formbook | 7d2d4bbbd494072b6e1f051442b494a0ad2e118684f7cbcb230e3138b2a05563

Analysis

max time kernel
148s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2024 23:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

985737716694171ca5cd45760d29ab6aebe57efcd2349bc5085ff13cdd365efd.exe
Size

1.1MB
MD5

ac2c24eeb56a0fc9e89d995c4b0d5c0f
SHA1

cb42fd2596ed3ef2f681de0919fb61293e785974
SHA256

985737716694171ca5cd45760d29ab6aebe57efcd2349bc5085ff13cdd365efd
SHA512

ff3a83e78a3677ca67ae22667c341add857f117c40509dbaa7eac2a1d85649b1eaf6317a440fbab7e86e1eff4e53d27a3564081ff320f6bafc24cdc58dcaa9a4
SSDEEP

24576:0AOcZ2i7g/0jTS8U1L3j5HUSIOg0+MkYG9:i7S9m/5HPnk

Score

10^/10

formbook mr06 discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mr06

Decoy

dreamrose.shop

bamdadlive.com

avastfr.com

aishabolduc.design

nobulldownhill.com

navis.store

paintingsantaclarita.com

wdidfhqo9751ds.link

epilateurlaser.info

expertdoctor.xyz

jtfaqyxo.work

zrexvita.live

coloradomarketingfirm.com

prestigehospitality.solutions

bmayple.com

sea-food.online

mejor-proteccion-es.click

tophatlimitless.buzz

inailshickorycreek.com

tintash-sg.net

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 3 IoCs

rat

resource	yara_rule
behavioral2/memory/4672-53-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3932-54-0x0000000000400000-0x00000000009B9000-memory.dmp	formbook
behavioral2/memory/4832-63-0x00000000006F0000-0x000000000071F000-memory.dmp	formbook

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	985737716694171ca5cd45760d29ab6aebe57efcd2349bc5085ff13cdd365efd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
5040	rpvrskeofd.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 5040 set thread context of 4672	5040	rpvrskeofd.exe	85
PID 5040 set thread context of 3932	5040	rpvrskeofd.exe	84
PID 4672 set thread context of 3404	4672	RegSvcs.exe	56
PID 3932 set thread context of 3404	3932	RegSvcs.exe	56
PID 4832 set thread context of 3404	4832	rundll32.exe	56

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rpvrskeofd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	985737716694171ca5cd45760d29ab6aebe57efcd2349bc5085ff13cdd365efd.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	985737716694171ca5cd45760d29ab6aebe57efcd2349bc5085ff13cdd365efd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3932	RegSvcs.exe
4672	RegSvcs.exe
4672	RegSvcs.exe
4672	RegSvcs.exe
4672	RegSvcs.exe
3932	RegSvcs.exe
3932	RegSvcs.exe
3932	RegSvcs.exe
4832	rundll32.exe
4832	rundll32.exe
4836	WWAHost.exe
4836	WWAHost.exe
4832	rundll32.exe
4832	rundll32.exe
4832	rundll32.exe
4832	rundll32.exe
4832	rundll32.exe
4832	rundll32.exe
4832	rundll32.exe
4832	rundll32.exe
4832	rundll32.exe
4832	rundll32.exe
4832	rundll32.exe
4832	rundll32.exe
4832	rundll32.exe
4832	rundll32.exe
4832	rundll32.exe
4832	rundll32.exe
4832	rundll32.exe
4832	rundll32.exe
4832	rundll32.exe
4832	rundll32.exe
4832	rundll32.exe
4832	rundll32.exe
4832	rundll32.exe
4832	rundll32.exe
4832	rundll32.exe
4832	rundll32.exe
4832	rundll32.exe
4832	rundll32.exe
4832	rundll32.exe
4832	rundll32.exe
4832	rundll32.exe
4832	rundll32.exe
4832	rundll32.exe
4832	rundll32.exe
4832	rundll32.exe
4832	rundll32.exe
4832	rundll32.exe
4832	rundll32.exe
4832	rundll32.exe
4832	rundll32.exe
4832	rundll32.exe
4832	rundll32.exe
4832	rundll32.exe
4832	rundll32.exe
4832	rundll32.exe
4832	rundll32.exe
4832	rundll32.exe
4832	rundll32.exe
4832	rundll32.exe
4832	rundll32.exe
4832	rundll32.exe
4832	rundll32.exe

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
4672	RegSvcs.exe
3932	RegSvcs.exe
4672	RegSvcs.exe
4672	RegSvcs.exe
3932	RegSvcs.exe
3932	RegSvcs.exe
4832	rundll32.exe
4832	rundll32.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	4672	RegSvcs.exe
Token: SeDebugPrivilege	3932	RegSvcs.exe
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeDebugPrivilege	4832	rundll32.exe
Token: SeDebugPrivilege	4836	WWAHost.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 4908 wrote to memory of 2360	4908	985737716694171ca5cd45760d29ab6aebe57efcd2349bc5085ff13cdd365efd.exe	82
PID 4908 wrote to memory of 2360	4908	985737716694171ca5cd45760d29ab6aebe57efcd2349bc5085ff13cdd365efd.exe	82
PID 4908 wrote to memory of 2360	4908	985737716694171ca5cd45760d29ab6aebe57efcd2349bc5085ff13cdd365efd.exe	82
PID 2360 wrote to memory of 5040	2360	WScript.exe	83
PID 2360 wrote to memory of 5040	2360	WScript.exe	83
PID 2360 wrote to memory of 5040	2360	WScript.exe	83
PID 5040 wrote to memory of 3932	5040	rpvrskeofd.exe	84
PID 5040 wrote to memory of 3932	5040	rpvrskeofd.exe	84
PID 5040 wrote to memory of 3932	5040	rpvrskeofd.exe	84
PID 5040 wrote to memory of 4672	5040	rpvrskeofd.exe	85
PID 5040 wrote to memory of 4672	5040	rpvrskeofd.exe	85
PID 5040 wrote to memory of 4672	5040	rpvrskeofd.exe	85
PID 5040 wrote to memory of 4672	5040	rpvrskeofd.exe	85
PID 5040 wrote to memory of 4672	5040	rpvrskeofd.exe	85
PID 5040 wrote to memory of 4672	5040	rpvrskeofd.exe	85
PID 5040 wrote to memory of 3932	5040	rpvrskeofd.exe	84
PID 5040 wrote to memory of 3932	5040	rpvrskeofd.exe	84
PID 3404 wrote to memory of 4832	3404	Explorer.EXE	86
PID 3404 wrote to memory of 4832	3404	Explorer.EXE	86
PID 3404 wrote to memory of 4832	3404	Explorer.EXE	86
PID 3404 wrote to memory of 4836	3404	Explorer.EXE	87
PID 3404 wrote to memory of 4836	3404	Explorer.EXE	87
PID 3404 wrote to memory of 4836	3404	Explorer.EXE	87
PID 4832 wrote to memory of 224	4832	rundll32.exe	88
PID 4832 wrote to memory of 224	4832	rundll32.exe	88
PID 4832 wrote to memory of 224	4832	rundll32.exe	88

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3404
- C:\Users\Admin\AppData\Local\Temp\985737716694171ca5cd45760d29ab6aebe57efcd2349bc5085ff13cdd365efd.exe
  "C:\Users\Admin\AppData\Local\Temp\985737716694171ca5cd45760d29ab6aebe57efcd2349bc5085ff13cdd365efd.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\7_63\ulvlicmcxk.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2360
  - - C:\Users\Admin\AppData\Local\Temp\7_63\rpvrskeofd.exe
      "C:\Users\Admin\AppData\Local\Temp\7_63\rpvrskeofd.exe" sopjge.daw
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5040
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:3932
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4672
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\SysWOW64\rundll32.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4832
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:224
- C:\Windows\SysWOW64\WWAHost.exe
  "C:\Windows\SysWOW64\WWAHost.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7_63\dojcuiu.pdf

Filesize
40KB

MD5
9be1e7667aecfc2ea424c9e8ef7e48bc

SHA1
49351d60b77693beb7f0190fc8cf031a9d6d09e7

SHA256
89299ac18342245f35621f7e2bda7af823644d0ae52763aa29b646632db97fb8

SHA512
74b39c3824ab9d3cd330e4d12e83efe70588a52d4a2862a0e820c017336dd9cba4c0f24f14ff2d6044b901656165ea55dd243bc22f127a4c5b1c474920163ae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7_63\rpvrskeofd.exe

Filesize
1.1MB

MD5
b5b4f7b97106aff4bd860cff0e13dcdc

SHA1
42ca977e0d14bde5d5831b7fe10f516186df3fc5

SHA256
1dbad30b09c655ff987f25c312f56e9695d60105c240686d05d33941c854fa73

SHA512
3e6742aea38c0cbfee8e5cb8f11d328c947c7e4fcca4604b498a7e254aacfe53cc8fc6171d5ed2db7755abb510c09036bfbb1e5a9d9b7b47a587b43c828e3185

Download Submit
C:\Users\Admin\AppData\Local\Temp\7_63\ubrce.gge

Filesize
370KB

MD5
66d443abc0d6d9da3a419a3a6a7f9085

SHA1
caf338699d99be174c33017bd751d3419fe668e6

SHA256
bb2f875ea6d8631cd2bdfb0fb2e9935310f6898c72698677bb55fb303dc52890

SHA512
272cb206198794fd6ba4bf966230450031ba00eb492ce96e63aeb8ef42c16ff04648577eb806edf96d9b0d0117db75b944a16d05f14fd44608713dd22d8de876

Download Submit
C:\Users\Admin\AppData\Local\temp\7_63\ulvlicmcxk.vbe

Filesize
27KB

MD5
3ac6a7f004a811c0346cca6937c20ad6

SHA1
fedd4cf52b30748c33e47e03cacef5797354b6e7

SHA256
41f54a5dcddafd9038dffb546a05f9c5c45b956b55f49c7ff12f78478fab749d

SHA512
c1be79f38f0d1993009c225de611fe4680f5875ce21b3e9d2d66ce38fb08068c964795324273161981c29d942639de7f6d4954c00917484b55cc79e18868ed3a

Download Submit
memory/3404-68-0x00000000092B0000-0x0000000009435000-memory.dmp

Filesize
1.5MB

Download
memory/3932-54-0x0000000000400000-0x00000000009B9000-memory.dmp

Filesize
5.7MB

Download
memory/4672-53-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4832-59-0x0000000000A70000-0x0000000000A84000-memory.dmp

Filesize
80KB

Download
memory/4832-60-0x0000000000A70000-0x0000000000A84000-memory.dmp

Filesize
80KB

Download
memory/4832-63-0x00000000006F0000-0x000000000071F000-memory.dmp

Filesize
188KB

Download
memory/4836-57-0x00000000008B0000-0x000000000098C000-memory.dmp

Filesize
880KB

Download
memory/4836-58-0x00000000008B0000-0x000000000098C000-memory.dmp

Filesize
880KB

Download