formbook | 9cb9cd8ccb177fa649f6aa14cc3e0e8e426c4aafeb4a963de8ed47faafa1e2e0

Analysis

max time kernel
148s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2024 23:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

textview355624.exe
Size

1.3MB
MD5

a482429d1a13c6d0f3a879a6673391c5
SHA1

17c069f52138457ea210670b831cf21c89c1f0af
SHA256

39ef261dd5ada5c7b29412ca0e95e6950de77ac8ab9f6e096692fd553a6e3ace
SHA512

ff54cc0abee1d9daeabe9de77ac3e704a0fb7944f4c0644664d10ac7cd813afba9b07c104e5943b4e1200a6b98ceadff90a473e4ff80cb7043adc25239c9bf70
SSDEEP

24576:rAOcZ8h2ftK23S4LMhWNUkjPV99npuezy71oporahO:tsCkNUkj9fZe6GJ

Score

10^/10

formbook t01w discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

t01w

Decoy

yeluzishiyanshi.com

thehardtech.xyz

arrowheadk8.site

zaulkunutila.xyz

lookastro.net

congregorecruitment.co.uk

darcyboo.uk

collettesbet.net

ltgpd.com

hiddenapphq.net

haxtrl.online

esenbook.com

jxzyyx.com

ulvabuyout.xyz

instashop.life

vazra.top

ewdvatcuce4.top

zhishi68.com

fabricsandfashion.com

hootcaster.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 3 IoCs

rat

resource	yara_rule
behavioral2/memory/4408-51-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4408-54-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2668-59-0x00000000012E0000-0x000000000130F000-memory.dmp	formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	textview355624.exe

Executes dropped EXE 1 IoCs

pid	Process
4288	hrro.pif

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4288 set thread context of 4408	4288	hrro.pif	85
PID 4408 set thread context of 3436	4408	RegSvcs.exe	56
PID 2668 set thread context of 3436	2668	systray.exe	56

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systray.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	textview355624.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hrro.pif

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
4408	RegSvcs.exe
4408	RegSvcs.exe
4408	RegSvcs.exe
4408	RegSvcs.exe
2668	systray.exe
2668	systray.exe
2668	systray.exe
2668	systray.exe
2668	systray.exe
2668	systray.exe
2668	systray.exe
2668	systray.exe
2668	systray.exe
2668	systray.exe
2668	systray.exe
2668	systray.exe
2668	systray.exe
2668	systray.exe
2668	systray.exe
2668	systray.exe
2668	systray.exe
2668	systray.exe
2668	systray.exe
2668	systray.exe
2668	systray.exe
2668	systray.exe
2668	systray.exe
2668	systray.exe
2668	systray.exe
2668	systray.exe
2668	systray.exe
2668	systray.exe
2668	systray.exe
2668	systray.exe
2668	systray.exe
2668	systray.exe
2668	systray.exe
2668	systray.exe
2668	systray.exe
2668	systray.exe
2668	systray.exe
2668	systray.exe
2668	systray.exe
2668	systray.exe
2668	systray.exe
2668	systray.exe
2668	systray.exe
2668	systray.exe
2668	systray.exe
2668	systray.exe
2668	systray.exe
2668	systray.exe
2668	systray.exe
2668	systray.exe
2668	systray.exe
2668	systray.exe
2668	systray.exe
2668	systray.exe
2668	systray.exe
2668	systray.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
4408	RegSvcs.exe
4408	RegSvcs.exe
4408	RegSvcs.exe
2668	systray.exe
2668	systray.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4408	RegSvcs.exe
Token: SeShutdownPrivilege	3436	Explorer.EXE
Token: SeCreatePagefilePrivilege	3436	Explorer.EXE
Token: SeShutdownPrivilege	3436	Explorer.EXE
Token: SeCreatePagefilePrivilege	3436	Explorer.EXE
Token: SeDebugPrivilege	2668	systray.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4512 wrote to memory of 4288	4512	textview355624.exe	82
PID 4512 wrote to memory of 4288	4512	textview355624.exe	82
PID 4512 wrote to memory of 4288	4512	textview355624.exe	82
PID 4288 wrote to memory of 1544	4288	hrro.pif	84
PID 4288 wrote to memory of 1544	4288	hrro.pif	84
PID 4288 wrote to memory of 1544	4288	hrro.pif	84
PID 4288 wrote to memory of 4408	4288	hrro.pif	85
PID 4288 wrote to memory of 4408	4288	hrro.pif	85
PID 4288 wrote to memory of 4408	4288	hrro.pif	85
PID 4288 wrote to memory of 4408	4288	hrro.pif	85
PID 4288 wrote to memory of 4408	4288	hrro.pif	85
PID 4288 wrote to memory of 4408	4288	hrro.pif	85
PID 3436 wrote to memory of 2668	3436	Explorer.EXE	86
PID 3436 wrote to memory of 2668	3436	Explorer.EXE	86
PID 3436 wrote to memory of 2668	3436	Explorer.EXE	86
PID 2668 wrote to memory of 2128	2668	systray.exe	87
PID 2668 wrote to memory of 2128	2668	systray.exe	87
PID 2668 wrote to memory of 2128	2668	systray.exe	87

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3436
- C:\Users\Admin\AppData\Local\Temp\textview355624.exe
  "C:\Users\Admin\AppData\Local\Temp\textview355624.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4512
- - C:\Users\Admin\4_34\hrro.pif
    "C:\Users\Admin\4_34\hrro.pif" jhaimkn.tfj
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4288
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:1544
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:4408
- C:\Windows\SysWOW64\systray.exe
  "C:\Windows\SysWOW64\systray.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\4_34\fnuxmx.ppt

Filesize
43KB

MD5
6788d1ba47db8633247a05417c2df710

SHA1
f87c819f4485e0950f83b5c07dabdb37ba60b322

SHA256
4d195bc83ef70e6c751316d9cfdce9bfe540d83af89b9a74061c56c0cb62096d

SHA512
6a61ae3a3b7cd25c3c6bca300308907d2af9829afa2710c7da79274353a474375e3c5f7bef2f2cf0b3f84a83c52bb01d3ebb00cd5747ef09c571143d1a744a5f

Download Submit
C:\Users\Admin\4_34\hrro.pif

Filesize
1.7MB

MD5
dd3466f64841cf21fc31f63f03dbfd29

SHA1
3878c8e52203d792c6f672595f7c78ab27ce3f04

SHA256
4fe3004208ed574521992dd1ba3d900b75a0f02f1d63ba1e531d309e85ffa06b

SHA512
adf3fe8378f7da5ba278db9a1df4cc7b5cff12398ec39ee7037382ebf57897de8bec72be64b5e7332bdb7ed865788dcb6ef4ceda6654e1153d39fe84b011b057

Download Submit
C:\Users\Admin\4_34\skdxl.ngs

Filesize
370KB

MD5
838d5ccd99ec803448d971922715b3df

SHA1
debc610b1938f2dc6feb76f18594ef24da90f2dc

SHA256
fcf7f9b105af57409f9bbcd184fda5abc73b7df7c2ac22d7f47a2a23fee97904

SHA512
85f9e1754e07cb6090e2563c4b0216ab1384ff1e2cbb475352b619adcc481cf7f43a8090e1ea7091b66e8c32b44e5459f0b12662bc0e9fc51a085f5436b85395

Download Submit
memory/2668-57-0x0000000000E60000-0x0000000000E66000-memory.dmp

Filesize
24KB

Download
memory/2668-59-0x00000000012E0000-0x000000000130F000-memory.dmp

Filesize
188KB

Download
memory/2668-58-0x0000000000E60000-0x0000000000E66000-memory.dmp

Filesize
24KB

Download
memory/3436-64-0x00000000086D0000-0x00000000087C7000-memory.dmp

Filesize
988KB

Download
memory/3436-60-0x00000000030E0000-0x00000000031C2000-memory.dmp

Filesize
904KB

Download
memory/3436-56-0x00000000030E0000-0x00000000031C2000-memory.dmp

Filesize
904KB

Download
memory/4408-51-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4408-54-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4408-55-0x0000000000FD0000-0x0000000000FE5000-memory.dmp

Filesize
84KB

Download
memory/4408-52-0x0000000001070000-0x00000000013BA000-memory.dmp

Filesize
3.3MB

Download