formbook | e6e88a66deba0d9ed4021c491814969707034b0d459bb3144870d98b083131ba

Analysis

max time kernel
300s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 00:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rlxJk85y4E3Cu8R.exe
Size

797KB
MD5

4be5e463d0add883315a162191a36a4d
SHA1

2a23189d3da383aa49c07ca7e05bb943813662a1
SHA256

812d0912e299dbe0eff0078fcced87ffe5762b103a974dd19cdbb4c21294a193
SHA512

415a570ea23d12ca8d5f1d597f8373ffc4e57d05145c2a0666519a8b53852c2bd62895a7569abb2aeb8b5109434afe056129aa48124d0b10e147eab5a0c07435
SSDEEP

12288:DuEcsm04vbBoaGoE80Dir+hOsh79T3C8yG3ZAmwIDH2yZPZ6b1ID:1ct04+sE8wir+0s0wZ7D61ID

Score

10^/10

formbook sx01 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

sx01

Decoy

r-salessolutions.xyz

jdh1.info

olar-panel-jobs-93084.bond

aebrasil.shop

oshua-xaaaa.buzz

xzkm.shop

nitedviplumbing.net

nnevateknoloji.xyz

rg-a.biz

indow-replacement-34091.bond

uyersagent3percent.net

ostbag.net

ibosolv.net

ahve.today

ophotshotjobs.today

emoreez.art

ift-chairs-94905.bond

okerdom-e.best

stagr.fun

irtyf-ingrancher.info

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/2696-12-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2696-16-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2320-23-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2608	powershell.exe

Deletes itself 1 IoCs

pid	Process
1716	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2860 set thread context of 2696	2860	rlxJk85y4E3Cu8R.exe	35
PID 2696 set thread context of 1192	2696	rlxJk85y4E3Cu8R.exe	21
PID 2320 set thread context of 1192	2320	wlanext.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rlxJk85y4E3Cu8R.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wlanext.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2860	rlxJk85y4E3Cu8R.exe
2860	rlxJk85y4E3Cu8R.exe
2860	rlxJk85y4E3Cu8R.exe
2860	rlxJk85y4E3Cu8R.exe
2860	rlxJk85y4E3Cu8R.exe
2860	rlxJk85y4E3Cu8R.exe
2696	rlxJk85y4E3Cu8R.exe
2696	rlxJk85y4E3Cu8R.exe
2608	powershell.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2696	rlxJk85y4E3Cu8R.exe
2696	rlxJk85y4E3Cu8R.exe
2696	rlxJk85y4E3Cu8R.exe
2320	wlanext.exe
2320	wlanext.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2860	rlxJk85y4E3Cu8R.exe
Token: SeDebugPrivilege	2696	rlxJk85y4E3Cu8R.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	2320	wlanext.exe
Token: SeShutdownPrivilege	1192	Explorer.EXE

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 2608	2860	rlxJk85y4E3Cu8R.exe	30
PID 2860 wrote to memory of 2608	2860	rlxJk85y4E3Cu8R.exe	30
PID 2860 wrote to memory of 2608	2860	rlxJk85y4E3Cu8R.exe	30
PID 2860 wrote to memory of 2608	2860	rlxJk85y4E3Cu8R.exe	30
PID 2860 wrote to memory of 316	2860	rlxJk85y4E3Cu8R.exe	31
PID 2860 wrote to memory of 316	2860	rlxJk85y4E3Cu8R.exe	31
PID 2860 wrote to memory of 316	2860	rlxJk85y4E3Cu8R.exe	31
PID 2860 wrote to memory of 316	2860	rlxJk85y4E3Cu8R.exe	31
PID 2860 wrote to memory of 2756	2860	rlxJk85y4E3Cu8R.exe	33
PID 2860 wrote to memory of 2756	2860	rlxJk85y4E3Cu8R.exe	33
PID 2860 wrote to memory of 2756	2860	rlxJk85y4E3Cu8R.exe	33
PID 2860 wrote to memory of 2756	2860	rlxJk85y4E3Cu8R.exe	33
PID 2860 wrote to memory of 2752	2860	rlxJk85y4E3Cu8R.exe	34
PID 2860 wrote to memory of 2752	2860	rlxJk85y4E3Cu8R.exe	34
PID 2860 wrote to memory of 2752	2860	rlxJk85y4E3Cu8R.exe	34
PID 2860 wrote to memory of 2752	2860	rlxJk85y4E3Cu8R.exe	34
PID 2860 wrote to memory of 2696	2860	rlxJk85y4E3Cu8R.exe	35
PID 2860 wrote to memory of 2696	2860	rlxJk85y4E3Cu8R.exe	35
PID 2860 wrote to memory of 2696	2860	rlxJk85y4E3Cu8R.exe	35
PID 2860 wrote to memory of 2696	2860	rlxJk85y4E3Cu8R.exe	35
PID 2860 wrote to memory of 2696	2860	rlxJk85y4E3Cu8R.exe	35
PID 2860 wrote to memory of 2696	2860	rlxJk85y4E3Cu8R.exe	35
PID 2860 wrote to memory of 2696	2860	rlxJk85y4E3Cu8R.exe	35
PID 1192 wrote to memory of 2320	1192	Explorer.EXE	36
PID 1192 wrote to memory of 2320	1192	Explorer.EXE	36
PID 1192 wrote to memory of 2320	1192	Explorer.EXE	36
PID 1192 wrote to memory of 2320	1192	Explorer.EXE	36
PID 2320 wrote to memory of 1716	2320	wlanext.exe	37
PID 2320 wrote to memory of 1716	2320	wlanext.exe	37
PID 2320 wrote to memory of 1716	2320	wlanext.exe	37
PID 2320 wrote to memory of 1716	2320	wlanext.exe	37

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Users\Admin\AppData\Local\Temp\rlxJk85y4E3Cu8R.exe
  "C:\Users\Admin\AppData\Local\Temp\rlxJk85y4E3Cu8R.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\rlxJk85y4E3Cu8R.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2608
- - C:\Users\Admin\AppData\Local\Temp\rlxJk85y4E3Cu8R.exe
    "C:\Users\Admin\AppData\Local\Temp\rlxJk85y4E3Cu8R.exe"
    3⤵
    PID:316
- - C:\Users\Admin\AppData\Local\Temp\rlxJk85y4E3Cu8R.exe
    "C:\Users\Admin\AppData\Local\Temp\rlxJk85y4E3Cu8R.exe"
    3⤵
    PID:2756
- - C:\Users\Admin\AppData\Local\Temp\rlxJk85y4E3Cu8R.exe
    "C:\Users\Admin\AppData\Local\Temp\rlxJk85y4E3Cu8R.exe"
    3⤵
    PID:2752
- - C:\Users\Admin\AppData\Local\Temp\rlxJk85y4E3Cu8R.exe
    "C:\Users\Admin\AppData\Local\Temp\rlxJk85y4E3Cu8R.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2696
- C:\Windows\SysWOW64\wlanext.exe
  "C:\Windows\SysWOW64\wlanext.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\rlxJk85y4E3Cu8R.exe"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:1716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1192-18-0x0000000006510000-0x0000000006641000-memory.dmp

Filesize
1.2MB

Download
memory/1192-25-0x0000000006510000-0x0000000006641000-memory.dmp

Filesize
1.2MB

Download
memory/1192-15-0x00000000044B0000-0x00000000046B0000-memory.dmp

Filesize
2.0MB

Download
memory/2320-23-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/2320-22-0x00000000002A0000-0x00000000002B6000-memory.dmp

Filesize
88KB

Download
memory/2696-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2696-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2696-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2696-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2696-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2696-13-0x0000000000AE0000-0x0000000000DE3000-memory.dmp

Filesize
3.0MB

Download
memory/2696-17-0x0000000000290000-0x00000000002A5000-memory.dmp

Filesize
84KB

Download
memory/2860-5-0x0000000074100000-0x00000000747EE000-memory.dmp

Filesize
6.9MB

Download
memory/2860-19-0x0000000074100000-0x00000000747EE000-memory.dmp

Filesize
6.9MB

Download
memory/2860-6-0x0000000004F30000-0x0000000004FA6000-memory.dmp

Filesize
472KB

Download
memory/2860-4-0x000000007410E000-0x000000007410F000-memory.dmp

Filesize
4KB

Download
memory/2860-0-0x000000007410E000-0x000000007410F000-memory.dmp

Filesize
4KB

Download
memory/2860-3-0x00000000003A0000-0x00000000003B0000-memory.dmp

Filesize
64KB

Download
memory/2860-2-0x0000000074100000-0x00000000747EE000-memory.dmp

Filesize
6.9MB

Download
memory/2860-1-0x0000000000190000-0x000000000025E000-memory.dmp

Filesize
824KB

Download