formbook | 60e69b5308fc3a7233d5fb4379625a028234b0df6194a898b973897a92377b89

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2024, 00:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1102670247.exe
Size

1.2MB
MD5

698a3a3a5cbec27c26d77863e3d92d28
SHA1

ea49431ca823990a6a50c50a183a78a24b4c163b
SHA256

c8dbe8b8a92f18c8361b78167dd1f079d5d41b3a2e48065aad717ab07fc62027
SHA512

4859433c22450025831b750f26e8e584bea8ffdf07b4a59075585e134197f8b82768a9d37a0449ac5a33adda5dd39fa632d1db9ae2ebd8a6d47f9de1b9a42ec2
SSDEEP

24576:UAOcZXcxP6qa5JWwElvJpUNsUCl/NzyyRiP6n4G7/AybB6Tq2HR:CHF4JWw6vfjK6F7LdgRR

Score

10^/10

formbook mn21 discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mn21

Decoy

h3k38c.icu

qbfstopp.com

butalip.xyz

hanghang.club

relativemotionsuspension.com

bjddjyfdc.com

patrichard.com

filyacat.com

mothertukker.co.uk

riescodesign.com

afierypulse.com

supplypartners.biz

ekkogroupmoment.com

ivnocup.com

lycyjzx.com

elbuensamaritanoinc.com

forzel.com

mykedairuncit.com

usuariosconsultasnet.store

idaparry.cfd

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 3 IoCs

rat

resource	yara_rule
behavioral2/memory/2772-58-0x0000000000400000-0x0000000000A99000-memory.dmp	formbook
behavioral2/memory/2772-62-0x0000000000400000-0x0000000000A99000-memory.dmp	formbook
behavioral2/memory/2316-66-0x0000000000AD0000-0x0000000000AFF000-memory.dmp	formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	1102670247.exe

Executes dropped EXE 1 IoCs

pid	Process
5004	mplromwuvs.pif

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 5004 set thread context of 1148	5004	mplromwuvs.pif	85
PID 5004 set thread context of 2772	5004	mplromwuvs.pif	84
PID 2772 set thread context of 3492	2772	RegSvcs.exe	56
PID 2316 set thread context of 3492	2316	help.exe	56

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4876	1148	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1102670247.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mplromwuvs.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	help.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
2772	RegSvcs.exe
2772	RegSvcs.exe
2772	RegSvcs.exe
2772	RegSvcs.exe
2316	help.exe
2316	help.exe
2316	help.exe
2316	help.exe
2316	help.exe
2316	help.exe
2316	help.exe
2316	help.exe
2316	help.exe
2316	help.exe
2316	help.exe
2316	help.exe
2316	help.exe
2316	help.exe
2316	help.exe
2316	help.exe
2316	help.exe
2316	help.exe
2316	help.exe
2316	help.exe
2316	help.exe
2316	help.exe
2316	help.exe
2316	help.exe
2316	help.exe
2316	help.exe
2316	help.exe
2316	help.exe
2316	help.exe
2316	help.exe
2316	help.exe
2316	help.exe
2316	help.exe
2316	help.exe
2316	help.exe
2316	help.exe
2316	help.exe
2316	help.exe
2316	help.exe
2316	help.exe
2316	help.exe
2316	help.exe
2316	help.exe
2316	help.exe
2316	help.exe
2316	help.exe
2316	help.exe
2316	help.exe
2316	help.exe
2316	help.exe
2316	help.exe
2316	help.exe
2316	help.exe
2316	help.exe
2316	help.exe
2316	help.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2772	RegSvcs.exe
2772	RegSvcs.exe
2772	RegSvcs.exe
2316	help.exe
2316	help.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2772	RegSvcs.exe
Token: SeShutdownPrivilege	3492	Explorer.EXE
Token: SeCreatePagefilePrivilege	3492	Explorer.EXE
Token: SeShutdownPrivilege	3492	Explorer.EXE
Token: SeCreatePagefilePrivilege	3492	Explorer.EXE
Token: SeShutdownPrivilege	3492	Explorer.EXE
Token: SeCreatePagefilePrivilege	3492	Explorer.EXE
Token: SeShutdownPrivilege	3492	Explorer.EXE
Token: SeCreatePagefilePrivilege	3492	Explorer.EXE
Token: SeShutdownPrivilege	3492	Explorer.EXE
Token: SeCreatePagefilePrivilege	3492	Explorer.EXE
Token: SeDebugPrivilege	2316	help.exe
Token: SeShutdownPrivilege	3492	Explorer.EXE
Token: SeCreatePagefilePrivilege	3492	Explorer.EXE
Token: SeShutdownPrivilege	3492	Explorer.EXE
Token: SeCreatePagefilePrivilege	3492	Explorer.EXE
Token: SeShutdownPrivilege	3492	Explorer.EXE
Token: SeCreatePagefilePrivilege	3492	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 5004	3024	1102670247.exe	82
PID 3024 wrote to memory of 5004	3024	1102670247.exe	82
PID 3024 wrote to memory of 5004	3024	1102670247.exe	82
PID 5004 wrote to memory of 2772	5004	mplromwuvs.pif	84
PID 5004 wrote to memory of 2772	5004	mplromwuvs.pif	84
PID 5004 wrote to memory of 2772	5004	mplromwuvs.pif	84
PID 5004 wrote to memory of 1148	5004	mplromwuvs.pif	85
PID 5004 wrote to memory of 1148	5004	mplromwuvs.pif	85
PID 5004 wrote to memory of 1148	5004	mplromwuvs.pif	85
PID 5004 wrote to memory of 1148	5004	mplromwuvs.pif	85
PID 5004 wrote to memory of 2772	5004	mplromwuvs.pif	84
PID 5004 wrote to memory of 2772	5004	mplromwuvs.pif	84
PID 3492 wrote to memory of 2316	3492	Explorer.EXE	88
PID 3492 wrote to memory of 2316	3492	Explorer.EXE	88
PID 3492 wrote to memory of 2316	3492	Explorer.EXE	88
PID 2316 wrote to memory of 2564	2316	help.exe	90
PID 2316 wrote to memory of 2564	2316	help.exe	90
PID 2316 wrote to memory of 2564	2316	help.exe	90

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3492
- C:\Users\Admin\AppData\Local\Temp\1102670247.exe
  "C:\Users\Admin\AppData\Local\Temp\1102670247.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\1_38\mplromwuvs.pif
    "C:\1_38\mplromwuvs.pif" fujkexbdr.tvr
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5004
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2772
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:1148
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 80
        5⤵
        Program crash
        
        PID:4876
- C:\Windows\SysWOW64\help.exe
  "C:\Windows\SysWOW64\help.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1148 -ip 1148
1⤵
PID:4980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\1_38\aucnmrmgcp.gdc

Filesize
370KB

MD5
d8b6082faa90fb2c36026a13a5d579f6

SHA1
a0ef3245552b8605d774785782c983e299128096

SHA256
e2449d29f2482c3aba5f59d1da98711ce78118fec1f7cb9364d5fa8231940a99

SHA512
4b505f7b8c41b13c2cce662a0beb43ff60270dbfa2fe2245427c6e7b32d9357a7628185311b2f08c184d0cc15b097829c5dea9f6146f2b81d62889f1eb384bb3

Download Submit
C:\1_38\mplromwuvs.pif

Filesize
801KB

MD5
dae073ff3ec1441bd6dd60a1c84bca94

SHA1
ffe7f1c111bd4e52877b6fa7cf078b3c7487b95a

SHA256
3dc837914c42318fc2133b9d8455e14a86981b67898080791d1dcdc7b31b28d5

SHA512
104fd5255b5716887eb510469626c9b1613e8a66f24b32c22ff26c190243658bf1ac6699ac04b9a903f2cd192719eb84c0c34b2143ba4206bf1f0874dfd33466

Download Submit
C:\1_38\qecdq.icm

Filesize
42KB

MD5
6f4332f37e326e1cb6d36211106f8da0

SHA1
6073c10d1b1bbf9d512c12dcaa8024a0443fae98

SHA256
1692f8d9b05831dfcbfe25a2fab9f1dbc96ba548329bb707690b316a925d3027

SHA512
9a7e9d8f8502062503d0b0d25b17b5f6bcb2dcf6e95fd4430b6dafdc2a53a691e023d9e4a51cbeb66fa73c4f1caa241307b07ac4530ffff164d0ac2dde57cfa2

Download Submit
memory/2316-64-0x0000000000BA0000-0x0000000000BA7000-memory.dmp

Filesize
28KB

Download
memory/2316-66-0x0000000000AD0000-0x0000000000AFF000-memory.dmp

Filesize
188KB

Download
memory/2316-65-0x0000000000BA0000-0x0000000000BA7000-memory.dmp

Filesize
28KB

Download
memory/2772-58-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/2772-62-0x0000000000400000-0x0000000000A99000-memory.dmp

Filesize
6.6MB

Download
memory/2772-60-0x00000000015F0000-0x000000000193A000-memory.dmp

Filesize
3.3MB

Download
memory/2772-61-0x0000000001500000-0x0000000001514000-memory.dmp

Filesize
80KB

Download
memory/3492-63-0x00000000027F0000-0x0000000002933000-memory.dmp

Filesize
1.3MB

Download
memory/3492-67-0x00000000027F0000-0x0000000002933000-memory.dmp

Filesize
1.3MB

Download
memory/3492-71-0x0000000008790000-0x00000000088F5000-memory.dmp

Filesize
1.4MB

Download