formbook | f24eca1c3ebbbb6d043a05f5e0684843326abadb28ecd4ff746de38defeb8929

Analysis

max time kernel
148s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11-08-2024 07:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7MZSs0P9IvJHGya.exe
Size

634KB
MD5

b848cbbb4d07a75edc0f3bbedeacd096
SHA1

73e77737438539c5f6d8547e9afcc160902a131c
SHA256

f24eca1c3ebbbb6d043a05f5e0684843326abadb28ecd4ff746de38defeb8929
SHA512

16bf768045d05d7eda9352ec39d9dfff6847797213eac991c51536d6fadb51bd550d580ee725357aa08205f7c083ed57071d16ce94659f75d481f8a1e8c77aba
SSDEEP

12288:d0tjlGAiSeURm5CO5OkpIkFSE6oGph+IoI3FocZziba2JGcJ4pelEteiAdkR:olGAOUejF2MSE4h+Iz3FF5Ca2JG2uel0

Score

10^/10

formbook ps15 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ps15

Decoy

57797.asia

jhpwt.net

basketballdrillsforkids.com

zgzf6.rest

casinomaxnodepositbonus.icu

uptocryptonews.com

gomenasorry.com

fortanix.space

stripscity.xyz

genbotdiy.xyz

mayson-wedding.com

neb-hub.net

seancollinsmusic.com

migraine-treatment-57211.bond

prosperawoman.info

tradefairleads.tech

xn--yeminlitercme-6ob.com

xwaveevent.com

fashiontrendshub.xyz

window-replacement-80823.bond

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/2616-24-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/276-29-0x0000000000130000-0x000000000015F000-memory.dmp	formbook

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2996	powershell.exe
2684	powershell.exe

Deletes itself 1 IoCs

pid	Process
672	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1960 set thread context of 2616	1960	7MZSs0P9IvJHGya.exe	36
PID 2616 set thread context of 1232	2616	7MZSs0P9IvJHGya.exe	21
PID 276 set thread context of 1232	276	cmmon32.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmmon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7MZSs0P9IvJHGya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2852	schtasks.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2616	7MZSs0P9IvJHGya.exe
2616	7MZSs0P9IvJHGya.exe
2684	powershell.exe
2996	powershell.exe
276	cmmon32.exe
276	cmmon32.exe
276	cmmon32.exe
276	cmmon32.exe
276	cmmon32.exe
276	cmmon32.exe
276	cmmon32.exe
276	cmmon32.exe
276	cmmon32.exe
276	cmmon32.exe
276	cmmon32.exe
276	cmmon32.exe
276	cmmon32.exe
276	cmmon32.exe
276	cmmon32.exe
276	cmmon32.exe
276	cmmon32.exe
276	cmmon32.exe
276	cmmon32.exe
276	cmmon32.exe
276	cmmon32.exe
276	cmmon32.exe
276	cmmon32.exe
276	cmmon32.exe
276	cmmon32.exe
276	cmmon32.exe
276	cmmon32.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2616	7MZSs0P9IvJHGya.exe
2616	7MZSs0P9IvJHGya.exe
2616	7MZSs0P9IvJHGya.exe
276	cmmon32.exe
276	cmmon32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2616	7MZSs0P9IvJHGya.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	2996	powershell.exe
Token: SeDebugPrivilege	276	cmmon32.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 2996	1960	7MZSs0P9IvJHGya.exe	30
PID 1960 wrote to memory of 2996	1960	7MZSs0P9IvJHGya.exe	30
PID 1960 wrote to memory of 2996	1960	7MZSs0P9IvJHGya.exe	30
PID 1960 wrote to memory of 2996	1960	7MZSs0P9IvJHGya.exe	30
PID 1960 wrote to memory of 2684	1960	7MZSs0P9IvJHGya.exe	32
PID 1960 wrote to memory of 2684	1960	7MZSs0P9IvJHGya.exe	32
PID 1960 wrote to memory of 2684	1960	7MZSs0P9IvJHGya.exe	32
PID 1960 wrote to memory of 2684	1960	7MZSs0P9IvJHGya.exe	32
PID 1960 wrote to memory of 2852	1960	7MZSs0P9IvJHGya.exe	33
PID 1960 wrote to memory of 2852	1960	7MZSs0P9IvJHGya.exe	33
PID 1960 wrote to memory of 2852	1960	7MZSs0P9IvJHGya.exe	33
PID 1960 wrote to memory of 2852	1960	7MZSs0P9IvJHGya.exe	33
PID 1960 wrote to memory of 2616	1960	7MZSs0P9IvJHGya.exe	36
PID 1960 wrote to memory of 2616	1960	7MZSs0P9IvJHGya.exe	36
PID 1960 wrote to memory of 2616	1960	7MZSs0P9IvJHGya.exe	36
PID 1960 wrote to memory of 2616	1960	7MZSs0P9IvJHGya.exe	36
PID 1960 wrote to memory of 2616	1960	7MZSs0P9IvJHGya.exe	36
PID 1960 wrote to memory of 2616	1960	7MZSs0P9IvJHGya.exe	36
PID 1960 wrote to memory of 2616	1960	7MZSs0P9IvJHGya.exe	36
PID 1232 wrote to memory of 276	1232	Explorer.EXE	37
PID 1232 wrote to memory of 276	1232	Explorer.EXE	37
PID 1232 wrote to memory of 276	1232	Explorer.EXE	37
PID 1232 wrote to memory of 276	1232	Explorer.EXE	37
PID 276 wrote to memory of 672	276	cmmon32.exe	38
PID 276 wrote to memory of 672	276	cmmon32.exe	38
PID 276 wrote to memory of 672	276	cmmon32.exe	38
PID 276 wrote to memory of 672	276	cmmon32.exe	38

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Users\Admin\AppData\Local\Temp\7MZSs0P9IvJHGya.exe
  "C:\Users\Admin\AppData\Local\Temp\7MZSs0P9IvJHGya.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7MZSs0P9IvJHGya.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2996
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\WPszxeq.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2684
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WPszxeq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8601.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2852
- - C:\Users\Admin\AppData\Local\Temp\7MZSs0P9IvJHGya.exe
    "C:\Users\Admin\AppData\Local\Temp\7MZSs0P9IvJHGya.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2616
- C:\Windows\SysWOW64\cmmon32.exe
  "C:\Windows\SysWOW64\cmmon32.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:276
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\7MZSs0P9IvJHGya.exe"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8601.tmp

Filesize
1KB

MD5
5db5a59d780c5c12a0bc5b60a236f972

SHA1
7df5109723f06762aef35510414d77cc10d9684e

SHA256
8faae0d3c26ef3e5feb2799cf9bc579246fe72253310fb311ab8a5e852da4024

SHA512
557d71f53c0dacf735105017128aec6c994209c99bf9b16f9b49d8444da6240befeb9b7c8d1548a4d869afdda43df55539d70f54d4be707076b4e254ed2edf2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8PIVQMPJ693MWOHN078H.temp

Filesize
7KB

MD5
3ce3b7671d82827c81ae99cfd0eef9f9

SHA1
9e3ee2945f63ced49490901948177944d6255ea3

SHA256
a1012447c16565a5f81b7f62fd66c202216255e524149ff2e6ee82971848070a

SHA512
3bdf0733952233af78531e0bc5cc61759e9fa3b67439fc3c3a29fb455c63ea377540978213194147ea1311a70f36065442fe0bb5069005fafedf36af66db1fda

Download Submit
memory/276-29-0x0000000000130000-0x000000000015F000-memory.dmp

Filesize
188KB

Download
memory/276-28-0x0000000000AE0000-0x0000000000AED000-memory.dmp

Filesize
52KB

Download
memory/1232-27-0x0000000000230000-0x0000000000330000-memory.dmp

Filesize
1024KB

Download
memory/1960-4-0x0000000000410000-0x000000000041E000-memory.dmp

Filesize
56KB

Download
memory/1960-6-0x0000000004EB0000-0x0000000004F26000-memory.dmp

Filesize
472KB

Download
memory/1960-5-0x0000000000520000-0x0000000000536000-memory.dmp

Filesize
88KB

Download
memory/1960-0-0x000000007475E000-0x000000007475F000-memory.dmp

Filesize
4KB

Download
memory/1960-25-0x0000000074750000-0x0000000074E3E000-memory.dmp

Filesize
6.9MB

Download
memory/1960-3-0x00000000004C0000-0x00000000004DA000-memory.dmp

Filesize
104KB

Download
memory/1960-2-0x0000000074750000-0x0000000074E3E000-memory.dmp

Filesize
6.9MB

Download
memory/1960-1-0x0000000000900000-0x00000000009A0000-memory.dmp

Filesize
640KB

Download
memory/2616-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2616-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2616-19-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2616-21-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download