formbook | eeea861b682bed10d258c2287131d406994d8ee0aa3976fe613f69c9dffe2969

Analysis

max time kernel
146s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-12-2024 05:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98a0baed911fcca09a50dd4dc17f6f65edf26cc6d834681b1d2a270bfbf3f45c.exe
Size

770KB
MD5

cf6c56346d93fc10443e9261c797746f
SHA1

1702b84ce180e96d166834cdbd83ed71a8f16aea
SHA256

98a0baed911fcca09a50dd4dc17f6f65edf26cc6d834681b1d2a270bfbf3f45c
SHA512

228f275ea0c886ae74ecea22eca47535998c4d69284348db110f699a368d971ad7a16f8aa3b1fdfea98866082d8bfdf8fe144bc4ebea26d32a42d062d6fe30dd
SSDEEP

12288:U5Vko2KEJCq7MD0WnFTXQ0ixKIQK+uBLcnC76n1lT2L5m3bVpHlEkOi5:7JJH7+FnVCQL+LW5LT21m37HlEnG

Score

10^/10

formbook p0t9 discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

p0t9

Decoy

marketplacewins.com

boymeetsmilf.com

ruhuplus.com

adultescortnft.com

app683.icu

viade.store

businesscardadvertiser.com

5649tk.com

daoguo456.com

digitalservice.pro

muabannothienuy.com

geneseeampwyoming.com

olliejay00.com

pristineintegrity.info

jimdeyux0kopgnhsldig.club

eadsscale.club

iwelim.space

s29x.club

brysonhajee.com

trainership.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/2660-13-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2660-17-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2660-21-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2012-27-0x0000000000090000-0x00000000000BF000-memory.dmp	formbook

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2308 set thread context of 2660	2308	98a0baed911fcca09a50dd4dc17f6f65edf26cc6d834681b1d2a270bfbf3f45c.exe	31
PID 2660 set thread context of 1224	2660	vbc.exe	21
PID 2660 set thread context of 1224	2660	vbc.exe	21
PID 2012 set thread context of 1224	2012	wuapp.exe	21

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuapp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	98a0baed911fcca09a50dd4dc17f6f65edf26cc6d834681b1d2a270bfbf3f45c.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2660	vbc.exe
2660	vbc.exe
2660	vbc.exe
2012	wuapp.exe
2012	wuapp.exe
2012	wuapp.exe
2012	wuapp.exe
2012	wuapp.exe
2012	wuapp.exe
2012	wuapp.exe
2012	wuapp.exe
2012	wuapp.exe
2012	wuapp.exe
2012	wuapp.exe
2012	wuapp.exe
2012	wuapp.exe
2012	wuapp.exe
2012	wuapp.exe
2012	wuapp.exe
2012	wuapp.exe
2012	wuapp.exe
2012	wuapp.exe
2012	wuapp.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2660	vbc.exe
2660	vbc.exe
2660	vbc.exe
2660	vbc.exe
2012	wuapp.exe
2012	wuapp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2660	vbc.exe
Token: SeDebugPrivilege	2012	wuapp.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 2660	2308	98a0baed911fcca09a50dd4dc17f6f65edf26cc6d834681b1d2a270bfbf3f45c.exe	31
PID 2308 wrote to memory of 2660	2308	98a0baed911fcca09a50dd4dc17f6f65edf26cc6d834681b1d2a270bfbf3f45c.exe	31
PID 2308 wrote to memory of 2660	2308	98a0baed911fcca09a50dd4dc17f6f65edf26cc6d834681b1d2a270bfbf3f45c.exe	31
PID 2308 wrote to memory of 2660	2308	98a0baed911fcca09a50dd4dc17f6f65edf26cc6d834681b1d2a270bfbf3f45c.exe	31
PID 2308 wrote to memory of 2660	2308	98a0baed911fcca09a50dd4dc17f6f65edf26cc6d834681b1d2a270bfbf3f45c.exe	31
PID 2308 wrote to memory of 2660	2308	98a0baed911fcca09a50dd4dc17f6f65edf26cc6d834681b1d2a270bfbf3f45c.exe	31
PID 2308 wrote to memory of 2660	2308	98a0baed911fcca09a50dd4dc17f6f65edf26cc6d834681b1d2a270bfbf3f45c.exe	31
PID 1224 wrote to memory of 2012	1224	Explorer.EXE	55
PID 1224 wrote to memory of 2012	1224	Explorer.EXE	55
PID 1224 wrote to memory of 2012	1224	Explorer.EXE	55
PID 1224 wrote to memory of 2012	1224	Explorer.EXE	55
PID 1224 wrote to memory of 2012	1224	Explorer.EXE	55
PID 1224 wrote to memory of 2012	1224	Explorer.EXE	55
PID 1224 wrote to memory of 2012	1224	Explorer.EXE	55
PID 2012 wrote to memory of 2544	2012	wuapp.exe	56
PID 2012 wrote to memory of 2544	2012	wuapp.exe	56
PID 2012 wrote to memory of 2544	2012	wuapp.exe	56
PID 2012 wrote to memory of 2544	2012	wuapp.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Users\Admin\AppData\Local\Temp\98a0baed911fcca09a50dd4dc17f6f65edf26cc6d834681b1d2a270bfbf3f45c.exe
  "C:\Users\Admin\AppData\Local\Temp\98a0baed911fcca09a50dd4dc17f6f65edf26cc6d834681b1d2a270bfbf3f45c.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2660
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2724
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2604
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2668
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2556
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2552
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2572
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2588
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2620
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2632
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2448
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2976
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2608
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2972
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2260
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2156
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2984
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:1624
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:1092
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:1112
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:484
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:1784
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:1728
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2524
- C:\Windows\SysWOW64\wuapp.exe
  "C:\Windows\SysWOW64\wuapp.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1224-19-0x0000000006B60000-0x0000000006C6D000-memory.dmp

Filesize
1.1MB

Download
memory/1224-28-0x0000000007800000-0x0000000007967000-memory.dmp

Filesize
1.4MB

Download
memory/1224-24-0x0000000007800000-0x0000000007967000-memory.dmp

Filesize
1.4MB

Download
memory/1224-23-0x0000000006B60000-0x0000000006C6D000-memory.dmp

Filesize
1.1MB

Download
memory/2012-27-0x0000000000090000-0x00000000000BF000-memory.dmp

Filesize
188KB

Download
memory/2012-26-0x0000000000D40000-0x0000000000D4B000-memory.dmp

Filesize
44KB

Download
memory/2012-25-0x0000000000D40000-0x0000000000D4B000-memory.dmp

Filesize
44KB

Download
memory/2308-14-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2308-7-0x0000000004440000-0x0000000004474000-memory.dmp

Filesize
208KB

Download
memory/2308-1-0x0000000000F60000-0x0000000001026000-memory.dmp

Filesize
792KB

Download
memory/2308-2-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2308-3-0x00000000002D0000-0x00000000002DE000-memory.dmp

Filesize
56KB

Download
memory/2308-0-0x000000007469E000-0x000000007469F000-memory.dmp

Filesize
4KB

Download
memory/2308-4-0x000000007469E000-0x000000007469F000-memory.dmp

Filesize
4KB

Download
memory/2308-5-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2308-6-0x00000000053B0000-0x0000000005464000-memory.dmp

Filesize
720KB

Download
memory/2660-9-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2660-17-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2660-22-0x0000000000460000-0x0000000000474000-memory.dmp

Filesize
80KB

Download
memory/2660-21-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2660-18-0x00000000003E0000-0x00000000003F4000-memory.dmp

Filesize
80KB

Download
memory/2660-15-0x0000000000C10000-0x0000000000F13000-memory.dmp

Filesize
3.0MB

Download
memory/2660-10-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2660-12-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2660-13-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download