Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-12-2024 21:15

General

  • Target

    FORMBOOK.exe

  • Size

    1.4MB

  • MD5

    f2b788dd73b7ead8f3721782f2034fe4

  • SHA1

    f6dc7ba2b002c430f5693efdc79123f7e519bcb8

  • SHA256

    3c011d08f75514a4f4bcdd02314b903c546ad8f16186541f8f79661744100e5b

  • SHA512

    a6c0ace122fdc9897666a5520934b22523a53a2d2d0e1f586b3b8600a695d7f2f4327243e030934c126717b12cea534123d1cea47f9507c4241d1c2e31a16bc5

  • SSDEEP

    24576:ugZYp/WKU61KnS/IHqjQt6LBknxzqx2e4ZTq+9TrLZ7BO+m/7gnM:uQY5bdIJH6Umkx0kZR9y+q7gnM

Malware Config

Extracted

  • Family
    formbook
  • Version
    3.7
  • Campaign
    ol
  • Decoy

Signatures

  • Formbook

    Formbook is an information-stealing malware family.

  • Formbook family
  • UAC bypass (3 TTPs, 1 IoC)
  • Formbook payload (2 IoCs)
  • Adds policy Run key to start application (2 TTPs, 2 IoCs)
  • Modifies Windows Firewall (2 TTPs, 1 IoC)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials.

  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Looks up external IP address via web service (1 IoC)

    Uses a legitimate IP lookup service to find the infected system's external IP address.

  • AutoIT Executable (16 IoCs)

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext (3 IoCs)
  • UPX packed file (20 IoCs)

    Detects executables packed with the open-source UPX packer or a modified variant of it.

  • Drops file in Program Files directory (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery (1 TTP, 14 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Gathers system information (1 TTP, 1 IoC)

    Runs systeminfo.exe.

  • Modifies Internet Explorer settings (1 TTP, 1 IoC)
  • Modifies system certificate store (2 TTPs, 5 IoCs)
  • NTFS ADS (1 IoC)
  • Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: MapViewOfSection (5 IoCs)
  • Suspicious use of AdjustPrivilegeToken (35 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (45 IoCs)
  • System policy modification (1 TTP, 5 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3520
    • C:\Users\Admin\AppData\Local\Temp\FORMBOOK.exe
      "C:\Users\Admin\AppData\Local\Temp\FORMBOOK.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:432
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "NDODRC\NDODRC" /XML "C:\Users\Admin\AppData\Roaming\NDODRC\alllll.xml"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:1812
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Windows\System32\svchost.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1456
      • C:\Users\Admin\AppData\Local\Temp\UUKAL.exe
        "C:\Users\Admin\AppData\Local\Temp\UUKAL.exe"
        3⤵
        • UAC bypass
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Enumerates system info in registry
        • NTFS ADS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:2556
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c netsh firewall add allowedprogram program = STcONaURjstoJeQ(uMqeEfSfaGeNmho("yJmAEIBBXdvRXSFRGegUiJnA")) name = STcONaURjstoJeQ(uMqeEfSfaGeNmho("XQ0V1bwVGZ0FQZ==")) mode = ENABLE
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2684
          • C:\Windows\SysWOW64\netsh.exe
            netsh firewall add allowedprogram program = STcONaURjstoJeQ(uMqeEfSfaGeNmho("yJmAEIBBXdvRXSFRGegUiJnA")) name = STcONaURjstoJeQ(uMqeEfSfaGeNmho("XQ0V1bwVGZ0FQZ==")) mode = ENABLE
            5⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            • System Location Discovery: System Language Discovery
            PID:4188
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\log\pass.exe all
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4732
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /k systeminfo
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:348
          • C:\Windows\SysWOW64\systeminfo.exe
            systeminfo
            5⤵
            • System Location Discovery: System Language Discovery
            • Gathers system information
            PID:2648
        • C:\Users\Admin\AppData\Roaming\log\AutoUpdate.exe
          C:\Users\Admin\AppData\Roaming\log\AutoUpdate.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Modifies system certificate store
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:816
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /k HOSTNAME
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3940
            • C:\Windows\SysWOW64\HOSTNAME.EXE
              HOSTNAME
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2964
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\SysWOW64\wscript.exe"
      2⤵
      • Adds policy Run key to start application
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2212
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\SysWOW64\svchost.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3392
      • C:\Windows\SysWOW64\cmd.exe
        /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1152

Network

MITRE ATT&CK Enterprise v15

Downloads
