory of 3956	3456	Explorer.EXE	93
PID 3456 wrote to memory of 3956	3456	Explorer.EXE	93
PID 3456 wrote to memory of 3956	3456	Explorer.EXE	93
PID 3956 wrote to memory of 1524	3956	cmmon32.exe	95
PID 3956 wrote to memory of 1524	3956	cmmon32.exe	95
PID 3956 wrote to memory of 1524	3956	cmmon32.exe	95

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3456
- C:\Users\Admin\AppData\Local\Temp\AB2hQJZ77ipdWem.exe
  "C:\Users\Admin\AppData\Local\Temp\AB2hQJZ77ipdWem.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4004
- - C:\Users\Admin\AppData\Local\Temp\AB2hQJZ77ipdWem.exe
    "C:\Users\Admin\AppData\Local\Temp\AB2hQJZ77ipdWem.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:3844
- C:\Windows\SysWOW64\cmmon32.exe
  "C:\Windows\SysWOW64\cmmon32.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3956
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\AB2hQJZ77ipdWem.exe"
    3⤵
    PID:1524

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3456-17-0x0000000007050000-0x0000000007172000-memory.dmp

Filesize
1.1MB

Download
memory/3456-28-0x0000000007EF0000-0x0000000007FB7000-memory.dmp

Filesize
796KB

Download
memory/3456-25-0x0000000007EF0000-0x0000000007FB7000-memory.dmp

Filesize
796KB

Download
memory/3456-24-0x0000000007EF0000-0x0000000007FB7000-memory.dmp

Filesize
796KB

Download
memory/3456-22-0x0000000007050000-0x0000000007172000-memory.dmp

Filesize
1.1MB

Download
memory/3844-10-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3844-13-0x0000000001350000-0x000000000169A000-memory.dmp

Filesize
3.3MB

Download
memory/3844-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3844-16-0x0000000001230000-0x0000000001245000-memory.dmp

Filesize
84KB

Download
memory/3956-20-0x0000000000150000-0x000000000017F000-memory.dmp

Filesize
188KB

Download
memory/3956-19-0x0000000000760000-0x000000000076C000-memory.dmp

Filesize
48KB

Download
memory/3956-18-0x0000000000760000-0x000000000076C000-memory.dmp

Filesize
48KB

Download
memory/4004-8-0x00000000057D0000-0x0000000005846000-memory.dmp

Filesize
472KB

Download
memory/4004-0-0x0000000074A8E000-0x0000000074A8F000-memory.dmp

Filesize
4KB

Download
memory/4004-7-0x0000000005760000-0x000000000576E000-memory.dmp

Filesize
56KB

Download
memory/4004-5-0x00000000054C0000-0x00000000054CA000-memory.dmp

Filesize
40KB

Download
memory/4004-9-0x0000000008DD0000-0x0000000008E6C000-memory.dmp

Filesize
624KB

Download
memory/4004-12-0x0000000074A80000-0x0000000075230000-memory.dmp

Filesize
7.7MB

Download
memory/4004-6-0x0000000005720000-0x000000000573A000-memory.dmp

Filesize
104KB

Download
memory/4004-4-0x0000000074A80000-0x0000000075230000-memory.dmp

Filesize
7.7MB

Download
memory/4004-3-0x0000000005420000-0x00000000054B2000-memory.dmp

Filesize
584KB

Download
memory/4004-2-0x0000000005BC0000-0x0000000006164000-memory.dmp

Filesize
5.6MB

Download
memory/4004-1-0x0000000000990000-0x0000000000A2C000-memory.dmp

Filesize
624KB

Download