formbook | c1a148b353ceabecd13c5e1097efb20b13f0b46b2f15dd50bf906773a205d0e7

Analysis

max time kernel
146s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-12-2024 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

inlaweed324456.exe
Size

216KB
MD5

aa9acee000034360ef72e014b05e775c
SHA1

2e424b2812e789a76315fe7ee2977c2fb802e568
SHA256

0d0f9826df61da68a73b28700102eb7c15f3d3dac4925b56b08a4c9ef89ab743
SHA512

1d881aed0cdfd9f7e0cb6a883040b763c07e9428627384984e23e65bd24e30897ed05881e106d1e55dd4b13a6d3b3682fb198299e53cc1b8d94aa28c420804fc
SSDEEP

3072:F14/IIhEDnmJ+xjJiGIykqSqbNjXGK86HBmx6k6qzUCa0lCVUyy+ZFsH5:FbUIZX58YQ8DqPa06UyjZF+5

Score

10^/10

formbook sn31 discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

sn31

Decoy

matsuomatsuo.com

104wn.com

bolacorner.com

dawonderer.com

yourpamlano.xyz

mtzmx.icu

lepakzaparket.com

barmagli.com

danta.ltd

marumaru240.com

people-centeredhr.com

test-brew-inc.com

clairvoyantbusinesscoach.com

aforeignexchangeblog.com

erentekbilisim.com

gangqinqu123.net

defiguaranteebonds.com

thegioigaubong97.site

vaoiwin.info

vcwholeness.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/2416-15-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2416-18-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2776-24-0x0000000000090000-0x00000000000BF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

pid	Process
3028	ughxrz.exe
2416	ughxrz.exe

Loads dropped DLL 3 IoCs

pid	Process
2368	inlaweed324456.exe
2368	inlaweed324456.exe
3028	ughxrz.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3028 set thread context of 2416	3028	ughxrz.exe	31
PID 2416 set thread context of 1208	2416	ughxrz.exe	21
PID 2776 set thread context of 1208	2776	cmstp.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	inlaweed324456.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ughxrz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmstp.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2416	ughxrz.exe
2416	ughxrz.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe
2776	cmstp.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2416	ughxrz.exe
2416	ughxrz.exe
2416	ughxrz.exe
2776	cmstp.exe
2776	cmstp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2416	ughxrz.exe
Token: SeDebugPrivilege	2776	cmstp.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 3028	2368	inlaweed324456.exe	30
PID 2368 wrote to memory of 3028	2368	inlaweed324456.exe	30
PID 2368 wrote to memory of 3028	2368	inlaweed324456.exe	30
PID 2368 wrote to memory of 3028	2368	inlaweed324456.exe	30
PID 3028 wrote to memory of 2416	3028	ughxrz.exe	31
PID 3028 wrote to memory of 2416	3028	ughxrz.exe	31
PID 3028 wrote to memory of 2416	3028	ughxrz.exe	31
PID 3028 wrote to memory of 2416	3028	ughxrz.exe	31
PID 3028 wrote to memory of 2416	3028	ughxrz.exe	31
PID 3028 wrote to memory of 2416	3028	ughxrz.exe	31
PID 3028 wrote to memory of 2416	3028	ughxrz.exe	31
PID 1208 wrote to memory of 2776	1208	Explorer.EXE	51
PID 1208 wrote to memory of 2776	1208	Explorer.EXE	51
PID 1208 wrote to memory of 2776	1208	Explorer.EXE	51
PID 1208 wrote to memory of 2776	1208	Explorer.EXE	51
PID 1208 wrote to memory of 2776	1208	Explorer.EXE	51
PID 1208 wrote to memory of 2776	1208	Explorer.EXE	51
PID 1208 wrote to memory of 2776	1208	Explorer.EXE	51
PID 2776 wrote to memory of 2896	2776	cmstp.exe	53
PID 2776 wrote to memory of 2896	2776	cmstp.exe	53
PID 2776 wrote to memory of 2896	2776	cmstp.exe	53
PID 2776 wrote to memory of 2896	2776	cmstp.exe	53

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Users\Admin\AppData\Local\Temp\inlaweed324456.exe
  "C:\Users\Admin\AppData\Local\Temp\inlaweed324456.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Users\Admin\AppData\Local\Temp\ughxrz.exe
    C:\Users\Admin\AppData\Local\Temp\ughxrz.exe C:\Users\Admin\AppData\Local\Temp\kunwbqbivl
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3028
  - - C:\Users\Admin\AppData\Local\Temp\ughxrz.exe
      C:\Users\Admin\AppData\Local\Temp\ughxrz.exe C:\Users\Admin\AppData\Local\Temp\kunwbqbivl
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2416
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2384
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:1544
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2520
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2524
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2516
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:1868
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2168
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:1744
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2112
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:264
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2712
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:580
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2568
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:1508
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2748
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2768
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2824
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2828
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2844
- C:\Windows\SysWOW64\cmstp.exe
  "C:\Windows\SysWOW64\cmstp.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\ughxrz.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dsi54bg0l05gki

Filesize
184KB

MD5
ab7b842a222f7f292b046687f4beeb8b

SHA1
c0ebb3975cb4fa454c535915f2277cbda26c20e3

SHA256
84e167d1ed138c82b3e90a332e4cce207da3cbe6763c2d1f93d51e6ab7d7b8d1

SHA512
5b212f17abdc3e5e35d70ac00e703a5d8664f569b0a07c3e143887016e58b104d251de6b0c136ec900bfe5c6047505d0c45014e8235e1b8992689a32cfbfefa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\kunwbqbivl

Filesize
4KB

MD5
ebcbecf083bd04fdc4f19036eced42ce

SHA1
59ac3f77b1c64b6f0aed95404e8a5ca6bab762cb

SHA256
27eacff6815497d148c2661aae0883833a5b2df12ea05d573145b343c32f8e4c

SHA512
4e6de66ba7564822e273077772fccf1d82dd90a87ad58c1a14a99d9fbf9a229dfb2ebb9a35cff1ad56f0c0ccff39b42bf36daf57810e9f0402a0cac470928ce1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ughxrz.exe

Filesize
4KB

MD5
86ec26587378d1a1ff33ce1aa2680fba

SHA1
577ba29772044952e70cfab3f9c08c06a4272314

SHA256
192fba7e71f2f2e0d53c8ac2b9a0ce20c489b8d8306e44cd025fa0fd3bfc5229

SHA512
e0c309435494918579379c4c1ccfc8f03ab8bd474c1f142179d5050bc99693ba08ea2cdda88e22bf1e7c12ac634aa15ed08dfd4b5a78e464c33ac495bf9f4f60

Download Submit
memory/1208-19-0x0000000004F60000-0x00000000050F6000-memory.dmp

Filesize
1.6MB

Download
memory/1208-25-0x0000000004F60000-0x00000000050F6000-memory.dmp

Filesize
1.6MB

Download
memory/2416-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2416-18-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2776-22-0x00000000007C0000-0x00000000007D8000-memory.dmp

Filesize
96KB

Download
memory/2776-23-0x00000000007C0000-0x00000000007D8000-memory.dmp

Filesize
96KB

Download
memory/2776-24-0x0000000000090000-0x00000000000BF000-memory.dmp

Filesize
188KB

Download
memory/3028-12-0x00000000003C0000-0x00000000003C2000-memory.dmp

Filesize
8KB

Download