formbook | e44f2c56314148dfe7f8e8ca016fd689f8fb72029a4c06b9020a322ba6ed1896

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
24-06-2024 11:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Purchase Order List.xls.exe
Size

448KB
MD5

7e35e387ee431ef08dfeec00552a6006
SHA1

3d67672311c989e58c18df87b92e671cc5100360
SHA256

e44f2c56314148dfe7f8e8ca016fd689f8fb72029a4c06b9020a322ba6ed1896
SHA512

de755174a1cd65c46b8969ea14044c06282ef8748ffc92b08d9130571b241a786618b91196b30354b85f5d2815a56c5fe246e9bc753be35e9d7122db8a1c8299
SSDEEP

6144:7Q3klTByZJvq7I3kv61Gn8UOFP0hEtUfv8AQDLv8mex0D9av1osh:s3YTEZJvqbOC8m688A4Err

Score

10^/10

formbook 45er rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

45er

Decoy

depotpulsa.com

k2bilbao.online

bb4uoficial.com

rwc666.club

us-pservice.cyou

tricegottreats.com

zsystems.pro

qudouyin6.com

sfumaturedamore.net

pcetyy.icu

notbokin.online

beqprod.tech

flipbuilding.com

errormitigationzoo.com

zj5u603.xyz

jezzatravel.com

zmdniavysyi.shop

quinnsteele.com

522334.com

outdoorshopping.net

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/724-27-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/724-32-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4040-68-0x0000000001000000-0x000000000102F000-memory.dmp	formbook

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

48 4040 rundll32.exe

flow	pid	process
48	4040	rundll32.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Purchase Order List.xls.exeRegAsm.exerundll32.exe

description	pid	process	target process
PID 1428 set thread context of 724	1428	Purchase Order List.xls.exe	RegAsm.exe
PID 724 set thread context of 3524	724	RegAsm.exe	Explorer.EXE
PID 4040 set thread context of 3524	4040	rundll32.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Powershell.exeRegAsm.exerundll32.exe

pid	process
4828	Powershell.exe
4828	Powershell.exe
724	RegAsm.exe
724	RegAsm.exe
724	RegAsm.exe
724	RegAsm.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe
4040	rundll32.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

RegAsm.exerundll32.exe

pid process

724 RegAsm.exe
724 RegAsm.exe
724 RegAsm.exe
4040 rundll32.exe
4040 rundll32.exe

pid	process
724	RegAsm.exe
724	RegAsm.exe
724	RegAsm.exe
4040	rundll32.exe
4040	rundll32.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

Powershell.exeRegAsm.exeExplorer.EXErundll32.exe

description	pid	process
Token: SeDebugPrivilege	4828	Powershell.exe
Token: SeDebugPrivilege	724	RegAsm.exe
Token: SeShutdownPrivilege	3524	Explorer.EXE
Token: SeCreatePagefilePrivilege	3524	Explorer.EXE
Token: SeDebugPrivilege	4040	rundll32.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3524 Explorer.EXE

pid	process
3524	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Purchase Order List.xls.exeExplorer.EXErundll32.exe

description	pid	process	target process
PID 1428 wrote to memory of 4828	1428	Purchase Order List.xls.exe	Powershell.exe
PID 1428 wrote to memory of 4828	1428	Purchase Order List.xls.exe	Powershell.exe
PID 1428 wrote to memory of 4828	1428	Purchase Order List.xls.exe	Powershell.exe
PID 1428 wrote to memory of 724	1428	Purchase Order List.xls.exe	RegAsm.exe
PID 1428 wrote to memory of 724	1428	Purchase Order List.xls.exe	RegAsm.exe
PID 1428 wrote to memory of 724	1428	Purchase Order List.xls.exe	RegAsm.exe
PID 1428 wrote to memory of 724	1428	Purchase Order List.xls.exe	RegAsm.exe
PID 1428 wrote to memory of 724	1428	Purchase Order List.xls.exe	RegAsm.exe
PID 1428 wrote to memory of 724	1428	Purchase Order List.xls.exe	RegAsm.exe
PID 3524 wrote to memory of 4040	3524	Explorer.EXE	rundll32.exe
PID 3524 wrote to memory of 4040	3524	Explorer.EXE	rundll32.exe
PID 3524 wrote to memory of 4040	3524	Explorer.EXE	rundll32.exe
PID 4040 wrote to memory of 2900	4040	rundll32.exe	cmd.exe
PID 4040 wrote to memory of 2900	4040	rundll32.exe	cmd.exe
PID 4040 wrote to memory of 2900	4040	rundll32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3524

C:\Users\Admin\AppData\Local\Temp\Purchase Order List.xls.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order List.xls.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1428

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
"Powershell.exe" 東б屁एचтぎ儿ト丽-東б屁एचтぎ儿ト丽E東б屁एचтぎ儿ト丽x東б屁एचтぎ儿ト丽e東б屁एचтぎ儿ト丽c東б屁एचтぎ儿ト丽u東б屁एचтぎ儿ト丽t東б屁एचтぎ儿ト丽i東б屁एचтぎ儿ト丽o東б屁एचтぎ儿ト丽n東б屁एचтぎ儿ト丽P東б屁एचтぎ儿ト丽o東б屁एचтぎ儿ト丽l東б屁एचтぎ儿ト丽i東б屁एचтぎ儿ト丽c東б屁एचтぎ儿ト丽y東б屁एचтぎ儿ト丽東б屁एचтぎ儿ト丽B東б屁एचтぎ儿ト丽y東б屁एचтぎ儿ト丽p東б屁एचтぎ儿ト丽a東б屁एचтぎ儿ト丽s東б屁एचтぎ儿ト丽s東б屁एचтぎ儿ト丽東б屁एचтぎ儿ト丽-東б屁एचтぎ儿ト丽c東б屁एचтぎ儿ト丽o東б屁एचтぎ儿ト丽m東б屁एचтぎ儿ト丽m東б屁एचтぎ儿ト丽a東б屁एचтぎ儿ト丽n東б屁एचтぎ儿ト丽d 東б屁एचтぎ儿トC東б屁एचтぎ儿トo東б屁एचтぎ儿トp東б屁एचтぎ儿トy東б屁एचтぎ儿ト-東б屁एचтぎ儿トI東б屁एचтぎ儿トt東б屁एचтぎ儿トe東б屁एचтぎ儿トm 'C:\Users\Admin\AppData\Local\Temp\Purchase Order List.xls.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\command-line.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:724

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:3952

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4040

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2900

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3gasrdbe.3z0.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/724-30-0x0000000002DC0000-0x000000000310A000-memory.dmp

Filesize
3.3MB

Download
memory/724-33-0x0000000002D50000-0x0000000002D64000-memory.dmp

Filesize
80KB

Download
memory/724-27-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/724-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1428-5-0x00000000056F0000-0x000000000578C000-memory.dmp

Filesize
624KB

Download
memory/1428-4-0x0000000005510000-0x0000000005556000-memory.dmp

Filesize
280KB

Download
memory/1428-1-0x0000000000AB0000-0x0000000000B26000-memory.dmp

Filesize
472KB

Download
memory/1428-2-0x0000000005AC0000-0x0000000006064000-memory.dmp

Filesize
5.6MB

Download
memory/1428-26-0x0000000005650000-0x000000000565A000-memory.dmp

Filesize
40KB

Download
memory/1428-25-0x0000000005660000-0x000000000566A000-memory.dmp

Filesize
40KB

Download
memory/1428-3-0x00000000055B0000-0x0000000005642000-memory.dmp

Filesize
584KB

Download
memory/1428-36-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/1428-6-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/1428-0-0x000000007484E000-0x000000007484F000-memory.dmp

Filesize
4KB

Download
memory/3524-34-0x0000000003040000-0x000000000310D000-memory.dmp

Filesize
820KB

Download
memory/3524-70-0x0000000003040000-0x000000000310D000-memory.dmp

Filesize
820KB

Download
memory/3524-73-0x00000000090F0000-0x0000000009212000-memory.dmp

Filesize
1.1MB

Download
memory/4040-64-0x00000000002D0000-0x00000000002E4000-memory.dmp

Filesize
80KB

Download
memory/4040-67-0x00000000002D0000-0x00000000002E4000-memory.dmp

Filesize
80KB

Download
memory/4040-68-0x0000000001000000-0x000000000102F000-memory.dmp

Filesize
188KB

Download
memory/4828-29-0x0000000006900000-0x000000000694C000-memory.dmp

Filesize
304KB

Download
memory/4828-53-0x0000000007940000-0x000000000795A000-memory.dmp

Filesize
104KB

Download
memory/4828-17-0x0000000006290000-0x00000000065E4000-memory.dmp

Filesize
3.3MB

Download
memory/4828-14-0x0000000006220000-0x0000000006286000-memory.dmp

Filesize
408KB

Download
memory/4828-13-0x0000000005850000-0x00000000058B6000-memory.dmp

Filesize
408KB

Download
memory/4828-12-0x00000000057B0000-0x00000000057D2000-memory.dmp

Filesize
136KB

Download
memory/4828-37-0x000000007FC00000-0x000000007FC10000-memory.dmp

Filesize
64KB

Download
memory/4828-38-0x0000000007890000-0x00000000078C2000-memory.dmp

Filesize
200KB

Download
memory/4828-40-0x00000000053B0000-0x00000000053C0000-memory.dmp

Filesize
64KB

Download
memory/4828-39-0x000000006FE70000-0x000000006FEBC000-memory.dmp

Filesize
304KB

Download
memory/4828-50-0x0000000006E80000-0x0000000006E9E000-memory.dmp

Filesize
120KB

Download
memory/4828-51-0x0000000007970000-0x0000000007A13000-memory.dmp

Filesize
652KB

Download
memory/4828-52-0x00000000082A0000-0x000000000891A000-memory.dmp

Filesize
6.5MB

Download
memory/4828-28-0x00000000068E0000-0x00000000068FE000-memory.dmp

Filesize
120KB

Download
memory/4828-54-0x0000000007C70000-0x0000000007C7A000-memory.dmp

Filesize
40KB

Download
memory/4828-55-0x0000000007E80000-0x0000000007F16000-memory.dmp

Filesize
600KB

Download
memory/4828-56-0x0000000007E00000-0x0000000007E11000-memory.dmp

Filesize
68KB

Download
memory/4828-57-0x0000000007E30000-0x0000000007E3E000-memory.dmp

Filesize
56KB

Download
memory/4828-58-0x0000000007E40000-0x0000000007E54000-memory.dmp

Filesize
80KB

Download
memory/4828-59-0x0000000007F40000-0x0000000007F5A000-memory.dmp

Filesize
104KB

Download
memory/4828-60-0x0000000007F20000-0x0000000007F28000-memory.dmp

Filesize
32KB

Download
memory/4828-63-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/4828-11-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/4828-10-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/4828-9-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/4828-8-0x00000000059F0000-0x0000000006018000-memory.dmp

Filesize
6.2MB

Download
memory/4828-7-0x0000000002F20000-0x0000000002F56000-memory.dmp

Filesize
216KB

Download