formbook | af3c7e6a0a3a7820032073ec956416dd3f8c9248a485753403b95adf43a31c2e

Analysis

max time kernel
146s
max time network
138s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/12/2024, 21:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ziraat Bankası Swift Mesajı.exe
Size

213KB
MD5

f2709d58d0876f2f996e3ed7f80e8a35
SHA1

4c86929c776b27a80de42113963e8ba309e67bb7
SHA256

66a3bd7fa8f6c6f0fbeb6afa6f5b13ae1c2e09600d17e49d94556f680f5a277b
SHA512

46aebb672626ea7924ab256782ce7a1c0de9b5ebf9da794e8edb886a187b47a719f79886f60849df46b37f5cff39250d208703339ce0c4e44f4fb6c40cabd9a7
SSDEEP

6144:HNeZmx8VObAOHDOScqKwgSTwB95PnbjbvLAZSOgAurZAm/qY:HNly4bfySXK5n5PbjbHRhZABY

Score

10^/10

formbook mh76 discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mh76

Decoy

healthgovcalottery.net

wenxinliao.com

rooterphd.com

bbobbo.one

american-mes-de-dezembro.xyz

mintager.com

thespecialtstore.com

wemakegreenhomes.com

occurandmental.xyz

fidelityrealtytitle.com

numerisat.asia

wearestallions.com

supxl.com

rajacumi.com

renaziv.online

blixtindustries.com

fjljq.com

exploretrivenicamping.com

authenticusspa.com

uucloud.press

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/2768-12-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2768-18-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2624-25-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

pid	Process
840	aqfvej.exe
2768	aqfvej.exe

Loads dropped DLL 5 IoCs

pid	Process
2828	Ziraat Bankası Swift Mesajı.exe
840	aqfvej.exe
2704	WerFault.exe
2704	WerFault.exe
2704	WerFault.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 840 set thread context of 2768	840	aqfvej.exe	31
PID 2768 set thread context of 1200	2768	aqfvej.exe	21
PID 2624 set thread context of 1200	2624	wlanext.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2704	840	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ziraat Bankası Swift Mesajı.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aqfvej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wlanext.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2768	aqfvej.exe
2768	aqfvej.exe
2624	wlanext.exe
2624	wlanext.exe
2624	wlanext.exe
2624	wlanext.exe
2624	wlanext.exe
2624	wlanext.exe
2624	wlanext.exe
2624	wlanext.exe
2624	wlanext.exe
2624	wlanext.exe
2624	wlanext.exe
2624	wlanext.exe
2624	wlanext.exe
2624	wlanext.exe
2624	wlanext.exe
2624	wlanext.exe
2624	wlanext.exe
2624	wlanext.exe
2624	wlanext.exe
2624	wlanext.exe
2624	wlanext.exe
2624	wlanext.exe
2624	wlanext.exe
2624	wlanext.exe
2624	wlanext.exe
2624	wlanext.exe
2624	wlanext.exe
2624	wlanext.exe
2624	wlanext.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2768	aqfvej.exe
2768	aqfvej.exe
2768	aqfvej.exe
2624	wlanext.exe
2624	wlanext.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2768	aqfvej.exe
Token: SeDebugPrivilege	2624	wlanext.exe
Token: SeShutdownPrivilege	1200	Explorer.EXE
Token: SeShutdownPrivilege	1200	Explorer.EXE

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 840	2828	Ziraat Bankası Swift Mesajı.exe	30
PID 2828 wrote to memory of 840	2828	Ziraat Bankası Swift Mesajı.exe	30
PID 2828 wrote to memory of 840	2828	Ziraat Bankası Swift Mesajı.exe	30
PID 2828 wrote to memory of 840	2828	Ziraat Bankası Swift Mesajı.exe	30
PID 840 wrote to memory of 2768	840	aqfvej.exe	31
PID 840 wrote to memory of 2768	840	aqfvej.exe	31
PID 840 wrote to memory of 2768	840	aqfvej.exe	31
PID 840 wrote to memory of 2768	840	aqfvej.exe	31
PID 840 wrote to memory of 2768	840	aqfvej.exe	31
PID 840 wrote to memory of 2768	840	aqfvej.exe	31
PID 840 wrote to memory of 2768	840	aqfvej.exe	31
PID 840 wrote to memory of 2704	840	aqfvej.exe	32
PID 840 wrote to memory of 2704	840	aqfvej.exe	32
PID 840 wrote to memory of 2704	840	aqfvej.exe	32
PID 840 wrote to memory of 2704	840	aqfvej.exe	32
PID 1200 wrote to memory of 2624	1200	Explorer.EXE	51
PID 1200 wrote to memory of 2624	1200	Explorer.EXE	51
PID 1200 wrote to memory of 2624	1200	Explorer.EXE	51
PID 1200 wrote to memory of 2624	1200	Explorer.EXE	51
PID 2624 wrote to memory of 2992	2624	wlanext.exe	52
PID 2624 wrote to memory of 2992	2624	wlanext.exe	52
PID 2624 wrote to memory of 2992	2624	wlanext.exe	52
PID 2624 wrote to memory of 2992	2624	wlanext.exe	52

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Users\Admin\AppData\Local\Temp\Ziraat Bankası Swift Mesajı.exe
  "C:\Users\Admin\AppData\Local\Temp\Ziraat Bankası Swift Mesajı.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Users\Admin\AppData\Local\Temp\aqfvej.exe
    C:\Users\Admin\AppData\Local\Temp\aqfvej.exe C:\Users\Admin\AppData\Local\Temp\fjcyjuzs
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:840
  - - C:\Users\Admin\AppData\Local\Temp\aqfvej.exe
      C:\Users\Admin\AppData\Local\Temp\aqfvej.exe C:\Users\Admin\AppData\Local\Temp\fjcyjuzs
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2768
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 840 -s 176
      4⤵
      Loads dropped DLL
      Program crash
      PID:2704
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2380
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2760
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2904
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2712
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2584
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2860
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2864
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2576
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2332
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2796
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2724
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2596
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2608
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2784
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2548
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2560
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2568
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2616
- C:\Windows\SysWOW64\wlanext.exe
  "C:\Windows\SysWOW64\wlanext.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\aqfvej.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aqfvej.exe

Filesize
3KB

MD5
8762d96314aa376a765ea0ab07cb9637

SHA1
8e91d715bc8a617d2b2fe81dc0b6ffce1e3bafb5

SHA256
428ffb3962cd0c5758cf842792b131bcecb57a8014b42af2820395277b6a5574

SHA512
a366b2d2506852eb589aa2a1a3360413d48d6b081a23e131f4c6c12f9b65afa0db87d3d533da6d299c5a6f8903a76be1bc59a7235088ebe7b257daef67866b94

Download Submit
C:\Users\Admin\AppData\Local\Temp\beld7guq4ljzd9cpcvnj

Filesize
185KB

MD5
0541e62058a30181328daabaa1dc5461

SHA1
3c33fba4f239b8ad2548bd28148c2115f3f96b6d

SHA256
4baf91256d2914b4025793c75b289506e4d55cc7e43950cb36ab38ba0fa20cbb

SHA512
86e741ea296a82ffee6f9eff9f839562193dbe98c27c02b4e994436921d01a655eb6e62ebad0de6fcfb2e1f523a46eea158829bb42be4265a89a523953b9e4e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\fjcyjuzs

Filesize
5KB

MD5
ea2566be86b911ef935da116381a18fd

SHA1
6354439aa86fedec7b189b20d57aa5855b4e29cb

SHA256
b1729caa538284e20ce3b45f7c8cf05706530933048ad10246bbdb303d3249a2

SHA512
d5b503bca1285c0a557f6d0384577352437d274be28f0796543056b8f60771b11535806be51bbb1d2efb3ebc29fb0392e65ad5e70cc6f65d0f2f1f049673a758

Download Submit
memory/840-8-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download
memory/1200-19-0x00000000050E0000-0x000000000525D000-memory.dmp

Filesize
1.5MB

Download
memory/1200-26-0x00000000050E0000-0x000000000525D000-memory.dmp

Filesize
1.5MB

Download
memory/1200-31-0x0000000009E40000-0x0000000009F9B000-memory.dmp

Filesize
1.4MB

Download
memory/2624-22-0x0000000000FA0000-0x0000000000FB6000-memory.dmp

Filesize
88KB

Download
memory/2624-24-0x0000000000FA0000-0x0000000000FB6000-memory.dmp

Filesize
88KB

Download
memory/2624-25-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/2768-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2768-18-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download