formbook | 3a2e31f2844df5cb91eedbf24c0b93de4b0aa08525f733132c2bce0d7ab81acc

Resubmissions

10-11-2024 21:28

241110-1bhk6avgrr 10

Analysis

max time kernel
1800s
max time network
1831s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-11-2024 02:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0be395d43c98fe7b2d0fff10863410665ee11ce31a10277dc03049e77661b1ca.exe
Size

349KB
MD5

02a41eb01d841ddffe402fcfbb73bd0e
SHA1

932bdc88df3e0c3d0747ec3a53b9aaaf7365b88b
SHA256

0be395d43c98fe7b2d0fff10863410665ee11ce31a10277dc03049e77661b1ca
SHA512

c6f42a2f012e320ffdb435e129bf2ab2b62bcea7af20ac10d60ccb11239ef02324845f4a74d2868a70db2715fe6dc9ff7e7c4a789e1bbdaaf3bbef07166e1773
SSDEEP

6144:FweEwTKu1gRtv6cWGqV/9zYTyOpMKbsAJRv31M0E2Jt:Mv6cxqV/GGOqKoAPv31M0/

Score

10^/10

formbook g28p discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

g28p

Decoy

whhmgs.asia

wellmedcaredirect.net

beggarded.com

wtpjiv.site

todo-celulares.com

parkitny.net

43345.top

pro-genie.com

cwdxz.com

cbc-inc.xyz

healthspots.net

rulil.top

pyramidaudit.solutions

k8sb15.live

hempaware.report

usclink.life

stayefs.net

05262.top

shop-izakaya-jin.com

iccworldcupnews.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 3 IoCs

rat

resource	yara_rule
behavioral13/memory/2860-12-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral13/memory/2860-15-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral13/memory/2776-22-0x0000000000090000-0x00000000000BF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

pid	Process
2060	jazvc.exe
2860	jazvc.exe

Loads dropped DLL 2 IoCs

pid	Process
2420	0be395d43c98fe7b2d0fff10863410665ee11ce31a10277dc03049e77661b1ca.exe
2060	jazvc.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2060 set thread context of 2860	2060	jazvc.exe	33
PID 2860 set thread context of 1200	2860	jazvc.exe	21
PID 2776 set thread context of 1200	2776	cmstp.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0be395d43c98fe7b2d0fff10863410665ee11ce31a10277dc03049e77661b1ca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jazvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmstp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2860	jazvc.exe
2860	jazvc.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2060	jazvc.exe
2860	jazvc.exe
2860	jazvc.exe
2860	jazvc.exe
2776	cmstp.exe
2776	cmstp.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2860	jazvc.exe
Token: SeDebugPrivilege	2776	cmstp.exe
Token: SeShutdownPrivilege	1200	Explorer.EXE
Token: SeShutdownPrivilege	1200	Explorer.EXE
Token: SeShutdownPrivilege	1200	Explorer.EXE
Token: SeShutdownPrivilege	1200	Explorer.EXE
Token: SeShutdownPrivilege	1200	Explorer.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2060	2420	0be395d43c98fe7b2d0fff10863410665ee11ce31a10277dc03049e77661b1ca.exe	31
PID 2420 wrote to memory of 2060	2420	0be395d43c98fe7b2d0fff10863410665ee11ce31a10277dc03049e77661b1ca.exe	31
PID 2420 wrote to memory of 2060	2420	0be395d43c98fe7b2d0fff10863410665ee11ce31a10277dc03049e77661b1ca.exe	31
PID 2420 wrote to memory of 2060	2420	0be395d43c98fe7b2d0fff10863410665ee11ce31a10277dc03049e77661b1ca.exe	31
PID 2060 wrote to memory of 2860	2060	jazvc.exe	33
PID 2060 wrote to memory of 2860	2060	jazvc.exe	33
PID 2060 wrote to memory of 2860	2060	jazvc.exe	33
PID 2060 wrote to memory of 2860	2060	jazvc.exe	33
PID 2060 wrote to memory of 2860	2060	jazvc.exe	33
PID 1200 wrote to memory of 2776	1200	Explorer.EXE	34
PID 1200 wrote to memory of 2776	1200	Explorer.EXE	34
PID 1200 wrote to memory of 2776	1200	Explorer.EXE	34
PID 1200 wrote to memory of 2776	1200	Explorer.EXE	34
PID 1200 wrote to memory of 2776	1200	Explorer.EXE	34
PID 1200 wrote to memory of 2776	1200	Explorer.EXE	34
PID 1200 wrote to memory of 2776	1200	Explorer.EXE	34
PID 2776 wrote to memory of 2888	2776	cmstp.exe	35
PID 2776 wrote to memory of 2888	2776	cmstp.exe	35
PID 2776 wrote to memory of 2888	2776	cmstp.exe	35
PID 2776 wrote to memory of 2888	2776	cmstp.exe	35

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Users\Admin\AppData\Local\Temp\0be395d43c98fe7b2d0fff10863410665ee11ce31a10277dc03049e77661b1ca.exe
  "C:\Users\Admin\AppData\Local\Temp\0be395d43c98fe7b2d0fff10863410665ee11ce31a10277dc03049e77661b1ca.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Users\Admin\AppData\Local\Temp\jazvc.exe
    "C:\Users\Admin\AppData\Local\Temp\jazvc.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2060
  - - C:\Users\Admin\AppData\Local\Temp\jazvc.exe
      "C:\Users\Admin\AppData\Local\Temp\jazvc.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2860
- C:\Windows\SysWOW64\cmstp.exe
  "C:\Windows\SysWOW64\cmstp.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\jazvc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\prwmgrrucpx.tk

Filesize
185KB

MD5
3e68446ee827659a54689c739b5b8df7

SHA1
54fb7a3f640d405f96f362452eb8dc312b57a539

SHA256
f9659fed6df556d783c9cc34186b9c6e607c2123b8835d884dea8d6f92326878

SHA512
7f29e1d8cec74634c7491500f0da45e656d35a9ce01800e15a33c07fc9a69f36bdd8f8a2ff4e132e237ec75e71d46b45677d4d5da3213622365279acb606ac2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vinztiozf.ut

Filesize
5KB

MD5
9a1822801cfb30d974022d7e578bbe0f

SHA1
63094d8d3ea74e7831702d7ef0abf02c2fcca554

SHA256
39259efed3713a0f0840da9c7472792f11577b7e15cddb8976f9f75089be86b4

SHA512
448424a790df42901727c042c21981613dd5effb284004a170a65cce624038162a776f5c08ff88aa0a7c56de5aa1881fd737ea7e5c1be31719e19e3613206447

Download Submit
\Users\Admin\AppData\Local\Temp\jazvc.exe

Filesize
5KB

MD5
3c7874bebc12054686a69405bbf37d0b

SHA1
6a8054b9610e863eb76eb07c2b17695fc2d68b17

SHA256
ba5a34d1642ab08089790649f79121542bd59850a5be0bc10761d31bc9fa5517

SHA512
1fb9703c94f7fed61f45713e2df3623267e4e03aba82c85386f290a62350e1f953435f1093d94888174eac0dac34ad82115ce9e39a61da580b4cef05e849a0d9

Download Submit
memory/1200-16-0x0000000000010000-0x0000000000020000-memory.dmp

Filesize
64KB

Download
memory/1200-17-0x0000000004CE0000-0x0000000004DD8000-memory.dmp

Filesize
992KB

Download
memory/1200-23-0x0000000004CE0000-0x0000000004DD8000-memory.dmp

Filesize
992KB

Download
memory/1200-28-0x00000000051F0000-0x0000000005286000-memory.dmp

Filesize
600KB

Download
memory/1200-29-0x00000000051F0000-0x0000000005286000-memory.dmp

Filesize
600KB

Download
memory/1200-31-0x00000000051F0000-0x0000000005286000-memory.dmp

Filesize
600KB

Download
memory/2060-8-0x00000000005B0000-0x00000000005B2000-memory.dmp

Filesize
8KB

Download
memory/2776-21-0x0000000000A70000-0x0000000000A88000-memory.dmp

Filesize
96KB

Download
memory/2776-20-0x0000000000A70000-0x0000000000A88000-memory.dmp

Filesize
96KB

Download
memory/2776-22-0x0000000000090000-0x00000000000BF000-memory.dmp

Filesize
188KB

Download
memory/2860-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2860-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download