formbook | 08b37186bf5900314ff26172bfc0f2ff35a2f61ec2bd1be1e2c7031af9bf5358

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2024 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

742dddbb8dfa6ac7125c8f7de7197163c111ee6d8f1ff4ff0382db223c8461a8.exe
Size

1.1MB
MD5

c078c87514cfd7cae5d932325fad4625
SHA1

40ff7130fe87f96a133f41aea4eb9ff75be6a5dd
SHA256

742dddbb8dfa6ac7125c8f7de7197163c111ee6d8f1ff4ff0382db223c8461a8
SHA512

355f0badda14c4fa19fddf3419dc7994fb08c45f3657cdf7a7e208005c6c26b2f01f0df85031148e01031a32e6ae1ca1b76658e7b69b293670293bc2757c2e15
SSDEEP

24576:gMTzqeqLpLGq1hhh2czxF8Uo8J6Iti5lcIIoIhI:1TzqDDr24oUt6Iti5lcIIoIhI

Score

10^/10

formbook su4h discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

su4h

Decoy

dopestartalentsearch.com

xeneln.info

jan-stollenwerk.com

footjet.com

globfun.com

drygoodsnola.com

cartayamedpsy.net

morganamelia.com

renoportapotty.com

cybertrucksclub.com

sl367.com

bandwagonpresents.com

npaczambia.com

infocom.management

gm0451.com

coloring-page.info

jibkokmaket.com

stickynoteplot.com

remonmikan.com

mcalweeimports.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/4392-6-0x0000000000400000-0x0000000000459000-memory.dmp	formbook
behavioral2/memory/4392-9-0x0000000000400000-0x0000000000459000-memory.dmp	formbook
behavioral2/memory/4392-16-0x0000000000400000-0x0000000000459000-memory.dmp	formbook
behavioral2/memory/3592-22-0x0000000000630000-0x000000000065F000-memory.dmp	formbook

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 532 set thread context of 4392	532	742dddbb8dfa6ac7125c8f7de7197163c111ee6d8f1ff4ff0382db223c8461a8.exe	83
PID 4392 set thread context of 3460	4392	isoburn.exe	56
PID 4392 set thread context of 3460	4392	isoburn.exe	56
PID 3592 set thread context of 3460	3592	raserver.exe	56

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	742dddbb8dfa6ac7125c8f7de7197163c111ee6d8f1ff4ff0382db223c8461a8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	isoburn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	raserver.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
532	742dddbb8dfa6ac7125c8f7de7197163c111ee6d8f1ff4ff0382db223c8461a8.exe
532	742dddbb8dfa6ac7125c8f7de7197163c111ee6d8f1ff4ff0382db223c8461a8.exe
532	742dddbb8dfa6ac7125c8f7de7197163c111ee6d8f1ff4ff0382db223c8461a8.exe
532	742dddbb8dfa6ac7125c8f7de7197163c111ee6d8f1ff4ff0382db223c8461a8.exe
532	742dddbb8dfa6ac7125c8f7de7197163c111ee6d8f1ff4ff0382db223c8461a8.exe
532	742dddbb8dfa6ac7125c8f7de7197163c111ee6d8f1ff4ff0382db223c8461a8.exe
532	742dddbb8dfa6ac7125c8f7de7197163c111ee6d8f1ff4ff0382db223c8461a8.exe
532	742dddbb8dfa6ac7125c8f7de7197163c111ee6d8f1ff4ff0382db223c8461a8.exe
4392	isoburn.exe
4392	isoburn.exe
4392	isoburn.exe
4392	isoburn.exe
532	742dddbb8dfa6ac7125c8f7de7197163c111ee6d8f1ff4ff0382db223c8461a8.exe
532	742dddbb8dfa6ac7125c8f7de7197163c111ee6d8f1ff4ff0382db223c8461a8.exe
4392	isoburn.exe
4392	isoburn.exe
3592	raserver.exe
3592	raserver.exe
3592	raserver.exe
3592	raserver.exe
3592	raserver.exe
3592	raserver.exe
3592	raserver.exe
3592	raserver.exe
3592	raserver.exe
3592	raserver.exe
3592	raserver.exe
3592	raserver.exe
3592	raserver.exe
3592	raserver.exe
3592	raserver.exe
3592	raserver.exe
3592	raserver.exe
3592	raserver.exe
3592	raserver.exe
3592	raserver.exe
3592	raserver.exe
3592	raserver.exe
3592	raserver.exe
3592	raserver.exe
3592	raserver.exe
3592	raserver.exe
3592	raserver.exe
3592	raserver.exe
3592	raserver.exe
3592	raserver.exe
3592	raserver.exe
3592	raserver.exe
3592	raserver.exe
3592	raserver.exe
3592	raserver.exe
3592	raserver.exe
3592	raserver.exe
3592	raserver.exe
3592	raserver.exe
3592	raserver.exe
3592	raserver.exe
3592	raserver.exe
3592	raserver.exe
3592	raserver.exe
3592	raserver.exe
3592	raserver.exe
3592	raserver.exe
3592	raserver.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
4392	isoburn.exe
4392	isoburn.exe
4392	isoburn.exe
4392	isoburn.exe
3592	raserver.exe
3592	raserver.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	532	742dddbb8dfa6ac7125c8f7de7197163c111ee6d8f1ff4ff0382db223c8461a8.exe
Token: SeDebugPrivilege	4392	isoburn.exe
Token: SeDebugPrivilege	3592	raserver.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 532 wrote to memory of 4392	532	742dddbb8dfa6ac7125c8f7de7197163c111ee6d8f1ff4ff0382db223c8461a8.exe	83
PID 532 wrote to memory of 4392	532	742dddbb8dfa6ac7125c8f7de7197163c111ee6d8f1ff4ff0382db223c8461a8.exe	83
PID 532 wrote to memory of 4392	532	742dddbb8dfa6ac7125c8f7de7197163c111ee6d8f1ff4ff0382db223c8461a8.exe	83
PID 532 wrote to memory of 4392	532	742dddbb8dfa6ac7125c8f7de7197163c111ee6d8f1ff4ff0382db223c8461a8.exe	83
PID 532 wrote to memory of 4392	532	742dddbb8dfa6ac7125c8f7de7197163c111ee6d8f1ff4ff0382db223c8461a8.exe	83
PID 532 wrote to memory of 4392	532	742dddbb8dfa6ac7125c8f7de7197163c111ee6d8f1ff4ff0382db223c8461a8.exe	83
PID 532 wrote to memory of 4392	532	742dddbb8dfa6ac7125c8f7de7197163c111ee6d8f1ff4ff0382db223c8461a8.exe	83
PID 4392 wrote to memory of 3592	4392	isoburn.exe	92
PID 4392 wrote to memory of 3592	4392	isoburn.exe	92
PID 4392 wrote to memory of 3592	4392	isoburn.exe	92
PID 3592 wrote to memory of 1476	3592	raserver.exe	93
PID 3592 wrote to memory of 1476	3592	raserver.exe	93
PID 3592 wrote to memory of 1476	3592	raserver.exe	93

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3460
- C:\Users\Admin\AppData\Local\Temp\742dddbb8dfa6ac7125c8f7de7197163c111ee6d8f1ff4ff0382db223c8461a8.exe
  "C:\Users\Admin\AppData\Local\Temp\742dddbb8dfa6ac7125c8f7de7197163c111ee6d8f1ff4ff0382db223c8461a8.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:532
- - C:\Windows\SysWOW64\isoburn.exe
    "C:\Windows\SysWOW64\isoburn.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4392
  - - C:\Windows\SysWOW64\raserver.exe
      "C:\Windows\SysWOW64\raserver.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3592
    - - C:\Windows\SysWOW64\cmd.exe
        
        /c del "C:\Windows\SysWOW64\isoburn.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/532-0-0x000000007461E000-0x000000007461F000-memory.dmp

Filesize
4KB

Download
memory/532-1-0x0000000000900000-0x0000000000A14000-memory.dmp

Filesize
1.1MB

Download
memory/532-2-0x0000000005440000-0x00000000054DC000-memory.dmp

Filesize
624KB

Download
memory/532-3-0x0000000074610000-0x0000000074DC0000-memory.dmp

Filesize
7.7MB

Download
memory/532-4-0x0000000005310000-0x00000000053D0000-memory.dmp

Filesize
768KB

Download
memory/532-5-0x00000000055E0000-0x0000000005616000-memory.dmp

Filesize
216KB

Download
memory/532-14-0x0000000074610000-0x0000000074DC0000-memory.dmp

Filesize
7.7MB

Download
memory/532-13-0x0000000071D85000-0x0000000071D86000-memory.dmp

Filesize
4KB

Download
memory/3460-11-0x00000000025B0000-0x0000000002692000-memory.dmp

Filesize
904KB

Download
memory/3460-28-0x0000000007BF0000-0x0000000007C8B000-memory.dmp

Filesize
620KB

Download
memory/3460-26-0x0000000007BF0000-0x0000000007C8B000-memory.dmp

Filesize
620KB

Download
memory/3460-25-0x0000000007BF0000-0x0000000007C8B000-memory.dmp

Filesize
620KB

Download
memory/3460-18-0x0000000008140000-0x000000000828D000-memory.dmp

Filesize
1.3MB

Download
memory/3592-19-0x0000000000710000-0x000000000072F000-memory.dmp

Filesize
124KB

Download
memory/3592-22-0x0000000000630000-0x000000000065F000-memory.dmp

Filesize
188KB

Download
memory/3592-21-0x0000000000710000-0x000000000072F000-memory.dmp

Filesize
124KB

Download
memory/4392-6-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4392-17-0x0000000002DC0000-0x0000000002DD4000-memory.dmp

Filesize
80KB

Download
memory/4392-16-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4392-10-0x0000000000D00000-0x0000000000D14000-memory.dmp

Filesize
80KB

Download
memory/4392-7-0x0000000001180000-0x00000000014CA000-memory.dmp

Filesize
3.3MB

Download
memory/4392-9-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download