formbook | 7d2d4bbbd494072b6e1f051442b494a0ad2e118684f7cbcb230e3138b2a05563

Analysis

max time kernel
147s
max time network
138s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-12-2024 23:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

985737716694171ca5cd45760d29ab6aebe57efcd2349bc5085ff13cdd365efd.exe
Size

1.1MB
MD5

ac2c24eeb56a0fc9e89d995c4b0d5c0f
SHA1

cb42fd2596ed3ef2f681de0919fb61293e785974
SHA256

985737716694171ca5cd45760d29ab6aebe57efcd2349bc5085ff13cdd365efd
SHA512

ff3a83e78a3677ca67ae22667c341add857f117c40509dbaa7eac2a1d85649b1eaf6317a440fbab7e86e1eff4e53d27a3564081ff320f6bafc24cdc58dcaa9a4
SSDEEP

24576:0AOcZ2i7g/0jTS8U1L3j5HUSIOg0+MkYG9:i7S9m/5HPnk

Score

10^/10

formbook mr06 discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mr06

Decoy

dreamrose.shop

bamdadlive.com

avastfr.com

aishabolduc.design

nobulldownhill.com

navis.store

paintingsantaclarita.com

wdidfhqo9751ds.link

epilateurlaser.info

expertdoctor.xyz

jtfaqyxo.work

zrexvita.live

coloradomarketingfirm.com

prestigehospitality.solutions

bmayple.com

sea-food.online

mejor-proteccion-es.click

tophatlimitless.buzz

inailshickorycreek.com

tintash-sg.net

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/2848-63-0x0000000000400000-0x0000000000B09000-memory.dmp	formbook
behavioral1/memory/2920-59-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1664-69-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/2848-70-0x0000000000400000-0x0000000000B09000-memory.dmp	formbook

Executes dropped EXE 1 IoCs

pid	Process
2588	rpvrskeofd.exe

Loads dropped DLL 1 IoCs

pid	Process
2720	WScript.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 2588 set thread context of 2920	2588	rpvrskeofd.exe	33
PID 2588 set thread context of 2848	2588	rpvrskeofd.exe	32
PID 2920 set thread context of 1156	2920	RegSvcs.exe	21
PID 2848 set thread context of 1156	2848	RegSvcs.exe	21
PID 2848 set thread context of 1156	2848	RegSvcs.exe	21
PID 1664 set thread context of 1156	1664	raserver.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	985737716694171ca5cd45760d29ab6aebe57efcd2349bc5085ff13cdd365efd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rpvrskeofd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	raserver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2920	RegSvcs.exe
2848	RegSvcs.exe
2920	RegSvcs.exe
2848	RegSvcs.exe
1664	raserver.exe
1664	raserver.exe
2848	RegSvcs.exe
2952	msdt.exe
1664	raserver.exe
1664	raserver.exe
1664	raserver.exe
1664	raserver.exe
1664	raserver.exe
1664	raserver.exe
1664	raserver.exe
1664	raserver.exe
1664	raserver.exe
1664	raserver.exe
1664	raserver.exe
1664	raserver.exe
1664	raserver.exe
1664	raserver.exe
1664	raserver.exe
1664	raserver.exe
1664	raserver.exe
1664	raserver.exe
1664	raserver.exe
1664	raserver.exe
1664	raserver.exe
1664	raserver.exe
1664	raserver.exe
1664	raserver.exe
1664	raserver.exe
1664	raserver.exe
1664	raserver.exe

Suspicious behavior: MapViewOfSection 9 IoCs

pid	Process
2920	RegSvcs.exe
2848	RegSvcs.exe
2920	RegSvcs.exe
2920	RegSvcs.exe
1664	raserver.exe
2848	RegSvcs.exe
2848	RegSvcs.exe
2848	RegSvcs.exe
1664	raserver.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2920	RegSvcs.exe
Token: SeDebugPrivilege	2848	RegSvcs.exe
Token: SeDebugPrivilege	1664	raserver.exe
Token: SeDebugPrivilege	2952	msdt.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2720	2640	985737716694171ca5cd45760d29ab6aebe57efcd2349bc5085ff13cdd365efd.exe	30
PID 2640 wrote to memory of 2720	2640	985737716694171ca5cd45760d29ab6aebe57efcd2349bc5085ff13cdd365efd.exe	30
PID 2640 wrote to memory of 2720	2640	985737716694171ca5cd45760d29ab6aebe57efcd2349bc5085ff13cdd365efd.exe	30
PID 2640 wrote to memory of 2720	2640	985737716694171ca5cd45760d29ab6aebe57efcd2349bc5085ff13cdd365efd.exe	30
PID 2720 wrote to memory of 2588	2720	WScript.exe	31
PID 2720 wrote to memory of 2588	2720	WScript.exe	31
PID 2720 wrote to memory of 2588	2720	WScript.exe	31
PID 2720 wrote to memory of 2588	2720	WScript.exe	31
PID 2588 wrote to memory of 2848	2588	rpvrskeofd.exe	32
PID 2588 wrote to memory of 2848	2588	rpvrskeofd.exe	32
PID 2588 wrote to memory of 2848	2588	rpvrskeofd.exe	32
PID 2588 wrote to memory of 2848	2588	rpvrskeofd.exe	32
PID 2588 wrote to memory of 2848	2588	rpvrskeofd.exe	32
PID 2588 wrote to memory of 2848	2588	rpvrskeofd.exe	32
PID 2588 wrote to memory of 2848	2588	rpvrskeofd.exe	32
PID 2588 wrote to memory of 2920	2588	rpvrskeofd.exe	33
PID 2588 wrote to memory of 2920	2588	rpvrskeofd.exe	33
PID 2588 wrote to memory of 2920	2588	rpvrskeofd.exe	33
PID 2588 wrote to memory of 2920	2588	rpvrskeofd.exe	33
PID 2588 wrote to memory of 2920	2588	rpvrskeofd.exe	33
PID 2588 wrote to memory of 2920	2588	rpvrskeofd.exe	33
PID 2588 wrote to memory of 2920	2588	rpvrskeofd.exe	33
PID 2588 wrote to memory of 2920	2588	rpvrskeofd.exe	33
PID 2588 wrote to memory of 2920	2588	rpvrskeofd.exe	33
PID 2588 wrote to memory of 2920	2588	rpvrskeofd.exe	33
PID 2588 wrote to memory of 2848	2588	rpvrskeofd.exe	32
PID 2588 wrote to memory of 2848	2588	rpvrskeofd.exe	32
PID 1156 wrote to memory of 1664	1156	Explorer.EXE	34
PID 1156 wrote to memory of 1664	1156	Explorer.EXE	34
PID 1156 wrote to memory of 1664	1156	Explorer.EXE	34
PID 1156 wrote to memory of 1664	1156	Explorer.EXE	34
PID 1664 wrote to memory of 480	1664	raserver.exe	35
PID 1664 wrote to memory of 480	1664	raserver.exe	35
PID 1664 wrote to memory of 480	1664	raserver.exe	35
PID 1664 wrote to memory of 480	1664	raserver.exe	35
PID 1156 wrote to memory of 2952	1156	Explorer.EXE	37
PID 1156 wrote to memory of 2952	1156	Explorer.EXE	37
PID 1156 wrote to memory of 2952	1156	Explorer.EXE	37
PID 1156 wrote to memory of 2952	1156	Explorer.EXE	37

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1156
- C:\Users\Admin\AppData\Local\Temp\985737716694171ca5cd45760d29ab6aebe57efcd2349bc5085ff13cdd365efd.exe
  "C:\Users\Admin\AppData\Local\Temp\985737716694171ca5cd45760d29ab6aebe57efcd2349bc5085ff13cdd365efd.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\7_63\ulvlicmcxk.vbe"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Users\Admin\AppData\Local\Temp\7_63\rpvrskeofd.exe
      "C:\Users\Admin\AppData\Local\Temp\7_63\rpvrskeofd.exe" sopjge.daw
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2588
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2920
- C:\Windows\SysWOW64\raserver.exe
  "C:\Windows\SysWOW64\raserver.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:480
- C:\Windows\SysWOW64\msdt.exe
  "C:\Windows\SysWOW64\msdt.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7_63\dojcuiu.pdf

Filesize
40KB

MD5
9be1e7667aecfc2ea424c9e8ef7e48bc

SHA1
49351d60b77693beb7f0190fc8cf031a9d6d09e7

SHA256
89299ac18342245f35621f7e2bda7af823644d0ae52763aa29b646632db97fb8

SHA512
74b39c3824ab9d3cd330e4d12e83efe70588a52d4a2862a0e820c017336dd9cba4c0f24f14ff2d6044b901656165ea55dd243bc22f127a4c5b1c474920163ae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7_63\rpvrskeofd.exe

Filesize
1.1MB

MD5
b5b4f7b97106aff4bd860cff0e13dcdc

SHA1
42ca977e0d14bde5d5831b7fe10f516186df3fc5

SHA256
1dbad30b09c655ff987f25c312f56e9695d60105c240686d05d33941c854fa73

SHA512
3e6742aea38c0cbfee8e5cb8f11d328c947c7e4fcca4604b498a7e254aacfe53cc8fc6171d5ed2db7755abb510c09036bfbb1e5a9d9b7b47a587b43c828e3185

Download Submit
C:\Users\Admin\AppData\Local\Temp\7_63\ubrce.gge

Filesize
370KB

MD5
66d443abc0d6d9da3a419a3a6a7f9085

SHA1
caf338699d99be174c33017bd751d3419fe668e6

SHA256
bb2f875ea6d8631cd2bdfb0fb2e9935310f6898c72698677bb55fb303dc52890

SHA512
272cb206198794fd6ba4bf966230450031ba00eb492ce96e63aeb8ef42c16ff04648577eb806edf96d9b0d0117db75b944a16d05f14fd44608713dd22d8de876

Download Submit
C:\Users\Admin\AppData\Local\temp\7_63\ulvlicmcxk.vbe

Filesize
27KB

MD5
3ac6a7f004a811c0346cca6937c20ad6

SHA1
fedd4cf52b30748c33e47e03cacef5797354b6e7

SHA256
41f54a5dcddafd9038dffb546a05f9c5c45b956b55f49c7ff12f78478fab749d

SHA512
c1be79f38f0d1993009c225de611fe4680f5875ce21b3e9d2d66ce38fb08068c964795324273161981c29d942639de7f6d4954c00917484b55cc79e18868ed3a

Download Submit
memory/1156-65-0x0000000000010000-0x0000000000020000-memory.dmp

Filesize
64KB

Download
memory/1156-78-0x0000000007820000-0x0000000007964000-memory.dmp

Filesize
1.3MB

Download
memory/1664-68-0x0000000000CD0000-0x0000000000CEC000-memory.dmp

Filesize
112KB

Download
memory/1664-69-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/2848-63-0x0000000000400000-0x0000000000B09000-memory.dmp

Filesize
7.0MB

Download
memory/2848-70-0x0000000000400000-0x0000000000B09000-memory.dmp

Filesize
7.0MB

Download
memory/2848-60-0x0000000000400000-0x0000000000B09000-memory.dmp

Filesize
7.0MB

Download
memory/2920-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2920-54-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2920-58-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2920-59-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2952-71-0x0000000000BB0000-0x0000000000CA4000-memory.dmp

Filesize
976KB

Download