formbook | 43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b

General

Target

43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b.exe
Size

1.5MB
MD5

a6131e5376fda93069da7f836440bea1
SHA1

9d46081281d1dd4f080d5f0f7c5a78343fff760d
SHA256

43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b
SHA512

fd0844814954831cd0785b3c74bf9cc08060126003f4c7db49c6af71ac82528d7b9967fe1eb66e74ccd51c0f311b9c640b675799ed1c17472fca6cfce8f537c0

Score

10^/10

formbook oh75 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

oh75

Decoy

honeyglowpro2.com

tharrisondotblog.com

pandareadyhosting707.xyz

getitnow-superdeals.com

s6rtkh.xyz

clearwatermind.com

njjiaxincs.com

cwatereg.com

jmhifctds.xyz

getmybusinesscredit.com

695w12tg.xyz

thefeatur.com

sieuvoucher.com

biggamepick6.com

vezhe.com

7fy5.info

promiskuitives-leben.com

haghverdi.xyz

cothamnhung.com

shanghaitimeout.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1240-82-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1240-83-0x000000000041F0F0-mapping.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b.exe

description	pid	process	target process
PID 944 set thread context of 1240	944	43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b.exe	43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exeipconfig.exe

pid process

1812 ipconfig.exe
1472 ipconfig.exe

pid	process
1812	ipconfig.exe
1472	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b.exe43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b.exe

pid	process
460	powershell.exe
812	powershell.exe
744	powershell.exe
760	powershell.exe
944	43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b.exe
944	43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b.exe
944	43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b.exe
1240	43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	944	43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b.exe
Token: SeDebugPrivilege	460	powershell.exe
Token: SeDebugPrivilege	812	powershell.exe
Token: SeDebugPrivilege	744	powershell.exe
Token: SeDebugPrivilege	760	powershell.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b.exepowershell.exepowershell.exe

description	pid	process	target process
PID 944 wrote to memory of 460	944	43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b.exe	powershell.exe
PID 944 wrote to memory of 460	944	43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b.exe	powershell.exe
PID 944 wrote to memory of 460	944	43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b.exe	powershell.exe
PID 944 wrote to memory of 460	944	43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b.exe	powershell.exe
PID 460 wrote to memory of 1812	460	powershell.exe	ipconfig.exe
PID 460 wrote to memory of 1812	460	powershell.exe	ipconfig.exe
PID 460 wrote to memory of 1812	460	powershell.exe	ipconfig.exe
PID 460 wrote to memory of 1812	460	powershell.exe	ipconfig.exe
PID 944 wrote to memory of 812	944	43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b.exe	powershell.exe
PID 944 wrote to memory of 812	944	43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b.exe	powershell.exe
PID 944 wrote to memory of 812	944	43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b.exe	powershell.exe
PID 944 wrote to memory of 812	944	43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b.exe	powershell.exe
PID 944 wrote to memory of 744	944	43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b.exe	powershell.exe
PID 944 wrote to memory of 744	944	43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b.exe	powershell.exe
PID 944 wrote to memory of 744	944	43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b.exe	powershell.exe
PID 944 wrote to memory of 744	944	43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b.exe	powershell.exe
PID 744 wrote to memory of 1472	744	powershell.exe	ipconfig.exe
PID 744 wrote to memory of 1472	744	powershell.exe	ipconfig.exe
PID 744 wrote to memory of 1472	744	powershell.exe	ipconfig.exe
PID 744 wrote to memory of 1472	744	powershell.exe	ipconfig.exe
PID 944 wrote to memory of 760	944	43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b.exe	powershell.exe
PID 944 wrote to memory of 760	944	43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b.exe	powershell.exe
PID 944 wrote to memory of 760	944	43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b.exe	powershell.exe
PID 944 wrote to memory of 760	944	43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b.exe	powershell.exe
PID 944 wrote to memory of 1932	944	43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b.exe	43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b.exe
PID 944 wrote to memory of 1932	944	43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b.exe	43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b.exe
PID 944 wrote to memory of 1932	944	43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b.exe	43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b.exe
PID 944 wrote to memory of 1932	944	43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b.exe	43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b.exe
PID 944 wrote to memory of 1240	944	43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b.exe	43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b.exe
PID 944 wrote to memory of 1240	944	43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b.exe	43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b.exe
PID 944 wrote to memory of 1240	944	43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b.exe	43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b.exe
PID 944 wrote to memory of 1240	944	43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b.exe	43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b.exe
PID 944 wrote to memory of 1240	944	43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b.exe	43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b.exe
PID 944 wrote to memory of 1240	944	43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b.exe	43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b.exe
PID 944 wrote to memory of 1240	944	43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b.exe	43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b.exe

C:\Users\Admin\AppData\Local\Temp\43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b.exe
"C:\Users\Admin\AppData\Local\Temp\43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:944

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc aQBwAGMAbwBuAGYAaQBnACAALwByAGUAbABlAGEAcwBlAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:460

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\system32\ipconfig.exe" /release
3⤵
- Gathers network information
PID:1812

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMgA1AA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:812

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc aQBwAGMAbwBuAGYAaQBnACAALwByAGUAbgBlAHcA
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\system32\ipconfig.exe" /renew
3⤵
- Gathers network information
PID:1472

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAuADUA
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:760

C:\Users\Admin\AppData\Local\Temp\43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b.exe
C:\Users\Admin\AppData\Local\Temp\43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b.exe
2⤵
PID:1932

C:\Users\Admin\AppData\Local\Temp\43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b.exe
C:\Users\Admin\AppData\Local\Temp\43be4008732481434fc9a4f2bf3ceab8a9c467b0ea0acde7d701a82b3083396b.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1240

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
0b1e8ff938931f8035e1fd1d0ed25ebb

SHA1
622a3ed8bdb4d28b2875cd1e0f51023c6e914abf

SHA256
d0f89abc9536ce3c4f842c57aa4e25a287f2a1ea2cee4f886636f7fc76c33b58

SHA512
4562813c31d08a43038b77f630c55dc188f8f432e2f8a8b05466e25cea10a8386e5854d825ef095d40ff4fc2f33af18c178eb1d04b87aaa4c55728a1b1296ec3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
0b1e8ff938931f8035e1fd1d0ed25ebb

SHA1
622a3ed8bdb4d28b2875cd1e0f51023c6e914abf

SHA256
d0f89abc9536ce3c4f842c57aa4e25a287f2a1ea2cee4f886636f7fc76c33b58

SHA512
4562813c31d08a43038b77f630c55dc188f8f432e2f8a8b05466e25cea10a8386e5854d825ef095d40ff4fc2f33af18c178eb1d04b87aaa4c55728a1b1296ec3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
0b1e8ff938931f8035e1fd1d0ed25ebb

SHA1
622a3ed8bdb4d28b2875cd1e0f51023c6e914abf

SHA256
d0f89abc9536ce3c4f842c57aa4e25a287f2a1ea2cee4f886636f7fc76c33b58

SHA512
4562813c31d08a43038b77f630c55dc188f8f432e2f8a8b05466e25cea10a8386e5854d825ef095d40ff4fc2f33af18c178eb1d04b87aaa4c55728a1b1296ec3

Download Submit
memory/460-56-0x0000000000000000-mapping.dmp

Download
memory/460-59-0x0000000001BF0000-0x0000000001BF1000-memory.dmp

Filesize
4KB

Download
memory/460-61-0x0000000001BF2000-0x0000000001BF4000-memory.dmp

Filesize
8KB

Download
memory/460-60-0x0000000001BF1000-0x0000000001BF2000-memory.dmp

Filesize
4KB

Download
memory/744-73-0x00000000023B0000-0x0000000002FFA000-memory.dmp

Filesize
12.3MB

Download
memory/744-70-0x0000000000000000-mapping.dmp

Download
memory/760-76-0x0000000000000000-mapping.dmp

Download
memory/812-67-0x0000000002470000-0x00000000030BA000-memory.dmp

Filesize
12.3MB

Download
memory/812-69-0x0000000002470000-0x00000000030BA000-memory.dmp

Filesize
12.3MB

Download
memory/812-68-0x0000000002470000-0x00000000030BA000-memory.dmp

Filesize
12.3MB

Download
memory/812-64-0x0000000000000000-mapping.dmp

Download
memory/944-54-0x00000000008D0000-0x0000000000A60000-memory.dmp

Filesize
1.6MB

Download
memory/944-57-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download
memory/944-55-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download
memory/944-79-0x0000000004CD0000-0x0000000004D3E000-memory.dmp

Filesize
440KB

Download
memory/944-53-0x00000000008D0000-0x0000000000A60000-memory.dmp

Filesize
1.6MB

Download
memory/1240-81-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1240-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1240-82-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1240-83-0x000000000041F0F0-mapping.dmp

Download
memory/1240-84-0x0000000000A60000-0x0000000000D63000-memory.dmp

Filesize
3.0MB

Download
memory/1472-74-0x0000000000000000-mapping.dmp

Download
memory/1812-62-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads