formbook | 9cb9cd8ccb177fa649f6aa14cc3e0e8e426c4aafeb4a963de8ed47faafa1e2e0

Analysis

max time kernel
148s
max time network
140s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
24-12-2024 23:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

textview355624.exe
Size

1.3MB
MD5

a482429d1a13c6d0f3a879a6673391c5
SHA1

17c069f52138457ea210670b831cf21c89c1f0af
SHA256

39ef261dd5ada5c7b29412ca0e95e6950de77ac8ab9f6e096692fd553a6e3ace
SHA512

ff54cc0abee1d9daeabe9de77ac3e704a0fb7944f4c0644664d10ac7cd813afba9b07c104e5943b4e1200a6b98ceadff90a473e4ff80cb7043adc25239c9bf70
SSDEEP

24576:rAOcZ8h2ftK23S4LMhWNUkjPV99npuezy71oporahO:tsCkNUkj9fZe6GJ

Score

10^/10

formbook t01w discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

t01w

Decoy

yeluzishiyanshi.com

thehardtech.xyz

arrowheadk8.site

zaulkunutila.xyz

lookastro.net

congregorecruitment.co.uk

darcyboo.uk

collettesbet.net

ltgpd.com

hiddenapphq.net

haxtrl.online

esenbook.com

jxzyyx.com

ulvabuyout.xyz

instashop.life

vazra.top

ewdvatcuce4.top

zhishi68.com

fabricsandfashion.com

hootcaster.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/2224-69-0x0000000000400000-0x0000000000906000-memory.dmp	formbook
behavioral1/memory/2724-65-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2684-77-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Executes dropped EXE 1 IoCs

pid	Process
2584	hrro.pif

Loads dropped DLL 4 IoCs

pid	Process
2140	textview355624.exe
2140	textview355624.exe
2140	textview355624.exe
2140	textview355624.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 2584 set thread context of 2724	2584	hrro.pif	33
PID 2584 set thread context of 2224	2584	hrro.pif	32
PID 2724 set thread context of 1208	2724	RegSvcs.exe	21
PID 2224 set thread context of 1208	2224	RegSvcs.exe	21
PID 2684 set thread context of 1208	2684	wlanext.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	textview355624.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hrro.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wlanext.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wlanext.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
2724	RegSvcs.exe
2224	RegSvcs.exe
2724	RegSvcs.exe
2224	RegSvcs.exe
2684	wlanext.exe
2688	wlanext.exe
2684	wlanext.exe
2684	wlanext.exe
2684	wlanext.exe
2684	wlanext.exe
2684	wlanext.exe
2684	wlanext.exe
2684	wlanext.exe
2684	wlanext.exe
2684	wlanext.exe
2684	wlanext.exe
2684	wlanext.exe
2684	wlanext.exe
2684	wlanext.exe
2684	wlanext.exe
2684	wlanext.exe
2684	wlanext.exe
2684	wlanext.exe
2684	wlanext.exe
2684	wlanext.exe
2684	wlanext.exe
2684	wlanext.exe
2684	wlanext.exe
2684	wlanext.exe
2684	wlanext.exe
2684	wlanext.exe
2684	wlanext.exe
2684	wlanext.exe
2684	wlanext.exe

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
2724	RegSvcs.exe
2224	RegSvcs.exe
2724	RegSvcs.exe
2724	RegSvcs.exe
2224	RegSvcs.exe
2224	RegSvcs.exe
2684	wlanext.exe
2684	wlanext.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2724	RegSvcs.exe
Token: SeDebugPrivilege	2224	RegSvcs.exe
Token: SeDebugPrivilege	2684	wlanext.exe
Token: SeDebugPrivilege	2688	wlanext.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1208	Explorer.EXE
1208	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1208	Explorer.EXE
1208	Explorer.EXE

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 2584	2140	textview355624.exe	30
PID 2140 wrote to memory of 2584	2140	textview355624.exe	30
PID 2140 wrote to memory of 2584	2140	textview355624.exe	30
PID 2140 wrote to memory of 2584	2140	textview355624.exe	30
PID 2140 wrote to memory of 2584	2140	textview355624.exe	30
PID 2140 wrote to memory of 2584	2140	textview355624.exe	30
PID 2140 wrote to memory of 2584	2140	textview355624.exe	30
PID 2584 wrote to memory of 2224	2584	hrro.pif	32
PID 2584 wrote to memory of 2224	2584	hrro.pif	32
PID 2584 wrote to memory of 2224	2584	hrro.pif	32
PID 2584 wrote to memory of 2224	2584	hrro.pif	32
PID 2584 wrote to memory of 2224	2584	hrro.pif	32
PID 2584 wrote to memory of 2224	2584	hrro.pif	32
PID 2584 wrote to memory of 2224	2584	hrro.pif	32
PID 2584 wrote to memory of 2724	2584	hrro.pif	33
PID 2584 wrote to memory of 2724	2584	hrro.pif	33
PID 2584 wrote to memory of 2724	2584	hrro.pif	33
PID 2584 wrote to memory of 2724	2584	hrro.pif	33
PID 2584 wrote to memory of 2724	2584	hrro.pif	33
PID 2584 wrote to memory of 2724	2584	hrro.pif	33
PID 2584 wrote to memory of 2724	2584	hrro.pif	33
PID 2584 wrote to memory of 2724	2584	hrro.pif	33
PID 2584 wrote to memory of 2724	2584	hrro.pif	33
PID 2584 wrote to memory of 2724	2584	hrro.pif	33
PID 2584 wrote to memory of 2224	2584	hrro.pif	32
PID 2584 wrote to memory of 2224	2584	hrro.pif	32
PID 1208 wrote to memory of 2688	1208	Explorer.EXE	34
PID 1208 wrote to memory of 2688	1208	Explorer.EXE	34
PID 1208 wrote to memory of 2688	1208	Explorer.EXE	34
PID 1208 wrote to memory of 2688	1208	Explorer.EXE	34
PID 1208 wrote to memory of 2684	1208	Explorer.EXE	35
PID 1208 wrote to memory of 2684	1208	Explorer.EXE	35
PID 1208 wrote to memory of 2684	1208	Explorer.EXE	35
PID 1208 wrote to memory of 2684	1208	Explorer.EXE	35
PID 2684 wrote to memory of 2764	2684	wlanext.exe	36
PID 2684 wrote to memory of 2764	2684	wlanext.exe	36
PID 2684 wrote to memory of 2764	2684	wlanext.exe	36
PID 2684 wrote to memory of 2764	2684	wlanext.exe	36

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Users\Admin\AppData\Local\Temp\textview355624.exe
  "C:\Users\Admin\AppData\Local\Temp\textview355624.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Users\Admin\4_34\hrro.pif
    "C:\Users\Admin\4_34\hrro.pif" jhaimkn.tfj
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2224
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2724
- C:\Windows\SysWOW64\wlanext.exe
  "C:\Windows\SysWOW64\wlanext.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2688
- C:\Windows\SysWOW64\wlanext.exe
  "C:\Windows\SysWOW64\wlanext.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\4_34\fnuxmx.ppt

Filesize
43KB

MD5
6788d1ba47db8633247a05417c2df710

SHA1
f87c819f4485e0950f83b5c07dabdb37ba60b322

SHA256
4d195bc83ef70e6c751316d9cfdce9bfe540d83af89b9a74061c56c0cb62096d

SHA512
6a61ae3a3b7cd25c3c6bca300308907d2af9829afa2710c7da79274353a474375e3c5f7bef2f2cf0b3f84a83c52bb01d3ebb00cd5747ef09c571143d1a744a5f

Download Submit
C:\Users\Admin\4_34\skdxl.ngs

Filesize
370KB

MD5
838d5ccd99ec803448d971922715b3df

SHA1
debc610b1938f2dc6feb76f18594ef24da90f2dc

SHA256
fcf7f9b105af57409f9bbcd184fda5abc73b7df7c2ac22d7f47a2a23fee97904

SHA512
85f9e1754e07cb6090e2563c4b0216ab1384ff1e2cbb475352b619adcc481cf7f43a8090e1ea7091b66e8c32b44e5459f0b12662bc0e9fc51a085f5436b85395

Download Submit
\Users\Admin\4_34\hrro.pif

Filesize
1.7MB

MD5
dd3466f64841cf21fc31f63f03dbfd29

SHA1
3878c8e52203d792c6f672595f7c78ab27ce3f04

SHA256
4fe3004208ed574521992dd1ba3d900b75a0f02f1d63ba1e531d309e85ffa06b

SHA512
adf3fe8378f7da5ba278db9a1df4cc7b5cff12398ec39ee7037382ebf57897de8bec72be64b5e7332bdb7ed865788dcb6ef4ceda6654e1153d39fe84b011b057

Download Submit
memory/1208-82-0x0000000004D10000-0x0000000004DAC000-memory.dmp

Filesize
624KB

Download
memory/1208-72-0x00000000002D0000-0x00000000003D0000-memory.dmp

Filesize
1024KB

Download
memory/2224-69-0x0000000000400000-0x0000000000906000-memory.dmp

Filesize
5.0MB

Download
memory/2224-66-0x0000000000400000-0x0000000000906000-memory.dmp

Filesize
5.0MB

Download
memory/2684-73-0x0000000000410000-0x0000000000426000-memory.dmp

Filesize
88KB

Download
memory/2684-77-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/2688-74-0x0000000000410000-0x0000000000426000-memory.dmp

Filesize
88KB

Download
memory/2724-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2724-62-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2724-64-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2724-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download