formbook | e44f2c56314148dfe7f8e8ca016fd689f8fb72029a4c06b9020a322ba6ed1896

Analysis

max time kernel
148s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25-06-2024 01:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e44f2c56314148dfe7f8e8ca016fd689f8fb72029a4c06b9020a322ba6ed1896.exe
Size

448KB
MD5

7e35e387ee431ef08dfeec00552a6006
SHA1

3d67672311c989e58c18df87b92e671cc5100360
SHA256

e44f2c56314148dfe7f8e8ca016fd689f8fb72029a4c06b9020a322ba6ed1896
SHA512

de755174a1cd65c46b8969ea14044c06282ef8748ffc92b08d9130571b241a786618b91196b30354b85f5d2815a56c5fe246e9bc753be35e9d7122db8a1c8299
SSDEEP

6144:7Q3klTByZJvq7I3kv61Gn8UOFP0hEtUfv8AQDLv8mex0D9av1osh:s3YTEZJvqbOC8m688A4Err

Score

10^/10

formbook 45er rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

45er

Decoy

depotpulsa.com

k2bilbao.online

bb4uoficial.com

rwc666.club

us-pservice.cyou

tricegottreats.com

zsystems.pro

qudouyin6.com

sfumaturedamore.net

pcetyy.icu

notbokin.online

beqprod.tech

flipbuilding.com

errormitigationzoo.com

zj5u603.xyz

jezzatravel.com

zmdniavysyi.shop

quinnsteele.com

522334.com

outdoorshopping.net

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4228-28-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4228-31-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/1108-65-0x00000000005C0000-0x00000000005EF000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

e44f2c56314148dfe7f8e8ca016fd689f8fb72029a4c06b9020a322ba6ed1896.exeRegAsm.execmmon32.exe

description	pid	process	target process
PID 3412 set thread context of 4228	3412	e44f2c56314148dfe7f8e8ca016fd689f8fb72029a4c06b9020a322ba6ed1896.exe	RegAsm.exe
PID 4228 set thread context of 3536	4228	RegAsm.exe	Explorer.EXE
PID 1108 set thread context of 3536	1108	cmmon32.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Powershell.exee44f2c56314148dfe7f8e8ca016fd689f8fb72029a4c06b9020a322ba6ed1896.exeRegAsm.execmmon32.exe

pid	process
2980	Powershell.exe
2980	Powershell.exe
3412	e44f2c56314148dfe7f8e8ca016fd689f8fb72029a4c06b9020a322ba6ed1896.exe
3412	e44f2c56314148dfe7f8e8ca016fd689f8fb72029a4c06b9020a322ba6ed1896.exe
4228	RegAsm.exe
4228	RegAsm.exe
4228	RegAsm.exe
4228	RegAsm.exe
1108	cmmon32.exe
1108	cmmon32.exe
1108	cmmon32.exe
1108	cmmon32.exe
1108	cmmon32.exe
1108	cmmon32.exe
1108	cmmon32.exe
1108	cmmon32.exe
1108	cmmon32.exe
1108	cmmon32.exe
1108	cmmon32.exe
1108	cmmon32.exe
1108	cmmon32.exe
1108	cmmon32.exe
1108	cmmon32.exe
1108	cmmon32.exe
1108	cmmon32.exe
1108	cmmon32.exe
1108	cmmon32.exe
1108	cmmon32.exe
1108	cmmon32.exe
1108	cmmon32.exe
1108	cmmon32.exe
1108	cmmon32.exe
1108	cmmon32.exe
1108	cmmon32.exe
1108	cmmon32.exe
1108	cmmon32.exe
1108	cmmon32.exe
1108	cmmon32.exe
1108	cmmon32.exe
1108	cmmon32.exe
1108	cmmon32.exe
1108	cmmon32.exe
1108	cmmon32.exe
1108	cmmon32.exe
1108	cmmon32.exe
1108	cmmon32.exe
1108	cmmon32.exe
1108	cmmon32.exe
1108	cmmon32.exe
1108	cmmon32.exe
1108	cmmon32.exe
1108	cmmon32.exe
1108	cmmon32.exe
1108	cmmon32.exe
1108	cmmon32.exe
1108	cmmon32.exe
1108	cmmon32.exe
1108	cmmon32.exe
1108	cmmon32.exe
1108	cmmon32.exe
1108	cmmon32.exe
1108	cmmon32.exe
1108	cmmon32.exe
1108	cmmon32.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

RegAsm.execmmon32.exe

pid process

4228 RegAsm.exe
4228 RegAsm.exe
4228 RegAsm.exe
1108 cmmon32.exe
1108 cmmon32.exe

pid	process
4228	RegAsm.exe
4228	RegAsm.exe
4228	RegAsm.exe
1108	cmmon32.exe
1108	cmmon32.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

Powershell.exee44f2c56314148dfe7f8e8ca016fd689f8fb72029a4c06b9020a322ba6ed1896.exeRegAsm.exeExplorer.EXEcmmon32.exe

description	pid	process
Token: SeDebugPrivilege	2980	Powershell.exe
Token: SeDebugPrivilege	3412	e44f2c56314148dfe7f8e8ca016fd689f8fb72029a4c06b9020a322ba6ed1896.exe
Token: SeDebugPrivilege	4228	RegAsm.exe
Token: SeShutdownPrivilege	3536	Explorer.EXE
Token: SeCreatePagefilePrivilege	3536	Explorer.EXE
Token: SeDebugPrivilege	1108	cmmon32.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Explorer.EXE

pid process

3536 Explorer.EXE
3536 Explorer.EXE
3536 Explorer.EXE
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Explorer.EXE

pid process

3536 Explorer.EXE
3536 Explorer.EXE
3536 Explorer.EXE

pid	process
3536	Explorer.EXE
3536	Explorer.EXE
3536	Explorer.EXE

pid	process
3536	Explorer.EXE
3536	Explorer.EXE
3536	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

e44f2c56314148dfe7f8e8ca016fd689f8fb72029a4c06b9020a322ba6ed1896.exeExplorer.EXEcmmon32.exe

description	pid	process	target process
PID 3412 wrote to memory of 2980	3412	e44f2c56314148dfe7f8e8ca016fd689f8fb72029a4c06b9020a322ba6ed1896.exe	Powershell.exe
PID 3412 wrote to memory of 2980	3412	e44f2c56314148dfe7f8e8ca016fd689f8fb72029a4c06b9020a322ba6ed1896.exe	Powershell.exe
PID 3412 wrote to memory of 2980	3412	e44f2c56314148dfe7f8e8ca016fd689f8fb72029a4c06b9020a322ba6ed1896.exe	Powershell.exe
PID 3412 wrote to memory of 3508	3412	e44f2c56314148dfe7f8e8ca016fd689f8fb72029a4c06b9020a322ba6ed1896.exe	RegAsm.exe
PID 3412 wrote to memory of 3508	3412	e44f2c56314148dfe7f8e8ca016fd689f8fb72029a4c06b9020a322ba6ed1896.exe	RegAsm.exe
PID 3412 wrote to memory of 3508	3412	e44f2c56314148dfe7f8e8ca016fd689f8fb72029a4c06b9020a322ba6ed1896.exe	RegAsm.exe
PID 3412 wrote to memory of 4228	3412	e44f2c56314148dfe7f8e8ca016fd689f8fb72029a4c06b9020a322ba6ed1896.exe	RegAsm.exe
PID 3412 wrote to memory of 4228	3412	e44f2c56314148dfe7f8e8ca016fd689f8fb72029a4c06b9020a322ba6ed1896.exe	RegAsm.exe
PID 3412 wrote to memory of 4228	3412	e44f2c56314148dfe7f8e8ca016fd689f8fb72029a4c06b9020a322ba6ed1896.exe	RegAsm.exe
PID 3412 wrote to memory of 4228	3412	e44f2c56314148dfe7f8e8ca016fd689f8fb72029a4c06b9020a322ba6ed1896.exe	RegAsm.exe
PID 3412 wrote to memory of 4228	3412	e44f2c56314148dfe7f8e8ca016fd689f8fb72029a4c06b9020a322ba6ed1896.exe	RegAsm.exe
PID 3412 wrote to memory of 4228	3412	e44f2c56314148dfe7f8e8ca016fd689f8fb72029a4c06b9020a322ba6ed1896.exe	RegAsm.exe
PID 3536 wrote to memory of 1108	3536	Explorer.EXE	cmmon32.exe
PID 3536 wrote to memory of 1108	3536	Explorer.EXE	cmmon32.exe
PID 3536 wrote to memory of 1108	3536	Explorer.EXE	cmmon32.exe
PID 1108 wrote to memory of 1520	1108	cmmon32.exe	cmd.exe
PID 1108 wrote to memory of 1520	1108	cmmon32.exe	cmd.exe
PID 1108 wrote to memory of 1520	1108	cmmon32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3536

C:\Users\Admin\AppData\Local\Temp\e44f2c56314148dfe7f8e8ca016fd689f8fb72029a4c06b9020a322ba6ed1896.exe
"C:\Users\Admin\AppData\Local\Temp\e44f2c56314148dfe7f8e8ca016fd689f8fb72029a4c06b9020a322ba6ed1896.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3412

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
"Powershell.exe" 東б屁एचтぎ儿ト丽-東б屁एचтぎ儿ト丽E東б屁एचтぎ儿ト丽x東б屁एचтぎ儿ト丽e東б屁एचтぎ儿ト丽c東б屁एचтぎ儿ト丽u東б屁एचтぎ儿ト丽t東б屁एचтぎ儿ト丽i東б屁एचтぎ儿ト丽o東б屁एचтぎ儿ト丽n東б屁एचтぎ儿ト丽P東б屁एचтぎ儿ト丽o東б屁एचтぎ儿ト丽l東б屁एचтぎ儿ト丽i東б屁एचтぎ儿ト丽c東б屁एचтぎ儿ト丽y東б屁एचтぎ儿ト丽東б屁एचтぎ儿ト丽B東б屁एचтぎ儿ト丽y東б屁एचтぎ儿ト丽p東б屁एचтぎ儿ト丽a東б屁एचтぎ儿ト丽s東б屁एचтぎ儿ト丽s東б屁एचтぎ儿ト丽東б屁एचтぎ儿ト丽-東б屁एचтぎ儿ト丽c東б屁एचтぎ儿ト丽o東б屁एचтぎ儿ト丽m東б屁एचтぎ儿ト丽m東б屁एचтぎ儿ト丽a東б屁एचтぎ儿ト丽n東б屁एचтぎ儿ト丽d 東б屁एचтぎ儿トC東б屁एचтぎ儿トo東б屁एचтぎ儿トp東б屁एचтぎ儿トy東б屁एचтぎ儿ト-東б屁एचтぎ儿トI東б屁एचтぎ儿トt東б屁एचтぎ儿トe東б屁एचтぎ儿トm 'C:\Users\Admin\AppData\Local\Temp\e44f2c56314148dfe7f8e8ca016fd689f8fb72029a4c06b9020a322ba6ed1896.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\command-line.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:3508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4228

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1520

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_albcpzhy.oml.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1108-65-0x00000000005C0000-0x00000000005EF000-memory.dmp

Filesize
188KB

Download
memory/1108-63-0x0000000000730000-0x000000000073C000-memory.dmp

Filesize
48KB

Download
memory/1108-64-0x0000000000730000-0x000000000073C000-memory.dmp

Filesize
48KB

Download
memory/2980-52-0x00000000075B0000-0x00000000075CA000-memory.dmp

Filesize
104KB

Download
memory/2980-7-0x0000000002990000-0x00000000029C6000-memory.dmp

Filesize
216KB

Download
memory/2980-62-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/2980-59-0x00000000078D0000-0x00000000078D8000-memory.dmp

Filesize
32KB

Download
memory/2980-8-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/2980-9-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/2980-10-0x00000000054D0000-0x0000000005AF8000-memory.dmp

Filesize
6.2MB

Download
memory/2980-11-0x00000000051C0000-0x00000000051E2000-memory.dmp

Filesize
136KB

Download
memory/2980-12-0x00000000053E0000-0x0000000005446000-memory.dmp

Filesize
408KB

Download
memory/2980-13-0x0000000005450000-0x00000000054B6000-memory.dmp

Filesize
408KB

Download
memory/2980-58-0x00000000078F0000-0x000000000790A000-memory.dmp

Filesize
104KB

Download
memory/2980-23-0x0000000005C40000-0x0000000005F94000-memory.dmp

Filesize
3.3MB

Download
memory/2980-24-0x0000000006290000-0x00000000062AE000-memory.dmp

Filesize
120KB

Download
memory/2980-57-0x00000000077F0000-0x0000000007804000-memory.dmp

Filesize
80KB

Download
memory/2980-56-0x00000000077E0000-0x00000000077EE000-memory.dmp

Filesize
56KB

Download
memory/2980-36-0x000000007F770000-0x000000007F780000-memory.dmp

Filesize
64KB

Download
memory/2980-25-0x00000000062C0000-0x000000000630C000-memory.dmp

Filesize
304KB

Download
memory/2980-55-0x00000000077B0000-0x00000000077C1000-memory.dmp

Filesize
68KB

Download
memory/2980-54-0x0000000007830000-0x00000000078C6000-memory.dmp

Filesize
600KB

Download
memory/2980-53-0x0000000007620000-0x000000000762A000-memory.dmp

Filesize
40KB

Download
memory/2980-51-0x0000000007BF0000-0x000000000826A000-memory.dmp

Filesize
6.5MB

Download
memory/2980-50-0x0000000002B40000-0x0000000002B50000-memory.dmp

Filesize
64KB

Download
memory/2980-49-0x00000000072B0000-0x0000000007353000-memory.dmp

Filesize
652KB

Download
memory/2980-37-0x0000000006840000-0x0000000006872000-memory.dmp

Filesize
200KB

Download
memory/2980-38-0x0000000070DD0000-0x0000000070E1C000-memory.dmp

Filesize
304KB

Download
memory/2980-48-0x0000000006880000-0x000000000689E000-memory.dmp

Filesize
120KB

Download
memory/3412-3-0x0000000005200000-0x0000000005292000-memory.dmp

Filesize
584KB

Download
memory/3412-6-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/3412-5-0x0000000005340000-0x00000000053DC000-memory.dmp

Filesize
624KB

Download
memory/3412-0-0x00000000750EE000-0x00000000750EF000-memory.dmp

Filesize
4KB

Download
memory/3412-1-0x0000000000700000-0x0000000000776000-memory.dmp

Filesize
472KB

Download
memory/3412-2-0x0000000005710000-0x0000000005CB4000-memory.dmp

Filesize
5.6MB

Download
memory/3412-26-0x00000000052F0000-0x00000000052FA000-memory.dmp

Filesize
40KB

Download
memory/3412-35-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/3412-4-0x0000000005160000-0x00000000051A6000-memory.dmp

Filesize
280KB

Download
memory/3412-27-0x00000000052E0000-0x00000000052EA000-memory.dmp

Filesize
40KB

Download
memory/3536-33-0x0000000008C50000-0x0000000008DBB000-memory.dmp

Filesize
1.4MB

Download
memory/3536-70-0x0000000002F90000-0x000000000305B000-memory.dmp

Filesize
812KB

Download
memory/3536-67-0x0000000008C50000-0x0000000008DBB000-memory.dmp

Filesize
1.4MB

Download
memory/4228-29-0x0000000002F90000-0x00000000032DA000-memory.dmp

Filesize
3.3MB

Download
memory/4228-32-0x0000000001080000-0x0000000001094000-memory.dmp

Filesize
80KB

Download
memory/4228-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4228-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download