formbook | b7a39ea606be29b9f2eaeb54f87762ec72b48fbd40ccef586057e0d987a4b545

Analysis

max time kernel
148s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 20:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51411372b243457824f813704098d411028c9041a6510ddf74be80cfa94b1882.exe
Size

273KB
MD5

e549341d5f45d8ac49bd6e75d4d72d35
SHA1

f25f8f48778b995e408bd84f58800ad1c7a7328f
SHA256

51411372b243457824f813704098d411028c9041a6510ddf74be80cfa94b1882
SHA512

3e37e90128974062766a2de3bf4647853da2d04a407a37ea3b55107a3cb18315e2929aedce12871361447bfd0d4c58c56bba098b0cd4b332c541271cb2410437
SSDEEP

6144://UFQEmfXkLoIeTB/CEj4kCK8ASHLeqe6z22p7h9guq/xG:XUiEmfULagEj4kb89njZguq/s

Score

10^/10

formbook i3tw discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

i3tw

Decoy

016XYOaa546POq6CaRVpEfQ=

6WCLUcRz6K7qTqIK

bIa/9uWTepQa6eQd

32urdxWXgrknUIeDYktb

EojfLVA0GyB2mYgMgzdT

jFbHYJhPwpebnHjAY0pZ

gxSusEwA30uVtrErCrQ=

EeJOmOn63OaCHIw=

r3K0jTvKtOR4EV3q1dOdHgYVCLVG

6LEakplWzoSSLXZH3t6XDQ==

MThmlLavncxvAo1f3t6XDQ==

SqUmLs+BeJfa69kp7qSmIfuU5K3ZMg==

GuIYfF0o7zGPJY4=

AEd4Wd7JRsdzBX9dPgO7KNJY6NX2Sga4

E1SDU8MxGoZaPFgn9w==

cIq96QyWC/k1XDBRTR9FQOaLosd4Og==

/zRZMuaxmZnX291wZQCXhiq1his=

+47IMmwvk2jyx7MA

IGKz6DH4iraNLQ==

Kh1gHpxbw0MDkwSyaOqjKgTlK69R

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1804 set thread context of 2816	1804	51411372b243457824f813704098d411028c9041a6510ddf74be80cfa94b1882.exe	31
PID 2816 set thread context of 1256	2816	cvtres.exe	21
PID 2816 set thread context of 1256	2816	cvtres.exe	21
PID 648 set thread context of 1256	648	help.exe	21

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	51411372b243457824f813704098d411028c9041a6510ddf74be80cfa94b1882.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	help.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
2816	cvtres.exe
2816	cvtres.exe
2816	cvtres.exe
2816	cvtres.exe
2816	cvtres.exe
648	help.exe
648	help.exe
648	help.exe
648	help.exe
648	help.exe
648	help.exe
648	help.exe
648	help.exe
648	help.exe
648	help.exe
648	help.exe
648	help.exe
648	help.exe
648	help.exe
648	help.exe
648	help.exe
648	help.exe
648	help.exe
648	help.exe
648	help.exe
648	help.exe
648	help.exe
648	help.exe
648	help.exe
648	help.exe
648	help.exe
648	help.exe
648	help.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2816	cvtres.exe
2816	cvtres.exe
2816	cvtres.exe
2816	cvtres.exe
648	help.exe
648	help.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2816	cvtres.exe
Token: SeDebugPrivilege	648	help.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 2816	1804	51411372b243457824f813704098d411028c9041a6510ddf74be80cfa94b1882.exe	31
PID 1804 wrote to memory of 2816	1804	51411372b243457824f813704098d411028c9041a6510ddf74be80cfa94b1882.exe	31
PID 1804 wrote to memory of 2816	1804	51411372b243457824f813704098d411028c9041a6510ddf74be80cfa94b1882.exe	31
PID 1804 wrote to memory of 2816	1804	51411372b243457824f813704098d411028c9041a6510ddf74be80cfa94b1882.exe	31
PID 1804 wrote to memory of 2816	1804	51411372b243457824f813704098d411028c9041a6510ddf74be80cfa94b1882.exe	31
PID 1804 wrote to memory of 2816	1804	51411372b243457824f813704098d411028c9041a6510ddf74be80cfa94b1882.exe	31
PID 1804 wrote to memory of 2816	1804	51411372b243457824f813704098d411028c9041a6510ddf74be80cfa94b1882.exe	31
PID 1256 wrote to memory of 648	1256	Explorer.EXE	51
PID 1256 wrote to memory of 648	1256	Explorer.EXE	51
PID 1256 wrote to memory of 648	1256	Explorer.EXE	51
PID 1256 wrote to memory of 648	1256	Explorer.EXE	51

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Users\Admin\AppData\Local\Temp\51411372b243457824f813704098d411028c9041a6510ddf74be80cfa94b1882.exe
  "C:\Users\Admin\AppData\Local\Temp\51411372b243457824f813704098d411028c9041a6510ddf74be80cfa94b1882.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2816
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2780
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2612
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2828
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2924
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2616
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2028
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2604
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2792
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2624
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2852
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:1648
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2576
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2572
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2592
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2608
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2644
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2652
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2700
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:1716
- C:\Windows\SysWOW64\help.exe
  "C:\Windows\SysWOW64\help.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  PID:648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/648-25-0x00000000000C0000-0x00000000000ED000-memory.dmp

Filesize
180KB

Download
memory/648-24-0x0000000000380000-0x0000000000386000-memory.dmp

Filesize
24KB

Download
memory/648-23-0x0000000000380000-0x0000000000386000-memory.dmp

Filesize
24KB

Download
memory/1256-21-0x0000000006740000-0x000000000688F000-memory.dmp

Filesize
1.3MB

Download
memory/1256-22-0x0000000007060000-0x00000000071EA000-memory.dmp

Filesize
1.5MB

Download
memory/1256-17-0x0000000006740000-0x000000000688F000-memory.dmp

Filesize
1.3MB

Download
memory/1256-26-0x0000000007060000-0x00000000071EA000-memory.dmp

Filesize
1.5MB

Download
memory/1804-3-0x0000000000340000-0x0000000000348000-memory.dmp

Filesize
32KB

Download
memory/1804-10-0x0000000074C20000-0x000000007530E000-memory.dmp

Filesize
6.9MB

Download
memory/1804-0-0x0000000074C2E000-0x0000000074C2F000-memory.dmp

Filesize
4KB

Download
memory/1804-12-0x0000000074C20000-0x000000007530E000-memory.dmp

Filesize
6.9MB

Download
memory/1804-2-0x00000000002F0000-0x00000000002FC000-memory.dmp

Filesize
48KB

Download
memory/1804-1-0x0000000000960000-0x00000000009A8000-memory.dmp

Filesize
288KB

Download
memory/2816-11-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2816-14-0x0000000000C10000-0x0000000000F13000-memory.dmp

Filesize
3.0MB

Download
memory/2816-20-0x0000000000160000-0x0000000000170000-memory.dmp

Filesize
64KB

Download
memory/2816-19-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2816-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2816-16-0x0000000000120000-0x0000000000130000-memory.dmp

Filesize
64KB

Download
memory/2816-5-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2816-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2816-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2816-4-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download