formbook | 06d1d5e5a8e641a62df3b3282dc437d24d48a31cc60f691c760023429788ec6c

Analysis

max time kernel
146s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-01-2025 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06d1d5e5a8e641a62df3b3282dc437d24d48a31cc60f691c760023429788ec6c.exe
Size

689KB
MD5

543fb196348fc3dc47731e7480b55476
SHA1

2bce42c91d767bef6cb05f511c54e73e5d06dff9
SHA256

06d1d5e5a8e641a62df3b3282dc437d24d48a31cc60f691c760023429788ec6c
SHA512

1deed8d33159c1fd02534de98a6411fa9c129b4aea1d941d1e8dae002f48edcaed73ce38c49598e9997097ffd828d02a53661a19b4e6530198de62bd28296748
SSDEEP

12288:RiFtTLMIhPTv0IWZIf+KLlukv4XA7mDiO6FFIGnWq:RWTbhPzaIZLMxA7mDiOKQ

Score

10^/10

formbook g10y discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

g10y

Decoy

oofingpro.xyz

sertc.xyz

toaas.xyz

appysnacks.store

julio.tech

nfluencer-marketing-67952.bond

rginine888.store

haampion-slotss.bet

anicajet.xyz

lumber-jobs-91014.bond

eartsandco.store

ctualiza.icu

iso23.vip

udihebohofficial.boats

lackt.xyz

ymonejohnsonart.online

dereji.info

msqdhccc3.shop

auptstadttarif.online

overebyvibes.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/2576-19-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/2072-24-0x00000000000D0000-0x00000000000FE000-memory.dmp	formbook

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2796	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2228 set thread context of 2576	2228	06d1d5e5a8e641a62df3b3282dc437d24d48a31cc60f691c760023429788ec6c.exe	35
PID 2576 set thread context of 1196	2576	RegSvcs.exe	21
PID 2072 set thread context of 1196	2072	wlanext.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wlanext.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	06d1d5e5a8e641a62df3b3282dc437d24d48a31cc60f691c760023429788ec6c.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2728	schtasks.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
2228	06d1d5e5a8e641a62df3b3282dc437d24d48a31cc60f691c760023429788ec6c.exe
2228	06d1d5e5a8e641a62df3b3282dc437d24d48a31cc60f691c760023429788ec6c.exe
2228	06d1d5e5a8e641a62df3b3282dc437d24d48a31cc60f691c760023429788ec6c.exe
2228	06d1d5e5a8e641a62df3b3282dc437d24d48a31cc60f691c760023429788ec6c.exe
2796	powershell.exe
2576	RegSvcs.exe
2576	RegSvcs.exe
2072	wlanext.exe
2072	wlanext.exe
2072	wlanext.exe
2072	wlanext.exe
2072	wlanext.exe
2072	wlanext.exe
2072	wlanext.exe
2072	wlanext.exe
2072	wlanext.exe
2072	wlanext.exe
2072	wlanext.exe
2072	wlanext.exe
2072	wlanext.exe
2072	wlanext.exe
2072	wlanext.exe
2072	wlanext.exe
2072	wlanext.exe
2072	wlanext.exe
2072	wlanext.exe
2072	wlanext.exe
2072	wlanext.exe
2072	wlanext.exe
2072	wlanext.exe
2072	wlanext.exe
2072	wlanext.exe
2072	wlanext.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2576	RegSvcs.exe
2576	RegSvcs.exe
2576	RegSvcs.exe
2072	wlanext.exe
2072	wlanext.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2228	06d1d5e5a8e641a62df3b3282dc437d24d48a31cc60f691c760023429788ec6c.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	2576	RegSvcs.exe
Token: SeDebugPrivilege	2072	wlanext.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 2796	2228	06d1d5e5a8e641a62df3b3282dc437d24d48a31cc60f691c760023429788ec6c.exe	30
PID 2228 wrote to memory of 2796	2228	06d1d5e5a8e641a62df3b3282dc437d24d48a31cc60f691c760023429788ec6c.exe	30
PID 2228 wrote to memory of 2796	2228	06d1d5e5a8e641a62df3b3282dc437d24d48a31cc60f691c760023429788ec6c.exe	30
PID 2228 wrote to memory of 2796	2228	06d1d5e5a8e641a62df3b3282dc437d24d48a31cc60f691c760023429788ec6c.exe	30
PID 2228 wrote to memory of 2728	2228	06d1d5e5a8e641a62df3b3282dc437d24d48a31cc60f691c760023429788ec6c.exe	32
PID 2228 wrote to memory of 2728	2228	06d1d5e5a8e641a62df3b3282dc437d24d48a31cc60f691c760023429788ec6c.exe	32
PID 2228 wrote to memory of 2728	2228	06d1d5e5a8e641a62df3b3282dc437d24d48a31cc60f691c760023429788ec6c.exe	32
PID 2228 wrote to memory of 2728	2228	06d1d5e5a8e641a62df3b3282dc437d24d48a31cc60f691c760023429788ec6c.exe	32
PID 2228 wrote to memory of 2540	2228	06d1d5e5a8e641a62df3b3282dc437d24d48a31cc60f691c760023429788ec6c.exe	34
PID 2228 wrote to memory of 2540	2228	06d1d5e5a8e641a62df3b3282dc437d24d48a31cc60f691c760023429788ec6c.exe	34
PID 2228 wrote to memory of 2540	2228	06d1d5e5a8e641a62df3b3282dc437d24d48a31cc60f691c760023429788ec6c.exe	34
PID 2228 wrote to memory of 2540	2228	06d1d5e5a8e641a62df3b3282dc437d24d48a31cc60f691c760023429788ec6c.exe	34
PID 2228 wrote to memory of 2540	2228	06d1d5e5a8e641a62df3b3282dc437d24d48a31cc60f691c760023429788ec6c.exe	34
PID 2228 wrote to memory of 2540	2228	06d1d5e5a8e641a62df3b3282dc437d24d48a31cc60f691c760023429788ec6c.exe	34
PID 2228 wrote to memory of 2540	2228	06d1d5e5a8e641a62df3b3282dc437d24d48a31cc60f691c760023429788ec6c.exe	34
PID 2228 wrote to memory of 2576	2228	06d1d5e5a8e641a62df3b3282dc437d24d48a31cc60f691c760023429788ec6c.exe	35
PID 2228 wrote to memory of 2576	2228	06d1d5e5a8e641a62df3b3282dc437d24d48a31cc60f691c760023429788ec6c.exe	35
PID 2228 wrote to memory of 2576	2228	06d1d5e5a8e641a62df3b3282dc437d24d48a31cc60f691c760023429788ec6c.exe	35
PID 2228 wrote to memory of 2576	2228	06d1d5e5a8e641a62df3b3282dc437d24d48a31cc60f691c760023429788ec6c.exe	35
PID 2228 wrote to memory of 2576	2228	06d1d5e5a8e641a62df3b3282dc437d24d48a31cc60f691c760023429788ec6c.exe	35
PID 2228 wrote to memory of 2576	2228	06d1d5e5a8e641a62df3b3282dc437d24d48a31cc60f691c760023429788ec6c.exe	35
PID 2228 wrote to memory of 2576	2228	06d1d5e5a8e641a62df3b3282dc437d24d48a31cc60f691c760023429788ec6c.exe	35
PID 2228 wrote to memory of 2576	2228	06d1d5e5a8e641a62df3b3282dc437d24d48a31cc60f691c760023429788ec6c.exe	35
PID 2228 wrote to memory of 2576	2228	06d1d5e5a8e641a62df3b3282dc437d24d48a31cc60f691c760023429788ec6c.exe	35
PID 2228 wrote to memory of 2576	2228	06d1d5e5a8e641a62df3b3282dc437d24d48a31cc60f691c760023429788ec6c.exe	35
PID 1196 wrote to memory of 2072	1196	Explorer.EXE	36
PID 1196 wrote to memory of 2072	1196	Explorer.EXE	36
PID 1196 wrote to memory of 2072	1196	Explorer.EXE	36
PID 1196 wrote to memory of 2072	1196	Explorer.EXE	36
PID 2072 wrote to memory of 2880	2072	wlanext.exe	37
PID 2072 wrote to memory of 2880	2072	wlanext.exe	37
PID 2072 wrote to memory of 2880	2072	wlanext.exe	37
PID 2072 wrote to memory of 2880	2072	wlanext.exe	37

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Users\Admin\AppData\Local\Temp\06d1d5e5a8e641a62df3b3282dc437d24d48a31cc60f691c760023429788ec6c.exe
  "C:\Users\Admin\AppData\Local\Temp\06d1d5e5a8e641a62df3b3282dc437d24d48a31cc60f691c760023429788ec6c.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\TLeKXiBgFhviuk.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2796
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TLeKXiBgFhviuk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3AA0.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2728
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:2540
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2576
- C:\Windows\SysWOW64\wlanext.exe
  "C:\Windows\SysWOW64\wlanext.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3AA0.tmp

Filesize
1KB

MD5
9e0e2aa3e117b74b4233b38f310e2ba7

SHA1
1f595b1797aba7fb79fcae753301c15c6563d89f

SHA256
8528aeab97218e55a6f91e8ddc4c2e6a3f6505b39bb7ff849ae2a324521ba14a

SHA512
44d2708501d39b481a034edca056a39144ee32968885274c795b3abb6fc2109e6eb9137b88a33c6ab72400024b69b1cb946423eac3409e58763546e7a6e4fae6

Download Submit
memory/1196-22-0x0000000002FC0000-0x00000000030C0000-memory.dmp

Filesize
1024KB

Download
memory/2072-24-0x00000000000D0000-0x00000000000FE000-memory.dmp

Filesize
184KB

Download
memory/2072-23-0x0000000000710000-0x0000000000726000-memory.dmp

Filesize
88KB

Download
memory/2228-20-0x0000000074970000-0x000000007505E000-memory.dmp

Filesize
6.9MB

Download
memory/2228-5-0x0000000074970000-0x000000007505E000-memory.dmp

Filesize
6.9MB

Download
memory/2228-6-0x0000000000250000-0x00000000002C8000-memory.dmp

Filesize
480KB

Download
memory/2228-4-0x000000007497E000-0x000000007497F000-memory.dmp

Filesize
4KB

Download
memory/2228-0-0x000000007497E000-0x000000007497F000-memory.dmp

Filesize
4KB

Download
memory/2228-3-0x00000000004D0000-0x00000000004EE000-memory.dmp

Filesize
120KB

Download
memory/2228-2-0x0000000074970000-0x000000007505E000-memory.dmp

Filesize
6.9MB

Download
memory/2228-1-0x0000000001010000-0x00000000010C2000-memory.dmp

Filesize
712KB

Download
memory/2576-14-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2576-16-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2576-19-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2576-18-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download