formbook | efb32e8c79329c608692e448b53fe5c09854871fe10c6ac09791776c8c964cf1

Analysis

max time kernel
147s
max time network
141s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
30-12-2024 20:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

textview66547.exe
Size

1.3MB
MD5

734282c3d93555760ee7347318299aa1
SHA1

d17be364c71e18e647ad260f4d4f747996b7a753
SHA256

38b573288a18231b62b0fe72ca5ea36f6d20303ce7658d82487523488399955b
SHA512

e02b026077d13c57f4dfc6c74a06cd5f0d59213c37113e57b44915c97d20f767350feda8780d9138cde953430b88f9c20ec601cdeb3c4984483c9c4f446f9249
SSDEEP

24576:iAOcZXp0bR4ZPmjscttv8MnhoUkjPV99npuezy71oporahyR6:ofR4MQcttv8MhoUkj9fZe6GRU

Score

10^/10

formbook t01w discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

t01w

Decoy

yeluzishiyanshi.com

thehardtech.xyz

arrowheadk8.site

zaulkunutila.xyz

lookastro.net

congregorecruitment.co.uk

darcyboo.uk

collettesbet.net

ltgpd.com

hiddenapphq.net

haxtrl.online

esenbook.com

jxzyyx.com

ulvabuyout.xyz

instashop.life

vazra.top

ewdvatcuce4.top

zhishi68.com

fabricsandfashion.com

hootcaster.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 5 IoCs

rat

resource	yara_rule
behavioral1/memory/2960-73-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/552-77-0x0000000000400000-0x0000000000A1F000-memory.dmp	formbook
behavioral1/memory/552-82-0x0000000000400000-0x0000000000A1F000-memory.dmp	formbook
behavioral1/memory/2960-84-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/3016-89-0x0000000000100000-0x000000000012F000-memory.dmp	formbook

Executes dropped EXE 1 IoCs

pid	Process
2688	sogmqlr.pif

Loads dropped DLL 4 IoCs

pid	Process
1960	textview66547.exe
1960	textview66547.exe
1960	textview66547.exe
1960	textview66547.exe

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 2688 set thread context of 2960	2688	sogmqlr.pif	32
PID 2688 set thread context of 552	2688	sogmqlr.pif	31
PID 552 set thread context of 1232	552	RegSvcs.exe	21
PID 2960 set thread context of 1232	2960	RegSvcs.exe	21
PID 552 set thread context of 1232	552	RegSvcs.exe	21
PID 2960 set thread context of 1232	2960	RegSvcs.exe	21
PID 3016 set thread context of 1232	3016	svchost.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	textview66547.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sogmqlr.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wininit.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
552	RegSvcs.exe
2960	RegSvcs.exe
552	RegSvcs.exe
2960	RegSvcs.exe
552	RegSvcs.exe
2960	RegSvcs.exe
3016	svchost.exe
1276	wininit.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe

Suspicious behavior: MapViewOfSection 10 IoCs

pid	Process
552	RegSvcs.exe
2960	RegSvcs.exe
552	RegSvcs.exe
2960	RegSvcs.exe
552	RegSvcs.exe
552	RegSvcs.exe
2960	RegSvcs.exe
2960	RegSvcs.exe
3016	svchost.exe
3016	svchost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	552	RegSvcs.exe
Token: SeDebugPrivilege	2960	RegSvcs.exe
Token: SeDebugPrivilege	3016	svchost.exe
Token: SeDebugPrivilege	1276	wininit.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 2688	1960	textview66547.exe	30
PID 1960 wrote to memory of 2688	1960	textview66547.exe	30
PID 1960 wrote to memory of 2688	1960	textview66547.exe	30
PID 1960 wrote to memory of 2688	1960	textview66547.exe	30
PID 1960 wrote to memory of 2688	1960	textview66547.exe	30
PID 1960 wrote to memory of 2688	1960	textview66547.exe	30
PID 1960 wrote to memory of 2688	1960	textview66547.exe	30
PID 2688 wrote to memory of 552	2688	sogmqlr.pif	31
PID 2688 wrote to memory of 552	2688	sogmqlr.pif	31
PID 2688 wrote to memory of 552	2688	sogmqlr.pif	31
PID 2688 wrote to memory of 552	2688	sogmqlr.pif	31
PID 2688 wrote to memory of 552	2688	sogmqlr.pif	31
PID 2688 wrote to memory of 552	2688	sogmqlr.pif	31
PID 2688 wrote to memory of 552	2688	sogmqlr.pif	31
PID 2688 wrote to memory of 2960	2688	sogmqlr.pif	32
PID 2688 wrote to memory of 2960	2688	sogmqlr.pif	32
PID 2688 wrote to memory of 2960	2688	sogmqlr.pif	32
PID 2688 wrote to memory of 2960	2688	sogmqlr.pif	32
PID 2688 wrote to memory of 2960	2688	sogmqlr.pif	32
PID 2688 wrote to memory of 2960	2688	sogmqlr.pif	32
PID 2688 wrote to memory of 2960	2688	sogmqlr.pif	32
PID 2688 wrote to memory of 2960	2688	sogmqlr.pif	32
PID 2688 wrote to memory of 2960	2688	sogmqlr.pif	32
PID 2688 wrote to memory of 2960	2688	sogmqlr.pif	32
PID 2688 wrote to memory of 552	2688	sogmqlr.pif	31
PID 2688 wrote to memory of 552	2688	sogmqlr.pif	31
PID 552 wrote to memory of 3016	552	RegSvcs.exe	33
PID 552 wrote to memory of 3016	552	RegSvcs.exe	33
PID 552 wrote to memory of 3016	552	RegSvcs.exe	33
PID 552 wrote to memory of 3016	552	RegSvcs.exe	33
PID 3016 wrote to memory of 2732	3016	svchost.exe	34
PID 3016 wrote to memory of 2732	3016	svchost.exe	34
PID 3016 wrote to memory of 2732	3016	svchost.exe	34
PID 3016 wrote to memory of 2732	3016	svchost.exe	34
PID 2960 wrote to memory of 1276	2960	RegSvcs.exe	36
PID 2960 wrote to memory of 1276	2960	RegSvcs.exe	36
PID 2960 wrote to memory of 1276	2960	RegSvcs.exe	36
PID 2960 wrote to memory of 1276	2960	RegSvcs.exe	36

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1232
- C:\Users\Admin\AppData\Local\Temp\textview66547.exe
  "C:\Users\Admin\AppData\Local\Temp\textview66547.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Users\Admin\5_86\sogmqlr.pif
    "C:\Users\Admin\5_86\sogmqlr.pif" eiifenbgm.fmk
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:552
    - - C:\Windows\SysWOW64\svchost.exe
        
        "C:\Windows\SysWOW64\svchost.exe"
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3016
      - C:\Windows\SysWOW64\cmd.exe
        
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2732
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2960
    - - C:\Windows\SysWOW64\wininit.exe
        
        "C:\Windows\SysWOW64\wininit.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\5_86\cigds.jpg

Filesize
45KB

MD5
a85785f3dd5d27c21cdcf9deffb85b4f

SHA1
dc4615334c2f6a2dbdbd376de6e5b9fb4c400a66

SHA256
7a089d4a4c799ce9e9f5e75f89815f065af3f83a8a9ed73566844a8ea910f30d

SHA512
a9a4e3b41121f5a2412dcf05d4fd8162036590152838221dc8811e18fc47888a4d09a83894cfb00f593cb7cd9eed6f901b6fa523fd222bca170fbfd966e130ae

Download Submit
C:\Users\Admin\5_86\pdvraobar.okg

Filesize
370KB

MD5
f5e2ba30a45201d12f28c47cc71919cc

SHA1
1dd97af07f03e87f26bc6012cde97855e7ae40da

SHA256
d3f446c8cd06efa9b89bdcfe33d8b84831ab1e04353837d4de1348076ab3fd15

SHA512
3c81ab2c7c598c7f468bac9a0a8c0b64f6e66b67f1d5786ffa9b3f0926b1704c841850dde0bf68da58a429503bca5cb0b03a981287de68a845638f6399ece513

Download Submit
\Users\Admin\5_86\sogmqlr.pif

Filesize
1.7MB

MD5
dd3466f64841cf21fc31f63f03dbfd29

SHA1
3878c8e52203d792c6f672595f7c78ab27ce3f04

SHA256
4fe3004208ed574521992dd1ba3d900b75a0f02f1d63ba1e531d309e85ffa06b

SHA512
adf3fe8378f7da5ba278db9a1df4cc7b5cff12398ec39ee7037382ebf57897de8bec72be64b5e7332bdb7ed865788dcb6ef4ceda6654e1153d39fe84b011b057

Download Submit
memory/552-82-0x0000000000400000-0x0000000000A1F000-memory.dmp

Filesize
6.1MB

Download
memory/552-77-0x0000000000400000-0x0000000000A1F000-memory.dmp

Filesize
6.1MB

Download
memory/552-74-0x0000000000400000-0x0000000000A1F000-memory.dmp

Filesize
6.1MB

Download
memory/1232-83-0x0000000006C80000-0x0000000006D78000-memory.dmp

Filesize
992KB

Download
memory/1232-92-0x0000000007650000-0x000000000779F000-memory.dmp

Filesize
1.3MB

Download
memory/1276-86-0x00000000003F0000-0x000000000040A000-memory.dmp

Filesize
104KB

Download
memory/2960-73-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2960-70-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2960-84-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2960-72-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2960-68-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3016-85-0x0000000000770000-0x0000000000778000-memory.dmp

Filesize
32KB

Download
memory/3016-89-0x0000000000100000-0x000000000012F000-memory.dmp

Filesize
188KB

Download