formbook | e2a79d9566fe26bb36b8600c268f2eda5f66f17cd2241ed5bdcab62dc2622aa8

Analysis

max time kernel
147s
max time network
122s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
25-11-2024 09:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

QUOTATION.exe
Size

660KB
MD5

e34a83c5086e9cbe2047a34ca0cd3809
SHA1

2c1ab68a80193670c27ded0af13b4eef244ee15d
SHA256

e2a79d9566fe26bb36b8600c268f2eda5f66f17cd2241ed5bdcab62dc2622aa8
SHA512

1ec0e58a191b9e8ffa26b89f90472e79eaaee29282f8c1fdea7e4af78dc57700c63b505a6b441e1271001f150c2061e5628aa1730b9c1808a9c270770fe008fa
SSDEEP

12288:XbeXOyvWCP0a4j6I9IpcBTP2VTjI/jhA6aTsnYPrYIPxk:LeXRvzPI9OyTO4opjYGe

Score

10^/10

formbook dn13 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dn13

Decoy

5q53s.top

f9813.top

ysticsmoke.net

ignorysingeysquints.cfd

yncsignature.live

svp-their.xyz

outya.xyz

wlkflwef3sf2wf.top

etterjugfetkaril.cfd

p9eh2s99b5.top

400108iqlnnqi219.top

ynsu-condition.xyz

ndividual-bfiaen.xyz

anceibizamagazine.net

itrussips.live

orkcubefood.xyz

lindsandfurnishings.shop

ajwmid.top

pigramescentfeatous.shop

mbvcv56789.click

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/2716-24-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2696-31-0x0000000000090000-0x00000000000BF000-memory.dmp	formbook

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3024	powershell.exe
2796	powershell.exe

Deletes itself 1 IoCs

pid	Process
1476	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2084 set thread context of 2716	2084	QUOTATION.exe	37
PID 2716 set thread context of 1200	2716	QUOTATION.exe	21
PID 2696 set thread context of 1200	2696	msiexec.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QUOTATION.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2896	schtasks.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2084	QUOTATION.exe
2084	QUOTATION.exe
2716	QUOTATION.exe
2716	QUOTATION.exe
2796	powershell.exe
3024	powershell.exe
2696	msiexec.exe
2696	msiexec.exe
2696	msiexec.exe
2696	msiexec.exe
2696	msiexec.exe
2696	msiexec.exe
2696	msiexec.exe
2696	msiexec.exe
2696	msiexec.exe
2696	msiexec.exe
2696	msiexec.exe
2696	msiexec.exe
2696	msiexec.exe
2696	msiexec.exe
2696	msiexec.exe
2696	msiexec.exe
2696	msiexec.exe
2696	msiexec.exe
2696	msiexec.exe
2696	msiexec.exe
2696	msiexec.exe
2696	msiexec.exe
2696	msiexec.exe
2696	msiexec.exe
2696	msiexec.exe
2696	msiexec.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2716	QUOTATION.exe
2716	QUOTATION.exe
2716	QUOTATION.exe
2696	msiexec.exe
2696	msiexec.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2084	QUOTATION.exe
Token: SeDebugPrivilege	2716	QUOTATION.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	2696	msiexec.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 3024	2084	QUOTATION.exe	31
PID 2084 wrote to memory of 3024	2084	QUOTATION.exe	31
PID 2084 wrote to memory of 3024	2084	QUOTATION.exe	31
PID 2084 wrote to memory of 3024	2084	QUOTATION.exe	31
PID 2084 wrote to memory of 2796	2084	QUOTATION.exe	33
PID 2084 wrote to memory of 2796	2084	QUOTATION.exe	33
PID 2084 wrote to memory of 2796	2084	QUOTATION.exe	33
PID 2084 wrote to memory of 2796	2084	QUOTATION.exe	33
PID 2084 wrote to memory of 2896	2084	QUOTATION.exe	34
PID 2084 wrote to memory of 2896	2084	QUOTATION.exe	34
PID 2084 wrote to memory of 2896	2084	QUOTATION.exe	34
PID 2084 wrote to memory of 2896	2084	QUOTATION.exe	34
PID 2084 wrote to memory of 2716	2084	QUOTATION.exe	37
PID 2084 wrote to memory of 2716	2084	QUOTATION.exe	37
PID 2084 wrote to memory of 2716	2084	QUOTATION.exe	37
PID 2084 wrote to memory of 2716	2084	QUOTATION.exe	37
PID 2084 wrote to memory of 2716	2084	QUOTATION.exe	37
PID 2084 wrote to memory of 2716	2084	QUOTATION.exe	37
PID 2084 wrote to memory of 2716	2084	QUOTATION.exe	37
PID 1200 wrote to memory of 2696	1200	Explorer.EXE	38
PID 1200 wrote to memory of 2696	1200	Explorer.EXE	38
PID 1200 wrote to memory of 2696	1200	Explorer.EXE	38
PID 1200 wrote to memory of 2696	1200	Explorer.EXE	38
PID 1200 wrote to memory of 2696	1200	Explorer.EXE	38
PID 1200 wrote to memory of 2696	1200	Explorer.EXE	38
PID 1200 wrote to memory of 2696	1200	Explorer.EXE	38
PID 2696 wrote to memory of 1476	2696	msiexec.exe	39
PID 2696 wrote to memory of 1476	2696	msiexec.exe	39
PID 2696 wrote to memory of 1476	2696	msiexec.exe	39
PID 2696 wrote to memory of 1476	2696	msiexec.exe	39

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe
  "C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3024
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eqfYhYJdrAHiB.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2796
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eqfYhYJdrAHiB" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE917.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2896
- - C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe
    "C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2716
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:1476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE917.tmp

Filesize
1KB

MD5
1b25552f052fe6bb348f1c1d7c701c9a

SHA1
d1b032f742d94b5ee493d7635a4bc94db738cf2b

SHA256
5cc36e76f9168205e5bd2f1e357c94a1fae8c44e68087182614d339e0f55d49e

SHA512
9bf02b009a0de77bc52550238cf058cb45543edc752919a16d636de057f94af921fff287016ebd002ad7a9ce013e5fd320e354b6a2b2c723326abe27b0d7196f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VPF48MWGKUL8V825L69T.temp

Filesize
7KB

MD5
30e8d5ec53d5ff909ede947404042931

SHA1
0b6276c571a4f221cab85b5be888bf29f9354b2a

SHA256
1114c58fa40c7210e7d94c79f8d546e248899396d1fceb368d5a97b96aff90f8

SHA512
1b6675eeebcff93bd96ed58fde7b2a2482c2daab39b120f4b7e708bfb48e058cec17b4f640c0a9908170534a6ca9ac74bb061a194caece599c4f4e2866e32e46

Download Submit
memory/1200-27-0x0000000003020000-0x0000000003120000-memory.dmp

Filesize
1024KB

Download
memory/2084-4-0x0000000074B8E000-0x0000000074B8F000-memory.dmp

Filesize
4KB

Download
memory/2084-25-0x0000000074B80000-0x000000007526E000-memory.dmp

Filesize
6.9MB

Download
memory/2084-5-0x0000000074B80000-0x000000007526E000-memory.dmp

Filesize
6.9MB

Download
memory/2084-6-0x0000000005D10000-0x0000000005D88000-memory.dmp

Filesize
480KB

Download
memory/2084-3-0x0000000000600000-0x000000000061C000-memory.dmp

Filesize
112KB

Download
memory/2084-2-0x0000000074B80000-0x000000007526E000-memory.dmp

Filesize
6.9MB

Download
memory/2084-1-0x00000000013B0000-0x000000000145C000-memory.dmp

Filesize
688KB

Download
memory/2084-0-0x0000000074B8E000-0x0000000074B8F000-memory.dmp

Filesize
4KB

Download
memory/2696-28-0x00000000005C0000-0x00000000005D4000-memory.dmp

Filesize
80KB

Download
memory/2696-30-0x00000000005C0000-0x00000000005D4000-memory.dmp

Filesize
80KB

Download
memory/2696-31-0x0000000000090000-0x00000000000BF000-memory.dmp

Filesize
188KB

Download
memory/2716-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2716-21-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2716-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2716-19-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download