formbook | b60cc5eef23df54a8527f68b650ded50b8fe732bfc36132fc32f90c7eb583d38

Analysis

max time kernel
148s
max time network
141s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
24-12-2024 23:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53e82df8699686a1b36c364f243e9f5f9436e454f4dbf1fafd655d4049764e85.exe
Size

461KB
MD5

bd53de78fae3410bc6a613d550b8b9a9
SHA1

74080b1789acb88b2cdb7cef3b06ef7bd9feaa90
SHA256

53e82df8699686a1b36c364f243e9f5f9436e454f4dbf1fafd655d4049764e85
SHA512

b507beaaece7e84c6f7d854d1da525c2e6fa894ecb266ae7000a56dcfaee15382ef54f40f047757ea6c59d5c97b2372f32266f475bf300aa8e00d517fc774075
SSDEEP

6144:ntB5iXq4NYHjLS1hxr0pIHJyxq9ira1+1krWG/G/BH:tmx2HUhN0pIHqqwtYWG/Gd

Score

10^/10

formbook dmr discovery persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dmr

Decoy

thietkewebngay.com

fdgre.com

silverbuzzer.com

d55105.com

ccc693.com

diptya.net

oleasalon.com

vjvtjkic.biz

edmsociety.com

siyahmaske.win

lmnp-occasion.com

platocosmos.com

fakua.top

albertabarricade.com

kakaninrecipes.com

bestsmokeapp.com

hotelsitaly.online

brewtopiaapp.com

1q1twoother.men

wwwmaharashtratimes.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/1640-205-0x0000000000400000-0x000000000042D000-memory.dmp	formbook
behavioral1/memory/1640-208-0x0000000000400000-0x000000000042D000-memory.dmp	formbook

Executes dropped EXE 1 IoCs

pid	Process
1640	AddInProcess32.exe

Loads dropped DLL 2 IoCs

pid	Process
1656	53e82df8699686a1b36c364f243e9f5f9436e454f4dbf1fafd655d4049764e85.exe
1656	53e82df8699686a1b36c364f243e9f5f9436e454f4dbf1fafd655d4049764e85.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\YLU8IRPHEF = "C:\\Program Files (x86)\\Cnj80wbm\\igfx1b0l.exe"	wlanext.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1656 set thread context of 1640	1656	53e82df8699686a1b36c364f243e9f5f9436e454f4dbf1fafd655d4049764e85.exe	30
PID 1640 set thread context of 1388	1640	AddInProcess32.exe	21
PID 1812 set thread context of 1388	1812	wlanext.exe	21

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Cnj80wbm\igfx1b0l.exe	wlanext.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2232	1656	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wlanext.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	53e82df8699686a1b36c364f243e9f5f9436e454f4dbf1fafd655d4049764e85.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-2703099537-420551529-3771253338-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	wlanext.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
1656	53e82df8699686a1b36c364f243e9f5f9436e454f4dbf1fafd655d4049764e85.exe
1640	AddInProcess32.exe
1640	AddInProcess32.exe
1812	wlanext.exe
1812	wlanext.exe
1812	wlanext.exe
1812	wlanext.exe
1812	wlanext.exe
1812	wlanext.exe
1812	wlanext.exe
1812	wlanext.exe
1812	wlanext.exe
1812	wlanext.exe
1812	wlanext.exe
1812	wlanext.exe
1812	wlanext.exe
1812	wlanext.exe
1812	wlanext.exe
1812	wlanext.exe
1812	wlanext.exe
1812	wlanext.exe
1812	wlanext.exe

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
1640	AddInProcess32.exe
1640	AddInProcess32.exe
1640	AddInProcess32.exe
1812	wlanext.exe
1812	wlanext.exe
1812	wlanext.exe
1812	wlanext.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1656	53e82df8699686a1b36c364f243e9f5f9436e454f4dbf1fafd655d4049764e85.exe
Token: SeDebugPrivilege	1640	AddInProcess32.exe
Token: SeDebugPrivilege	1812	wlanext.exe
Token: SeShutdownPrivilege	1388	Explorer.EXE
Token: SeShutdownPrivilege	1388	Explorer.EXE
Token: SeShutdownPrivilege	1388	Explorer.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 1640	1656	53e82df8699686a1b36c364f243e9f5f9436e454f4dbf1fafd655d4049764e85.exe	30
PID 1656 wrote to memory of 1640	1656	53e82df8699686a1b36c364f243e9f5f9436e454f4dbf1fafd655d4049764e85.exe	30
PID 1656 wrote to memory of 1640	1656	53e82df8699686a1b36c364f243e9f5f9436e454f4dbf1fafd655d4049764e85.exe	30
PID 1656 wrote to memory of 1640	1656	53e82df8699686a1b36c364f243e9f5f9436e454f4dbf1fafd655d4049764e85.exe	30
PID 1656 wrote to memory of 1640	1656	53e82df8699686a1b36c364f243e9f5f9436e454f4dbf1fafd655d4049764e85.exe	30
PID 1656 wrote to memory of 1640	1656	53e82df8699686a1b36c364f243e9f5f9436e454f4dbf1fafd655d4049764e85.exe	30
PID 1656 wrote to memory of 1640	1656	53e82df8699686a1b36c364f243e9f5f9436e454f4dbf1fafd655d4049764e85.exe	30
PID 1388 wrote to memory of 1812	1388	Explorer.EXE	31
PID 1388 wrote to memory of 1812	1388	Explorer.EXE	31
PID 1388 wrote to memory of 1812	1388	Explorer.EXE	31
PID 1388 wrote to memory of 1812	1388	Explorer.EXE	31
PID 1656 wrote to memory of 2232	1656	53e82df8699686a1b36c364f243e9f5f9436e454f4dbf1fafd655d4049764e85.exe	32
PID 1656 wrote to memory of 2232	1656	53e82df8699686a1b36c364f243e9f5f9436e454f4dbf1fafd655d4049764e85.exe	32
PID 1656 wrote to memory of 2232	1656	53e82df8699686a1b36c364f243e9f5f9436e454f4dbf1fafd655d4049764e85.exe	32
PID 1656 wrote to memory of 2232	1656	53e82df8699686a1b36c364f243e9f5f9436e454f4dbf1fafd655d4049764e85.exe	32
PID 1812 wrote to memory of 1528	1812	wlanext.exe	33
PID 1812 wrote to memory of 1528	1812	wlanext.exe	33
PID 1812 wrote to memory of 1528	1812	wlanext.exe	33
PID 1812 wrote to memory of 1528	1812	wlanext.exe	33
PID 1812 wrote to memory of 2544	1812	wlanext.exe	35
PID 1812 wrote to memory of 2544	1812	wlanext.exe	35
PID 1812 wrote to memory of 2544	1812	wlanext.exe	35
PID 1812 wrote to memory of 2544	1812	wlanext.exe	35
PID 1812 wrote to memory of 2544	1812	wlanext.exe	35

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Users\Admin\AppData\Local\Temp\53e82df8699686a1b36c364f243e9f5f9436e454f4dbf1fafd655d4049764e85.exe
  "C:\Users\Admin\AppData\Local\Temp\53e82df8699686a1b36c364f243e9f5f9436e454f4dbf1fafd655d4049764e85.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1656
- - C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
    "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1640
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 2964
    3⤵
    - Program crash
    PID:2232
- C:\Windows\SysWOW64\wlanext.exe
  "C:\Windows\SysWOW64\wlanext.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1528
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\575MTR-W\575logim.jpeg

Filesize
69KB

MD5
d5cec2781059a2a875fd3f4f86205f40

SHA1
f1db4a7f216c18752f9390e2677c59a9e1cc4a7a

SHA256
2df4982075292b9dc8b1711860f3dce092f24fd247749e28a18a0bfc172baa5a

SHA512
f52afaf7c20ecff77127ac4479e13f0f87859bd51cf8f68fc5d9c6bfb8470079b8d75c0b8f64b174e98123581ffbcb07bf44eb86fd4d08baa234dd09cc7d3565

Download Submit
C:\Users\Admin\AppData\Roaming\575MTR-W\575logrf.ini

Filesize
40B

MD5
2f245469795b865bdd1b956c23d7893d

SHA1
6ad80b974d3808f5a20ea1e766c7d2f88b9e5895

SHA256
1662d01a2d47b875a34fc7a8cd92e78cb2ba7f34023c7fd2639cbb10b8d94361

SHA512
909f189846a5d2db208a5eb2e7cb3042c0f164caf437e2b1b6de608c0a70e4f3510b81b85753dbeec1e211e6a83e6ea8c96aff896e9b6e8ed42014473a54dc4f

Download Submit
C:\Users\Admin\AppData\Roaming\575MTR-W\575logri.ini

Filesize
40B

MD5
d63a82e5d81e02e399090af26db0b9cb

SHA1
91d0014c8f54743bba141fd60c9d963f869d76c9

SHA256
eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

SHA512
38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

Download Submit
C:\Users\Admin\AppData\Roaming\575MTR-W\575logrv.ini

Filesize
40B

MD5
ba3b6bc807d4f76794c4b81b09bb9ba5

SHA1
24cb89501f0212ff3095ecc0aba97dd563718fb1

SHA256
6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507

SHA512
ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf

Download Submit
\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

Filesize
41KB

MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
\Users\Admin\AppData\Local\Temp\b1f92ac9-345d-4ee6-83d6-512dab76f3b9\i.dll

Filesize
94KB

MD5
14ff402962ad21b78ae0b4c43cd1f194

SHA1
f8a510eb26666e875a5bdd1cadad40602763ad72

SHA256
fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

SHA512
daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

Download Submit
memory/1388-227-0x0000000004490000-0x0000000004579000-memory.dmp

Filesize
932KB

Download
memory/1388-221-0x0000000004490000-0x0000000004579000-memory.dmp

Filesize
932KB

Download
memory/1388-216-0x0000000007510000-0x000000000769A000-memory.dmp

Filesize
1.5MB

Download
memory/1388-210-0x0000000007510000-0x000000000769A000-memory.dmp

Filesize
1.5MB

Download
memory/1640-208-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1640-209-0x0000000000150000-0x0000000000164000-memory.dmp

Filesize
80KB

Download
memory/1640-206-0x0000000000A00000-0x0000000000D03000-memory.dmp

Filesize
3.0MB

Download
memory/1640-205-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1656-54-0x00000000004B0000-0x00000000004D6000-memory.dmp

Filesize
152KB

Download
memory/1656-12-0x00000000004B0000-0x00000000004D6000-memory.dmp

Filesize
152KB

Download
memory/1656-50-0x00000000004B0000-0x00000000004D6000-memory.dmp

Filesize
152KB

Download
memory/1656-48-0x00000000004B0000-0x00000000004D6000-memory.dmp

Filesize
152KB

Download
memory/1656-46-0x00000000004B0000-0x00000000004D6000-memory.dmp

Filesize
152KB

Download
memory/1656-44-0x00000000004B0000-0x00000000004D6000-memory.dmp

Filesize
152KB

Download
memory/1656-42-0x00000000004B0000-0x00000000004D6000-memory.dmp

Filesize
152KB

Download
memory/1656-40-0x00000000004B0000-0x00000000004D6000-memory.dmp

Filesize
152KB

Download
memory/1656-38-0x00000000004B0000-0x00000000004D6000-memory.dmp

Filesize
152KB

Download
memory/1656-36-0x00000000004B0000-0x00000000004D6000-memory.dmp

Filesize
152KB

Download
memory/1656-34-0x00000000004B0000-0x00000000004D6000-memory.dmp

Filesize
152KB

Download
memory/1656-32-0x00000000004B0000-0x00000000004D6000-memory.dmp

Filesize
152KB

Download
memory/1656-30-0x00000000004B0000-0x00000000004D6000-memory.dmp

Filesize
152KB

Download
memory/1656-28-0x00000000004B0000-0x00000000004D6000-memory.dmp

Filesize
152KB

Download
memory/1656-26-0x00000000004B0000-0x00000000004D6000-memory.dmp

Filesize
152KB

Download
memory/1656-24-0x00000000004B0000-0x00000000004D6000-memory.dmp

Filesize
152KB

Download
memory/1656-22-0x00000000004B0000-0x00000000004D6000-memory.dmp

Filesize
152KB

Download
memory/1656-20-0x00000000004B0000-0x00000000004D6000-memory.dmp

Filesize
152KB

Download
memory/1656-18-0x00000000004B0000-0x00000000004D6000-memory.dmp

Filesize
152KB

Download
memory/1656-16-0x00000000004B0000-0x00000000004D6000-memory.dmp

Filesize
152KB

Download
memory/1656-14-0x00000000004B0000-0x00000000004D6000-memory.dmp

Filesize
152KB

Download
memory/1656-52-0x00000000004B0000-0x00000000004D6000-memory.dmp

Filesize
152KB

Download
memory/1656-11-0x00000000004B0000-0x00000000004D6000-memory.dmp

Filesize
152KB

Download
memory/1656-10-0x0000000075360000-0x00000000753E0000-memory.dmp

Filesize
512KB

Download
memory/1656-191-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download
memory/1656-193-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download
memory/1656-194-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download
memory/1656-195-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download
memory/1656-0-0x00000000749EE000-0x00000000749EF000-memory.dmp

Filesize
4KB

Download
memory/1656-56-0x00000000004B0000-0x00000000004D6000-memory.dmp

Filesize
152KB

Download
memory/1656-58-0x00000000004B0000-0x00000000004D6000-memory.dmp

Filesize
152KB

Download
memory/1656-60-0x00000000004B0000-0x00000000004D6000-memory.dmp

Filesize
152KB

Download
memory/1656-62-0x00000000004B0000-0x00000000004D6000-memory.dmp

Filesize
152KB

Download
memory/1656-64-0x00000000004B0000-0x00000000004D6000-memory.dmp

Filesize
152KB

Download
memory/1656-1-0x0000000001290000-0x000000000130A000-memory.dmp

Filesize
488KB

Download
memory/1656-215-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download
memory/1656-66-0x00000000004B0000-0x00000000004D6000-memory.dmp

Filesize
152KB

Download
memory/1656-68-0x00000000004B0000-0x00000000004D6000-memory.dmp

Filesize
152KB

Download
memory/1656-70-0x00000000004B0000-0x00000000004D6000-memory.dmp

Filesize
152KB

Download
memory/1656-72-0x00000000004B0000-0x00000000004D6000-memory.dmp

Filesize
152KB

Download
memory/1656-3-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download
memory/1656-2-0x00000000004B0000-0x00000000004DC000-memory.dmp

Filesize
176KB

Download
memory/1812-213-0x0000000000EB0000-0x0000000000EC6000-memory.dmp

Filesize
88KB

Download