formbook | 1d62ae45c62db87a620725b6ece3a6c5c32495a37a06038634002ff16e5365f3

General

Target

4b61202928df12bf9fd1aa7ae12cc743.exe
Size

463KB
MD5

4b61202928df12bf9fd1aa7ae12cc743
SHA1

83427d18ce784aa66b509fe9871d6c364558fe48
SHA256

1d62ae45c62db87a620725b6ece3a6c5c32495a37a06038634002ff16e5365f3
SHA512

d4724104ca4f5e5bf66c95b80a52a706050567ec787bad2f0a18ba7430ad6c08d42e7a83f305195a810eb2c9e8658e3b6f6394c5b7b55ac2d67380871487c419

Score

10^/10

formbook h4d0 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

h4d0

Decoy

onlinefinejewelry.com

samstringermusic.com

beam-lettings.info

optimumcoin.xyz

fasa.xyz

creativedime.com

eihncuz.online

griffin2008.top

europcarlive.com

jxhcar.com

museumsshop.international

bonolaboral-lnterbank.com

kelebandis.xyz

hiddenlakeranch.net

carelessyouth.com

jfkilfoil.store

potok-it-ua.site

magdulemediation.com

shakadal.xyz

coastconstructionfl.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3964-116-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3964-117-0x000000000041F130-mapping.dmp	formbook

Loads dropped DLL 1 IoCs

Processes:

4b61202928df12bf9fd1aa7ae12cc743.exe

pid process

2940 4b61202928df12bf9fd1aa7ae12cc743.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

4b61202928df12bf9fd1aa7ae12cc743.exe

description pid process target process

PID 2940 set thread context of 3964 2940 4b61202928df12bf9fd1aa7ae12cc743.exe 4b61202928df12bf9fd1aa7ae12cc743.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

4b61202928df12bf9fd1aa7ae12cc743.exe

pid process

3964 4b61202928df12bf9fd1aa7ae12cc743.exe
3964 4b61202928df12bf9fd1aa7ae12cc743.exe

pid	process
2940	4b61202928df12bf9fd1aa7ae12cc743.exe

description	pid	process	target process
PID 2940 set thread context of 3964	2940	4b61202928df12bf9fd1aa7ae12cc743.exe	4b61202928df12bf9fd1aa7ae12cc743.exe

pid	process
3964	4b61202928df12bf9fd1aa7ae12cc743.exe
3964	4b61202928df12bf9fd1aa7ae12cc743.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

4b61202928df12bf9fd1aa7ae12cc743.exe

description	pid	process	target process
PID 2940 wrote to memory of 3964	2940	4b61202928df12bf9fd1aa7ae12cc743.exe	4b61202928df12bf9fd1aa7ae12cc743.exe
PID 2940 wrote to memory of 3964	2940	4b61202928df12bf9fd1aa7ae12cc743.exe	4b61202928df12bf9fd1aa7ae12cc743.exe
PID 2940 wrote to memory of 3964	2940	4b61202928df12bf9fd1aa7ae12cc743.exe	4b61202928df12bf9fd1aa7ae12cc743.exe
PID 2940 wrote to memory of 3964	2940	4b61202928df12bf9fd1aa7ae12cc743.exe	4b61202928df12bf9fd1aa7ae12cc743.exe
PID 2940 wrote to memory of 3964	2940	4b61202928df12bf9fd1aa7ae12cc743.exe	4b61202928df12bf9fd1aa7ae12cc743.exe
PID 2940 wrote to memory of 3964	2940	4b61202928df12bf9fd1aa7ae12cc743.exe	4b61202928df12bf9fd1aa7ae12cc743.exe

C:\Users\Admin\AppData\Local\Temp\4b61202928df12bf9fd1aa7ae12cc743.exe
"C:\Users\Admin\AppData\Local\Temp\4b61202928df12bf9fd1aa7ae12cc743.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2940

C:\Users\Admin\AppData\Local\Temp\4b61202928df12bf9fd1aa7ae12cc743.exe
"C:\Users\Admin\AppData\Local\Temp\4b61202928df12bf9fd1aa7ae12cc743.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3964

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nslA0B6.tmp\ngxq.dll
MD5
07360e01d34fed4b32247f5273da6603

SHA1
5e38a5c226f89214a5e99798598601eb3ae495d9

SHA256
a6edc1489d37a5f597c9bb5996406ee67b5c86add49dbe3bd31f67fd1604d923

SHA512
b7487094a0788ff0e2e0f1e736d2ec2afcf81ce5c4e2d664243f54a469b93818faa28d1f6d1b12010d5957da7f1a4ce697cef7dc4f5fc63111e1f1c52ebc7d77

Download Submit
memory/3964-116-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3964-117-0x000000000041F130-mapping.dmp

Download
memory/3964-118-0x00000000009D0000-0x0000000000CF0000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing