formbook | 11d8b7816c187d751da9c34ed7f37f335f177409b116581078864912c705cc2c

Analysis

max time kernel
448s
max time network
434s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
14/01/2025, 15:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

COMPROBANTE FAC PAG 1312025pdf.zip
Size

630KB
MD5

7ffa7bd8790d363f6ce75a196fbfaaa3
SHA1

24988819575beb787dcc8ea750fc7a34212d66d8
SHA256

f74672bff56ee501992e93951a793b71e7850902a4f25a00616129aa5cad1edc
SHA512

63d5972b6a5d4a203fbc622cdf09a423f6d8f179200d2b3727945454a01e03981747b051a4b85999837d00f7b9601dad7db6f282ec3feb0377e6f3f00073fc28
SSDEEP

12288:QXICvZqhH4xGcIKho8cGZOLmBE6tlNuyoisvbXC0AOIUPR7GIzixVx:kIQLGcPhwGZmmBE6XNnRejH1GIzkT

Score

10^/10

formbook x07y discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

x07y

Decoy

oksa.life

utecak.shop

200mzeus.store

hopsphereviral.store

g6fqz07uyhlgwxf.shop

ntentwicket.asia

ele88.buzz

3233.pizza

ataract-surgery-54329.bond

utsidetheguardrails.net

lkpiou.xyz

nline-gaming-56806.bond

arehouse-inventory-23414.bond

sphalt-jobs-98701.bond

p82520.icu

hetopgraded.shop

okoresmi.life

su41k7v.xyz

lwaset.net

onitoring-devices-18459.bond

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 5 IoCs

rat

resource	yara_rule
behavioral3/memory/2808-54-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral3/memory/2808-88-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral3/memory/2504-89-0x0000000000600000-0x000000000062F000-memory.dmp	formbook
behavioral3/memory/2056-94-0x0000000000320000-0x000000000034F000-memory.dmp	formbook
behavioral3/memory/2068-95-0x0000000001080000-0x00000000010AF000-memory.dmp	formbook

Executes dropped EXE 3 IoCs

pid	Process
4144	COMPROBANTE FAC PAG 1312025pdf.exe
2668	COMPROBANTE FAC PAG 1312025pdf.exe
4188	COMPROBANTE FAC PAG 1312025pdf.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral3/files/0x00280000000461b3-4.dat	autoit_exe

Suspicious use of SetThreadContext 10 IoCs

description	pid	Process	procid_target
PID 4144 set thread context of 2808	4144	COMPROBANTE FAC PAG 1312025pdf.exe	87
PID 2668 set thread context of 2504	2668	COMPROBANTE FAC PAG 1312025pdf.exe	86
PID 2808 set thread context of 3652	2808	svchost.exe	57
PID 2504 set thread context of 3652	2504	svchost.exe	57
PID 4188 set thread context of 2056	4188	COMPROBANTE FAC PAG 1312025pdf.exe	94
PID 2056 set thread context of 3652	2056	svchost.exe	57
PID 2808 set thread context of 3652	2808	svchost.exe	57
PID 2504 set thread context of 3652	2504	svchost.exe	57
PID 2056 set thread context of 3652	2056	svchost.exe	57
PID 2068 set thread context of 3652	2068	control.exe	57

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3116	2668	WerFault.exe	85
2992	4144	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	COMPROBANTE FAC PAG 1312025pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	COMPROBANTE FAC PAG 1312025pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	control.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	control.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	COMPROBANTE FAC PAG 1312025pdf.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2028	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2808	svchost.exe
2504	svchost.exe
2808	svchost.exe
2504	svchost.exe
2808	svchost.exe
2808	svchost.exe
2504	svchost.exe
2504	svchost.exe
2576	7zFM.exe
2576	7zFM.exe
2576	7zFM.exe
2576	7zFM.exe
2576	7zFM.exe
2576	7zFM.exe
2576	7zFM.exe
2576	7zFM.exe
2576	7zFM.exe
2576	7zFM.exe
2056	svchost.exe
2056	svchost.exe
2056	svchost.exe
2056	svchost.exe
2808	svchost.exe
2808	svchost.exe
2504	svchost.exe
2504	svchost.exe
2576	7zFM.exe
2576	7zFM.exe
2068	control.exe
2068	control.exe
2576	7zFM.exe
2576	7zFM.exe
2576	7zFM.exe
2576	7zFM.exe
3396	control.exe
3396	control.exe
2056	svchost.exe
2056	svchost.exe
2068	control.exe
2068	control.exe
2576	7zFM.exe
2576	7zFM.exe
2028	ipconfig.exe
2028	ipconfig.exe
2068	control.exe
2068	control.exe
2068	control.exe
2068	control.exe
2068	control.exe
2068	control.exe
2068	control.exe
2068	control.exe
2068	control.exe
2068	control.exe
2068	control.exe
2068	control.exe
2068	control.exe
2068	control.exe
2068	control.exe
2068	control.exe
2068	control.exe
2068	control.exe
2068	control.exe
2068	control.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2576	7zFM.exe

Suspicious behavior: MapViewOfSection 19 IoCs

pid	Process
4144	COMPROBANTE FAC PAG 1312025pdf.exe
2668	COMPROBANTE FAC PAG 1312025pdf.exe
2668	COMPROBANTE FAC PAG 1312025pdf.exe
2808	svchost.exe
2504	svchost.exe
4188	COMPROBANTE FAC PAG 1312025pdf.exe
4188	COMPROBANTE FAC PAG 1312025pdf.exe
2056	svchost.exe
2808	svchost.exe
2504	svchost.exe
2808	svchost.exe
2808	svchost.exe
2504	svchost.exe
2504	svchost.exe
2056	svchost.exe
2068	control.exe
2056	svchost.exe
2056	svchost.exe
2068	control.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeRestorePrivilege	2576	7zFM.exe
Token: 35	2576	7zFM.exe
Token: SeSecurityPrivilege	2576	7zFM.exe
Token: SeSecurityPrivilege	2576	7zFM.exe
Token: SeDebugPrivilege	2808	svchost.exe
Token: SeDebugPrivilege	2504	svchost.exe
Token: SeShutdownPrivilege	3652	Explorer.EXE
Token: SeCreatePagefilePrivilege	3652	Explorer.EXE
Token: SeShutdownPrivilege	3652	Explorer.EXE
Token: SeCreatePagefilePrivilege	3652	Explorer.EXE
Token: SeShutdownPrivilege	3652	Explorer.EXE
Token: SeCreatePagefilePrivilege	3652	Explorer.EXE
Token: SeShutdownPrivilege	3652	Explorer.EXE
Token: SeCreatePagefilePrivilege	3652	Explorer.EXE
Token: SeSecurityPrivilege	2576	7zFM.exe
Token: SeShutdownPrivilege	3652	Explorer.EXE
Token: SeCreatePagefilePrivilege	3652	Explorer.EXE
Token: SeShutdownPrivilege	3652	Explorer.EXE
Token: SeCreatePagefilePrivilege	3652	Explorer.EXE
Token: SeShutdownPrivilege	3652	Explorer.EXE
Token: SeCreatePagefilePrivilege	3652	Explorer.EXE
Token: SeDebugPrivilege	2056	svchost.exe
Token: SeDebugPrivilege	2068	control.exe
Token: SeDebugPrivilege	3396	control.exe
Token: SeDebugPrivilege	2028	ipconfig.exe
Token: SeShutdownPrivilege	3652	Explorer.EXE
Token: SeCreatePagefilePrivilege	3652	Explorer.EXE
Token: SeShutdownPrivilege	3652	Explorer.EXE
Token: SeCreatePagefilePrivilege	3652	Explorer.EXE
Token: SeShutdownPrivilege	3652	Explorer.EXE
Token: SeCreatePagefilePrivilege	3652	Explorer.EXE
Token: SeShutdownPrivilege	3652	Explorer.EXE
Token: SeCreatePagefilePrivilege	3652	Explorer.EXE

Suspicious use of FindShellTrayWindow 13 IoCs

pid	Process
2576	7zFM.exe
2576	7zFM.exe
2576	7zFM.exe
2668	COMPROBANTE FAC PAG 1312025pdf.exe
4144	COMPROBANTE FAC PAG 1312025pdf.exe
2668	COMPROBANTE FAC PAG 1312025pdf.exe
4144	COMPROBANTE FAC PAG 1312025pdf.exe
2576	7zFM.exe
4188	COMPROBANTE FAC PAG 1312025pdf.exe
4188	COMPROBANTE FAC PAG 1312025pdf.exe
3652	Explorer.EXE
3652	Explorer.EXE
3652	Explorer.EXE

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
2668	COMPROBANTE FAC PAG 1312025pdf.exe
4144	COMPROBANTE FAC PAG 1312025pdf.exe
2668	COMPROBANTE FAC PAG 1312025pdf.exe
4144	COMPROBANTE FAC PAG 1312025pdf.exe
4188	COMPROBANTE FAC PAG 1312025pdf.exe
4188	COMPROBANTE FAC PAG 1312025pdf.exe
3652	Explorer.EXE

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2576 wrote to memory of 4144	2576	7zFM.exe	83
PID 2576 wrote to memory of 4144	2576	7zFM.exe	83
PID 2576 wrote to memory of 4144	2576	7zFM.exe	83
PID 2576 wrote to memory of 2668	2576	7zFM.exe	85
PID 2576 wrote to memory of 2668	2576	7zFM.exe	85
PID 2576 wrote to memory of 2668	2576	7zFM.exe	85
PID 2668 wrote to memory of 2504	2668	COMPROBANTE FAC PAG 1312025pdf.exe	86
PID 2668 wrote to memory of 2504	2668	COMPROBANTE FAC PAG 1312025pdf.exe	86
PID 2668 wrote to memory of 2504	2668	COMPROBANTE FAC PAG 1312025pdf.exe	86
PID 4144 wrote to memory of 2808	4144	COMPROBANTE FAC PAG 1312025pdf.exe	87
PID 4144 wrote to memory of 2808	4144	COMPROBANTE FAC PAG 1312025pdf.exe	87
PID 4144 wrote to memory of 2808	4144	COMPROBANTE FAC PAG 1312025pdf.exe	87
PID 4144 wrote to memory of 2808	4144	COMPROBANTE FAC PAG 1312025pdf.exe	87
PID 2668 wrote to memory of 2504	2668	COMPROBANTE FAC PAG 1312025pdf.exe	86
PID 2576 wrote to memory of 4188	2576	7zFM.exe	93
PID 2576 wrote to memory of 4188	2576	7zFM.exe	93
PID 2576 wrote to memory of 4188	2576	7zFM.exe	93
PID 4188 wrote to memory of 2056	4188	COMPROBANTE FAC PAG 1312025pdf.exe	94
PID 4188 wrote to memory of 2056	4188	COMPROBANTE FAC PAG 1312025pdf.exe	94
PID 4188 wrote to memory of 2056	4188	COMPROBANTE FAC PAG 1312025pdf.exe	94
PID 4188 wrote to memory of 2056	4188	COMPROBANTE FAC PAG 1312025pdf.exe	94
PID 3652 wrote to memory of 2068	3652	Explorer.EXE	95
PID 3652 wrote to memory of 2068	3652	Explorer.EXE	95
PID 3652 wrote to memory of 2068	3652	Explorer.EXE	95
PID 3652 wrote to memory of 3396	3652	Explorer.EXE	96
PID 3652 wrote to memory of 3396	3652	Explorer.EXE	96
PID 3652 wrote to memory of 3396	3652	Explorer.EXE	96
PID 2068 wrote to memory of 3648	2068	control.exe	97
PID 2068 wrote to memory of 3648	2068	control.exe	97
PID 2068 wrote to memory of 3648	2068	control.exe	97
PID 3652 wrote to memory of 2028	3652	Explorer.EXE	99
PID 3652 wrote to memory of 2028	3652	Explorer.EXE	99
PID 3652 wrote to memory of 2028	3652	Explorer.EXE	99

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3652
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\COMPROBANTE FAC PAG 1312025pdf.zip"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Users\Admin\AppData\Local\Temp\7zO01A2D5B8\COMPROBANTE FAC PAG 1312025pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO01A2D5B8\COMPROBANTE FAC PAG 1312025pdf.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4144
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO01A2D5B8\COMPROBANTE FAC PAG 1312025pdf.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2808
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 752
      4⤵
      Program crash
      PID:2992
- - C:\Users\Admin\AppData\Local\Temp\7zO01A954B8\COMPROBANTE FAC PAG 1312025pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO01A954B8\COMPROBANTE FAC PAG 1312025pdf.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO01A954B8\COMPROBANTE FAC PAG 1312025pdf.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2504
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 752
      4⤵
      Program crash
      PID:3116
- - C:\Users\Admin\AppData\Local\Temp\7zO01A00E59\COMPROBANTE FAC PAG 1312025pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO01A00E59\COMPROBANTE FAC PAG 1312025pdf.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4188
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO01A00E59\COMPROBANTE FAC PAG 1312025pdf.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2056
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\SysWOW64\control.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\SysWOW64\svchost.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3648
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\SysWOW64\control.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3396
- C:\Windows\SysWOW64\ipconfig.exe
  "C:\Windows\SysWOW64\ipconfig.exe"
  2⤵
  - Gathers network information
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2668 -ip 2668
1⤵
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4144 -ip 4144
1⤵
PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO01A2D5B8\COMPROBANTE FAC PAG 1312025pdf.exe

Filesize
1.0MB

MD5
e4ae748b24c33178f1203895c632daef

SHA1
9e6bd03f721da74a1412f80ed5615c14ef85434e

SHA256
920dba5848da51e0cd39ced7ef38fd1640e9aa0142b75a5a957ef7abf879a298

SHA512
f0e9ee3d27fb29918d5b12f4aa48d66f6fe7ca13081ee1e011ecdac22506b6f45b0095a3c6655d398a9e02a84f7c56441c341a3c37fb432956f5fbde2d5154d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Maianthemum

Filesize
28KB

MD5
017bf24c72430cb225cd5fa0f6afb9cf

SHA1
6796bb649d92c8d238ce271464acc3151d53d3d4

SHA256
9efb4011bc30794c3f0419eda834b4deb1f448f9ee073162d58948e7de87744b

SHA512
e56b867af93ae0fa3e43e1da027e149a2237f6ac386a2ae83db133679d73eba327566255717b30d5b0dc008b396691364df59d7919ff513cb4424cee46a8fe1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut16E9.tmp

Filesize
178KB

MD5
256ae74d4b0b6e50eefbbee02b86b5e2

SHA1
48c6de0a8b23a020dd1cd33b2a214fc17d8e1004

SHA256
4cb5650adb8222b9c1c2846a4ee5519d4199bc8a64a47a66f0a22825a29972e7

SHA512
5b6ad3053e35dd7c62a3f5f9f3748d4b97b32eea7646a0928838024186cc6c85eeb732437013468c11a6465458e0c4ad3cd930d4a67c85aeea2e8112f2957958

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut170A.tmp

Filesize
9KB

MD5
1797600c46e136de8e946112803ca1f7

SHA1
ae6b74e40ff3c133a0984b309cebcc1d794f533e

SHA256
c874ef11d4fa5dc12454c4c519c89a5c9d8d954b917ebf23cb2b94894938a5a9

SHA512
5cbd3f2bda47e1bac225a3f8067b44ecd0e1c07209dabc803fa3f8feb9f42046883f8b176afa6e3f1597cb7313616e0874c8248c5c5add7ba974da1e94982541

Download Submit
C:\Users\Admin\AppData\Local\Temp\dews

Filesize
185KB

MD5
86b9899ab8b6a3980f9f140c0a79745b

SHA1
d30db7f90b547b6127c51a3f1c6804e7f2460ee0

SHA256
feb5389db0635de41259270d257b6c1595802e7e250c2d57e5caf712ebd94ae7

SHA512
e66cb1314af8416c1a3fcd7cc11ebcd33b36986d6a1923dd3debf5caa2e673e272c9564881a9ce0db92cab8e8e271b9baf19a0dbc9dc567630b9270eb88324a7

Download Submit
memory/2028-96-0x0000000000270000-0x000000000027B000-memory.dmp

Filesize
44KB

Download
memory/2056-94-0x0000000000320000-0x000000000034F000-memory.dmp

Filesize
188KB

Download
memory/2068-95-0x0000000001080000-0x00000000010AF000-memory.dmp

Filesize
188KB

Download
memory/2068-91-0x0000000000480000-0x00000000004A7000-memory.dmp

Filesize
156KB

Download
memory/2504-89-0x0000000000600000-0x000000000062F000-memory.dmp

Filesize
188KB

Download
memory/2808-54-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2808-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3396-90-0x0000000000480000-0x00000000004A7000-memory.dmp

Filesize
156KB

Download
memory/3652-100-0x0000000009350000-0x000000000948A000-memory.dmp

Filesize
1.2MB

Download