formbook | 398e6661f5ca757d0d7c777a0ed8ca1481b5c2df810008164e1f51deefc2ab48

General

Target

2e2eba416b6ec3efaace0621e8e229d2.exe
Size

333KB
MD5

2e2eba416b6ec3efaace0621e8e229d2
SHA1

c638e91299adc8ff3e0e21120e9417feed819861
SHA256

398e6661f5ca757d0d7c777a0ed8ca1481b5c2df810008164e1f51deefc2ab48
SHA512

eae1ceb02e8130b507041125c589e4ab2beea7e110abd600029b8f2a42beb6e1c14f0b1c3c4d654d715cf0c4dfe838740a83a09df3d2abbf5b2bd7c919282201

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.stepsaudio.com/mjl/

Decoy

assetscheck.com

domauritius.com

therealnotary.com

xcusehrreje.com

modernhub.info

ckr7.com

umbracreations.net

dikanji.com

gaonwale.com

behind-the-pink-door.com

xn--4dbaigbvbe5b1a.net

cbcsnesscity.com

db-mktdigital.com

jackaldenryan.com

china-xinkai.com

856380511.xyz

sonoraquwat.com

chinaiess.com

blockchainisgreat.com

yax98.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3624-119-0x0000000000400000-0x0000000000433000-memory.dmp	formbook
behavioral2/memory/3624-120-0x0000000000401190-mapping.dmp	formbook
behavioral2/memory/3624-121-0x0000000000400000-0x0000000000433000-memory.dmp	formbook
C:\Users\Admin\AppData\Local\Temp\FB_E7C7.tmp.exe	formbook
C:\Users\Admin\AppData\Local\Temp\FB_E7C7.tmp.exe	formbook
behavioral2/memory/3112-133-0x0000000002B30000-0x0000000002B5E000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

FB_E6AC.tmp.exeFB_E7C7.tmp.exe

pid process

3564 FB_E6AC.tmp.exe
3480 FB_E7C7.tmp.exe

pid	process
3564	FB_E6AC.tmp.exe
3480	FB_E7C7.tmp.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

2e2eba416b6ec3efaace0621e8e229d2.exeFB_E7C7.tmp.execmmon32.exe

description	pid	process	target process
PID 3400 set thread context of 3624	3400	2e2eba416b6ec3efaace0621e8e229d2.exe	2e2eba416b6ec3efaace0621e8e229d2.exe
PID 3480 set thread context of 2764	3480	FB_E7C7.tmp.exe	Explorer.EXE
PID 3112 set thread context of 2764	3112	cmmon32.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

2e2eba416b6ec3efaace0621e8e229d2.exeFB_E7C7.tmp.execmmon32.exe

pid	process
3400	2e2eba416b6ec3efaace0621e8e229d2.exe
3400	2e2eba416b6ec3efaace0621e8e229d2.exe
3400	2e2eba416b6ec3efaace0621e8e229d2.exe
3400	2e2eba416b6ec3efaace0621e8e229d2.exe
3400	2e2eba416b6ec3efaace0621e8e229d2.exe
3400	2e2eba416b6ec3efaace0621e8e229d2.exe
3400	2e2eba416b6ec3efaace0621e8e229d2.exe
3400	2e2eba416b6ec3efaace0621e8e229d2.exe
3400	2e2eba416b6ec3efaace0621e8e229d2.exe
3400	2e2eba416b6ec3efaace0621e8e229d2.exe
3480	FB_E7C7.tmp.exe
3480	FB_E7C7.tmp.exe
3480	FB_E7C7.tmp.exe
3480	FB_E7C7.tmp.exe
3112	cmmon32.exe
3112	cmmon32.exe
3112	cmmon32.exe
3112	cmmon32.exe
3112	cmmon32.exe
3112	cmmon32.exe
3112	cmmon32.exe
3112	cmmon32.exe
3112	cmmon32.exe
3112	cmmon32.exe
3112	cmmon32.exe
3112	cmmon32.exe
3112	cmmon32.exe
3112	cmmon32.exe
3112	cmmon32.exe
3112	cmmon32.exe
3112	cmmon32.exe
3112	cmmon32.exe
3112	cmmon32.exe
3112	cmmon32.exe
3112	cmmon32.exe
3112	cmmon32.exe
3112	cmmon32.exe
3112	cmmon32.exe
3112	cmmon32.exe
3112	cmmon32.exe
3112	cmmon32.exe
3112	cmmon32.exe
3112	cmmon32.exe
3112	cmmon32.exe
3112	cmmon32.exe
3112	cmmon32.exe
3112	cmmon32.exe
3112	cmmon32.exe
3112	cmmon32.exe
3112	cmmon32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2764 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

FB_E7C7.tmp.execmmon32.exe

pid process

3480 FB_E7C7.tmp.exe
3480 FB_E7C7.tmp.exe
3480 FB_E7C7.tmp.exe
3112 cmmon32.exe
3112 cmmon32.exe

pid	process
2764	Explorer.EXE

pid	process
3480	FB_E7C7.tmp.exe
3480	FB_E7C7.tmp.exe
3480	FB_E7C7.tmp.exe
3112	cmmon32.exe
3112	cmmon32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

2e2eba416b6ec3efaace0621e8e229d2.exeFB_E7C7.tmp.execmmon32.exe

description	pid	process
Token: SeDebugPrivilege	3400	2e2eba416b6ec3efaace0621e8e229d2.exe
Token: SeDebugPrivilege	3480	FB_E7C7.tmp.exe
Token: SeDebugPrivilege	3112	cmmon32.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

2764 Explorer.EXE

pid	process
2764	Explorer.EXE

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

2e2eba416b6ec3efaace0621e8e229d2.exe2e2eba416b6ec3efaace0621e8e229d2.exeExplorer.EXEcmmon32.exe

description	pid	process	target process
PID 3400 wrote to memory of 3748	3400	2e2eba416b6ec3efaace0621e8e229d2.exe	2e2eba416b6ec3efaace0621e8e229d2.exe
PID 3400 wrote to memory of 3748	3400	2e2eba416b6ec3efaace0621e8e229d2.exe	2e2eba416b6ec3efaace0621e8e229d2.exe
PID 3400 wrote to memory of 3748	3400	2e2eba416b6ec3efaace0621e8e229d2.exe	2e2eba416b6ec3efaace0621e8e229d2.exe
PID 3400 wrote to memory of 3300	3400	2e2eba416b6ec3efaace0621e8e229d2.exe	2e2eba416b6ec3efaace0621e8e229d2.exe
PID 3400 wrote to memory of 3300	3400	2e2eba416b6ec3efaace0621e8e229d2.exe	2e2eba416b6ec3efaace0621e8e229d2.exe
PID 3400 wrote to memory of 3300	3400	2e2eba416b6ec3efaace0621e8e229d2.exe	2e2eba416b6ec3efaace0621e8e229d2.exe
PID 3400 wrote to memory of 3624	3400	2e2eba416b6ec3efaace0621e8e229d2.exe	2e2eba416b6ec3efaace0621e8e229d2.exe
PID 3400 wrote to memory of 3624	3400	2e2eba416b6ec3efaace0621e8e229d2.exe	2e2eba416b6ec3efaace0621e8e229d2.exe
PID 3400 wrote to memory of 3624	3400	2e2eba416b6ec3efaace0621e8e229d2.exe	2e2eba416b6ec3efaace0621e8e229d2.exe
PID 3400 wrote to memory of 3624	3400	2e2eba416b6ec3efaace0621e8e229d2.exe	2e2eba416b6ec3efaace0621e8e229d2.exe
PID 3400 wrote to memory of 3624	3400	2e2eba416b6ec3efaace0621e8e229d2.exe	2e2eba416b6ec3efaace0621e8e229d2.exe
PID 3400 wrote to memory of 3624	3400	2e2eba416b6ec3efaace0621e8e229d2.exe	2e2eba416b6ec3efaace0621e8e229d2.exe
PID 3400 wrote to memory of 3624	3400	2e2eba416b6ec3efaace0621e8e229d2.exe	2e2eba416b6ec3efaace0621e8e229d2.exe
PID 3400 wrote to memory of 3624	3400	2e2eba416b6ec3efaace0621e8e229d2.exe	2e2eba416b6ec3efaace0621e8e229d2.exe
PID 3400 wrote to memory of 3624	3400	2e2eba416b6ec3efaace0621e8e229d2.exe	2e2eba416b6ec3efaace0621e8e229d2.exe
PID 3624 wrote to memory of 3564	3624	2e2eba416b6ec3efaace0621e8e229d2.exe	FB_E6AC.tmp.exe
PID 3624 wrote to memory of 3564	3624	2e2eba416b6ec3efaace0621e8e229d2.exe	FB_E6AC.tmp.exe
PID 3624 wrote to memory of 3564	3624	2e2eba416b6ec3efaace0621e8e229d2.exe	FB_E6AC.tmp.exe
PID 3624 wrote to memory of 3480	3624	2e2eba416b6ec3efaace0621e8e229d2.exe	FB_E7C7.tmp.exe
PID 3624 wrote to memory of 3480	3624	2e2eba416b6ec3efaace0621e8e229d2.exe	FB_E7C7.tmp.exe
PID 3624 wrote to memory of 3480	3624	2e2eba416b6ec3efaace0621e8e229d2.exe	FB_E7C7.tmp.exe
PID 2764 wrote to memory of 3112	2764	Explorer.EXE	cmmon32.exe
PID 2764 wrote to memory of 3112	2764	Explorer.EXE	cmmon32.exe
PID 2764 wrote to memory of 3112	2764	Explorer.EXE	cmmon32.exe
PID 3112 wrote to memory of 3096	3112	cmmon32.exe	cmd.exe
PID 3112 wrote to memory of 3096	3112	cmmon32.exe	cmd.exe
PID 3112 wrote to memory of 3096	3112	cmmon32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2764

C:\Users\Admin\AppData\Local\Temp\2e2eba416b6ec3efaace0621e8e229d2.exe
"C:\Users\Admin\AppData\Local\Temp\2e2eba416b6ec3efaace0621e8e229d2.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3400

C:\Users\Admin\AppData\Local\Temp\2e2eba416b6ec3efaace0621e8e229d2.exe
C:\Users\Admin\AppData\Local\Temp\2e2eba416b6ec3efaace0621e8e229d2.exe
3⤵
PID:3748

C:\Users\Admin\AppData\Local\Temp\2e2eba416b6ec3efaace0621e8e229d2.exe
C:\Users\Admin\AppData\Local\Temp\2e2eba416b6ec3efaace0621e8e229d2.exe
3⤵
PID:3300

C:\Users\Admin\AppData\Local\Temp\2e2eba416b6ec3efaace0621e8e229d2.exe
C:\Users\Admin\AppData\Local\Temp\2e2eba416b6ec3efaace0621e8e229d2.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3624

C:\Users\Admin\AppData\Local\Temp\FB_E6AC.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\FB_E6AC.tmp.exe"
4⤵
- Executes dropped EXE
PID:3564

C:\Users\Admin\AppData\Local\Temp\FB_E7C7.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\FB_E7C7.tmp.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3480

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3112

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\FB_E7C7.tmp.exe"
3⤵
PID:3096

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FB_E6AC.tmp.exe
MD5
74bafb3e707c7b0c63938ac200f99c7f

SHA1
10c5506337845ed9bf25c73d2506f9c15ab8e608

SHA256
129450ba06ad589cf6846a455a5b6b5f55e164ee4906e409eb692ab465269689

SHA512
5b24dc5acd14f812658e832b587b60695fb16954fca006c2c3a7382ef0ec65c3bd1aaf699425c49ff3cceef16869e75dd6f00ec189b9f673f08f7e1b80cf7781

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_E6AC.tmp.exe
MD5
74bafb3e707c7b0c63938ac200f99c7f

SHA1
10c5506337845ed9bf25c73d2506f9c15ab8e608

SHA256
129450ba06ad589cf6846a455a5b6b5f55e164ee4906e409eb692ab465269689

SHA512
5b24dc5acd14f812658e832b587b60695fb16954fca006c2c3a7382ef0ec65c3bd1aaf699425c49ff3cceef16869e75dd6f00ec189b9f673f08f7e1b80cf7781

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_E7C7.tmp.exe
MD5
b4e443daba6d844cfaba63ca17ff5a09

SHA1
b1d7f9c5c94858acfeb75b8bdfea38e3c4f01eb6

SHA256
852d3890ed7348734c5f18da1141075129468263b43f82cec8ac7b3e4b9145ac

SHA512
53a5f8b1feb147d671497f37032db0010c70d558f047f0370b4de1e825633c71f6ce123bb8b02ebd74e185b514efc48bd88cbbe9272416c34da9b68b4745e4b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_E7C7.tmp.exe
MD5
b4e443daba6d844cfaba63ca17ff5a09

SHA1
b1d7f9c5c94858acfeb75b8bdfea38e3c4f01eb6

SHA256
852d3890ed7348734c5f18da1141075129468263b43f82cec8ac7b3e4b9145ac

SHA512
53a5f8b1feb147d671497f37032db0010c70d558f047f0370b4de1e825633c71f6ce123bb8b02ebd74e185b514efc48bd88cbbe9272416c34da9b68b4745e4b5

Download Submit
memory/2764-137-0x0000000005C70000-0x0000000005D7A000-memory.dmp

Filesize
1.0MB

Download
memory/2764-130-0x0000000005B00000-0x0000000005C64000-memory.dmp

Filesize
1.4MB

Download
memory/3096-134-0x0000000000000000-mapping.dmp

Download
memory/3112-136-0x00000000049D0000-0x0000000004A63000-memory.dmp

Filesize
588KB

Download
memory/3112-135-0x0000000004B50000-0x0000000004E70000-memory.dmp

Filesize
3.1MB

Download
memory/3112-131-0x0000000000000000-mapping.dmp

Download
memory/3112-132-0x00000000008F0000-0x00000000008FC000-memory.dmp

Filesize
48KB

Download
memory/3112-133-0x0000000002B30000-0x0000000002B5E000-memory.dmp

Filesize
184KB

Download
memory/3400-118-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/3400-117-0x0000000004C00000-0x0000000004C46000-memory.dmp

Filesize
280KB

Download
memory/3400-114-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/3400-116-0x0000000002650000-0x0000000002652000-memory.dmp

Filesize
8KB

Download
memory/3480-125-0x0000000000000000-mapping.dmp

Download
memory/3480-128-0x00000000012D0000-0x000000000137E000-memory.dmp

Filesize
696KB

Download
memory/3480-129-0x0000000001200000-0x0000000001214000-memory.dmp

Filesize
80KB

Download
memory/3564-122-0x0000000000000000-mapping.dmp

Download
memory/3624-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3624-120-0x0000000000401190-mapping.dmp

Download
memory/3624-119-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads