formbook | 6be92b0d491f6d5d7f65e01a3336aac1155f091ad6def08b541e07b68eda3bb4

Analysis

max time kernel
147s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-02-2025 10:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payment Comfirmation.exe
Size

772KB
MD5

86c532b1132630146227a27f3179d897
SHA1

8bd4224bf2079d60e6fef9e40ab7bc1ea391315a
SHA256

6be92b0d491f6d5d7f65e01a3336aac1155f091ad6def08b541e07b68eda3bb4
SHA512

4272bb687f400e0adcf8a5c2b48d7d4a5d4a46e5cde9b2f5d4cba50030842bb8ff0b14658308fd059730a2e4c8acdffabc5da510b9679c530ab944e50ef7896a
SSDEEP

12288:Dvdi9wecl9iWse2abS7m3hoV1QicvYxJqd4trX0ir31DPyKI:DI9weFW+abrh2UAP7RXRrlDPyKI

Score

10^/10

formbook a03d discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

a03d

Decoy

nfluencer-marketing-13524.bond

cebepu.info

lphatechblog.xyz

haoyun.website

itiz.xyz

orld-visa-center.online

si.art

alata.xyz

mmarketing.xyz

elnqdjc.shop

ensentoto.cloud

voyagu.info

onvert.today

1fuli9902.shop

otelhafnia.info

rumpchiefofstaff.store

urvivalflashlights.shop

0090.pizza

ings-hu-13.today

oliticalpatriot.net

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/2808-24-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2652-28-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2892	powershell.exe
2740	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2404 set thread context of 2808	2404	Payment Comfirmation.exe	37
PID 2808 set thread context of 1204	2808	RegSvcs.exe	21
PID 2652 set thread context of 1204	2652	netsh.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payment Comfirmation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2804	schtasks.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2404	Payment Comfirmation.exe
2404	Payment Comfirmation.exe
2892	powershell.exe
2808	RegSvcs.exe
2740	powershell.exe
2808	RegSvcs.exe
2652	netsh.exe
2652	netsh.exe
2652	netsh.exe
2652	netsh.exe
2652	netsh.exe
2652	netsh.exe
2652	netsh.exe
2652	netsh.exe
2652	netsh.exe
2652	netsh.exe
2652	netsh.exe
2652	netsh.exe
2652	netsh.exe
2652	netsh.exe
2652	netsh.exe
2652	netsh.exe
2652	netsh.exe
2652	netsh.exe
2652	netsh.exe
2652	netsh.exe
2652	netsh.exe
2652	netsh.exe
2652	netsh.exe
2652	netsh.exe
2652	netsh.exe
2652	netsh.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2808	RegSvcs.exe
2808	RegSvcs.exe
2808	RegSvcs.exe
2652	netsh.exe
2652	netsh.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2404	Payment Comfirmation.exe
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	2808	RegSvcs.exe
Token: SeDebugPrivilege	2652	netsh.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 2892	2404	Payment Comfirmation.exe	31
PID 2404 wrote to memory of 2892	2404	Payment Comfirmation.exe	31
PID 2404 wrote to memory of 2892	2404	Payment Comfirmation.exe	31
PID 2404 wrote to memory of 2892	2404	Payment Comfirmation.exe	31
PID 2404 wrote to memory of 2740	2404	Payment Comfirmation.exe	33
PID 2404 wrote to memory of 2740	2404	Payment Comfirmation.exe	33
PID 2404 wrote to memory of 2740	2404	Payment Comfirmation.exe	33
PID 2404 wrote to memory of 2740	2404	Payment Comfirmation.exe	33
PID 2404 wrote to memory of 2804	2404	Payment Comfirmation.exe	34
PID 2404 wrote to memory of 2804	2404	Payment Comfirmation.exe	34
PID 2404 wrote to memory of 2804	2404	Payment Comfirmation.exe	34
PID 2404 wrote to memory of 2804	2404	Payment Comfirmation.exe	34
PID 2404 wrote to memory of 2808	2404	Payment Comfirmation.exe	37
PID 2404 wrote to memory of 2808	2404	Payment Comfirmation.exe	37
PID 2404 wrote to memory of 2808	2404	Payment Comfirmation.exe	37
PID 2404 wrote to memory of 2808	2404	Payment Comfirmation.exe	37
PID 2404 wrote to memory of 2808	2404	Payment Comfirmation.exe	37
PID 2404 wrote to memory of 2808	2404	Payment Comfirmation.exe	37
PID 2404 wrote to memory of 2808	2404	Payment Comfirmation.exe	37
PID 2404 wrote to memory of 2808	2404	Payment Comfirmation.exe	37
PID 2404 wrote to memory of 2808	2404	Payment Comfirmation.exe	37
PID 2404 wrote to memory of 2808	2404	Payment Comfirmation.exe	37
PID 1204 wrote to memory of 2652	1204	Explorer.EXE	38
PID 1204 wrote to memory of 2652	1204	Explorer.EXE	38
PID 1204 wrote to memory of 2652	1204	Explorer.EXE	38
PID 1204 wrote to memory of 2652	1204	Explorer.EXE	38
PID 2652 wrote to memory of 2592	2652	netsh.exe	39
PID 2652 wrote to memory of 2592	2652	netsh.exe	39
PID 2652 wrote to memory of 2592	2652	netsh.exe	39
PID 2652 wrote to memory of 2592	2652	netsh.exe	39

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Users\Admin\AppData\Local\Temp\Payment Comfirmation.exe
  "C:\Users\Admin\AppData\Local\Temp\Payment Comfirmation.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Payment Comfirmation.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2892
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\RocLTyIPaHuYP.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2740
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RocLTyIPaHuYP" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDB.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2804
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2808
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\SysWOW64\netsh.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpDB.tmp

Filesize
1KB

MD5
71b2306303ee3fab058f09fa2cf89c48

SHA1
b8bd131c71b969b96d9ce48c8a664c03befcff08

SHA256
76c3749fc754f17eea9533050edf5af91d819e32c129ae6ab2963472ac6c9589

SHA512
2ce7437fad783fb1b869e712205acf6b97518553027e9afff262e11d141bc7e97173e6fd42565fded65873d5d81d8cd3133853d9940c44ec6781ea76831f7f5e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
915be1d4d1c3082b15e0d684eea48f37

SHA1
dfb142f0bbc214accdfdaa13c18b1b90ae8145ef

SHA256
59ebcce3730f0f1172c37be618263d0d9c6405f49254aac69d388da130fb15fa

SHA512
e2024e3297b55b00836c96331bc8455ec6d2adad42bdad6c92216d895c5ea5e0761d1d7ccca7a30f1e7ee6e77cedbfa1e0297248582a7600ce77c9d6405f4850

Download Submit
memory/2404-4-0x0000000074A7E000-0x0000000074A7F000-memory.dmp

Filesize
4KB

Download
memory/2404-26-0x0000000074A70000-0x000000007515E000-memory.dmp

Filesize
6.9MB

Download
memory/2404-0-0x0000000074A7E000-0x0000000074A7F000-memory.dmp

Filesize
4KB

Download
memory/2404-5-0x0000000074A70000-0x000000007515E000-memory.dmp

Filesize
6.9MB

Download
memory/2404-6-0x00000000005B0000-0x0000000000628000-memory.dmp

Filesize
480KB

Download
memory/2404-2-0x0000000074A70000-0x000000007515E000-memory.dmp

Filesize
6.9MB

Download
memory/2404-1-0x0000000000DB0000-0x0000000000E78000-memory.dmp

Filesize
800KB

Download
memory/2404-3-0x0000000000650000-0x000000000066E000-memory.dmp

Filesize
120KB

Download
memory/2652-28-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/2652-27-0x0000000001250000-0x000000000126B000-memory.dmp

Filesize
108KB

Download
memory/2808-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2808-19-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2808-21-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2808-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download