formbook | 378dc7dc73eb893bd2d6878ca5c2da5cb1bb16bf0aee4e94352a4b7ca8da7832

Analysis

max time kernel
146s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
17-06-2024 13:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

356363979-8832437294380 20241206 908376677.exe
Size

1.0MB
MD5

306861cd3f8c4a9c9a818c5348a14040
SHA1

5dfd78ad88a94078a38978984d81b3926f479ac7
SHA256

378dc7dc73eb893bd2d6878ca5c2da5cb1bb16bf0aee4e94352a4b7ca8da7832
SHA512

b4d8408be102dcd50adaa3de66f77c7a31a57ee615ec2bc1a1ec255246d93e6989c7f421bad384deb667a6bc90a1bafad5815b46b5306c47c075b1f355d32628
SSDEEP

12288:uVqi8tTaU9nxYoWo51/QZtAAm5WzgNYTpuXAyRavD7R5GHYG2ucIPC92:lbnKoWt6AzqQyGlGV9z

Score

10^/10

formbook na10 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

na10

Decoy

tetheus.com

ventlikeyoumeanit.com

tintbliss.com

rinabet357.com

sapphireboutiqueusa.com

abc8bet6.com

xzcn3i7jb13cqei.buzz

pinktravelsnagpur.com

bt365038.com

rtpbossujang303.shop

osthirmaker.com

thelonelyteacup.com

rlc2019.com

couverture-charpente.com

productivagc.com

defendercarcare.com

abcentixdigital.com

petco.ltd

oypivh.top

micro.guru

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2672-21-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2672-25-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2580-31-0x00000000000A0000-0x00000000000CF000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1592 cmd.exe

pid	process
1592	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

356363979-8832437294380 20241206 908376677.exe356363979-8832437294380 20241206 908376677.exewlanext.exe

description	pid	process	target process
PID 3056 set thread context of 2672	3056	356363979-8832437294380 20241206 908376677.exe	356363979-8832437294380 20241206 908376677.exe
PID 2672 set thread context of 1196	2672	356363979-8832437294380 20241206 908376677.exe	Explorer.EXE
PID 2580 set thread context of 1196	2580	wlanext.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

356363979-8832437294380 20241206 908376677.exe356363979-8832437294380 20241206 908376677.exewlanext.exe

pid	process
3056	356363979-8832437294380 20241206 908376677.exe
3056	356363979-8832437294380 20241206 908376677.exe
3056	356363979-8832437294380 20241206 908376677.exe
2672	356363979-8832437294380 20241206 908376677.exe
2672	356363979-8832437294380 20241206 908376677.exe
2580	wlanext.exe
2580	wlanext.exe
2580	wlanext.exe
2580	wlanext.exe
2580	wlanext.exe
2580	wlanext.exe
2580	wlanext.exe
2580	wlanext.exe
2580	wlanext.exe
2580	wlanext.exe
2580	wlanext.exe
2580	wlanext.exe
2580	wlanext.exe
2580	wlanext.exe
2580	wlanext.exe
2580	wlanext.exe
2580	wlanext.exe
2580	wlanext.exe
2580	wlanext.exe
2580	wlanext.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

356363979-8832437294380 20241206 908376677.exewlanext.exe

pid process

2672 356363979-8832437294380 20241206 908376677.exe
2672 356363979-8832437294380 20241206 908376677.exe
2672 356363979-8832437294380 20241206 908376677.exe
2580 wlanext.exe
2580 wlanext.exe

pid	process
2672	356363979-8832437294380 20241206 908376677.exe
2672	356363979-8832437294380 20241206 908376677.exe
2672	356363979-8832437294380 20241206 908376677.exe
2580	wlanext.exe
2580	wlanext.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

356363979-8832437294380 20241206 908376677.exe356363979-8832437294380 20241206 908376677.exewlanext.exe

description	pid	process
Token: SeDebugPrivilege	3056	356363979-8832437294380 20241206 908376677.exe
Token: SeDebugPrivilege	2672	356363979-8832437294380 20241206 908376677.exe
Token: SeDebugPrivilege	2580	wlanext.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

356363979-8832437294380 20241206 908376677.exeExplorer.EXEwlanext.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1196

C:\Users\Admin\AppData\Local\Temp\356363979-8832437294380 20241206 908376677.exe
"C:\Users\Admin\AppData\Local\Temp\356363979-8832437294380 20241206 908376677.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3056

C:\Users\Admin\AppData\Local\Temp\356363979-8832437294380 20241206 908376677.exe
"C:\Users\Admin\AppData\Local\Temp\356363979-8832437294380 20241206 908376677.exe"
3⤵
PID:2292

C:\Users\Admin\AppData\Local\Temp\356363979-8832437294380 20241206 908376677.exe
"C:\Users\Admin\AppData\Local\Temp\356363979-8832437294380 20241206 908376677.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2672

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2580

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\356363979-8832437294380 20241206 908376677.exe"
3⤵
- Deletes itself
PID:1592

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1196-28-0x0000000005030000-0x000000000514C000-memory.dmp

Filesize
1.1MB

Download
memory/1196-34-0x0000000005030000-0x000000000514C000-memory.dmp

Filesize
1.1MB

Download
memory/1196-27-0x0000000000260000-0x0000000000360000-memory.dmp

Filesize
1024KB

Download
memory/2292-6-0x0000000000070000-0x000000000009F000-memory.dmp

Filesize
188KB

Download
memory/2292-9-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2292-8-0x0000000000070000-0x000000000009F000-memory.dmp

Filesize
188KB

Download
memory/2580-31-0x00000000000A0000-0x00000000000CF000-memory.dmp

Filesize
188KB

Download
memory/2580-29-0x0000000000020000-0x0000000000036000-memory.dmp

Filesize
88KB

Download
memory/2580-30-0x0000000000020000-0x0000000000036000-memory.dmp

Filesize
88KB

Download
memory/2672-26-0x0000000000170000-0x0000000000184000-memory.dmp

Filesize
80KB

Download
memory/2672-25-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2672-23-0x00000000008C0000-0x0000000000BC3000-memory.dmp

Filesize
3.0MB

Download
memory/2672-21-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3056-20-0x0000000074410000-0x0000000074AFE000-memory.dmp

Filesize
6.9MB

Download
memory/3056-22-0x0000000074410000-0x0000000074AFE000-memory.dmp

Filesize
6.9MB

Download
memory/3056-19-0x0000000074410000-0x0000000074AFE000-memory.dmp

Filesize
6.9MB

Download
memory/3056-11-0x0000000074410000-0x0000000074AFE000-memory.dmp

Filesize
6.9MB

Download
memory/3056-5-0x0000000000590000-0x0000000000596000-memory.dmp

Filesize
24KB

Download
memory/3056-0-0x000000007441E000-0x000000007441F000-memory.dmp

Filesize
4KB

Download
memory/3056-18-0x000000007441E000-0x000000007441F000-memory.dmp

Filesize
4KB

Download
memory/3056-4-0x0000000000570000-0x000000000058A000-memory.dmp

Filesize
104KB

Download
memory/3056-3-0x00000000046D0000-0x0000000004714000-memory.dmp

Filesize
272KB

Download
memory/3056-2-0x0000000074410000-0x0000000074AFE000-memory.dmp

Filesize
6.9MB

Download
memory/3056-1-0x0000000000C00000-0x0000000000D08000-memory.dmp

Filesize
1.0MB

Download

description	pid	process	target process
PID 3056 wrote to memory of 2292	3056	356363979-8832437294380 20241206 908376677.exe	356363979-8832437294380 20241206 908376677.exe
PID 3056 wrote to memory of 2292	3056	356363979-8832437294380 20241206 908376677.exe	356363979-8832437294380 20241206 908376677.exe
PID 3056 wrote to memory of 2292	3056	356363979-8832437294380 20241206 908376677.exe	356363979-8832437294380 20241206 908376677.exe
PID 3056 wrote to memory of 2292	3056	356363979-8832437294380 20241206 908376677.exe	356363979-8832437294380 20241206 908376677.exe
PID 3056 wrote to memory of 2292	3056	356363979-8832437294380 20241206 908376677.exe	356363979-8832437294380 20241206 908376677.exe
PID 3056 wrote to memory of 2292	3056	356363979-8832437294380 20241206 908376677.exe	356363979-8832437294380 20241206 908376677.exe
PID 3056 wrote to memory of 2292	3056	356363979-8832437294380 20241206 908376677.exe	356363979-8832437294380 20241206 908376677.exe
PID 3056 wrote to memory of 2672	3056	356363979-8832437294380 20241206 908376677.exe	356363979-8832437294380 20241206 908376677.exe
PID 3056 wrote to memory of 2672	3056	356363979-8832437294380 20241206 908376677.exe	356363979-8832437294380 20241206 908376677.exe
PID 3056 wrote to memory of 2672	3056	356363979-8832437294380 20241206 908376677.exe	356363979-8832437294380 20241206 908376677.exe
PID 3056 wrote to memory of 2672	3056	356363979-8832437294380 20241206 908376677.exe	356363979-8832437294380 20241206 908376677.exe
PID 3056 wrote to memory of 2672	3056	356363979-8832437294380 20241206 908376677.exe	356363979-8832437294380 20241206 908376677.exe
PID 3056 wrote to memory of 2672	3056	356363979-8832437294380 20241206 908376677.exe	356363979-8832437294380 20241206 908376677.exe
PID 3056 wrote to memory of 2672	3056	356363979-8832437294380 20241206 908376677.exe	356363979-8832437294380 20241206 908376677.exe
PID 1196 wrote to memory of 2580	1196	Explorer.EXE	wlanext.exe
PID 1196 wrote to memory of 2580	1196	Explorer.EXE	wlanext.exe
PID 1196 wrote to memory of 2580	1196	Explorer.EXE	wlanext.exe
PID 1196 wrote to memory of 2580	1196	Explorer.EXE	wlanext.exe
PID 2580 wrote to memory of 1592	2580	wlanext.exe	cmd.exe
PID 2580 wrote to memory of 1592	2580	wlanext.exe	cmd.exe
PID 2580 wrote to memory of 1592	2580	wlanext.exe	cmd.exe
PID 2580 wrote to memory of 1592	2580	wlanext.exe	cmd.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads