formbook | b2fe57ff7504883c1a5050ccf0a6cfe45087a43bea4ce92aec075be6f1852a29

Analysis

max time kernel
147s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-02-2025 10:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Order 3078.exe
Size

770KB
MD5

2c69ec0bd7c4c195a7b6e01274ca4ddf
SHA1

3346a47b05e495951316a54315716599f48a29f4
SHA256

b2fe57ff7504883c1a5050ccf0a6cfe45087a43bea4ce92aec075be6f1852a29
SHA512

36efcc9dc6bf49507565053379348b1bd072b2452f73b5dc4fc4535d4772fe64ba2c3b838dfd11059cbca08165a4f47d895ca682cadbcc9b1169c8034054f24a
SSDEEP

12288:Ivdm+wecl9FXW/vsIUhg4/BkRPYHulQXIsbWGKhJHlu4JW:Ms+wegXWn4/BkRPLMJCjJF

Score

10^/10

formbook a01d discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

a01d

Decoy

eniorshousing05.shop

rywisevas.biz

4726.pizza

itchen-design-42093.bond

3456.tech

4825.plus

nlinecraps.xyz

itamins-52836.bond

nfluencer-marketing-40442.bond

nline-advertising-58573.bond

rautogroups.net

limbtrip.net

oftware-download-14501.bond

nline-advertising-66733.bond

erity.xyz

xknrksi.icu

x-ist.club

yber-security-26409.bond

oincatch.xyz

onitoring-devices-34077.bond

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/2344-24-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2988-29-0x00000000000C0000-0x00000000000EF000-memory.dmp	formbook

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2548	powershell.exe
2852	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2828 set thread context of 2344	2828	Order 3078.exe	37
PID 2344 set thread context of 1232	2344	RegSvcs.exe	21
PID 2988 set thread context of 1232	2988	wininit.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Order 3078.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wininit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2720	schtasks.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2828	Order 3078.exe
2852	powershell.exe
2548	powershell.exe
2828	Order 3078.exe
2344	RegSvcs.exe
2344	RegSvcs.exe
2988	wininit.exe
2988	wininit.exe
2988	wininit.exe
2988	wininit.exe
2988	wininit.exe
2988	wininit.exe
2988	wininit.exe
2988	wininit.exe
2988	wininit.exe
2988	wininit.exe
2988	wininit.exe
2988	wininit.exe
2988	wininit.exe
2988	wininit.exe
2988	wininit.exe
2988	wininit.exe
2988	wininit.exe
2988	wininit.exe
2988	wininit.exe
2988	wininit.exe
2988	wininit.exe
2988	wininit.exe
2988	wininit.exe
2988	wininit.exe
2988	wininit.exe
2988	wininit.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2344	RegSvcs.exe
2344	RegSvcs.exe
2344	RegSvcs.exe
2988	wininit.exe
2988	wininit.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2828	Order 3078.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	2344	RegSvcs.exe
Token: SeDebugPrivilege	2988	wininit.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 2548	2828	Order 3078.exe	31
PID 2828 wrote to memory of 2548	2828	Order 3078.exe	31
PID 2828 wrote to memory of 2548	2828	Order 3078.exe	31
PID 2828 wrote to memory of 2548	2828	Order 3078.exe	31
PID 2828 wrote to memory of 2852	2828	Order 3078.exe	33
PID 2828 wrote to memory of 2852	2828	Order 3078.exe	33
PID 2828 wrote to memory of 2852	2828	Order 3078.exe	33
PID 2828 wrote to memory of 2852	2828	Order 3078.exe	33
PID 2828 wrote to memory of 2720	2828	Order 3078.exe	35
PID 2828 wrote to memory of 2720	2828	Order 3078.exe	35
PID 2828 wrote to memory of 2720	2828	Order 3078.exe	35
PID 2828 wrote to memory of 2720	2828	Order 3078.exe	35
PID 2828 wrote to memory of 2344	2828	Order 3078.exe	37
PID 2828 wrote to memory of 2344	2828	Order 3078.exe	37
PID 2828 wrote to memory of 2344	2828	Order 3078.exe	37
PID 2828 wrote to memory of 2344	2828	Order 3078.exe	37
PID 2828 wrote to memory of 2344	2828	Order 3078.exe	37
PID 2828 wrote to memory of 2344	2828	Order 3078.exe	37
PID 2828 wrote to memory of 2344	2828	Order 3078.exe	37
PID 2828 wrote to memory of 2344	2828	Order 3078.exe	37
PID 2828 wrote to memory of 2344	2828	Order 3078.exe	37
PID 2828 wrote to memory of 2344	2828	Order 3078.exe	37
PID 1232 wrote to memory of 2988	1232	Explorer.EXE	38
PID 1232 wrote to memory of 2988	1232	Explorer.EXE	38
PID 1232 wrote to memory of 2988	1232	Explorer.EXE	38
PID 1232 wrote to memory of 2988	1232	Explorer.EXE	38
PID 2988 wrote to memory of 2420	2988	wininit.exe	39
PID 2988 wrote to memory of 2420	2988	wininit.exe	39
PID 2988 wrote to memory of 2420	2988	wininit.exe	39
PID 2988 wrote to memory of 2420	2988	wininit.exe	39

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Users\Admin\AppData\Local\Temp\Order 3078.exe
  "C:\Users\Admin\AppData\Local\Temp\Order 3078.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Order 3078.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2548
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wETUwTixURT.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2852
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wETUwTixURT" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3092.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2720
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2344
- C:\Windows\SysWOW64\wininit.exe
  "C:\Windows\SysWOW64\wininit.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3092.tmp

Filesize
1KB

MD5
50a694fec0d251e85469cde6d2fd83dc

SHA1
25a4a5c4726712895445bd69c9587c1c5aeb74f4

SHA256
e66aea144349e44832056a8d5ddb9cd9cfbcc2dc070e752c9a0e9bd66572cc04

SHA512
50267b99b5633480759d918ea88796eb51a7eebc59f78c1493614cbc5bdb58e5e1fb7151f7a6e6f5e13ed42dad4d347e96db9113b336607f879f0d43a2178b45

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
b841733b9df0404f37437a1b2a9b4b6f

SHA1
1698cad8be558ea5e27106bca408e58f3c7cdb0f

SHA256
fd2d68b041d5bf6b24d4077b2a7ab8bf32065a56841998771d06f54a51fe5569

SHA512
d510d6881b880512dc96890e170befea9d154521caa9b2c36ef6eea1e7c05deb938444733b7788d034ab54fe93b0a8d2d8e4ec654a2fac0b4b8153a49865350e

Download Submit
memory/1232-26-0x0000000000010000-0x0000000000020000-memory.dmp

Filesize
64KB

Download
memory/2344-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2344-20-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2344-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2344-21-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2828-3-0x0000000000520000-0x000000000053E000-memory.dmp

Filesize
120KB

Download
memory/2828-2-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2828-4-0x000000007469E000-0x000000007469F000-memory.dmp

Filesize
4KB

Download
memory/2828-6-0x0000000000280000-0x00000000002F8000-memory.dmp

Filesize
480KB

Download
memory/2828-5-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2828-0-0x000000007469E000-0x000000007469F000-memory.dmp

Filesize
4KB

Download
memory/2828-27-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2828-1-0x0000000000EC0000-0x0000000000F86000-memory.dmp

Filesize
792KB

Download
memory/2988-28-0x0000000000E10000-0x0000000000E2A000-memory.dmp

Filesize
104KB

Download
memory/2988-29-0x00000000000C0000-0x00000000000EF000-memory.dmp

Filesize
188KB

Download