formbook | 60bc892c0d2392091394c2ba22701447e399860c4b8d9a0dee014db3da78b1a6

Analysis

max time kernel
149s
max time network
135s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
05-08-2024 07:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MalwareBazaar.exe
Size

656KB
MD5

dae6a17dd50c76b58fb2c7d980e801d9
SHA1

8b1fce08ff057639bd4eb7ebd6231417569b6494
SHA256

60bc892c0d2392091394c2ba22701447e399860c4b8d9a0dee014db3da78b1a6
SHA512

9453a2389c54b524adfeee11bf90284168b2fff30c7c962fe48cdc3e7e1c893dfc45a64107067900440834be95f0cf02e83c7c7a8c2e673a2d73ef311f6bda04
SSDEEP

12288:2M23a/zmcDXmxqPbKwII+foXlIHdHfQJkE1ij7qObjjTCYT59Whpehsh9kR:2V3aakXenBmSokE1ivcGshhg

Score

10^/10

formbook md02 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

md02

Decoy

onsen1508.com

partymaxclubmen36.click

texasshelvingwarehouse.com

tiantiying.com

taxcredits-pr.com

33mgbet.com

equipoleiremnacional.com

andrewghita.com

zbbnp.xyz

englandbreaking.com

a1b5v.xyz

vizamag.com

h0lg3.rest

ux-design-courses-17184.bond

of84.top

qqkartel88v1.com

avalynkate.com

cpuk-finance.com

yeslabs.xyz

webuyandsellpa.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/2524-24-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2112-29-0x00000000000B0000-0x00000000000DF000-memory.dmp	formbook

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2216	powershell.exe
2712	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2448 set thread context of 2524	2448	MalwareBazaar.exe	36
PID 2524 set thread context of 1300	2524	RegSvcs.exe	21
PID 2112 set thread context of 1300	2112	cscript.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MalwareBazaar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2376	schtasks.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
2448	MalwareBazaar.exe
2216	powershell.exe
2448	MalwareBazaar.exe
2448	MalwareBazaar.exe
2712	powershell.exe
2448	MalwareBazaar.exe
2524	RegSvcs.exe
2524	RegSvcs.exe
2112	cscript.exe
2112	cscript.exe
2112	cscript.exe
2112	cscript.exe
2112	cscript.exe
2112	cscript.exe
2112	cscript.exe
2112	cscript.exe
2112	cscript.exe
2112	cscript.exe
2112	cscript.exe
2112	cscript.exe
2112	cscript.exe
2112	cscript.exe
2112	cscript.exe
2112	cscript.exe
2112	cscript.exe
2112	cscript.exe
2112	cscript.exe
2112	cscript.exe
2112	cscript.exe
2112	cscript.exe
2112	cscript.exe
2112	cscript.exe
2112	cscript.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2524	RegSvcs.exe
2524	RegSvcs.exe
2524	RegSvcs.exe
2112	cscript.exe
2112	cscript.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2448	MalwareBazaar.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	2524	RegSvcs.exe
Token: SeDebugPrivilege	2112	cscript.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2216	2448	MalwareBazaar.exe	30
PID 2448 wrote to memory of 2216	2448	MalwareBazaar.exe	30
PID 2448 wrote to memory of 2216	2448	MalwareBazaar.exe	30
PID 2448 wrote to memory of 2216	2448	MalwareBazaar.exe	30
PID 2448 wrote to memory of 2712	2448	MalwareBazaar.exe	32
PID 2448 wrote to memory of 2712	2448	MalwareBazaar.exe	32
PID 2448 wrote to memory of 2712	2448	MalwareBazaar.exe	32
PID 2448 wrote to memory of 2712	2448	MalwareBazaar.exe	32
PID 2448 wrote to memory of 2376	2448	MalwareBazaar.exe	34
PID 2448 wrote to memory of 2376	2448	MalwareBazaar.exe	34
PID 2448 wrote to memory of 2376	2448	MalwareBazaar.exe	34
PID 2448 wrote to memory of 2376	2448	MalwareBazaar.exe	34
PID 2448 wrote to memory of 2524	2448	MalwareBazaar.exe	36
PID 2448 wrote to memory of 2524	2448	MalwareBazaar.exe	36
PID 2448 wrote to memory of 2524	2448	MalwareBazaar.exe	36
PID 2448 wrote to memory of 2524	2448	MalwareBazaar.exe	36
PID 2448 wrote to memory of 2524	2448	MalwareBazaar.exe	36
PID 2448 wrote to memory of 2524	2448	MalwareBazaar.exe	36
PID 2448 wrote to memory of 2524	2448	MalwareBazaar.exe	36
PID 2448 wrote to memory of 2524	2448	MalwareBazaar.exe	36
PID 2448 wrote to memory of 2524	2448	MalwareBazaar.exe	36
PID 2448 wrote to memory of 2524	2448	MalwareBazaar.exe	36
PID 1300 wrote to memory of 2112	1300	Explorer.EXE	37
PID 1300 wrote to memory of 2112	1300	Explorer.EXE	37
PID 1300 wrote to memory of 2112	1300	Explorer.EXE	37
PID 1300 wrote to memory of 2112	1300	Explorer.EXE	37
PID 2112 wrote to memory of 2492	2112	cscript.exe	38
PID 2112 wrote to memory of 2492	2112	cscript.exe	38
PID 2112 wrote to memory of 2492	2112	cscript.exe	38
PID 2112 wrote to memory of 2492	2112	cscript.exe	38

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe
  "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2216
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BGELwANFeozDW.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2712
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BGELwANFeozDW" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5DE9.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2376
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2524
- C:\Windows\SysWOW64\cscript.exe
  "C:\Windows\SysWOW64\cscript.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5DE9.tmp

Filesize
1KB

MD5
8684cc97919f86e3dc4027b9c4ff6915

SHA1
2719b1c6900b2aa5f0aefc478b200cc4a1642f1b

SHA256
a9aa277d1afd037752899b5d0689d539fd069f9b9029fe30531dfb061d8f8ab4

SHA512
41e4762cd5942fb01654a2d9d402d08d19c9789c1d28e05420c22083cda76dfce6025aaf732fe4532d6c26a655107058f80a878d0de72c83b300ba77803da2d1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
09e0a7533c587b8c9009aba9b6a98447

SHA1
9a46df39c05187b3a956bec3c0f32b2d8d1a0cfb

SHA256
2d2c933bf46cafa95cb68006f6363c32a0cbfeb6b6cf309d7a9704a52068a6e7

SHA512
e1f1343bc50416822764a90535f5e88a4fdc4b7d94d2c9e7cd4bdba6bde5e8f44853d3272284a9323711dfe8aa6fa91d7623117b456a1e49bf30c10492d70126

Download Submit
memory/1300-32-0x0000000007130000-0x0000000007289000-memory.dmp

Filesize
1.3MB

Download
memory/1300-27-0x0000000003D50000-0x0000000003F50000-memory.dmp

Filesize
2.0MB

Download
memory/2112-29-0x00000000000B0000-0x00000000000DF000-memory.dmp

Filesize
188KB

Download
memory/2112-28-0x0000000000F30000-0x0000000000F52000-memory.dmp

Filesize
136KB

Download
memory/2448-4-0x0000000000440000-0x000000000044E000-memory.dmp

Filesize
56KB

Download
memory/2448-6-0x0000000004500000-0x0000000004576000-memory.dmp

Filesize
472KB

Download
memory/2448-5-0x0000000000450000-0x0000000000466000-memory.dmp

Filesize
88KB

Download
memory/2448-25-0x00000000746D0000-0x0000000074DBE000-memory.dmp

Filesize
6.9MB

Download
memory/2448-0-0x00000000746DE000-0x00000000746DF000-memory.dmp

Filesize
4KB

Download
memory/2448-3-0x0000000000420000-0x0000000000438000-memory.dmp

Filesize
96KB

Download
memory/2448-2-0x00000000746D0000-0x0000000074DBE000-memory.dmp

Filesize
6.9MB

Download
memory/2448-1-0x0000000000370000-0x0000000000418000-memory.dmp

Filesize
672KB

Download
memory/2524-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2524-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2524-21-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2524-19-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download