formbook | ffa6edc1cd151506e2512ac8f3dade5947d26cf25a29e9920f5c41f0a48ca6ed

Analysis

max time kernel
146s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15/09/2024, 20:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02-016.exe
Size

732KB
MD5

957014bc66c96533ca3cf65a5b355038
SHA1

cedbfdb6bd9d4ee9397d2fe0bfab563b01c9ba2a
SHA256

fdf3aa0df3a0d4a6d053c55b970ad22f71f5db88f2da4f94bc18f1926b731f1b
SHA512

dd3a42758775b0b8cbd53f89dd23d99ae56a76fa4c13abae3e307c5209ec1edf5a070fddafa9bf6174a0243089bab53fe0c9988ae4b4af2f72f42a2d4e089314
SSDEEP

12288:nX6Orlv+6cJ/QlI2eUBvV+klwuimKb0aw1xcA6i5zDJEkcYv2tasGHW:X6O5Lg/XUB9+jPsxJ6i5zDeyutasoW

Score

10^/10

formbook bf3 discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

bf3

Decoy

ecatcom.com

what3emoji.com

primbathandbody.com

yt-itclub.com

newbieeer.com

getyoursofa.com

mexicanitems.info

catalogcardgames.net

leagueofwomengolfers.com

gvanmp.com

midnightsunhi.com

cnluma.com

sunsetcherrydesigns.com

cosmoproturkey.com

inifinityapps.net

making50masks.com

battalionice.com

uk-calculation.net

frosteatlove.com

bs-mag.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

resource	yara_rule
behavioral2/memory/2948-14-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/2948-19-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/2948-23-0x0000000000400000-0x000000000042E000-memory.dmp	formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	02-016.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2032 set thread context of 2948	2032	02-016.exe	92
PID 2948 set thread context of 3340	2948	02-016.exe	56
PID 2948 set thread context of 3340	2948	02-016.exe	56
PID 2748 set thread context of 3340	2748	svchost.exe	56

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	02-016.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3212	schtasks.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
2032	02-016.exe
2032	02-016.exe
2948	02-016.exe
2948	02-016.exe
2948	02-016.exe
2948	02-016.exe
2948	02-016.exe
2948	02-016.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2948	02-016.exe
2948	02-016.exe
2948	02-016.exe
2948	02-016.exe
2748	svchost.exe
2748	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2032	02-016.exe
Token: SeDebugPrivilege	2948	02-016.exe
Token: SeDebugPrivilege	2748	svchost.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 3212	2032	02-016.exe	89
PID 2032 wrote to memory of 3212	2032	02-016.exe	89
PID 2032 wrote to memory of 3212	2032	02-016.exe	89
PID 2032 wrote to memory of 1400	2032	02-016.exe	91
PID 2032 wrote to memory of 1400	2032	02-016.exe	91
PID 2032 wrote to memory of 1400	2032	02-016.exe	91
PID 2032 wrote to memory of 2948	2032	02-016.exe	92
PID 2032 wrote to memory of 2948	2032	02-016.exe	92
PID 2032 wrote to memory of 2948	2032	02-016.exe	92
PID 2032 wrote to memory of 2948	2032	02-016.exe	92
PID 2032 wrote to memory of 2948	2032	02-016.exe	92
PID 2032 wrote to memory of 2948	2032	02-016.exe	92
PID 3340 wrote to memory of 2748	3340	Explorer.EXE	96
PID 3340 wrote to memory of 2748	3340	Explorer.EXE	96
PID 3340 wrote to memory of 2748	3340	Explorer.EXE	96
PID 2748 wrote to memory of 3932	2748	svchost.exe	97
PID 2748 wrote to memory of 3932	2748	svchost.exe	97
PID 2748 wrote to memory of 3932	2748	svchost.exe	97

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3340
- C:\Users\Admin\AppData\Local\Temp\02-016.exe
  "C:\Users\Admin\AppData\Local\Temp\02-016.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NPFWxIEmY" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE35B.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3212
- - C:\Users\Admin\AppData\Local\Temp\02-016.exe
    "{path}"
    3⤵
    PID:1400
- - C:\Users\Admin\AppData\Local\Temp\02-016.exe
    "{path}"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2948
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:1888
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\SysWOW64\svchost.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\02-016.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE35B.tmp

Filesize
1KB

MD5
75c27c81b61b87f5590346a619643ec8

SHA1
4adca3bbbf5d9e46dbcfe28121345e09834d88c6

SHA256
09d4a948de42304cf5765b751ce0d07048f59c8e6da2534784c6ae2d8bc3368c

SHA512
99df992eb712033445849fa8a5ff2b4393ead8a3c23dc336c333157f7a759d9729c61fcb24e4aedeac3937f258fbab0693c9dda2b80bd7617c06b46a1b958a42

Download Submit
memory/2032-6-0x0000000007B70000-0x0000000007C0C000-memory.dmp

Filesize
624KB

Download
memory/2032-8-0x0000000074C5E000-0x0000000074C5F000-memory.dmp

Filesize
4KB

Download
memory/2032-3-0x0000000004C80000-0x0000000004D12000-memory.dmp

Filesize
584KB

Download
memory/2032-4-0x0000000074C50000-0x0000000075400000-memory.dmp

Filesize
7.7MB

Download
memory/2032-5-0x0000000004C20000-0x0000000004C2A000-memory.dmp

Filesize
40KB

Download
memory/2032-0-0x0000000074C5E000-0x0000000074C5F000-memory.dmp

Filesize
4KB

Download
memory/2032-7-0x0000000004DD0000-0x0000000004DD8000-memory.dmp

Filesize
32KB

Download
memory/2032-2-0x0000000005230000-0x00000000057D4000-memory.dmp

Filesize
5.6MB

Download
memory/2032-9-0x0000000074C50000-0x0000000075400000-memory.dmp

Filesize
7.7MB

Download
memory/2032-10-0x0000000007AD0000-0x0000000007B66000-memory.dmp

Filesize
600KB

Download
memory/2032-1-0x0000000000180000-0x000000000023E000-memory.dmp

Filesize
760KB

Download
memory/2032-16-0x0000000074C50000-0x0000000075400000-memory.dmp

Filesize
7.7MB

Download
memory/2748-27-0x0000000000A00000-0x0000000000A0E000-memory.dmp

Filesize
56KB

Download
memory/2748-29-0x0000000000A00000-0x0000000000A0E000-memory.dmp

Filesize
56KB

Download
memory/2948-17-0x0000000000FE0000-0x000000000132A000-memory.dmp

Filesize
3.3MB

Download
memory/2948-20-0x0000000000FB0000-0x0000000000FC4000-memory.dmp

Filesize
80KB

Download
memory/2948-24-0x0000000002DC0000-0x0000000002DD4000-memory.dmp

Filesize
80KB

Download
memory/2948-23-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2948-19-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2948-14-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3340-21-0x0000000008920000-0x0000000008A9B000-memory.dmp

Filesize
1.5MB

Download
memory/3340-25-0x0000000008AA0000-0x0000000008BEB000-memory.dmp

Filesize
1.3MB

Download
memory/3340-26-0x0000000008920000-0x0000000008A9B000-memory.dmp

Filesize
1.5MB

Download
memory/3340-30-0x0000000008AA0000-0x0000000008BEB000-memory.dmp

Filesize
1.3MB

Download
memory/3340-33-0x0000000009150000-0x00000000092A5000-memory.dmp

Filesize
1.3MB

Download
memory/3340-35-0x0000000009150000-0x00000000092A5000-memory.dmp

Filesize
1.3MB

Download
memory/3340-36-0x0000000009150000-0x00000000092A5000-memory.dmp

Filesize
1.3MB

Download