formbook | b9944dc05df7b7a10e4326dfb17a10e7c174238cbebf8bea02091a839cc0f0f0

Analysis

max time kernel
143s
max time network
124s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
30-07-2024 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JTM300724IU.vbe
Size

3.1MB
MD5

c845430ea08040d92adc7e9e5870143e
SHA1

0715a93a9902b41b72ff8beaa4f371782c40aaab
SHA256

b9944dc05df7b7a10e4326dfb17a10e7c174238cbebf8bea02091a839cc0f0f0
SHA512

d517d1b9c4cca21f3bdc295133795a9265d44ab436f38bf44f035ca58888f6a14cc5e063fe4ccf20081b9592088bbc56df2b70efdceb6c2450872e194e0bfded
SSDEEP

24576:IQ3d8+MwrXBn6Dc0FEJZF1Nx+bFOoWV+xzN1ewkqlK/4VF7m66W0aGIC3G0zr8lv:J50mJTow+xn3S4OWdbCgTOGN

Score

10^/10

formbook de94 discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

de94

Decoy

way2future.net

worldnewsdailys.online

rendamaisbr.com

s485.icu

vcxwpo.xyz

imagivilleartists.com

herbatyorganics.com

xn--80ado1abokv5d.xn--p1acf

invigoratewell.com

especialistaleitura.online

pkrstg.com

performacaretechnical.com

dreamgame55.net

hkitgugx.xyz

istanlikbilgiler.click

slotter99j.vip

exploringtheoutdoors.net

triberoots.com

energiaslotsbet.com

dkforcm.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/2064-7-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2064-11-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Executes dropped EXE 1 IoCs

pid	Process
2672	HHhHh.exe

Loads dropped DLL 2 IoCs

pid	Process
2364	WScript.exe
2832	Process not Found

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2672 set thread context of 2064	2672	HHhHh.exe	35
PID 2064 set thread context of 1216	2064	wmplayer.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2448	2664	WerFault.exe	36

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2064	wmplayer.exe
2064	wmplayer.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2064	wmplayer.exe
2064	wmplayer.exe
2064	wmplayer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2064	wmplayer.exe
Token: SeShutdownPrivilege	1216	Explorer.EXE

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2672	2364	WScript.exe	30
PID 2364 wrote to memory of 2672	2364	WScript.exe	30
PID 2364 wrote to memory of 2672	2364	WScript.exe	30
PID 2672 wrote to memory of 2920	2672	HHhHh.exe	32
PID 2672 wrote to memory of 2920	2672	HHhHh.exe	32
PID 2672 wrote to memory of 2920	2672	HHhHh.exe	32
PID 2672 wrote to memory of 2920	2672	HHhHh.exe	32
PID 2672 wrote to memory of 2920	2672	HHhHh.exe	32
PID 2672 wrote to memory of 1240	2672	HHhHh.exe	33
PID 2672 wrote to memory of 1240	2672	HHhHh.exe	33
PID 2672 wrote to memory of 1240	2672	HHhHh.exe	33
PID 2672 wrote to memory of 1240	2672	HHhHh.exe	33
PID 2672 wrote to memory of 1240	2672	HHhHh.exe	33
PID 2672 wrote to memory of 1240	2672	HHhHh.exe	33
PID 2672 wrote to memory of 1240	2672	HHhHh.exe	33
PID 2672 wrote to memory of 2800	2672	HHhHh.exe	34
PID 2672 wrote to memory of 2800	2672	HHhHh.exe	34
PID 2672 wrote to memory of 2800	2672	HHhHh.exe	34
PID 2672 wrote to memory of 2800	2672	HHhHh.exe	34
PID 2672 wrote to memory of 2800	2672	HHhHh.exe	34
PID 2672 wrote to memory of 2064	2672	HHhHh.exe	35
PID 2672 wrote to memory of 2064	2672	HHhHh.exe	35
PID 2672 wrote to memory of 2064	2672	HHhHh.exe	35
PID 2672 wrote to memory of 2064	2672	HHhHh.exe	35
PID 2672 wrote to memory of 2064	2672	HHhHh.exe	35
PID 2672 wrote to memory of 2064	2672	HHhHh.exe	35
PID 2672 wrote to memory of 2064	2672	HHhHh.exe	35
PID 1216 wrote to memory of 2664	1216	Explorer.EXE	36
PID 1216 wrote to memory of 2664	1216	Explorer.EXE	36
PID 1216 wrote to memory of 2664	1216	Explorer.EXE	36
PID 1216 wrote to memory of 2664	1216	Explorer.EXE	36
PID 1216 wrote to memory of 2664	1216	Explorer.EXE	36
PID 1216 wrote to memory of 2664	1216	Explorer.EXE	36
PID 1216 wrote to memory of 2664	1216	Explorer.EXE	36
PID 2664 wrote to memory of 2448	2664	msiexec.exe	37
PID 2664 wrote to memory of 2448	2664	msiexec.exe	37
PID 2664 wrote to memory of 2448	2664	msiexec.exe	37
PID 2664 wrote to memory of 2448	2664	msiexec.exe	37

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\JTM300724IU.vbe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Users\Admin\AppData\Local\Temp\HHhHh.exe
    "C:\Users\Admin\AppData\Local\Temp\HHhHh.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2920
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
      4⤵
      PID:1240
  - - C:\Windows\System32\calc.exe
      "C:\Windows\System32\calc.exe"
      4⤵
      PID:2800
  - - C:\Program Files (x86)\Windows Media Player\wmplayer.exe
      "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2064
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 268
    3⤵
    - Program crash
    PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\HHhHh.exe

Filesize
2.2MB

MD5
c12a1b7b35e81e02e296c3d85d75298d

SHA1
74c948db8c7d23fff962a2e8b64c7d626b04073f

SHA256
edf069b9c35c34df17fbfcde19add89033dcb6cbb874686f03330033d88a5e61

SHA512
b06944d71772d5d4a8c92387a5671641f6eeac6f8d897c6966ca98cc241fdfa3184e708b2194272b76c8a6d213a9ee93edc4a882be6458a76b00aa30ba324b25

Download Submit
memory/1216-12-0x00000000072E0000-0x0000000007402000-memory.dmp

Filesize
1.1MB

Download
memory/1216-19-0x00000000072E0000-0x0000000007402000-memory.dmp

Filesize
1.1MB

Download
memory/2064-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2064-11-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2064-10-0x0000000000170000-0x0000000000184000-memory.dmp

Filesize
80KB

Download
memory/2064-9-0x0000000000960000-0x0000000000C63000-memory.dmp

Filesize
3.0MB

Download
memory/2664-14-0x0000000000120000-0x0000000000134000-memory.dmp

Filesize
80KB

Download
memory/2664-13-0x0000000000120000-0x0000000000134000-memory.dmp

Filesize
80KB

Download
memory/2664-16-0x0000000000120000-0x0000000000134000-memory.dmp

Filesize
80KB

Download