formbook | e44f2c56314148dfe7f8e8ca016fd689f8fb72029a4c06b9020a322ba6ed1896

Analysis

max time kernel
146s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-06-2024 01:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e44f2c56314148dfe7f8e8ca016fd689f8fb72029a4c06b9020a322ba6ed1896.exe
Size

448KB
MD5

7e35e387ee431ef08dfeec00552a6006
SHA1

3d67672311c989e58c18df87b92e671cc5100360
SHA256

e44f2c56314148dfe7f8e8ca016fd689f8fb72029a4c06b9020a322ba6ed1896
SHA512

de755174a1cd65c46b8969ea14044c06282ef8748ffc92b08d9130571b241a786618b91196b30354b85f5d2815a56c5fe246e9bc753be35e9d7122db8a1c8299
SSDEEP

6144:7Q3klTByZJvq7I3kv61Gn8UOFP0hEtUfv8AQDLv8mex0D9av1osh:s3YTEZJvqbOC8m688A4Err

Score

10^/10

formbook 45er rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

45er

Decoy

depotpulsa.com

k2bilbao.online

bb4uoficial.com

rwc666.club

us-pservice.cyou

tricegottreats.com

zsystems.pro

qudouyin6.com

sfumaturedamore.net

pcetyy.icu

notbokin.online

beqprod.tech

flipbuilding.com

errormitigationzoo.com

zj5u603.xyz

jezzatravel.com

zmdniavysyi.shop

quinnsteele.com

522334.com

outdoorshopping.net

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2640-18-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2640-24-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2464-25-0x00000000000C0000-0x00000000000EF000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

e44f2c56314148dfe7f8e8ca016fd689f8fb72029a4c06b9020a322ba6ed1896.exeRegAsm.execontrol.exe

description	pid	process	target process
PID 2196 set thread context of 2640	2196	e44f2c56314148dfe7f8e8ca016fd689f8fb72029a4c06b9020a322ba6ed1896.exe	RegAsm.exe
PID 2640 set thread context of 1224	2640	RegAsm.exe	Explorer.EXE
PID 2464 set thread context of 1224	2464	control.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

Powershell.exeRegAsm.execontrol.exe

pid	process
2520	Powershell.exe
2640	RegAsm.exe
2640	RegAsm.exe
2464	control.exe
2464	control.exe
2464	control.exe
2464	control.exe
2464	control.exe
2464	control.exe
2464	control.exe
2464	control.exe
2464	control.exe
2464	control.exe
2464	control.exe
2464	control.exe
2464	control.exe
2464	control.exe
2464	control.exe
2464	control.exe
2464	control.exe
2464	control.exe
2464	control.exe
2464	control.exe
2464	control.exe
2464	control.exe
2464	control.exe
2464	control.exe
2464	control.exe
2464	control.exe
2464	control.exe
2464	control.exe
2464	control.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

RegAsm.execontrol.exe

pid process

2640 RegAsm.exe
2640 RegAsm.exe
2640 RegAsm.exe
2464 control.exe
2464 control.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Powershell.exeRegAsm.execontrol.exe

description pid process

Token: SeDebugPrivilege 2520 Powershell.exe
Token: SeDebugPrivilege 2640 RegAsm.exe
Token: SeDebugPrivilege 2464 control.exe

pid	process
2640	RegAsm.exe
2640	RegAsm.exe
2640	RegAsm.exe
2464	control.exe
2464	control.exe

description	pid	process
Token: SeDebugPrivilege	2520	Powershell.exe
Token: SeDebugPrivilege	2640	RegAsm.exe
Token: SeDebugPrivilege	2464	control.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

e44f2c56314148dfe7f8e8ca016fd689f8fb72029a4c06b9020a322ba6ed1896.exeExplorer.EXEcontrol.exe

description	pid	process	target process
PID 2196 wrote to memory of 2520	2196	e44f2c56314148dfe7f8e8ca016fd689f8fb72029a4c06b9020a322ba6ed1896.exe	Powershell.exe
PID 2196 wrote to memory of 2520	2196	e44f2c56314148dfe7f8e8ca016fd689f8fb72029a4c06b9020a322ba6ed1896.exe	Powershell.exe
PID 2196 wrote to memory of 2520	2196	e44f2c56314148dfe7f8e8ca016fd689f8fb72029a4c06b9020a322ba6ed1896.exe	Powershell.exe
PID 2196 wrote to memory of 2520	2196	e44f2c56314148dfe7f8e8ca016fd689f8fb72029a4c06b9020a322ba6ed1896.exe	Powershell.exe
PID 2196 wrote to memory of 2640	2196	e44f2c56314148dfe7f8e8ca016fd689f8fb72029a4c06b9020a322ba6ed1896.exe	RegAsm.exe
PID 2196 wrote to memory of 2640	2196	e44f2c56314148dfe7f8e8ca016fd689f8fb72029a4c06b9020a322ba6ed1896.exe	RegAsm.exe
PID 2196 wrote to memory of 2640	2196	e44f2c56314148dfe7f8e8ca016fd689f8fb72029a4c06b9020a322ba6ed1896.exe	RegAsm.exe
PID 2196 wrote to memory of 2640	2196	e44f2c56314148dfe7f8e8ca016fd689f8fb72029a4c06b9020a322ba6ed1896.exe	RegAsm.exe
PID 2196 wrote to memory of 2640	2196	e44f2c56314148dfe7f8e8ca016fd689f8fb72029a4c06b9020a322ba6ed1896.exe	RegAsm.exe
PID 2196 wrote to memory of 2640	2196	e44f2c56314148dfe7f8e8ca016fd689f8fb72029a4c06b9020a322ba6ed1896.exe	RegAsm.exe
PID 2196 wrote to memory of 2640	2196	e44f2c56314148dfe7f8e8ca016fd689f8fb72029a4c06b9020a322ba6ed1896.exe	RegAsm.exe
PID 2196 wrote to memory of 2640	2196	e44f2c56314148dfe7f8e8ca016fd689f8fb72029a4c06b9020a322ba6ed1896.exe	RegAsm.exe
PID 2196 wrote to memory of 2640	2196	e44f2c56314148dfe7f8e8ca016fd689f8fb72029a4c06b9020a322ba6ed1896.exe	RegAsm.exe
PID 2196 wrote to memory of 2640	2196	e44f2c56314148dfe7f8e8ca016fd689f8fb72029a4c06b9020a322ba6ed1896.exe	RegAsm.exe
PID 1224 wrote to memory of 2464	1224	Explorer.EXE	control.exe
PID 1224 wrote to memory of 2464	1224	Explorer.EXE	control.exe
PID 1224 wrote to memory of 2464	1224	Explorer.EXE	control.exe
PID 1224 wrote to memory of 2464	1224	Explorer.EXE	control.exe
PID 2464 wrote to memory of 2936	2464	control.exe	cmd.exe
PID 2464 wrote to memory of 2936	2464	control.exe	cmd.exe
PID 2464 wrote to memory of 2936	2464	control.exe	cmd.exe
PID 2464 wrote to memory of 2936	2464	control.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1224

C:\Users\Admin\AppData\Local\Temp\e44f2c56314148dfe7f8e8ca016fd689f8fb72029a4c06b9020a322ba6ed1896.exe
"C:\Users\Admin\AppData\Local\Temp\e44f2c56314148dfe7f8e8ca016fd689f8fb72029a4c06b9020a322ba6ed1896.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2196

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
"Powershell.exe" 東б屁एचтぎ儿ト丽-東б屁एचтぎ儿ト丽E東б屁एचтぎ儿ト丽x東б屁एचтぎ儿ト丽e東б屁एचтぎ儿ト丽c東б屁एचтぎ儿ト丽u東б屁एचтぎ儿ト丽t東б屁एचтぎ儿ト丽i東б屁एचтぎ儿ト丽o東б屁एचтぎ儿ト丽n東б屁एचтぎ儿ト丽P東б屁एचтぎ儿ト丽o東б屁एचтぎ儿ト丽l東б屁एचтぎ儿ト丽i東б屁एचтぎ儿ト丽c東б屁एचтぎ儿ト丽y東б屁एचтぎ儿ト丽東б屁एचтぎ儿ト丽B東б屁एचтぎ儿ト丽y東б屁एचтぎ儿ト丽p東б屁एचтぎ儿ト丽a東б屁एचтぎ儿ト丽s東б屁एचтぎ儿ト丽s東б屁एचтぎ儿ト丽東б屁एचтぎ儿ト丽-東б屁एचтぎ儿ト丽c東б屁एचтぎ儿ト丽o東б屁एचтぎ儿ト丽m東б屁एचтぎ儿ト丽m東б屁एचтぎ儿ト丽a東б屁एचтぎ儿ト丽n東б屁एचтぎ儿ト丽d 東б屁एचтぎ儿トC東б屁एचтぎ儿トo東б屁एचтぎ儿トp東б屁एचтぎ儿トy東б屁एचтぎ儿ト-東б屁एचтぎ儿トI東б屁एचтぎ儿トt東б屁एचтぎ儿トe東б屁एचтぎ儿トm 'C:\Users\Admin\AppData\Local\Temp\e44f2c56314148dfe7f8e8ca016fd689f8fb72029a4c06b9020a322ba6ed1896.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\command-line.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2640

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2464

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2936

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1224-20-0x00000000031D0000-0x00000000032D0000-memory.dmp

Filesize
1024KB

Download
memory/2196-11-0x00000000003F0000-0x00000000003FA000-memory.dmp

Filesize
40KB

Download
memory/2196-1-0x0000000000E60000-0x0000000000ED6000-memory.dmp

Filesize
472KB

Download
memory/2196-2-0x0000000000800000-0x0000000000846000-memory.dmp

Filesize
280KB

Download
memory/2196-3-0x0000000074BD0000-0x00000000752BE000-memory.dmp

Filesize
6.9MB

Download
memory/2196-0-0x0000000074BDE000-0x0000000074BDF000-memory.dmp

Filesize
4KB

Download
memory/2196-22-0x0000000074BD0000-0x00000000752BE000-memory.dmp

Filesize
6.9MB

Download
memory/2464-25-0x00000000000C0000-0x00000000000EF000-memory.dmp

Filesize
188KB

Download
memory/2464-23-0x0000000000E10000-0x0000000000E2F000-memory.dmp

Filesize
124KB

Download
memory/2520-7-0x0000000070540000-0x0000000070AEB000-memory.dmp

Filesize
5.7MB

Download
memory/2520-21-0x0000000070540000-0x0000000070AEB000-memory.dmp

Filesize
5.7MB

Download
memory/2520-10-0x0000000070540000-0x0000000070AEB000-memory.dmp

Filesize
5.7MB

Download
memory/2520-9-0x0000000070540000-0x0000000070AEB000-memory.dmp

Filesize
5.7MB

Download
memory/2520-8-0x0000000070540000-0x0000000070AEB000-memory.dmp

Filesize
5.7MB

Download
memory/2520-6-0x0000000070541000-0x0000000070542000-memory.dmp

Filesize
4KB

Download
memory/2640-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2640-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2640-14-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2640-18-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2640-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads