formbook | 9cb300d1428eed7efc3bc596f27927b48500e1bbc21d583ca135880e0a024670

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17-06-2024 09:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

YUDD7CDakVsH65f.exe
Size

580KB
MD5

c67b00d2aa41d4c8f86debd0b74cbb19
SHA1

309f175346d432b9cb43a93c7898a79feec6714d
SHA256

73052c6ab3fb230ab01c3c4def27f0fb76759602217ffef157b7004b6fe8f406
SHA512

635cfeb79725f7105b258fbcd7e360ccdb3f9e5dad17ad7c7be27788d53aabbad5c0a718b8b0373b2bb22378dc41a4c417b6e2ed211fc246d1cace64b4d39034
SSDEEP

12288:V7P/iFIsPAb/z/mdh7z0g5+FabkcfaZdHky+WZARwHf6/qyAC3zjq/fCcN2ufq/+:pPkIKybUd7+845ZdaWZiwHf6/pAM+3RP

Score

10^/10

formbook dy13 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dy13

Decoy

manga-house.com

kjsdhklssk51.xyz

b0ba138.xyz

bt365033.com

ccbsinc.net

mrwine.xyz

nrxkrd527o.xyz

hoshi.social

1912ai.com

serco2020.com

byfchfyr.xyz

imuschestvostorgov.online

austinheafey.com

mrdfa.club

883106.photos

profitablefxmarkets.com

taini00.net

brye.top

ginsm.com

sportglid.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4300-11-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4300-16-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4300-20-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/5000-25-0x0000000001120000-0x000000000114F000-memory.dmp	formbook

Suspicious use of SetThreadContext 4 IoCs

Processes:

YUDD7CDakVsH65f.exeYUDD7CDakVsH65f.execscript.exe

description	pid	process	target process
PID 536 set thread context of 4300	536	YUDD7CDakVsH65f.exe	YUDD7CDakVsH65f.exe
PID 4300 set thread context of 3432	4300	YUDD7CDakVsH65f.exe	Explorer.EXE
PID 4300 set thread context of 3432	4300	YUDD7CDakVsH65f.exe	Explorer.EXE
PID 5000 set thread context of 3432	5000	cscript.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

YUDD7CDakVsH65f.exeYUDD7CDakVsH65f.execscript.exe

pid	process
536	YUDD7CDakVsH65f.exe
536	YUDD7CDakVsH65f.exe
4300	YUDD7CDakVsH65f.exe
4300	YUDD7CDakVsH65f.exe
4300	YUDD7CDakVsH65f.exe
4300	YUDD7CDakVsH65f.exe
4300	YUDD7CDakVsH65f.exe
4300	YUDD7CDakVsH65f.exe
5000	cscript.exe
5000	cscript.exe
5000	cscript.exe
5000	cscript.exe
5000	cscript.exe
5000	cscript.exe
5000	cscript.exe
5000	cscript.exe
5000	cscript.exe
5000	cscript.exe
5000	cscript.exe
5000	cscript.exe
5000	cscript.exe
5000	cscript.exe
5000	cscript.exe
5000	cscript.exe
5000	cscript.exe
5000	cscript.exe
5000	cscript.exe
5000	cscript.exe
5000	cscript.exe
5000	cscript.exe
5000	cscript.exe
5000	cscript.exe
5000	cscript.exe
5000	cscript.exe
5000	cscript.exe
5000	cscript.exe
5000	cscript.exe
5000	cscript.exe
5000	cscript.exe
5000	cscript.exe
5000	cscript.exe
5000	cscript.exe
5000	cscript.exe
5000	cscript.exe
5000	cscript.exe
5000	cscript.exe
5000	cscript.exe
5000	cscript.exe
5000	cscript.exe
5000	cscript.exe
5000	cscript.exe
5000	cscript.exe
5000	cscript.exe
5000	cscript.exe
5000	cscript.exe
5000	cscript.exe
5000	cscript.exe
5000	cscript.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

YUDD7CDakVsH65f.execscript.exe

pid process

4300 YUDD7CDakVsH65f.exe
4300 YUDD7CDakVsH65f.exe
4300 YUDD7CDakVsH65f.exe
4300 YUDD7CDakVsH65f.exe
5000 cscript.exe
5000 cscript.exe

pid	process
4300	YUDD7CDakVsH65f.exe
4300	YUDD7CDakVsH65f.exe
4300	YUDD7CDakVsH65f.exe
4300	YUDD7CDakVsH65f.exe
5000	cscript.exe
5000	cscript.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

YUDD7CDakVsH65f.exeYUDD7CDakVsH65f.execscript.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	536	YUDD7CDakVsH65f.exe
Token: SeDebugPrivilege	4300	YUDD7CDakVsH65f.exe
Token: SeDebugPrivilege	5000	cscript.exe
Token: SeShutdownPrivilege	3432	Explorer.EXE
Token: SeCreatePagefilePrivilege	3432	Explorer.EXE

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Explorer.EXE

pid process

3432 Explorer.EXE
3432 Explorer.EXE
3432 Explorer.EXE
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Explorer.EXE

pid process

3432 Explorer.EXE
3432 Explorer.EXE
3432 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3432 Explorer.EXE

pid	process
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE

pid	process
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE

pid	process
3432	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

YUDD7CDakVsH65f.exeExplorer.EXEcscript.exe

description	pid	process	target process
PID 536 wrote to memory of 2272	536	YUDD7CDakVsH65f.exe	YUDD7CDakVsH65f.exe
PID 536 wrote to memory of 2272	536	YUDD7CDakVsH65f.exe	YUDD7CDakVsH65f.exe
PID 536 wrote to memory of 2272	536	YUDD7CDakVsH65f.exe	YUDD7CDakVsH65f.exe
PID 536 wrote to memory of 4300	536	YUDD7CDakVsH65f.exe	YUDD7CDakVsH65f.exe
PID 536 wrote to memory of 4300	536	YUDD7CDakVsH65f.exe	YUDD7CDakVsH65f.exe
PID 536 wrote to memory of 4300	536	YUDD7CDakVsH65f.exe	YUDD7CDakVsH65f.exe
PID 536 wrote to memory of 4300	536	YUDD7CDakVsH65f.exe	YUDD7CDakVsH65f.exe
PID 536 wrote to memory of 4300	536	YUDD7CDakVsH65f.exe	YUDD7CDakVsH65f.exe
PID 536 wrote to memory of 4300	536	YUDD7CDakVsH65f.exe	YUDD7CDakVsH65f.exe
PID 3432 wrote to memory of 5000	3432	Explorer.EXE	cscript.exe
PID 3432 wrote to memory of 5000	3432	Explorer.EXE	cscript.exe
PID 3432 wrote to memory of 5000	3432	Explorer.EXE	cscript.exe
PID 5000 wrote to memory of 4116	5000	cscript.exe	cmd.exe
PID 5000 wrote to memory of 4116	5000	cscript.exe	cmd.exe
PID 5000 wrote to memory of 4116	5000	cscript.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3432

C:\Users\Admin\AppData\Local\Temp\YUDD7CDakVsH65f.exe
"C:\Users\Admin\AppData\Local\Temp\YUDD7CDakVsH65f.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:536

C:\Users\Admin\AppData\Local\Temp\YUDD7CDakVsH65f.exe
"C:\Users\Admin\AppData\Local\Temp\YUDD7CDakVsH65f.exe"
3⤵
PID:2272

C:\Users\Admin\AppData\Local\Temp\YUDD7CDakVsH65f.exe
"C:\Users\Admin\AppData\Local\Temp\YUDD7CDakVsH65f.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4300

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5000

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\YUDD7CDakVsH65f.exe"
3⤵
PID:4116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3772,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4040 /prefetch:8
1⤵
PID:4124

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/536-8-0x0000000005010000-0x000000000501C000-memory.dmp

Filesize
48KB

Download
memory/536-13-0x0000000075210000-0x00000000759C0000-memory.dmp

Filesize
7.7MB

Download
memory/536-9-0x0000000005E60000-0x0000000005ED6000-memory.dmp

Filesize
472KB

Download
memory/536-3-0x0000000004BC0000-0x0000000004C52000-memory.dmp

Filesize
584KB

Download
memory/536-4-0x0000000004C70000-0x0000000004C7A000-memory.dmp

Filesize
40KB

Download
memory/536-5-0x0000000075210000-0x00000000759C0000-memory.dmp

Filesize
7.7MB

Download
memory/536-6-0x0000000004FD0000-0x0000000004FE2000-memory.dmp

Filesize
72KB

Download
memory/536-7-0x0000000005000000-0x0000000005008000-memory.dmp

Filesize
32KB

Download
memory/536-2-0x00000000050B0000-0x0000000005654000-memory.dmp

Filesize
5.6MB

Download
memory/536-1-0x0000000000150000-0x00000000001E6000-memory.dmp

Filesize
600KB

Download
memory/536-0-0x000000007521E000-0x000000007521F000-memory.dmp

Filesize
4KB

Download
memory/536-10-0x0000000008590000-0x000000000862C000-memory.dmp

Filesize
624KB

Download
memory/3432-28-0x0000000008A90000-0x0000000008B74000-memory.dmp

Filesize
912KB

Download
memory/3432-30-0x0000000008910000-0x0000000008A81000-memory.dmp

Filesize
1.4MB

Download
memory/3432-33-0x0000000008A90000-0x0000000008B74000-memory.dmp

Filesize
912KB

Download
memory/3432-29-0x0000000008A90000-0x0000000008B74000-memory.dmp

Filesize
912KB

Download
memory/3432-18-0x0000000008690000-0x0000000008837000-memory.dmp

Filesize
1.7MB

Download
memory/3432-22-0x0000000008910000-0x0000000008A81000-memory.dmp

Filesize
1.4MB

Download
memory/3432-26-0x0000000008690000-0x0000000008837000-memory.dmp

Filesize
1.7MB

Download
memory/4300-17-0x0000000000FB0000-0x0000000000FC5000-memory.dmp

Filesize
84KB

Download
memory/4300-20-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4300-21-0x0000000001030000-0x0000000001045000-memory.dmp

Filesize
84KB

Download
memory/4300-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4300-14-0x0000000001330000-0x000000000167A000-memory.dmp

Filesize
3.3MB

Download
memory/4300-11-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5000-24-0x0000000000AE0000-0x0000000000B07000-memory.dmp

Filesize
156KB

Download
memory/5000-23-0x0000000000AE0000-0x0000000000B07000-memory.dmp

Filesize
156KB

Download
memory/5000-25-0x0000000001120000-0x000000000114F000-memory.dmp

Filesize
188KB

Download