formbook | 408e418404d842718d88720c6706d3a0a07f40f0e04159091ea31c7333c2f958

Analysis

max time kernel
145s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Project Execution Order - (PO 546788) (PO 546789).exe
Size

38KB
MD5

246238533bb596d52737946aaf4b4d37
SHA1

8c350aff45dbb05c1d61eb885a13b591544b70fa
SHA256

531e29b34f525987ef3210689b417ea3c1a0b4f5c8bcf180ef00148a3e6d0b1f
SHA512

8e5a0bd7a5dce0bf1927ade856aec94f2cb6ee611a832f8178fa7ede5199614b137cb8a5cb001b5d34afd9a8a0628967e68d3759e4b323ea887c59f2b8dda98e
SSDEEP

384:fsNjci832cy7jQNDy1SXNh2xEPICOVvHX9RL7D6p05iVXXXtXXXXXXtX41hoJOuy:vHwL7D6Shho16G+SIp1b5tPeWTU

Score

10^/10

formbook 45er agilenet execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

45er

Decoy

depotpulsa.com

k2bilbao.online

bb4uoficial.com

rwc666.club

us-pservice.cyou

tricegottreats.com

zsystems.pro

qudouyin6.com

sfumaturedamore.net

pcetyy.icu

notbokin.online

beqprod.tech

flipbuilding.com

errormitigationzoo.com

zj5u603.xyz

jezzatravel.com

zmdniavysyi.shop

quinnsteele.com

522334.com

outdoorshopping.net

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/636-17-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/636-21-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/5044-31-0x0000000000CD0000-0x0000000000CFF000-memory.dmp	formbook

Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
agilenet

Processes:

resource yara_rule

behavioral2/memory/3364-1-0x0000000000840000-0x0000000000850000-memory.dmp agile_net

resource	yara_rule
behavioral2/memory/3364-1-0x0000000000840000-0x0000000000850000-memory.dmp	agile_net

Suspicious use of SetThreadContext 2 IoCs

Processes:

Project Execution Order - (PO 546788) (PO 546789).exeProject Execution Order - (PO 546788) (PO 546789).exe

description	pid	process	target process
PID 3364 set thread context of 636	3364	Project Execution Order - (PO 546788) (PO 546789).exe	Project Execution Order - (PO 546788) (PO 546789).exe
PID 636 set thread context of 3332	636	Project Execution Order - (PO 546788) (PO 546789).exe	Explorer.EXE

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

Powershell.exe

pid process

856 Powershell.exe

pid	process
856	Powershell.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

Project Execution Order - (PO 546788) (PO 546789).exeProject Execution Order - (PO 546788) (PO 546789).exewlanext.exe

pid	process
3364	Project Execution Order - (PO 546788) (PO 546789).exe
3364	Project Execution Order - (PO 546788) (PO 546789).exe
3364	Project Execution Order - (PO 546788) (PO 546789).exe
3364	Project Execution Order - (PO 546788) (PO 546789).exe
3364	Project Execution Order - (PO 546788) (PO 546789).exe
3364	Project Execution Order - (PO 546788) (PO 546789).exe
3364	Project Execution Order - (PO 546788) (PO 546789).exe
3364	Project Execution Order - (PO 546788) (PO 546789).exe
3364	Project Execution Order - (PO 546788) (PO 546789).exe
3364	Project Execution Order - (PO 546788) (PO 546789).exe
3364	Project Execution Order - (PO 546788) (PO 546789).exe
3364	Project Execution Order - (PO 546788) (PO 546789).exe
3364	Project Execution Order - (PO 546788) (PO 546789).exe
3364	Project Execution Order - (PO 546788) (PO 546789).exe
3364	Project Execution Order - (PO 546788) (PO 546789).exe
3364	Project Execution Order - (PO 546788) (PO 546789).exe
3364	Project Execution Order - (PO 546788) (PO 546789).exe
3364	Project Execution Order - (PO 546788) (PO 546789).exe
3364	Project Execution Order - (PO 546788) (PO 546789).exe
3364	Project Execution Order - (PO 546788) (PO 546789).exe
3364	Project Execution Order - (PO 546788) (PO 546789).exe
3364	Project Execution Order - (PO 546788) (PO 546789).exe
3364	Project Execution Order - (PO 546788) (PO 546789).exe
3364	Project Execution Order - (PO 546788) (PO 546789).exe
3364	Project Execution Order - (PO 546788) (PO 546789).exe
3364	Project Execution Order - (PO 546788) (PO 546789).exe
636	Project Execution Order - (PO 546788) (PO 546789).exe
636	Project Execution Order - (PO 546788) (PO 546789).exe
636	Project Execution Order - (PO 546788) (PO 546789).exe
636	Project Execution Order - (PO 546788) (PO 546789).exe
5044	wlanext.exe
5044	wlanext.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

Project Execution Order - (PO 546788) (PO 546789).exe

pid process

636 Project Execution Order - (PO 546788) (PO 546789).exe
636 Project Execution Order - (PO 546788) (PO 546789).exe
636 Project Execution Order - (PO 546788) (PO 546789).exe

pid	process
636	Project Execution Order - (PO 546788) (PO 546789).exe
636	Project Execution Order - (PO 546788) (PO 546789).exe
636	Project Execution Order - (PO 546788) (PO 546789).exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Project Execution Order - (PO 546788) (PO 546789).exeProject Execution Order - (PO 546788) (PO 546789).exePowershell.exewlanext.exe

description	pid	process
Token: SeDebugPrivilege	3364	Project Execution Order - (PO 546788) (PO 546789).exe
Token: SeDebugPrivilege	636	Project Execution Order - (PO 546788) (PO 546789).exe
Token: SeDebugPrivilege	856	Powershell.exe
Token: SeDebugPrivilege	5044	wlanext.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Project Execution Order - (PO 546788) (PO 546789).exeExplorer.EXE

description	pid	process	target process
PID 3364 wrote to memory of 856	3364	Project Execution Order - (PO 546788) (PO 546789).exe	Powershell.exe
PID 3364 wrote to memory of 856	3364	Project Execution Order - (PO 546788) (PO 546789).exe	Powershell.exe
PID 3364 wrote to memory of 856	3364	Project Execution Order - (PO 546788) (PO 546789).exe	Powershell.exe
PID 3364 wrote to memory of 636	3364	Project Execution Order - (PO 546788) (PO 546789).exe	Project Execution Order - (PO 546788) (PO 546789).exe
PID 3364 wrote to memory of 636	3364	Project Execution Order - (PO 546788) (PO 546789).exe	Project Execution Order - (PO 546788) (PO 546789).exe
PID 3364 wrote to memory of 636	3364	Project Execution Order - (PO 546788) (PO 546789).exe	Project Execution Order - (PO 546788) (PO 546789).exe
PID 3364 wrote to memory of 636	3364	Project Execution Order - (PO 546788) (PO 546789).exe	Project Execution Order - (PO 546788) (PO 546789).exe
PID 3364 wrote to memory of 636	3364	Project Execution Order - (PO 546788) (PO 546789).exe	Project Execution Order - (PO 546788) (PO 546789).exe
PID 3364 wrote to memory of 636	3364	Project Execution Order - (PO 546788) (PO 546789).exe	Project Execution Order - (PO 546788) (PO 546789).exe
PID 3332 wrote to memory of 5044	3332	Explorer.EXE	wlanext.exe
PID 3332 wrote to memory of 5044	3332	Explorer.EXE	wlanext.exe
PID 3332 wrote to memory of 5044	3332	Explorer.EXE	wlanext.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3332

C:\Users\Admin\AppData\Local\Temp\Project Execution Order - (PO 546788) (PO 546789).exe
"C:\Users\Admin\AppData\Local\Temp\Project Execution Order - (PO 546788) (PO 546789).exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3364

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
"Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Project Execution Order - (PO 546788) (PO 546789).exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Project Execution Order - (PO 546788) (PO 546789).exe' -Force
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:856

C:\Users\Admin\AppData\Local\Temp\Project Execution Order - (PO 546788) (PO 546789).exe
"C:\Users\Admin\AppData\Local\Temp\Project Execution Order - (PO 546788) (PO 546789).exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:636

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5044

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Project Execution Order - (PO 546788) (PO 546789).exe"
3⤵
PID:3756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
1⤵
PID:2200

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4jljp5o4.tnh.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/636-17-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/636-22-0x00000000017A0000-0x00000000017B4000-memory.dmp

Filesize
80KB

Download
memory/636-21-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/636-19-0x00000000017E0000-0x0000000001B2A000-memory.dmp

Filesize
3.3MB

Download
memory/856-38-0x0000000006030000-0x0000000006384000-memory.dmp

Filesize
3.3MB

Download
memory/856-32-0x0000000005F50000-0x0000000005FB6000-memory.dmp

Filesize
408KB

Download
memory/856-30-0x0000000074ED0000-0x0000000075680000-memory.dmp

Filesize
7.7MB

Download
memory/856-29-0x0000000005EB0000-0x0000000005ED2000-memory.dmp

Filesize
136KB

Download
memory/856-24-0x00000000057F0000-0x0000000005E18000-memory.dmp

Filesize
6.2MB

Download
memory/856-39-0x0000000074ED0000-0x0000000075680000-memory.dmp

Filesize
7.7MB

Download
memory/856-41-0x0000000074ED0000-0x0000000075680000-memory.dmp

Filesize
7.7MB

Download
memory/856-13-0x0000000074ED0000-0x0000000075680000-memory.dmp

Filesize
7.7MB

Download
memory/856-14-0x0000000074ED0000-0x0000000075680000-memory.dmp

Filesize
7.7MB

Download
memory/856-15-0x0000000004FE0000-0x0000000005016000-memory.dmp

Filesize
216KB

Download
memory/856-16-0x0000000074ED0000-0x0000000075680000-memory.dmp

Filesize
7.7MB

Download
memory/3332-23-0x00000000083E0000-0x000000000856C000-memory.dmp

Filesize
1.5MB

Download
memory/3332-46-0x00000000083E0000-0x000000000856C000-memory.dmp

Filesize
1.5MB

Download
memory/3364-8-0x0000000074ED0000-0x0000000075680000-memory.dmp

Filesize
7.7MB

Download
memory/3364-7-0x00000000053F0000-0x00000000053FA000-memory.dmp

Filesize
40KB

Download
memory/3364-11-0x00000000068F0000-0x000000000698C000-memory.dmp

Filesize
624KB

Download
memory/3364-10-0x0000000000E10000-0x0000000000E58000-memory.dmp

Filesize
288KB

Download
memory/3364-9-0x00000000068C0000-0x00000000068DE000-memory.dmp

Filesize
120KB

Download
memory/3364-25-0x0000000074ED0000-0x0000000075680000-memory.dmp

Filesize
7.7MB

Download
memory/3364-1-0x0000000000840000-0x0000000000850000-memory.dmp

Filesize
64KB

Download
memory/3364-2-0x0000000005730000-0x0000000005CD4000-memory.dmp

Filesize
5.6MB

Download
memory/3364-0-0x0000000074EDE000-0x0000000074EDF000-memory.dmp

Filesize
4KB

Download
memory/3364-12-0x0000000006990000-0x00000000069F6000-memory.dmp

Filesize
408KB

Download
memory/3364-3-0x0000000005260000-0x00000000052F2000-memory.dmp

Filesize
584KB

Download
memory/3364-6-0x0000000005300000-0x0000000005376000-memory.dmp

Filesize
472KB

Download
memory/3364-5-0x0000000074ED0000-0x0000000075680000-memory.dmp

Filesize
7.7MB

Download
memory/3364-4-0x0000000074EDE000-0x0000000074EDF000-memory.dmp

Filesize
4KB

Download
memory/5044-31-0x0000000000CD0000-0x0000000000CFF000-memory.dmp

Filesize
188KB

Download
memory/5044-26-0x0000000000C20000-0x0000000000C37000-memory.dmp

Filesize
92KB

Download
memory/5044-28-0x0000000000C20000-0x0000000000C37000-memory.dmp

Filesize
92KB

Download