formbook | eadea737742084d7776c7a6fa0ff4dd6dd3cfe7459fc7e4fbe87b5c2c18c39f6

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
30/12/2024, 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Items for new project-6109.exe
Size

519KB
MD5

7b2b82719683d8edaf37ec6bd895976f
SHA1

bda795d0e7993179ab7606142ea445d9d73872e9
SHA256

f500da8f49bd849bb4f6aa7644458bc0473a47e8ce91a09df137906b429e2ee8
SHA512

79b9eea7f65ff9a0410842d1b09a5dd550c8573044d016adb1539f646b86c7212b436133f0b991f0e72c7b14a0f8b08f7df64dd938359953270979955e6625ba
SSDEEP

12288:LCZhz3tD005nQeOEPEbEiX4FuQWout8FVNLpA:LCZhjC0I2DJUQjFVN

Score

10^/10

formbook wk31 discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

wk31

Decoy

soroban.xyz

irfirstaid.com

irsaycollection.com

thebardownstairsasheville.com

facebookmeta.business

paypalsupportclient.com

metaversusfacebook.com

litakparuikamazon.com

rivianmotorcompany.com

metaversepro.us

ikramfamilypractice.com

bitcoinfuturesetfs.online

5donline.com

rosemount.us

nicole-steinfort.com

performanceautorepairsj.com

scrabblecheats.us

kjg67amazon.com

formerlyknownasfacebook.com

youtubeandgooglepay.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/2884-11-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2884-15-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2884-20-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2688-28-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Deletes itself 1 IoCs

pid	Process
2772	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3008 set thread context of 2884	3008	Items for new project-6109.exe	34
PID 2884 set thread context of 1176	2884	Items for new project-6109.exe	21
PID 2884 set thread context of 1176	2884	Items for new project-6109.exe	21
PID 2688 set thread context of 1176	2688	svchost.exe	21

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Items for new project-6109.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Items for new project-6109.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
3008	Items for new project-6109.exe
3008	Items for new project-6109.exe
3008	Items for new project-6109.exe
3008	Items for new project-6109.exe
3008	Items for new project-6109.exe
3008	Items for new project-6109.exe
2884	Items for new project-6109.exe
2884	Items for new project-6109.exe
2884	Items for new project-6109.exe
2688	svchost.exe
2688	svchost.exe
2688	svchost.exe
2688	svchost.exe
2688	svchost.exe
2688	svchost.exe
2688	svchost.exe
2688	svchost.exe
2688	svchost.exe
2688	svchost.exe
2688	svchost.exe
2688	svchost.exe
2688	svchost.exe
2688	svchost.exe
2688	svchost.exe
2688	svchost.exe
2688	svchost.exe
2688	svchost.exe
2688	svchost.exe
2688	svchost.exe
2688	svchost.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2884	Items for new project-6109.exe
2884	Items for new project-6109.exe
2884	Items for new project-6109.exe
2884	Items for new project-6109.exe
2688	svchost.exe
2688	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3008	Items for new project-6109.exe
Token: SeDebugPrivilege	2884	Items for new project-6109.exe
Token: SeDebugPrivilege	2688	svchost.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 2808	3008	Items for new project-6109.exe	31
PID 3008 wrote to memory of 2808	3008	Items for new project-6109.exe	31
PID 3008 wrote to memory of 2808	3008	Items for new project-6109.exe	31
PID 3008 wrote to memory of 2808	3008	Items for new project-6109.exe	31
PID 3008 wrote to memory of 2864	3008	Items for new project-6109.exe	32
PID 3008 wrote to memory of 2864	3008	Items for new project-6109.exe	32
PID 3008 wrote to memory of 2864	3008	Items for new project-6109.exe	32
PID 3008 wrote to memory of 2864	3008	Items for new project-6109.exe	32
PID 3008 wrote to memory of 2868	3008	Items for new project-6109.exe	33
PID 3008 wrote to memory of 2868	3008	Items for new project-6109.exe	33
PID 3008 wrote to memory of 2868	3008	Items for new project-6109.exe	33
PID 3008 wrote to memory of 2868	3008	Items for new project-6109.exe	33
PID 3008 wrote to memory of 2884	3008	Items for new project-6109.exe	34
PID 3008 wrote to memory of 2884	3008	Items for new project-6109.exe	34
PID 3008 wrote to memory of 2884	3008	Items for new project-6109.exe	34
PID 3008 wrote to memory of 2884	3008	Items for new project-6109.exe	34
PID 3008 wrote to memory of 2884	3008	Items for new project-6109.exe	34
PID 3008 wrote to memory of 2884	3008	Items for new project-6109.exe	34
PID 3008 wrote to memory of 2884	3008	Items for new project-6109.exe	34
PID 2884 wrote to memory of 2688	2884	Items for new project-6109.exe	35
PID 2884 wrote to memory of 2688	2884	Items for new project-6109.exe	35
PID 2884 wrote to memory of 2688	2884	Items for new project-6109.exe	35
PID 2884 wrote to memory of 2688	2884	Items for new project-6109.exe	35
PID 2688 wrote to memory of 2772	2688	svchost.exe	36
PID 2688 wrote to memory of 2772	2688	svchost.exe	36
PID 2688 wrote to memory of 2772	2688	svchost.exe	36
PID 2688 wrote to memory of 2772	2688	svchost.exe	36

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1176
- C:\Users\Admin\AppData\Local\Temp\Items for new project-6109.exe
  "C:\Users\Admin\AppData\Local\Temp\Items for new project-6109.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Users\Admin\AppData\Local\Temp\Items for new project-6109.exe
    "C:\Users\Admin\AppData\Local\Temp\Items for new project-6109.exe"
    3⤵
    PID:2808
- - C:\Users\Admin\AppData\Local\Temp\Items for new project-6109.exe
    "C:\Users\Admin\AppData\Local\Temp\Items for new project-6109.exe"
    3⤵
    PID:2864
- - C:\Users\Admin\AppData\Local\Temp\Items for new project-6109.exe
    "C:\Users\Admin\AppData\Local\Temp\Items for new project-6109.exe"
    3⤵
    PID:2868
- - C:\Users\Admin\AppData\Local\Temp\Items for new project-6109.exe
    "C:\Users\Admin\AppData\Local\Temp\Items for new project-6109.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\SysWOW64\svchost.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2688
    - - C:\Windows\SysWOW64\cmd.exe
        
        /c del "C:\Users\Admin\AppData\Local\Temp\Items for new project-6109.exe"
        5⤵
        Deletes itself
        System Location Discovery: System Language Discovery
        
        PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1176-17-0x0000000003C70000-0x0000000003D70000-memory.dmp

Filesize
1024KB

Download
memory/1176-29-0x000007FFFFFD9000-0x000007FFFFFDA000-memory.dmp

Filesize
4KB

Download
memory/1176-27-0x0000000005120000-0x0000000005220000-memory.dmp

Filesize
1024KB

Download
memory/1176-22-0x0000000004F80000-0x000000000511C000-memory.dmp

Filesize
1.6MB

Download
memory/1176-23-0x0000000005120000-0x0000000005220000-memory.dmp

Filesize
1024KB

Download
memory/1176-18-0x0000000004F80000-0x000000000511C000-memory.dmp

Filesize
1.6MB

Download
memory/2688-28-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/2688-26-0x00000000002F0000-0x00000000002F8000-memory.dmp

Filesize
32KB

Download
memory/2688-24-0x00000000002F0000-0x00000000002F8000-memory.dmp

Filesize
32KB

Download
memory/2884-13-0x0000000000BA0000-0x0000000000EA3000-memory.dmp

Filesize
3.0MB

Download
memory/2884-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2884-20-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2884-21-0x0000000000220000-0x0000000000235000-memory.dmp

Filesize
84KB

Download
memory/2884-16-0x00000000001E0000-0x00000000001F5000-memory.dmp

Filesize
84KB

Download
memory/2884-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2884-11-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2884-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2884-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3008-6-0x0000000004F30000-0x0000000004F84000-memory.dmp

Filesize
336KB

Download
memory/3008-0-0x0000000074ECE000-0x0000000074ECF000-memory.dmp

Filesize
4KB

Download
memory/3008-12-0x0000000074EC0000-0x00000000755AE000-memory.dmp

Filesize
6.9MB

Download
memory/3008-5-0x0000000074EC0000-0x00000000755AE000-memory.dmp

Filesize
6.9MB

Download
memory/3008-4-0x0000000074ECE000-0x0000000074ECF000-memory.dmp

Filesize
4KB

Download
memory/3008-3-0x0000000000410000-0x000000000041C000-memory.dmp

Filesize
48KB

Download
memory/3008-2-0x0000000074EC0000-0x00000000755AE000-memory.dmp

Filesize
6.9MB

Download
memory/3008-1-0x0000000000270000-0x00000000002F8000-memory.dmp

Filesize
544KB

Download