formbook | 55b920c636fdba7c4343d60801d4c0c2bfe29100131963407b85eed9e1a1ea4a

Analysis

max time kernel
147s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-12-2024 18:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

texttvieww321.exe
Size

1.3MB
MD5

7dd3986b7546f3f40d22a60aa2ff6023
SHA1

b47f96c5ae85a3ee7c571074208bfaa7a968f673
SHA256

919a696629c2c0dd9679be7630ada2b1e1173da3bce748980b07fa360872f727
SHA512

5d95b02b8c626912ede55080579032aeafa969d3a95f1842570c00e514bc5b0fb1b31825b393148bafad99f05406d97458d93e79cc12bbff91b6d2c9a151626d
SSDEEP

24576:iAOcZXp0wL/6dqr+LXTcpsBIUkjPV99npuezy71oporahr:ocb6EcjAsBIUkj9fZe6Gs

Score

10^/10

formbook t01w discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

t01w

Decoy

yeluzishiyanshi.com

thehardtech.xyz

arrowheadk8.site

zaulkunutila.xyz

lookastro.net

congregorecruitment.co.uk

darcyboo.uk

collettesbet.net

ltgpd.com

hiddenapphq.net

haxtrl.online

esenbook.com

jxzyyx.com

ulvabuyout.xyz

instashop.life

vazra.top

ewdvatcuce4.top

zhishi68.com

fabricsandfashion.com

hootcaster.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/2872-75-0x0000000000400000-0x0000000000906000-memory.dmp	formbook
behavioral1/memory/2800-79-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Executes dropped EXE 1 IoCs

pid	Process
2728	qhsgapmlc.pif

Loads dropped DLL 4 IoCs

pid	Process
2960	texttvieww321.exe
2960	texttvieww321.exe
2960	texttvieww321.exe
2960	texttvieww321.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2728 set thread context of 2828	2728	qhsgapmlc.pif	32
PID 2728 set thread context of 2872	2728	qhsgapmlc.pif	31
PID 2872 set thread context of 1252	2872	RegSvcs.exe	21
PID 2800 set thread context of 1252	2800	svchost.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	texttvieww321.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qhsgapmlc.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2872	RegSvcs.exe
2872	RegSvcs.exe
2800	svchost.exe
2800	svchost.exe
2800	svchost.exe
2800	svchost.exe
2800	svchost.exe
2800	svchost.exe
2800	svchost.exe
2800	svchost.exe
2800	svchost.exe
2800	svchost.exe
2800	svchost.exe
2800	svchost.exe
2800	svchost.exe
2800	svchost.exe
2800	svchost.exe
2800	svchost.exe
2800	svchost.exe
2800	svchost.exe
2800	svchost.exe
2800	svchost.exe
2800	svchost.exe
2800	svchost.exe
2800	svchost.exe
2800	svchost.exe
2800	svchost.exe
2800	svchost.exe
2800	svchost.exe
2800	svchost.exe
2800	svchost.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2872	RegSvcs.exe
2872	RegSvcs.exe
2872	RegSvcs.exe
2800	svchost.exe
2800	svchost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2872	RegSvcs.exe
Token: SeDebugPrivilege	2800	svchost.exe
Token: SeShutdownPrivilege	1252	Explorer.EXE
Token: SeShutdownPrivilege	1252	Explorer.EXE

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 2728	2960	texttvieww321.exe	30
PID 2960 wrote to memory of 2728	2960	texttvieww321.exe	30
PID 2960 wrote to memory of 2728	2960	texttvieww321.exe	30
PID 2960 wrote to memory of 2728	2960	texttvieww321.exe	30
PID 2960 wrote to memory of 2728	2960	texttvieww321.exe	30
PID 2960 wrote to memory of 2728	2960	texttvieww321.exe	30
PID 2960 wrote to memory of 2728	2960	texttvieww321.exe	30
PID 2728 wrote to memory of 2872	2728	qhsgapmlc.pif	31
PID 2728 wrote to memory of 2872	2728	qhsgapmlc.pif	31
PID 2728 wrote to memory of 2872	2728	qhsgapmlc.pif	31
PID 2728 wrote to memory of 2872	2728	qhsgapmlc.pif	31
PID 2728 wrote to memory of 2872	2728	qhsgapmlc.pif	31
PID 2728 wrote to memory of 2872	2728	qhsgapmlc.pif	31
PID 2728 wrote to memory of 2872	2728	qhsgapmlc.pif	31
PID 2728 wrote to memory of 2828	2728	qhsgapmlc.pif	32
PID 2728 wrote to memory of 2828	2728	qhsgapmlc.pif	32
PID 2728 wrote to memory of 2828	2728	qhsgapmlc.pif	32
PID 2728 wrote to memory of 2828	2728	qhsgapmlc.pif	32
PID 2728 wrote to memory of 2828	2728	qhsgapmlc.pif	32
PID 2728 wrote to memory of 2828	2728	qhsgapmlc.pif	32
PID 2728 wrote to memory of 2828	2728	qhsgapmlc.pif	32
PID 2728 wrote to memory of 2828	2728	qhsgapmlc.pif	32
PID 2728 wrote to memory of 2872	2728	qhsgapmlc.pif	31
PID 2728 wrote to memory of 2872	2728	qhsgapmlc.pif	31
PID 1252 wrote to memory of 2800	1252	Explorer.EXE	33
PID 1252 wrote to memory of 2800	1252	Explorer.EXE	33
PID 1252 wrote to memory of 2800	1252	Explorer.EXE	33
PID 1252 wrote to memory of 2800	1252	Explorer.EXE	33
PID 2800 wrote to memory of 2612	2800	svchost.exe	35
PID 2800 wrote to memory of 2612	2800	svchost.exe	35
PID 2800 wrote to memory of 2612	2800	svchost.exe	35
PID 2800 wrote to memory of 2612	2800	svchost.exe	35

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Users\Admin\AppData\Local\Temp\texttvieww321.exe
  "C:\Users\Admin\AppData\Local\Temp\texttvieww321.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\5_94\qhsgapmlc.pif
    "C:\5_94\qhsgapmlc.pif" ecpkjs.qsf
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2872
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:2828
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\SysWOW64\svchost.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\5_94\qhsgapmlc.pif

Filesize
1.7MB

MD5
dd3466f64841cf21fc31f63f03dbfd29

SHA1
3878c8e52203d792c6f672595f7c78ab27ce3f04

SHA256
4fe3004208ed574521992dd1ba3d900b75a0f02f1d63ba1e531d309e85ffa06b

SHA512
adf3fe8378f7da5ba278db9a1df4cc7b5cff12398ec39ee7037382ebf57897de8bec72be64b5e7332bdb7ed865788dcb6ef4ceda6654e1153d39fe84b011b057

Download Submit
C:\5_94\sbdrrq.icm

Filesize
42KB

MD5
74f0a1e094a0e4dfafddc8ffad0281c2

SHA1
6e301e6295a2a7073925a615dd0ab9493e08ab96

SHA256
e1c7a07ac5091d6e100c1adae42f1bc477fcc83964fc9d9480a6cfb92b3422d9

SHA512
285914c6200cf404b713d360dad52debd4e1b26d6a70d9a4047a5a04c1e0680054fe47bb428d930b5b11e10625ae7cf5e1b56b27559fe9e336c64bddc56add8c

Download Submit
C:\5_94\tvumqgrjj.ito

Filesize
370KB

MD5
4ca051baad26f8de38acaa35afc79a4b

SHA1
c30cba02cd6d2a74695fd64ebc843ba0af323b7f

SHA256
800dffba7fc8898f854898cb42293e2aad08b7e3d406e5e6898001a7b31d3568

SHA512
9e52ce4464bbed6450bef925dc77a3b7374d15ca47d855d8fde991763afd0c10c61c210039f515d18df42f01d8f4baa54094396d18ab73c3a06de88e4b2f3f12

Download Submit
memory/1252-77-0x0000000002F90000-0x0000000003090000-memory.dmp

Filesize
1024KB

Download
memory/1252-83-0x0000000006BA0000-0x0000000006C6E000-memory.dmp

Filesize
824KB

Download
memory/2800-78-0x0000000000C40000-0x0000000000C48000-memory.dmp

Filesize
32KB

Download
memory/2800-79-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/2828-70-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2872-72-0x0000000000400000-0x0000000000906000-memory.dmp

Filesize
5.0MB

Download
memory/2872-75-0x0000000000400000-0x0000000000906000-memory.dmp

Filesize
5.0MB

Download