formbook | c4215902948729d99513b7969979667aca3d05d45300989448b52769163c990b

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
24-06-2024 04:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-24_fbf01e7b1520736595417ae322402ecf_hiddentear.exe
Size

699KB
MD5

fbf01e7b1520736595417ae322402ecf
SHA1

235a8c1bc504e09dc7a0d48382d45392076dada0
SHA256

c4215902948729d99513b7969979667aca3d05d45300989448b52769163c990b
SHA512

ad2d158e3c133fdb9452c753513ad7f0b2daf7fca930f55108ade37d21ab37f8d5fba31e4b7efbd4c476f504efb3a5b3ce4686cb268dc0103471deb85de4d840
SSDEEP

12288:FMzQsCZBCotU1/Em1fo2vvOTbD9ZRPHc7iNkkcJLXjpZ+KdAAkkR:FbdUEefnvsDLpcGcJLTSYAm

Score

10^/10

formbook dd20 execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dd20

Decoy

unblurd.com

docu-zign.com

randijpaulsen.com

angsabet.com

sedatelynx.com

opiumcore.store

thelordismysaviormerch.com

mindstudio.support

waterbygraceteam.com

furnitureinspiredbythesea.com

amablanca.com

hespelerdental.com

arcalid.net

balajinursingbureau.online

caixias.shop

solingen-buergerstiftung.com

194916.top

6travel-insurance.xyz

xn--fiqp9b17y.xn--czr694b

syntixi.trade

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Detects executables packed with SmartAssembly 1 IoCs

Processes:

resource yara_rule

behavioral2/memory/4808-9-0x0000000005100000-0x000000000510C000-memory.dmp INDICATOR_EXE_Packed_SmartAssembly

resource	yara_rule
behavioral2/memory/4808-9-0x0000000005100000-0x000000000510C000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2208-44-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2208-88-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4440-91-0x0000000000930000-0x000000000095F000-memory.dmp	formbook

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

4904 powershell.exe
3744 powershell.exe
3744 powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

2024-06-24_fbf01e7b1520736595417ae322402ecf_hiddentear.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation 2024-06-24_fbf01e7b1520736595417ae322402ecf_hiddentear.exe

pid	process
4904	powershell.exe
3744	powershell.exe
3744	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	2024-06-24_fbf01e7b1520736595417ae322402ecf_hiddentear.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

2024-06-24_fbf01e7b1520736595417ae322402ecf_hiddentear.exeRegSvcs.exewlanext.exe

description	pid	process	target process
PID 4808 set thread context of 2208	4808	2024-06-24_fbf01e7b1520736595417ae322402ecf_hiddentear.exe	RegSvcs.exe
PID 2208 set thread context of 3364	2208	RegSvcs.exe	Explorer.EXE
PID 2208 set thread context of 3364	2208	RegSvcs.exe	Explorer.EXE
PID 4440 set thread context of 3364	4440	wlanext.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

4756 schtasks.exe

pid	process
4756	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-06-24_fbf01e7b1520736595417ae322402ecf_hiddentear.exepowershell.exepowershell.exeRegSvcs.exewlanext.exe

pid	process
4808	2024-06-24_fbf01e7b1520736595417ae322402ecf_hiddentear.exe
4808	2024-06-24_fbf01e7b1520736595417ae322402ecf_hiddentear.exe
3744	powershell.exe
3744	powershell.exe
4904	powershell.exe
4904	powershell.exe
4808	2024-06-24_fbf01e7b1520736595417ae322402ecf_hiddentear.exe
4808	2024-06-24_fbf01e7b1520736595417ae322402ecf_hiddentear.exe
3744	powershell.exe
2208	RegSvcs.exe
2208	RegSvcs.exe
2208	RegSvcs.exe
2208	RegSvcs.exe
4904	powershell.exe
2208	RegSvcs.exe
2208	RegSvcs.exe
4440	wlanext.exe
4440	wlanext.exe
4440	wlanext.exe
4440	wlanext.exe
4440	wlanext.exe
4440	wlanext.exe
4440	wlanext.exe
4440	wlanext.exe
4440	wlanext.exe
4440	wlanext.exe
4440	wlanext.exe
4440	wlanext.exe
4440	wlanext.exe
4440	wlanext.exe
4440	wlanext.exe
4440	wlanext.exe
4440	wlanext.exe
4440	wlanext.exe
4440	wlanext.exe
4440	wlanext.exe
4440	wlanext.exe
4440	wlanext.exe
4440	wlanext.exe
4440	wlanext.exe
4440	wlanext.exe
4440	wlanext.exe
4440	wlanext.exe
4440	wlanext.exe
4440	wlanext.exe
4440	wlanext.exe
4440	wlanext.exe
4440	wlanext.exe
4440	wlanext.exe
4440	wlanext.exe
4440	wlanext.exe
4440	wlanext.exe
4440	wlanext.exe
4440	wlanext.exe
4440	wlanext.exe
4440	wlanext.exe
4440	wlanext.exe
4440	wlanext.exe
4440	wlanext.exe
4440	wlanext.exe
4440	wlanext.exe
4440	wlanext.exe
4440	wlanext.exe
4440	wlanext.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

RegSvcs.exewlanext.exe

pid process

2208 RegSvcs.exe
2208 RegSvcs.exe
2208 RegSvcs.exe
2208 RegSvcs.exe
4440 wlanext.exe
4440 wlanext.exe

pid	process
2208	RegSvcs.exe
2208	RegSvcs.exe
2208	RegSvcs.exe
2208	RegSvcs.exe
4440	wlanext.exe
4440	wlanext.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

2024-06-24_fbf01e7b1520736595417ae322402ecf_hiddentear.exepowershell.exepowershell.exeRegSvcs.exeExplorer.EXEwlanext.exe

description	pid	process
Token: SeDebugPrivilege	4808	2024-06-24_fbf01e7b1520736595417ae322402ecf_hiddentear.exe
Token: SeDebugPrivilege	3744	powershell.exe
Token: SeDebugPrivilege	4904	powershell.exe
Token: SeDebugPrivilege	2208	RegSvcs.exe
Token: SeShutdownPrivilege	3364	Explorer.EXE
Token: SeCreatePagefilePrivilege	3364	Explorer.EXE
Token: SeShutdownPrivilege	3364	Explorer.EXE
Token: SeCreatePagefilePrivilege	3364	Explorer.EXE
Token: SeDebugPrivilege	4440	wlanext.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3364 Explorer.EXE

pid	process
3364	Explorer.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

2024-06-24_fbf01e7b1520736595417ae322402ecf_hiddentear.exeRegSvcs.exewlanext.exe

description	pid	process	target process
PID 4808 wrote to memory of 3744	4808	2024-06-24_fbf01e7b1520736595417ae322402ecf_hiddentear.exe	powershell.exe
PID 4808 wrote to memory of 3744	4808	2024-06-24_fbf01e7b1520736595417ae322402ecf_hiddentear.exe	powershell.exe
PID 4808 wrote to memory of 3744	4808	2024-06-24_fbf01e7b1520736595417ae322402ecf_hiddentear.exe	powershell.exe
PID 4808 wrote to memory of 4904	4808	2024-06-24_fbf01e7b1520736595417ae322402ecf_hiddentear.exe	powershell.exe
PID 4808 wrote to memory of 4904	4808	2024-06-24_fbf01e7b1520736595417ae322402ecf_hiddentear.exe	powershell.exe
PID 4808 wrote to memory of 4904	4808	2024-06-24_fbf01e7b1520736595417ae322402ecf_hiddentear.exe	powershell.exe
PID 4808 wrote to memory of 4756	4808	2024-06-24_fbf01e7b1520736595417ae322402ecf_hiddentear.exe	schtasks.exe
PID 4808 wrote to memory of 4756	4808	2024-06-24_fbf01e7b1520736595417ae322402ecf_hiddentear.exe	schtasks.exe
PID 4808 wrote to memory of 4756	4808	2024-06-24_fbf01e7b1520736595417ae322402ecf_hiddentear.exe	schtasks.exe
PID 4808 wrote to memory of 2208	4808	2024-06-24_fbf01e7b1520736595417ae322402ecf_hiddentear.exe	RegSvcs.exe
PID 4808 wrote to memory of 2208	4808	2024-06-24_fbf01e7b1520736595417ae322402ecf_hiddentear.exe	RegSvcs.exe
PID 4808 wrote to memory of 2208	4808	2024-06-24_fbf01e7b1520736595417ae322402ecf_hiddentear.exe	RegSvcs.exe
PID 4808 wrote to memory of 2208	4808	2024-06-24_fbf01e7b1520736595417ae322402ecf_hiddentear.exe	RegSvcs.exe
PID 4808 wrote to memory of 2208	4808	2024-06-24_fbf01e7b1520736595417ae322402ecf_hiddentear.exe	RegSvcs.exe
PID 4808 wrote to memory of 2208	4808	2024-06-24_fbf01e7b1520736595417ae322402ecf_hiddentear.exe	RegSvcs.exe
PID 2208 wrote to memory of 4440	2208	RegSvcs.exe	wlanext.exe
PID 2208 wrote to memory of 4440	2208	RegSvcs.exe	wlanext.exe
PID 2208 wrote to memory of 4440	2208	RegSvcs.exe	wlanext.exe
PID 4440 wrote to memory of 2064	4440	wlanext.exe	cmd.exe
PID 4440 wrote to memory of 2064	4440	wlanext.exe	cmd.exe
PID 4440 wrote to memory of 2064	4440	wlanext.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3364

C:\Users\Admin\AppData\Local\Temp\2024-06-24_fbf01e7b1520736595417ae322402ecf_hiddentear.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-24_fbf01e7b1520736595417ae322402ecf_hiddentear.exe"
2⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4808

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2024-06-24_fbf01e7b1520736595417ae322402ecf_hiddentear.exe"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3744

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\VsAqHSKubQRZuY.exe"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4904

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VsAqHSKubQRZuY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp79F3.tmp"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:4756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4440

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
5⤵
PID:2064

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
489830bd05cc51da9f8f5bfd5360df28

SHA1
885d7586e5d8fc33e12e2f785012540832dc135d

SHA256
ba517eb01e31a922f28a49f335243d62cc43cfe3de4fba5c5d6b4452fbc56efa

SHA512
b39287745dfdb260c3cc7f37a814e8bdbe8fd055e9411a900b5077b4676ed05b1771dc35b1cb6363516e508515d530c37ae37262ed7482689dac58ebe679cceb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xjcb0czq.2o4.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp79F3.tmp
Filesize
1KB

MD5
a9b5bd935d722cb88935cca8f8f80113

SHA1
4e6b90645415a2d685cfe253226c5ad66560ecf8

SHA256
a304549d66d3bc5a64ac1bbe32bccf0208bc70649b76678bfe2e92ca5465389d

SHA512
1008e59474534e435467067d5cd5e88da15a21135680305dcbf909c4ccd78f56d7797fc34fdb8853a50b1e9c43f50fd7385118d774b05ba58b1070497534024b

Download Submit
memory/2208-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2208-44-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3364-93-0x000000000AFB0000-0x000000000B0D2000-memory.dmp

Filesize
1.1MB

Download
memory/3744-20-0x00000000052E0000-0x0000000005302000-memory.dmp

Filesize
136KB

Download
memory/3744-22-0x0000000005A80000-0x0000000005AE6000-memory.dmp

Filesize
408KB

Download
memory/3744-75-0x0000000007640000-0x000000000764A000-memory.dmp

Filesize
40KB

Download
memory/3744-65-0x0000000007C10000-0x000000000828A000-memory.dmp

Filesize
6.5MB

Download
memory/3744-74-0x00000000075D0000-0x00000000075EA000-memory.dmp

Filesize
104KB

Download
memory/3744-16-0x00000000029B0000-0x00000000029E6000-memory.dmp

Filesize
216KB

Download
memory/3744-17-0x0000000074BE0000-0x0000000075390000-memory.dmp

Filesize
7.7MB

Download
memory/3744-18-0x0000000005450000-0x0000000005A78000-memory.dmp

Filesize
6.2MB

Download
memory/3744-19-0x0000000074BE0000-0x0000000075390000-memory.dmp

Filesize
7.7MB

Download
memory/3744-51-0x0000000075490000-0x00000000754DC000-memory.dmp

Filesize
304KB

Download
memory/3744-23-0x0000000074BE0000-0x0000000075390000-memory.dmp

Filesize
7.7MB

Download
memory/3744-50-0x00000000072A0000-0x00000000072D2000-memory.dmp

Filesize
200KB

Download
memory/3744-21-0x0000000005380000-0x00000000053E6000-memory.dmp

Filesize
408KB

Download
memory/3744-49-0x0000000006820000-0x000000000686C000-memory.dmp

Filesize
304KB

Download
memory/3744-61-0x0000000006870000-0x000000000688E000-memory.dmp

Filesize
120KB

Download
memory/3744-34-0x0000000005C70000-0x0000000005FC4000-memory.dmp

Filesize
3.3MB

Download
memory/3744-87-0x0000000074BE0000-0x0000000075390000-memory.dmp

Filesize
7.7MB

Download
memory/3744-62-0x00000000072E0000-0x0000000007383000-memory.dmp

Filesize
652KB

Download
memory/3744-48-0x00000000061A0000-0x00000000061BE000-memory.dmp

Filesize
120KB

Download
memory/4440-90-0x00000000004F0000-0x0000000000507000-memory.dmp

Filesize
92KB

Download
memory/4440-91-0x0000000000930000-0x000000000095F000-memory.dmp

Filesize
188KB

Download
memory/4440-89-0x00000000004F0000-0x0000000000507000-memory.dmp

Filesize
92KB

Download
memory/4808-46-0x0000000074BE0000-0x0000000075390000-memory.dmp

Filesize
7.7MB

Download
memory/4808-7-0x00000000050D0000-0x00000000050E2000-memory.dmp

Filesize
72KB

Download
memory/4808-11-0x00000000060C0000-0x000000000615C000-memory.dmp

Filesize
624KB

Download
memory/4808-10-0x0000000005F30000-0x0000000005FA6000-memory.dmp

Filesize
472KB

Download
memory/4808-1-0x0000000000080000-0x0000000000132000-memory.dmp

Filesize
712KB

Download
memory/4808-9-0x0000000005100000-0x000000000510C000-memory.dmp

Filesize
48KB

Download
memory/4808-2-0x0000000004AE0000-0x0000000004B72000-memory.dmp

Filesize
584KB

Download
memory/4808-3-0x0000000005130000-0x00000000056D4000-memory.dmp

Filesize
5.6MB

Download
memory/4808-5-0x0000000074BE0000-0x0000000075390000-memory.dmp

Filesize
7.7MB

Download
memory/4808-4-0x0000000004BD0000-0x0000000004BDA000-memory.dmp

Filesize
40KB

Download
memory/4808-6-0x0000000004D60000-0x0000000004DEE000-memory.dmp

Filesize
568KB

Download
memory/4808-0-0x0000000074BEE000-0x0000000074BEF000-memory.dmp

Filesize
4KB

Download
memory/4808-8-0x00000000050F0000-0x00000000050F8000-memory.dmp

Filesize
32KB

Download
memory/4904-81-0x0000000007C50000-0x0000000007C58000-memory.dmp

Filesize
32KB

Download
memory/4904-80-0x0000000007C70000-0x0000000007C8A000-memory.dmp

Filesize
104KB

Download
memory/4904-79-0x0000000007B70000-0x0000000007B84000-memory.dmp

Filesize
80KB

Download
memory/4904-78-0x0000000007B60000-0x0000000007B6E000-memory.dmp

Filesize
56KB

Download
memory/4904-77-0x0000000007B30000-0x0000000007B41000-memory.dmp

Filesize
68KB

Download
memory/4904-76-0x0000000007BB0000-0x0000000007C46000-memory.dmp

Filesize
600KB

Download
memory/4904-63-0x0000000075490000-0x00000000754DC000-memory.dmp

Filesize
304KB

Download