formbook | 780c4d3a33c89cd911190c17d7ba3ad69e5ddc66396762e4bef8ff67bd45b7b5

Analysis

max time kernel
145s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 06:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lhDCR5RvXwLbWQu.exe
Size

903KB
MD5

66bbfd82c0b1bdd60dca1d71945b42c2
SHA1

467d4125a380f1672983c51f1a4706f039b890af
SHA256

780c4d3a33c89cd911190c17d7ba3ad69e5ddc66396762e4bef8ff67bd45b7b5
SHA512

ca85a5e898139ad5e437a66c99baee9c8408773a214d37df02bad4388f8d5ab30cb240985b8869c1e36d971c9615da236e90de20d3a3e091b13caded01fa2bbf
SSDEEP

12288:4SiJkBoxXIFykQzrAVZK3B6xNYUCSPGnsV9nJyJ+XwrwILkz4ZTyrhbjjq5jCkj4:37wWg4NtCSPGGkUNW2rJjq5uM4

Score

10^/10

formbook dy13 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dy13

Decoy

manga-house.com

kjsdhklssk51.xyz

b0ba138.xyz

bt365033.com

ccbsinc.net

mrwine.xyz

nrxkrd527o.xyz

hoshi.social

1912ai.com

serco2020.com

byfchfyr.xyz

imuschestvostorgov.online

austinheafey.com

mrdfa.club

883106.photos

profitablefxmarkets.com

taini00.net

brye.top

ginsm.com

sportglid.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3508-13-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3508-18-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3508-22-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4452-27-0x0000000000260000-0x000000000028F000-memory.dmp	formbook

Suspicious use of SetThreadContext 4 IoCs

Processes:

lhDCR5RvXwLbWQu.exelhDCR5RvXwLbWQu.execscript.exe

description	pid	process	target process
PID 1828 set thread context of 3508	1828	lhDCR5RvXwLbWQu.exe	lhDCR5RvXwLbWQu.exe
PID 3508 set thread context of 3520	3508	lhDCR5RvXwLbWQu.exe	Explorer.EXE
PID 3508 set thread context of 3520	3508	lhDCR5RvXwLbWQu.exe	Explorer.EXE
PID 4452 set thread context of 3520	4452	cscript.exe	Explorer.EXE

Modifies registry class 2 IoCs

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

lhDCR5RvXwLbWQu.exelhDCR5RvXwLbWQu.execscript.exe

pid	process
1828	lhDCR5RvXwLbWQu.exe
1828	lhDCR5RvXwLbWQu.exe
1828	lhDCR5RvXwLbWQu.exe
1828	lhDCR5RvXwLbWQu.exe
1828	lhDCR5RvXwLbWQu.exe
1828	lhDCR5RvXwLbWQu.exe
3508	lhDCR5RvXwLbWQu.exe
3508	lhDCR5RvXwLbWQu.exe
3508	lhDCR5RvXwLbWQu.exe
3508	lhDCR5RvXwLbWQu.exe
3508	lhDCR5RvXwLbWQu.exe
3508	lhDCR5RvXwLbWQu.exe
4452	cscript.exe
4452	cscript.exe
4452	cscript.exe
4452	cscript.exe
4452	cscript.exe
4452	cscript.exe
4452	cscript.exe
4452	cscript.exe
4452	cscript.exe
4452	cscript.exe
4452	cscript.exe
4452	cscript.exe
4452	cscript.exe
4452	cscript.exe
4452	cscript.exe
4452	cscript.exe
4452	cscript.exe
4452	cscript.exe
4452	cscript.exe
4452	cscript.exe
4452	cscript.exe
4452	cscript.exe
4452	cscript.exe
4452	cscript.exe
4452	cscript.exe
4452	cscript.exe
4452	cscript.exe
4452	cscript.exe
4452	cscript.exe
4452	cscript.exe
4452	cscript.exe
4452	cscript.exe
4452	cscript.exe
4452	cscript.exe
4452	cscript.exe
4452	cscript.exe
4452	cscript.exe
4452	cscript.exe
4452	cscript.exe
4452	cscript.exe
4452	cscript.exe
4452	cscript.exe
4452	cscript.exe
4452	cscript.exe
4452	cscript.exe
4452	cscript.exe
4452	cscript.exe
4452	cscript.exe
4452	cscript.exe
4452	cscript.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

lhDCR5RvXwLbWQu.execscript.exe

pid process

3508 lhDCR5RvXwLbWQu.exe
3508 lhDCR5RvXwLbWQu.exe
3508 lhDCR5RvXwLbWQu.exe
3508 lhDCR5RvXwLbWQu.exe
4452 cscript.exe
4452 cscript.exe

pid	process
3508	lhDCR5RvXwLbWQu.exe
3508	lhDCR5RvXwLbWQu.exe
3508	lhDCR5RvXwLbWQu.exe
3508	lhDCR5RvXwLbWQu.exe
4452	cscript.exe
4452	cscript.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

lhDCR5RvXwLbWQu.exelhDCR5RvXwLbWQu.execscript.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1828	lhDCR5RvXwLbWQu.exe
Token: SeDebugPrivilege	3508	lhDCR5RvXwLbWQu.exe
Token: SeDebugPrivilege	4452	cscript.exe
Token: SeShutdownPrivilege	3520	Explorer.EXE
Token: SeCreatePagefilePrivilege	3520	Explorer.EXE
Token: SeShutdownPrivilege	3520	Explorer.EXE
Token: SeCreatePagefilePrivilege	3520	Explorer.EXE
Token: SeShutdownPrivilege	3520	Explorer.EXE
Token: SeCreatePagefilePrivilege	3520	Explorer.EXE
Token: SeShutdownPrivilege	3520	Explorer.EXE
Token: SeCreatePagefilePrivilege	3520	Explorer.EXE
Token: SeShutdownPrivilege	3520	Explorer.EXE
Token: SeCreatePagefilePrivilege	3520	Explorer.EXE
Token: SeShutdownPrivilege	3520	Explorer.EXE
Token: SeCreatePagefilePrivilege	3520	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3520 Explorer.EXE

pid	process
3520	Explorer.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

lhDCR5RvXwLbWQu.exeExplorer.EXEcscript.exe

description	pid	process	target process
PID 1828 wrote to memory of 4060	1828	lhDCR5RvXwLbWQu.exe	lhDCR5RvXwLbWQu.exe
PID 1828 wrote to memory of 4060	1828	lhDCR5RvXwLbWQu.exe	lhDCR5RvXwLbWQu.exe
PID 1828 wrote to memory of 4060	1828	lhDCR5RvXwLbWQu.exe	lhDCR5RvXwLbWQu.exe
PID 1828 wrote to memory of 2356	1828	lhDCR5RvXwLbWQu.exe	lhDCR5RvXwLbWQu.exe
PID 1828 wrote to memory of 2356	1828	lhDCR5RvXwLbWQu.exe	lhDCR5RvXwLbWQu.exe
PID 1828 wrote to memory of 2356	1828	lhDCR5RvXwLbWQu.exe	lhDCR5RvXwLbWQu.exe
PID 1828 wrote to memory of 2116	1828	lhDCR5RvXwLbWQu.exe	lhDCR5RvXwLbWQu.exe
PID 1828 wrote to memory of 2116	1828	lhDCR5RvXwLbWQu.exe	lhDCR5RvXwLbWQu.exe
PID 1828 wrote to memory of 2116	1828	lhDCR5RvXwLbWQu.exe	lhDCR5RvXwLbWQu.exe
PID 1828 wrote to memory of 3508	1828	lhDCR5RvXwLbWQu.exe	lhDCR5RvXwLbWQu.exe
PID 1828 wrote to memory of 3508	1828	lhDCR5RvXwLbWQu.exe	lhDCR5RvXwLbWQu.exe
PID 1828 wrote to memory of 3508	1828	lhDCR5RvXwLbWQu.exe	lhDCR5RvXwLbWQu.exe
PID 1828 wrote to memory of 3508	1828	lhDCR5RvXwLbWQu.exe	lhDCR5RvXwLbWQu.exe
PID 1828 wrote to memory of 3508	1828	lhDCR5RvXwLbWQu.exe	lhDCR5RvXwLbWQu.exe
PID 1828 wrote to memory of 3508	1828	lhDCR5RvXwLbWQu.exe	lhDCR5RvXwLbWQu.exe
PID 3520 wrote to memory of 4452	3520	Explorer.EXE	cscript.exe
PID 3520 wrote to memory of 4452	3520	Explorer.EXE	cscript.exe
PID 3520 wrote to memory of 4452	3520	Explorer.EXE	cscript.exe
PID 4452 wrote to memory of 3252	4452	cscript.exe	cmd.exe
PID 4452 wrote to memory of 3252	4452	cscript.exe	cmd.exe
PID 4452 wrote to memory of 3252	4452	cscript.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3520

C:\Users\Admin\AppData\Local\Temp\lhDCR5RvXwLbWQu.exe
"C:\Users\Admin\AppData\Local\Temp\lhDCR5RvXwLbWQu.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1828

C:\Users\Admin\AppData\Local\Temp\lhDCR5RvXwLbWQu.exe
"C:\Users\Admin\AppData\Local\Temp\lhDCR5RvXwLbWQu.exe"
3⤵
PID:4060

C:\Users\Admin\AppData\Local\Temp\lhDCR5RvXwLbWQu.exe
"C:\Users\Admin\AppData\Local\Temp\lhDCR5RvXwLbWQu.exe"
3⤵
PID:2356

C:\Users\Admin\AppData\Local\Temp\lhDCR5RvXwLbWQu.exe
"C:\Users\Admin\AppData\Local\Temp\lhDCR5RvXwLbWQu.exe"
3⤵
PID:2116

C:\Users\Admin\AppData\Local\Temp\lhDCR5RvXwLbWQu.exe
"C:\Users\Admin\AppData\Local\Temp\lhDCR5RvXwLbWQu.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3508

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1012

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1876

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:2992

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1744

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:3784

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4452

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\lhDCR5RvXwLbWQu.exe"
3⤵
PID:3252

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1828-15-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download
memory/1828-2-0x0000000005370000-0x0000000005914000-memory.dmp

Filesize
5.6MB

Download
memory/1828-0-0x00000000752AE000-0x00000000752AF000-memory.dmp

Filesize
4KB

Download
memory/1828-3-0x0000000004CD0000-0x0000000004D62000-memory.dmp

Filesize
584KB

Download
memory/1828-4-0x0000000004C80000-0x0000000004C8A000-memory.dmp

Filesize
40KB

Download
memory/1828-5-0x0000000004FC0000-0x000000000505C000-memory.dmp

Filesize
624KB

Download
memory/1828-6-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download
memory/1828-7-0x0000000005E50000-0x000000000637C000-memory.dmp

Filesize
5.2MB

Download
memory/1828-8-0x0000000004F90000-0x0000000004FA2000-memory.dmp

Filesize
72KB

Download
memory/1828-9-0x0000000004FB0000-0x0000000004FB8000-memory.dmp

Filesize
32KB

Download
memory/1828-10-0x00000000050E0000-0x00000000050EC000-memory.dmp

Filesize
48KB

Download
memory/1828-11-0x00000000088C0000-0x0000000008944000-memory.dmp

Filesize
528KB

Download
memory/1828-12-0x0000000008DC0000-0x0000000008E36000-memory.dmp

Filesize
472KB

Download
memory/1828-1-0x0000000000190000-0x0000000000278000-memory.dmp

Filesize
928KB

Download
memory/3508-13-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3508-16-0x00000000012B0000-0x00000000015FA000-memory.dmp

Filesize
3.3MB

Download
memory/3508-19-0x0000000001240000-0x0000000001255000-memory.dmp

Filesize
84KB

Download
memory/3508-23-0x0000000001700000-0x0000000001715000-memory.dmp

Filesize
84KB

Download
memory/3508-18-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3508-22-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3520-20-0x0000000008380000-0x00000000084C1000-memory.dmp

Filesize
1.3MB

Download
memory/3520-35-0x0000000002770000-0x0000000002853000-memory.dmp

Filesize
908KB

Download
memory/3520-28-0x0000000008380000-0x00000000084C1000-memory.dmp

Filesize
1.3MB

Download
memory/3520-30-0x0000000002770000-0x0000000002853000-memory.dmp

Filesize
908KB

Download
memory/3520-31-0x000000000A1D0000-0x000000000A367000-memory.dmp

Filesize
1.6MB

Download
memory/3520-32-0x0000000002770000-0x0000000002853000-memory.dmp

Filesize
908KB

Download
memory/3520-24-0x000000000A1D0000-0x000000000A367000-memory.dmp

Filesize
1.6MB

Download
memory/4452-25-0x0000000000210000-0x0000000000237000-memory.dmp

Filesize
156KB

Download
memory/4452-26-0x0000000000210000-0x0000000000237000-memory.dmp

Filesize
156KB

Download
memory/4452-27-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download