formbook | 4873fc7cab19439ccbc5cfffcc818ed55cd682cd5475889c7062476a877438ce

General

Target

038159.exe
Size

251KB
MD5

f89aeda946171325b3cc41db4e0c7356
SHA1

83da10df168a7801bef8257fcbdc23bf18f0d15c
SHA256

5beadd0ecc9f1407dab89746630fddf7362dd00323e6a5e5413a0c286e2ee583
SHA512

229332eb6bec4208a2eb9055237ee5ac83a9da577ce04f2a0a9bad2c6c113b815ff60876d265f344d10d36d20da3bb4444ef2c8896fe9dc6005bac73a3c902ab

Score

10^/10

formbook w6ya rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

w6ya

C2

http://www.truth-capturemachine.com/w6ya/

Decoy

auden-audio.com

zombieodyssey.com

hdpthg.com

toddtechnical.com

njsdgz.com

yieldfarm.world

guardsveirfynews.net

atmamandir.info

eskisehirtostcusu.online

arrozz.net

v99king.win

jaxonboxing.com

morganevans.net

syandeg.com

valleyofplants.com

corsosportorico.com

tak.support

blacktgpc.com

herdpetshop.com

iifkvhns.xyz

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2328-116-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2328-117-0x000000000041F150-mapping.dmp	formbook
behavioral2/memory/3380-125-0x0000000003290000-0x00000000032BF000-memory.dmp	formbook

Loads dropped DLL 1 IoCs

Processes:

038159.exe

pid process

2432 038159.exe

pid	process
2432	038159.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

038159.exe038159.exewlanext.exe

description	pid	process	target process
PID 2432 set thread context of 2328	2432	038159.exe	038159.exe
PID 2328 set thread context of 3032	2328	038159.exe	Explorer.EXE
PID 3380 set thread context of 3032	3380	wlanext.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

038159.exewlanext.exe

pid	process
2328	038159.exe
2328	038159.exe
2328	038159.exe
2328	038159.exe
3380	wlanext.exe
3380	wlanext.exe
3380	wlanext.exe
3380	wlanext.exe
3380	wlanext.exe
3380	wlanext.exe
3380	wlanext.exe
3380	wlanext.exe
3380	wlanext.exe
3380	wlanext.exe
3380	wlanext.exe
3380	wlanext.exe
3380	wlanext.exe
3380	wlanext.exe
3380	wlanext.exe
3380	wlanext.exe
3380	wlanext.exe
3380	wlanext.exe
3380	wlanext.exe
3380	wlanext.exe
3380	wlanext.exe
3380	wlanext.exe
3380	wlanext.exe
3380	wlanext.exe
3380	wlanext.exe
3380	wlanext.exe
3380	wlanext.exe
3380	wlanext.exe
3380	wlanext.exe
3380	wlanext.exe
3380	wlanext.exe
3380	wlanext.exe
3380	wlanext.exe
3380	wlanext.exe
3380	wlanext.exe
3380	wlanext.exe
3380	wlanext.exe
3380	wlanext.exe
3380	wlanext.exe
3380	wlanext.exe
3380	wlanext.exe
3380	wlanext.exe
3380	wlanext.exe
3380	wlanext.exe
3380	wlanext.exe
3380	wlanext.exe
3380	wlanext.exe
3380	wlanext.exe
3380	wlanext.exe
3380	wlanext.exe
3380	wlanext.exe
3380	wlanext.exe
3380	wlanext.exe
3380	wlanext.exe
3380	wlanext.exe
3380	wlanext.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3032 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

038159.exewlanext.exe

pid process

2328 038159.exe
2328 038159.exe
2328 038159.exe
3380 wlanext.exe
3380 wlanext.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

038159.exewlanext.exe

description pid process

Token: SeDebugPrivilege 2328 038159.exe
Token: SeDebugPrivilege 3380 wlanext.exe

pid	process
3032	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	2328	038159.exe
Token: SeDebugPrivilege	3380	wlanext.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

038159.exeExplorer.EXEwlanext.exe

description	pid	process	target process
PID 2432 wrote to memory of 2328	2432	038159.exe	038159.exe
PID 2432 wrote to memory of 2328	2432	038159.exe	038159.exe
PID 2432 wrote to memory of 2328	2432	038159.exe	038159.exe
PID 2432 wrote to memory of 2328	2432	038159.exe	038159.exe
PID 2432 wrote to memory of 2328	2432	038159.exe	038159.exe
PID 2432 wrote to memory of 2328	2432	038159.exe	038159.exe
PID 3032 wrote to memory of 3380	3032	Explorer.EXE	wlanext.exe
PID 3032 wrote to memory of 3380	3032	Explorer.EXE	wlanext.exe
PID 3032 wrote to memory of 3380	3032	Explorer.EXE	wlanext.exe
PID 3380 wrote to memory of 824	3380	wlanext.exe	cmd.exe
PID 3380 wrote to memory of 824	3380	wlanext.exe	cmd.exe
PID 3380 wrote to memory of 824	3380	wlanext.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3032

C:\Users\Admin\AppData\Local\Temp\038159.exe
"C:\Users\Admin\AppData\Local\Temp\038159.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2432

C:\Users\Admin\AppData\Local\Temp\038159.exe
"C:\Users\Admin\AppData\Local\Temp\038159.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2328

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3380

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\038159.exe"
3⤵
PID:824

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nskAB45.tmp\jaqxzro.dll
MD5
1e8aa5fcc0f7de7a0836081dd9efff05

SHA1
48317ef5f587f52fd34b42164dfb893dcde95e1b

SHA256
5389af7b3d0f5a3496cd2aa538a6ee01fd5a9bd1a8fcf3b9411f4112313d43af

SHA512
addd27d8923bf5d3f7d87e3eb2f6138d05532aa7c9340fde2f998a84fa87f227b63cd515176940de099d4f8dc46d1ab7467f4e347e266d0ef128d7337d79ea16

Download Submit
memory/824-124-0x0000000000000000-mapping.dmp

Download
memory/2328-116-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2328-117-0x000000000041F150-mapping.dmp

Download
memory/2328-120-0x00000000005C0000-0x00000000005D4000-memory.dmp

Filesize
80KB

Download
memory/2328-119-0x0000000000A60000-0x0000000000D80000-memory.dmp

Filesize
3.1MB

Download
memory/3032-121-0x0000000004D30000-0x0000000004EC3000-memory.dmp

Filesize
1.6MB

Download
memory/3032-128-0x0000000002530000-0x0000000002696000-memory.dmp

Filesize
1.4MB

Download
memory/3380-122-0x0000000000000000-mapping.dmp

Download
memory/3380-126-0x00000000034E0000-0x0000000003800000-memory.dmp

Filesize
3.1MB

Download
memory/3380-125-0x0000000003290000-0x00000000032BF000-memory.dmp

Filesize
188KB

Download
memory/3380-127-0x0000000003800000-0x0000000003893000-memory.dmp

Filesize
588KB

Download
memory/3380-123-0x0000000000930000-0x0000000000947000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads