formbook | 60e69b5308fc3a7233d5fb4379625a028234b0df6194a898b973897a92377b89

Analysis

max time kernel
149s
max time network
139s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
30/12/2024, 00:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1102670247.exe
Size

1.2MB
MD5

698a3a3a5cbec27c26d77863e3d92d28
SHA1

ea49431ca823990a6a50c50a183a78a24b4c163b
SHA256

c8dbe8b8a92f18c8361b78167dd1f079d5d41b3a2e48065aad717ab07fc62027
SHA512

4859433c22450025831b750f26e8e584bea8ffdf07b4a59075585e134197f8b82768a9d37a0449ac5a33adda5dd39fa632d1db9ae2ebd8a6d47f9de1b9a42ec2
SSDEEP

24576:UAOcZXcxP6qa5JWwElvJpUNsUCl/NzyyRiP6n4G7/AybB6Tq2HR:CHF4JWw6vfjK6F7LdgRR

Score

10^/10

formbook mn21 discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mn21

Decoy

h3k38c.icu

qbfstopp.com

butalip.xyz

hanghang.club

relativemotionsuspension.com

bjddjyfdc.com

patrichard.com

filyacat.com

mothertukker.co.uk

riescodesign.com

afierypulse.com

supplypartners.biz

ekkogroupmoment.com

ivnocup.com

lycyjzx.com

elbuensamaritanoinc.com

forzel.com

mykedairuncit.com

usuariosconsultasnet.store

idaparry.cfd

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 5 IoCs

rat

resource	yara_rule
behavioral1/memory/2352-75-0x0000000000400000-0x00000000008A3000-memory.dmp	formbook
behavioral1/memory/2056-71-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2056-79-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2352-81-0x0000000000400000-0x00000000008A3000-memory.dmp	formbook
behavioral1/memory/1748-87-0x00000000000C0000-0x00000000000EF000-memory.dmp	formbook

Executes dropped EXE 1 IoCs

pid	Process
2556	mplromwuvs.pif

Loads dropped DLL 4 IoCs

pid	Process
2324	1102670247.exe
2324	1102670247.exe
2324	1102670247.exe
2324	1102670247.exe

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 2556 set thread context of 2056	2556	mplromwuvs.pif	32
PID 2556 set thread context of 2352	2556	mplromwuvs.pif	31
PID 2056 set thread context of 1260	2056	RegSvcs.exe	21
PID 2352 set thread context of 1260	2352	RegSvcs.exe	21
PID 2056 set thread context of 1260	2056	RegSvcs.exe	21
PID 2352 set thread context of 1260	2352	RegSvcs.exe	21
PID 1748 set thread context of 1260	1748	wlanext.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1102670247.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mplromwuvs.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wlanext.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuapp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2056	RegSvcs.exe
2352	RegSvcs.exe
2056	RegSvcs.exe
2352	RegSvcs.exe
2056	RegSvcs.exe
2352	RegSvcs.exe
1748	wlanext.exe
2188	wuapp.exe
1748	wlanext.exe
1748	wlanext.exe
1748	wlanext.exe
1748	wlanext.exe
1748	wlanext.exe
1748	wlanext.exe
1748	wlanext.exe
1748	wlanext.exe
1748	wlanext.exe
1748	wlanext.exe
1748	wlanext.exe
1748	wlanext.exe
1748	wlanext.exe
1748	wlanext.exe
1748	wlanext.exe
1748	wlanext.exe
1748	wlanext.exe
1748	wlanext.exe
1748	wlanext.exe
1748	wlanext.exe
1748	wlanext.exe
1748	wlanext.exe
1748	wlanext.exe
1748	wlanext.exe
1748	wlanext.exe
1748	wlanext.exe
1748	wlanext.exe

Suspicious behavior: MapViewOfSection 10 IoCs

pid	Process
2056	RegSvcs.exe
2352	RegSvcs.exe
2056	RegSvcs.exe
2352	RegSvcs.exe
2056	RegSvcs.exe
2056	RegSvcs.exe
2352	RegSvcs.exe
2352	RegSvcs.exe
1748	wlanext.exe
1748	wlanext.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2056	RegSvcs.exe
Token: SeDebugPrivilege	2352	RegSvcs.exe
Token: SeDebugPrivilege	1748	wlanext.exe
Token: SeDebugPrivilege	2188	wuapp.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 2556	2324	1102670247.exe	30
PID 2324 wrote to memory of 2556	2324	1102670247.exe	30
PID 2324 wrote to memory of 2556	2324	1102670247.exe	30
PID 2324 wrote to memory of 2556	2324	1102670247.exe	30
PID 2324 wrote to memory of 2556	2324	1102670247.exe	30
PID 2324 wrote to memory of 2556	2324	1102670247.exe	30
PID 2324 wrote to memory of 2556	2324	1102670247.exe	30
PID 2556 wrote to memory of 2352	2556	mplromwuvs.pif	31
PID 2556 wrote to memory of 2352	2556	mplromwuvs.pif	31
PID 2556 wrote to memory of 2352	2556	mplromwuvs.pif	31
PID 2556 wrote to memory of 2352	2556	mplromwuvs.pif	31
PID 2556 wrote to memory of 2352	2556	mplromwuvs.pif	31
PID 2556 wrote to memory of 2352	2556	mplromwuvs.pif	31
PID 2556 wrote to memory of 2352	2556	mplromwuvs.pif	31
PID 2556 wrote to memory of 2056	2556	mplromwuvs.pif	32
PID 2556 wrote to memory of 2056	2556	mplromwuvs.pif	32
PID 2556 wrote to memory of 2056	2556	mplromwuvs.pif	32
PID 2556 wrote to memory of 2056	2556	mplromwuvs.pif	32
PID 2556 wrote to memory of 2056	2556	mplromwuvs.pif	32
PID 2556 wrote to memory of 2056	2556	mplromwuvs.pif	32
PID 2556 wrote to memory of 2056	2556	mplromwuvs.pif	32
PID 2556 wrote to memory of 2056	2556	mplromwuvs.pif	32
PID 2556 wrote to memory of 2056	2556	mplromwuvs.pif	32
PID 2556 wrote to memory of 2056	2556	mplromwuvs.pif	32
PID 2556 wrote to memory of 2352	2556	mplromwuvs.pif	31
PID 2556 wrote to memory of 2352	2556	mplromwuvs.pif	31
PID 1260 wrote to memory of 1748	1260	Explorer.EXE	33
PID 1260 wrote to memory of 1748	1260	Explorer.EXE	33
PID 1260 wrote to memory of 1748	1260	Explorer.EXE	33
PID 1260 wrote to memory of 1748	1260	Explorer.EXE	33
PID 1260 wrote to memory of 2188	1260	Explorer.EXE	34
PID 1260 wrote to memory of 2188	1260	Explorer.EXE	34
PID 1260 wrote to memory of 2188	1260	Explorer.EXE	34
PID 1260 wrote to memory of 2188	1260	Explorer.EXE	34
PID 1260 wrote to memory of 2188	1260	Explorer.EXE	34
PID 1260 wrote to memory of 2188	1260	Explorer.EXE	34
PID 1260 wrote to memory of 2188	1260	Explorer.EXE	34
PID 1748 wrote to memory of 2648	1748	wlanext.exe	35
PID 1748 wrote to memory of 2648	1748	wlanext.exe	35
PID 1748 wrote to memory of 2648	1748	wlanext.exe	35
PID 1748 wrote to memory of 2648	1748	wlanext.exe	35

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Users\Admin\AppData\Local\Temp\1102670247.exe
  "C:\Users\Admin\AppData\Local\Temp\1102670247.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\1_38\mplromwuvs.pif
    "C:\1_38\mplromwuvs.pif" fujkexbdr.tvr
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2352
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2056
- C:\Windows\SysWOW64\wlanext.exe
  "C:\Windows\SysWOW64\wlanext.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2648
- C:\Windows\SysWOW64\wuapp.exe
  "C:\Windows\SysWOW64\wuapp.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\1_38\aucnmrmgcp.gdc

Filesize
370KB

MD5
d8b6082faa90fb2c36026a13a5d579f6

SHA1
a0ef3245552b8605d774785782c983e299128096

SHA256
e2449d29f2482c3aba5f59d1da98711ce78118fec1f7cb9364d5fa8231940a99

SHA512
4b505f7b8c41b13c2cce662a0beb43ff60270dbfa2fe2245427c6e7b32d9357a7628185311b2f08c184d0cc15b097829c5dea9f6146f2b81d62889f1eb384bb3

Download Submit
C:\1_38\qecdq.icm

Filesize
42KB

MD5
6f4332f37e326e1cb6d36211106f8da0

SHA1
6073c10d1b1bbf9d512c12dcaa8024a0443fae98

SHA256
1692f8d9b05831dfcbfe25a2fab9f1dbc96ba548329bb707690b316a925d3027

SHA512
9a7e9d8f8502062503d0b0d25b17b5f6bcb2dcf6e95fd4430b6dafdc2a53a691e023d9e4a51cbeb66fa73c4f1caa241307b07ac4530ffff164d0ac2dde57cfa2

Download Submit
\1_38\mplromwuvs.pif

Filesize
801KB

MD5
dae073ff3ec1441bd6dd60a1c84bca94

SHA1
ffe7f1c111bd4e52877b6fa7cf078b3c7487b95a

SHA256
3dc837914c42318fc2133b9d8455e14a86981b67898080791d1dcdc7b31b28d5

SHA512
104fd5255b5716887eb510469626c9b1613e8a66f24b32c22ff26c190243658bf1ac6699ac04b9a903f2cd192719eb84c0c34b2143ba4206bf1f0874dfd33466

Download Submit
memory/1260-77-0x0000000003FA0000-0x00000000040A0000-memory.dmp

Filesize
1024KB

Download
memory/1260-91-0x00000000080E0000-0x0000000008200000-memory.dmp

Filesize
1.1MB

Download
memory/1260-80-0x00000000056A0000-0x0000000005752000-memory.dmp

Filesize
712KB

Download
memory/1748-87-0x00000000000C0000-0x00000000000EF000-memory.dmp

Filesize
188KB

Download
memory/1748-83-0x0000000000850000-0x0000000000866000-memory.dmp

Filesize
88KB

Download
memory/2056-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2056-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2056-70-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2056-68-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2056-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2188-84-0x00000000013B0000-0x00000000013BB000-memory.dmp

Filesize
44KB

Download
memory/2352-75-0x0000000000400000-0x00000000008A3000-memory.dmp

Filesize
4.6MB

Download
memory/2352-81-0x0000000000400000-0x00000000008A3000-memory.dmp

Filesize
4.6MB

Download
memory/2352-72-0x0000000000400000-0x00000000008A3000-memory.dmp

Filesize
4.6MB

Download