formbook | fbc2dcb6615f34cd3518733f34ce939dcf3bb576a5464022977e62e7480480e4

Analysis

max time kernel
147s
max time network
117s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
10-08-2024 13:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BKG#339LN2035492.exe
Size

428KB
MD5

fc9a7d91c44b35ac45235cbd428d5f71
SHA1

3a2306041f07ac63b24375f2393cdcaae4a9aff2
SHA256

10a9aab39489aa507d35bb18b357ca6c9f8642d8fa27fc1ad9c7de03c8e9415d
SHA512

d235cd67e1e74675a1adaeffc89df82b2314dcb0d8f67887a9b9b0d14e9f3a0bd5c6c3df47ed08e6ab7f5de879be32b8434aa1843647b911629018db1312bdfc
SSDEEP

12288:QnOLBomnNZTudDLhkNbjPNUg6zhDn1ShWOi:QnkymnN6SNXWg6z91AWOi

Score

10^/10

formbook cmg discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

cmg

Decoy

bestessentialcare.com

lemonguild.com

veronabling.com

omvzshop.com

austingutterrepair.com

noracbn.com

shizukis.com

keatingfreelanceservice.com

teamtobook.com

mqcsegurosyfinanzas.com

t-chou-pino-v.com

yuyunst.com

ctlaltignite.com

zinaidaphoto.com

ag-gis.com

hdollars.net

usa-zuche.com

opexsoftwaresupport.com

kaizenseed.com

thejoyshare.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/2588-13-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/2588-17-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/2588-22-0x0000000000400000-0x000000000042E000-memory.dmp	formbook

Deletes itself 1 IoCs

pid	Process
1064	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2372 set thread context of 2588	2372	BKG#339LN2035492.exe	31
PID 2588 set thread context of 1252	2588	BKG#339LN2035492.exe	21
PID 2588 set thread context of 1252	2588	BKG#339LN2035492.exe	21
PID 768 set thread context of 1252	768	chkdsk.exe	21

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BKG#339LN2035492.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BKG#339LN2035492.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chkdsk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
2372	BKG#339LN2035492.exe
2372	BKG#339LN2035492.exe
2588	BKG#339LN2035492.exe
2588	BKG#339LN2035492.exe
2588	BKG#339LN2035492.exe
768	chkdsk.exe
768	chkdsk.exe
768	chkdsk.exe
768	chkdsk.exe
768	chkdsk.exe
768	chkdsk.exe
768	chkdsk.exe
768	chkdsk.exe
768	chkdsk.exe
768	chkdsk.exe
768	chkdsk.exe
768	chkdsk.exe
768	chkdsk.exe
768	chkdsk.exe
768	chkdsk.exe
768	chkdsk.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2588	BKG#339LN2035492.exe
2588	BKG#339LN2035492.exe
2588	BKG#339LN2035492.exe
2588	BKG#339LN2035492.exe
768	chkdsk.exe
768	chkdsk.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2372	BKG#339LN2035492.exe
Token: SeDebugPrivilege	2588	BKG#339LN2035492.exe
Token: SeDebugPrivilege	768	chkdsk.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2564	2372	BKG#339LN2035492.exe	30
PID 2372 wrote to memory of 2564	2372	BKG#339LN2035492.exe	30
PID 2372 wrote to memory of 2564	2372	BKG#339LN2035492.exe	30
PID 2372 wrote to memory of 2564	2372	BKG#339LN2035492.exe	30
PID 2372 wrote to memory of 2588	2372	BKG#339LN2035492.exe	31
PID 2372 wrote to memory of 2588	2372	BKG#339LN2035492.exe	31
PID 2372 wrote to memory of 2588	2372	BKG#339LN2035492.exe	31
PID 2372 wrote to memory of 2588	2372	BKG#339LN2035492.exe	31
PID 2372 wrote to memory of 2588	2372	BKG#339LN2035492.exe	31
PID 2372 wrote to memory of 2588	2372	BKG#339LN2035492.exe	31
PID 2372 wrote to memory of 2588	2372	BKG#339LN2035492.exe	31
PID 2588 wrote to memory of 768	2588	BKG#339LN2035492.exe	77
PID 2588 wrote to memory of 768	2588	BKG#339LN2035492.exe	77
PID 2588 wrote to memory of 768	2588	BKG#339LN2035492.exe	77
PID 2588 wrote to memory of 768	2588	BKG#339LN2035492.exe	77
PID 768 wrote to memory of 1064	768	chkdsk.exe	78
PID 768 wrote to memory of 1064	768	chkdsk.exe	78
PID 768 wrote to memory of 1064	768	chkdsk.exe	78
PID 768 wrote to memory of 1064	768	chkdsk.exe	78

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1252
- C:\Users\Admin\AppData\Local\Temp\BKG#339LN2035492.exe
  "C:\Users\Admin\AppData\Local\Temp\BKG#339LN2035492.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Users\Admin\AppData\Local\Temp\BKG#339LN2035492.exe
    "C:\Users\Admin\AppData\Local\Temp\BKG#339LN2035492.exe"
    3⤵
    PID:2564
- - C:\Users\Admin\AppData\Local\Temp\BKG#339LN2035492.exe
    "C:\Users\Admin\AppData\Local\Temp\BKG#339LN2035492.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Windows\SysWOW64\chkdsk.exe
      "C:\Windows\SysWOW64\chkdsk.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:768
    - - C:\Windows\SysWOW64\cmd.exe
        
        /c del "C:\Users\Admin\AppData\Local\Temp\BKG#339LN2035492.exe"
        5⤵
        Deletes itself
        System Location Discovery: System Language Discovery
        
        PID:1064
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2052
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:1464
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2500
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:1528
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2284
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:1880
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2424
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2528
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:3004
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:3008
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2328
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:1924
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:1088
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2852
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2788
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:1716
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2432
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:1972
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2012
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:1476
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:1544
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:752
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:1876
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2612
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2900
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2960
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:1952
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:640
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:1632
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:556
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:1352
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2768
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2648
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2492
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:1456
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:1964
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2108
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:440
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2868
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2776
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2860
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2880
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2856
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:1512
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/768-25-0x0000000000F00000-0x0000000000F07000-memory.dmp

Filesize
28KB

Download
memory/1252-27-0x00000000076C0000-0x0000000007853000-memory.dmp

Filesize
1.6MB

Download
memory/1252-21-0x0000000006EC0000-0x0000000006FF9000-memory.dmp

Filesize
1.2MB

Download
memory/1252-24-0x00000000076C0000-0x0000000007853000-memory.dmp

Filesize
1.6MB

Download
memory/1252-19-0x0000000006EC0000-0x0000000006FF9000-memory.dmp

Filesize
1.2MB

Download
memory/2372-0-0x0000000073FBE000-0x0000000073FBF000-memory.dmp

Filesize
4KB

Download
memory/2372-6-0x0000000002050000-0x00000000020A6000-memory.dmp

Filesize
344KB

Download
memory/2372-7-0x0000000004600000-0x0000000004636000-memory.dmp

Filesize
216KB

Download
memory/2372-5-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download
memory/2372-4-0x0000000073FBE000-0x0000000073FBF000-memory.dmp

Filesize
4KB

Download
memory/2372-3-0x0000000000480000-0x0000000000488000-memory.dmp

Filesize
32KB

Download
memory/2372-1-0x0000000000040000-0x00000000000B2000-memory.dmp

Filesize
456KB

Download
memory/2372-14-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download
memory/2372-2-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download
memory/2588-13-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2588-17-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2588-18-0x0000000000310000-0x0000000000324000-memory.dmp

Filesize
80KB

Download
memory/2588-15-0x00000000009A0000-0x0000000000CA3000-memory.dmp

Filesize
3.0MB

Download
memory/2588-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2588-23-0x0000000000350000-0x0000000000364000-memory.dmp

Filesize
80KB

Download
memory/2588-22-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2588-9-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2588-8-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download