formbook | 62ca1c39badbfbc52c6301cb69c8356977db57656c6d98dac7e4ab908753af00

Analysis

max time kernel
148s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
31-07-2024 09:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MalwareBazaar.exe
Size

810KB
MD5

60bd782aa615ee9354c2221b4ad7b80c
SHA1

f753f3c3c359b38c1051064417d6d0daf89db2c9
SHA256

62ca1c39badbfbc52c6301cb69c8356977db57656c6d98dac7e4ab908753af00
SHA512

0ddc9c16ac39aa6c006bd8ccd11194267b73d646b304f84b911153832dc7a6c960d60ebfc08d0d6314630e124e575bee4c81c75ffa7915faddaeae5d37b351e3
SSDEEP

12288:1y9WilQDz/bhj+nm3m6SsWCG0tP+KpIMD5w2T7S+w74fNJ658N:1wQDfhj+um6SgDEWHPdL65

Score

10^/10

formbook rn10 discovery persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

rn10

Decoy

kedai168et.com

mental-olympics.com

pussybuildsstrongbones.net

857691.shop

hisellers.net

exposurecophotography.com

beaded-boutique.net

wednesdayholdings.com

plesacv.xyz

manonlineros.com

a0204.shop

333689g.com

dyprl716h.xyz

pulseirabet.com

fnet.work

bo-2024-001-v1-d1.xyz

ongaurdsecurity.com

giulianacristini.com

miladamani.com

magicalrealmshopkeeper.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/1644-29-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1644-48-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2040-58-0x0000000000090000-0x00000000000BF000-memory.dmp	formbook

Executes dropped EXE 7 IoCs

pid	Process
1272	Ningbo .exe
1224	Ningbo .exe
1644	Ningbo .exe
2440	watchdog.exe
1220	watchdog.exe
1324	Ningbo .exe
1780	Ningbo .exe

Loads dropped DLL 4 IoCs

pid	Process
2860	cmd.exe
2860	cmd.exe
1272	Ningbo .exe
2440	watchdog.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ningbo = "C:\\Users\\Admin\\AppData\\Roaming\\Ningbo .exe"	reg.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1272 set thread context of 1644	1272	Ningbo .exe	41
PID 1644 set thread context of 1208	1644	Ningbo .exe	21
PID 1644 set thread context of 1208	1644	Ningbo .exe	21
PID 2040 set thread context of 1208	2040	msiexec.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	watchdog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ningbo .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	watchdog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MalwareBazaar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2528	cmd.exe
2552	PING.EXE
2860	cmd.exe
2740	PING.EXE
1252	PING.EXE

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
2740	PING.EXE
1252	PING.EXE
2552	PING.EXE

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
3020	MalwareBazaar.exe
3020	MalwareBazaar.exe
3020	MalwareBazaar.exe
3020	MalwareBazaar.exe
3020	MalwareBazaar.exe
1272	Ningbo .exe
1272	Ningbo .exe
1272	Ningbo .exe
1272	Ningbo .exe
1272	Ningbo .exe
1644	Ningbo .exe
1644	Ningbo .exe
2440	watchdog.exe
1220	watchdog.exe
1220	watchdog.exe
1220	watchdog.exe
1272	Ningbo .exe
1272	Ningbo .exe
1644	Ningbo .exe
2040	msiexec.exe
2040	msiexec.exe
1272	Ningbo .exe
1272	Ningbo .exe
1272	Ningbo .exe
1272	Ningbo .exe
2040	msiexec.exe
2040	msiexec.exe
2040	msiexec.exe
2040	msiexec.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
1644	Ningbo .exe
1644	Ningbo .exe
1644	Ningbo .exe
1644	Ningbo .exe
2040	msiexec.exe
2040	msiexec.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3020	MalwareBazaar.exe
Token: SeDebugPrivilege	1272	Ningbo .exe
Token: SeDebugPrivilege	1644	Ningbo .exe
Token: SeDebugPrivilege	2440	watchdog.exe
Token: SeDebugPrivilege	1220	watchdog.exe
Token: SeDebugPrivilege	2040	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2528	3020	MalwareBazaar.exe	30
PID 3020 wrote to memory of 2528	3020	MalwareBazaar.exe	30
PID 3020 wrote to memory of 2528	3020	MalwareBazaar.exe	30
PID 3020 wrote to memory of 2528	3020	MalwareBazaar.exe	30
PID 2528 wrote to memory of 2552	2528	cmd.exe	32
PID 2528 wrote to memory of 2552	2528	cmd.exe	32
PID 2528 wrote to memory of 2552	2528	cmd.exe	32
PID 2528 wrote to memory of 2552	2528	cmd.exe	32
PID 3020 wrote to memory of 2860	3020	MalwareBazaar.exe	34
PID 3020 wrote to memory of 2860	3020	MalwareBazaar.exe	34
PID 3020 wrote to memory of 2860	3020	MalwareBazaar.exe	34
PID 3020 wrote to memory of 2860	3020	MalwareBazaar.exe	34
PID 2860 wrote to memory of 2740	2860	cmd.exe	36
PID 2860 wrote to memory of 2740	2860	cmd.exe	36
PID 2860 wrote to memory of 2740	2860	cmd.exe	36
PID 2860 wrote to memory of 2740	2860	cmd.exe	36
PID 2528 wrote to memory of 2920	2528	cmd.exe	37
PID 2528 wrote to memory of 2920	2528	cmd.exe	37
PID 2528 wrote to memory of 2920	2528	cmd.exe	37
PID 2528 wrote to memory of 2920	2528	cmd.exe	37
PID 2860 wrote to memory of 1252	2860	cmd.exe	38
PID 2860 wrote to memory of 1252	2860	cmd.exe	38
PID 2860 wrote to memory of 1252	2860	cmd.exe	38
PID 2860 wrote to memory of 1252	2860	cmd.exe	38
PID 2860 wrote to memory of 1272	2860	cmd.exe	39
PID 2860 wrote to memory of 1272	2860	cmd.exe	39
PID 2860 wrote to memory of 1272	2860	cmd.exe	39
PID 2860 wrote to memory of 1272	2860	cmd.exe	39
PID 1272 wrote to memory of 1224	1272	Ningbo .exe	40
PID 1272 wrote to memory of 1224	1272	Ningbo .exe	40
PID 1272 wrote to memory of 1224	1272	Ningbo .exe	40
PID 1272 wrote to memory of 1224	1272	Ningbo .exe	40
PID 1272 wrote to memory of 1224	1272	Ningbo .exe	40
PID 1272 wrote to memory of 1224	1272	Ningbo .exe	40
PID 1272 wrote to memory of 1224	1272	Ningbo .exe	40
PID 1272 wrote to memory of 1644	1272	Ningbo .exe	41
PID 1272 wrote to memory of 1644	1272	Ningbo .exe	41
PID 1272 wrote to memory of 1644	1272	Ningbo .exe	41
PID 1272 wrote to memory of 1644	1272	Ningbo .exe	41
PID 1272 wrote to memory of 1644	1272	Ningbo .exe	41
PID 1272 wrote to memory of 1644	1272	Ningbo .exe	41
PID 1272 wrote to memory of 1644	1272	Ningbo .exe	41
PID 1272 wrote to memory of 2440	1272	Ningbo .exe	42
PID 1272 wrote to memory of 2440	1272	Ningbo .exe	42
PID 1272 wrote to memory of 2440	1272	Ningbo .exe	42
PID 1272 wrote to memory of 2440	1272	Ningbo .exe	42
PID 2440 wrote to memory of 1220	2440	watchdog.exe	43
PID 2440 wrote to memory of 1220	2440	watchdog.exe	43
PID 2440 wrote to memory of 1220	2440	watchdog.exe	43
PID 2440 wrote to memory of 1220	2440	watchdog.exe	43
PID 1208 wrote to memory of 2040	1208	Explorer.EXE	44
PID 1208 wrote to memory of 2040	1208	Explorer.EXE	44
PID 1208 wrote to memory of 2040	1208	Explorer.EXE	44
PID 1208 wrote to memory of 2040	1208	Explorer.EXE	44
PID 1208 wrote to memory of 2040	1208	Explorer.EXE	44
PID 1208 wrote to memory of 2040	1208	Explorer.EXE	44
PID 1208 wrote to memory of 2040	1208	Explorer.EXE	44
PID 1272 wrote to memory of 1324	1272	Ningbo .exe	45
PID 1272 wrote to memory of 1324	1272	Ningbo .exe	45
PID 1272 wrote to memory of 1324	1272	Ningbo .exe	45
PID 1272 wrote to memory of 1324	1272	Ningbo .exe	45
PID 1272 wrote to memory of 1324	1272	Ningbo .exe	45
PID 1272 wrote to memory of 1324	1272	Ningbo .exe	45
PID 1272 wrote to memory of 1324	1272	Ningbo .exe	45

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe
  "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c ping 127.0.0.1 -n 16 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Ningbo " /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Ningbo .exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 16
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2552
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Ningbo " /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Ningbo .exe"
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2920
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c ping 127.0.0.1 -n 25 > nul && copy "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe" "C:\Users\Admin\AppData\Roaming\Ningbo .exe" && ping 127.0.0.1 -n 25 > nul && "C:\Users\Admin\AppData\Roaming\Ningbo .exe"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 25
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2740
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 25
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1252
  - - C:\Users\Admin\AppData\Roaming\Ningbo .exe
      "C:\Users\Admin\AppData\Roaming\Ningbo .exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1272
    - - C:\Users\Admin\AppData\Roaming\Ningbo .exe
        
        "C:\Users\Admin\AppData\Roaming\Ningbo .exe"
        5⤵
        Executes dropped EXE
        
        PID:1224
    - - C:\Users\Admin\AppData\Roaming\Ningbo .exe
        
        "C:\Users\Admin\AppData\Roaming\Ningbo .exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
    - - C:\Users\Admin\AppData\Local\Temp\watchdog.exe
        
        "C:\Users\Admin\AppData\Local\Temp\watchdog.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2440
      - C:\Users\Admin\AppData\Local\Temp\watchdog.exe
        
        "C:\Users\Admin\AppData\Local\Temp\watchdog.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1220
    - - C:\Users\Admin\AppData\Roaming\Ningbo .exe
        
        "C:\Users\Admin\AppData\Roaming\Ningbo .exe"
        5⤵
        Executes dropped EXE
        
        PID:1324
    - - C:\Users\Admin\AppData\Roaming\Ningbo .exe
        
        "C:\Users\Admin\AppData\Roaming\Ningbo .exe"
        5⤵
        Executes dropped EXE
        
        PID:1780
    - - C:\Users\Admin\AppData\Roaming\Ningbo .exe
        
        "C:\Users\Admin\AppData\Roaming\Ningbo .exe"
        5⤵
        
        PID:1880
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  PID:2040
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Roaming\Ningbo .exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\watchdog.exe

Filesize
76KB

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\watchdog.txt

Filesize
53B

MD5
d89b3f5e78be20379d30a42c49678ad3

SHA1
361b270a09529e704b8187c55db2ac81b2ee4589

SHA256
3d3f891c4be265e13346301e1e162807a3f68bf996bfccb3d840806989e01742

SHA512
44b6cc2715aaf6290ae598b8824d2b3b001e9db75ff51de0aa9c31cfb9d574bde6275677d3a06f94f1bf7666f65d85adc7e3832125f160109eda211b274d2207

Download Submit
C:\Users\Admin\AppData\Local\Temp\watchdog.txt

Filesize
56B

MD5
451720a70cf5e512eca7279c72c71f2c

SHA1
274f9b02865060d72012f7cbd986789a8118908f

SHA256
551d410e5e2fd19e8529581c8fab5ec4651883a201215ef52ce37aab63077074

SHA512
b4e15a297a3d7d105af0d92d98bd55c1a621ad4e8b7b8d4e63fa21f7045593cfd7712678eabfc8632bbd501f409597cb6c3ae8110e840fb335fac4036d6f680f

Download Submit
\Users\Admin\AppData\Roaming\Ningbo .exe

Filesize
810KB

MD5
60bd782aa615ee9354c2221b4ad7b80c

SHA1
f753f3c3c359b38c1051064417d6d0daf89db2c9

SHA256
62ca1c39badbfbc52c6301cb69c8356977db57656c6d98dac7e4ab908753af00

SHA512
0ddc9c16ac39aa6c006bd8ccd11194267b73d646b304f84b911153832dc7a6c960d60ebfc08d0d6314630e124e575bee4c81c75ffa7915faddaeae5d37b351e3

Download Submit
memory/1208-49-0x0000000004470000-0x0000000004670000-memory.dmp

Filesize
2.0MB

Download
memory/1224-20-0x00000000001A0000-0x00000000001CF000-memory.dmp

Filesize
188KB

Download
memory/1224-18-0x00000000001A0000-0x00000000001CF000-memory.dmp

Filesize
188KB

Download
memory/1224-22-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1272-15-0x00000000000D0000-0x00000000001A0000-memory.dmp

Filesize
832KB

Download
memory/1272-16-0x0000000000470000-0x000000000048A000-memory.dmp

Filesize
104KB

Download
memory/1272-17-0x0000000000620000-0x0000000000626000-memory.dmp

Filesize
24KB

Download
memory/1644-29-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1644-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2040-50-0x0000000000700000-0x0000000000714000-memory.dmp

Filesize
80KB

Download
memory/2040-57-0x0000000000700000-0x0000000000714000-memory.dmp

Filesize
80KB

Download
memory/2040-58-0x0000000000090000-0x00000000000BF000-memory.dmp

Filesize
188KB

Download
memory/2440-40-0x0000000000350000-0x000000000036A000-memory.dmp

Filesize
104KB

Download
memory/3020-4-0x0000000074D80000-0x000000007546E000-memory.dmp

Filesize
6.9MB

Download
memory/3020-3-0x0000000074D80000-0x000000007546E000-memory.dmp

Filesize
6.9MB

Download
memory/3020-2-0x0000000000670000-0x00000000006B4000-memory.dmp

Filesize
272KB

Download
memory/3020-1-0x0000000000350000-0x0000000000420000-memory.dmp

Filesize
832KB

Download
memory/3020-0-0x0000000074D8E000-0x0000000074D8F000-memory.dmp

Filesize
4KB

Download