formbook | c704ff6e66d4cb482ffd311662801623feec535ab93efdc3a722f28ea61781c6

Resubmissions

27-06-2024 10:22

240627-mee3jsyeqj 10

27-06-2024 10:18

240627-mcbmcayejj 3

Analysis

max time kernel
147s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27-06-2024 10:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fisses242.exe
Size

851KB
MD5

96f5ba27b0197df599f8b3c6a7857649
SHA1

06d21d98d5ff65532104e073d0cb95444a091cf2
SHA256

3ad893089224a6d72a8050457a2d0a3053781e1527c869ce68ce11831f0c81e7
SHA512

36803717cc7546210e63ac78705faa6966370278729d34fb33a1dab171599b6c16b41735697919cfe3aa3c84aa8a19f3139866c53cfe165cf195d39d31a64d8d
SSDEEP

12288:XcIjd3nQIQsk3na+QiH64keTjXmCSXaIVrfllStkVymDqos1ySIpkAtiN:XcIjUna3iFTT+awllSyMCqNNMi

Score

10^/10

formbook ch25 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ch25

Decoy

alexandermartin.shop

nojku.xyz

vrbroadband.com

ahlinih.autos

lwkyg.com

clinicasantacruz.net

sdsuihe.com

salaryforex.com

educationvibrance.com

d49wy.rest

9vl6q6hi.asia

profabsystem.online

takleforcreators.com

alphaextract.xyz

glam55.com

78032.asia

wsmh66.com

dgcustomerfirst100.shop

13445.xyz

office-27.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1384-29-0x0000000000400000-0x0000000001654000-memory.dmp	formbook
behavioral2/memory/1384-32-0x0000000000400000-0x0000000001654000-memory.dmp	formbook
behavioral2/memory/4000-39-0x00000000008B0000-0x00000000008DF000-memory.dmp	formbook

Loads dropped DLL 1 IoCs

Processes:

Fisses242.exe

pid process

2164 Fisses242.exe
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

Fisses242.exe

pid process

1384 Fisses242.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Fisses242.exeFisses242.exe

pid process

2164 Fisses242.exe
1384 Fisses242.exe

pid	process
2164	Fisses242.exe

pid	process
2164	Fisses242.exe
1384	Fisses242.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Fisses242.exeFisses242.exesystray.exe

description	pid	process	target process
PID 2164 set thread context of 1384	2164	Fisses242.exe	Fisses242.exe
PID 1384 set thread context of 3424	1384	Fisses242.exe	Explorer.EXE
PID 4000 set thread context of 3424	4000	systray.exe	Explorer.EXE

Drops file in Windows directory 1 IoCs

Processes:

Fisses242.exe

description ioc process

File opened for modification C:\Windows\reassigned\sandi.ini Fisses242.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\reassigned\sandi.ini	Fisses242.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

Fisses242.exesystray.exe

pid	process
1384	Fisses242.exe
1384	Fisses242.exe
1384	Fisses242.exe
1384	Fisses242.exe
4000	systray.exe
4000	systray.exe
4000	systray.exe
4000	systray.exe
4000	systray.exe
4000	systray.exe
4000	systray.exe
4000	systray.exe
4000	systray.exe
4000	systray.exe
4000	systray.exe
4000	systray.exe
4000	systray.exe
4000	systray.exe
4000	systray.exe
4000	systray.exe
4000	systray.exe
4000	systray.exe
4000	systray.exe
4000	systray.exe
4000	systray.exe
4000	systray.exe
4000	systray.exe
4000	systray.exe
4000	systray.exe
4000	systray.exe
4000	systray.exe
4000	systray.exe
4000	systray.exe
4000	systray.exe
4000	systray.exe
4000	systray.exe
4000	systray.exe
4000	systray.exe
4000	systray.exe
4000	systray.exe
4000	systray.exe
4000	systray.exe
4000	systray.exe
4000	systray.exe
4000	systray.exe
4000	systray.exe
4000	systray.exe
4000	systray.exe
4000	systray.exe
4000	systray.exe
4000	systray.exe
4000	systray.exe
4000	systray.exe
4000	systray.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

Fisses242.exeFisses242.exesystray.exe

pid process

2164 Fisses242.exe
1384 Fisses242.exe
1384 Fisses242.exe
1384 Fisses242.exe
4000 systray.exe
4000 systray.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Fisses242.exesystray.exeExplorer.EXE

description pid process

Token: SeDebugPrivilege 1384 Fisses242.exe
Token: SeDebugPrivilege 4000 systray.exe
Token: SeShutdownPrivilege 3424 Explorer.EXE
Token: SeCreatePagefilePrivilege 3424 Explorer.EXE

pid	process
2164	Fisses242.exe
1384	Fisses242.exe
1384	Fisses242.exe
1384	Fisses242.exe
4000	systray.exe
4000	systray.exe

description	pid	process
Token: SeDebugPrivilege	1384	Fisses242.exe
Token: SeDebugPrivilege	4000	systray.exe
Token: SeShutdownPrivilege	3424	Explorer.EXE
Token: SeCreatePagefilePrivilege	3424	Explorer.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

Fisses242.exeExplorer.EXEsystray.exe

description	pid	process	target process
PID 2164 wrote to memory of 1384	2164	Fisses242.exe	Fisses242.exe
PID 2164 wrote to memory of 1384	2164	Fisses242.exe	Fisses242.exe
PID 2164 wrote to memory of 1384	2164	Fisses242.exe	Fisses242.exe
PID 2164 wrote to memory of 1384	2164	Fisses242.exe	Fisses242.exe
PID 2164 wrote to memory of 1384	2164	Fisses242.exe	Fisses242.exe
PID 3424 wrote to memory of 4000	3424	Explorer.EXE	systray.exe
PID 3424 wrote to memory of 4000	3424	Explorer.EXE	systray.exe
PID 3424 wrote to memory of 4000	3424	Explorer.EXE	systray.exe
PID 4000 wrote to memory of 2664	4000	systray.exe	cmd.exe
PID 4000 wrote to memory of 2664	4000	systray.exe	cmd.exe
PID 4000 wrote to memory of 2664	4000	systray.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3424

C:\Users\Admin\AppData\Local\Temp\Fisses242.exe
"C:\Users\Admin\AppData\Local\Temp\Fisses242.exe"
2⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2164

C:\Users\Admin\AppData\Local\Temp\Fisses242.exe
"C:\Users\Admin\AppData\Local\Temp\Fisses242.exe"
3⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1384

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4000

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Fisses242.exe"
3⤵
PID:2664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4256,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=4180 /prefetch:8
1⤵
PID:3828

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nspEADF.tmp\System.dll
Filesize
11KB

MD5
55a26d7800446f1373056064c64c3ce8

SHA1
80256857e9a0a9c8897923b717f3435295a76002

SHA256
904fd5481d72f4e03b01a455f848dedd095d0fb17e33608e0d849f5196fb6ff8

SHA512
04b8ab7a85c26f188c0a06f524488d6f2ac2884bf107c860c82e94ae12c3859f825133d78338fd2b594dfc48f7dc9888ae76fee786c6252a5c77c88755128a5b

Download Submit
memory/1384-31-0x000000000041F000-0x0000000000420000-memory.dmp

Filesize
4KB

Download
memory/1384-26-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1384-32-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1384-38-0x0000000077AA1000-0x0000000077BC1000-memory.dmp

Filesize
1.1MB

Download
memory/1384-28-0x0000000077B45000-0x0000000077B46000-memory.dmp

Filesize
4KB

Download
memory/1384-29-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1384-30-0x0000000035E90000-0x00000000361DA000-memory.dmp

Filesize
3.3MB

Download
memory/1384-27-0x0000000077B28000-0x0000000077B29000-memory.dmp

Filesize
4KB

Download
memory/2164-25-0x0000000010004000-0x0000000010005000-memory.dmp

Filesize
4KB

Download
memory/2164-24-0x0000000077AA1000-0x0000000077BC1000-memory.dmp

Filesize
1.1MB

Download
memory/3424-48-0x00000000080A0000-0x000000000814F000-memory.dmp

Filesize
700KB

Download
memory/3424-41-0x0000000008540000-0x000000000860A000-memory.dmp

Filesize
808KB

Download
memory/3424-43-0x00000000080A0000-0x000000000814F000-memory.dmp

Filesize
700KB

Download
memory/3424-45-0x00000000080A0000-0x000000000814F000-memory.dmp

Filesize
700KB

Download
memory/3424-33-0x0000000008540000-0x000000000860A000-memory.dmp

Filesize
808KB

Download
memory/4000-37-0x0000000000B50000-0x0000000000B56000-memory.dmp

Filesize
24KB

Download
memory/4000-36-0x0000000000B50000-0x0000000000B56000-memory.dmp

Filesize
24KB

Download
memory/4000-39-0x00000000008B0000-0x00000000008DF000-memory.dmp

Filesize
188KB

Download