formbook | 200c25e3ad1dd6d924455a89035c1c677c7b319a89e3e9fac0499514175b67fc

General

Target

e6fb6a28bf4e2a128876d9f4bddcb0e5.exe
Size

371KB
MD5

e6fb6a28bf4e2a128876d9f4bddcb0e5
SHA1

056ba8bbc6045576bfe8bc2526bf70942a3e4286
SHA256

200c25e3ad1dd6d924455a89035c1c677c7b319a89e3e9fac0499514175b67fc
SHA512

a9f8a7a28e07f7dcc4824c34ac89002d589eab2daa0244992fd7617f9db1cb32cc7791791fb6d4e8d8c58298514bc4d7a215a0b408dde24a65be68e68233045e

Score

10^/10

formbook h4d0 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

h4d0

Decoy

onlinefinejewelry.com

samstringermusic.com

beam-lettings.info

optimumcoin.xyz

fasa.xyz

creativedime.com

eihncuz.online

griffin2008.top

europcarlive.com

jxhcar.com

museumsshop.international

bonolaboral-lnterbank.com

kelebandis.xyz

hiddenlakeranch.net

carelessyouth.com

jfkilfoil.store

potok-it-ua.site

magdulemediation.com

shakadal.xyz

coastconstructionfl.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2220-116-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2220-117-0x000000000041F130-mapping.dmp	formbook

Loads dropped DLL 1 IoCs

Processes:

e6fb6a28bf4e2a128876d9f4bddcb0e5.exe

pid process

508 e6fb6a28bf4e2a128876d9f4bddcb0e5.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

e6fb6a28bf4e2a128876d9f4bddcb0e5.exe

description pid process target process

PID 508 set thread context of 2220 508 e6fb6a28bf4e2a128876d9f4bddcb0e5.exe e6fb6a28bf4e2a128876d9f4bddcb0e5.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

e6fb6a28bf4e2a128876d9f4bddcb0e5.exe

pid process

2220 e6fb6a28bf4e2a128876d9f4bddcb0e5.exe
2220 e6fb6a28bf4e2a128876d9f4bddcb0e5.exe

pid	process
508	e6fb6a28bf4e2a128876d9f4bddcb0e5.exe

description	pid	process	target process
PID 508 set thread context of 2220	508	e6fb6a28bf4e2a128876d9f4bddcb0e5.exe	e6fb6a28bf4e2a128876d9f4bddcb0e5.exe

pid	process
2220	e6fb6a28bf4e2a128876d9f4bddcb0e5.exe
2220	e6fb6a28bf4e2a128876d9f4bddcb0e5.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

e6fb6a28bf4e2a128876d9f4bddcb0e5.exe

description	pid	process	target process
PID 508 wrote to memory of 2220	508	e6fb6a28bf4e2a128876d9f4bddcb0e5.exe	e6fb6a28bf4e2a128876d9f4bddcb0e5.exe
PID 508 wrote to memory of 2220	508	e6fb6a28bf4e2a128876d9f4bddcb0e5.exe	e6fb6a28bf4e2a128876d9f4bddcb0e5.exe
PID 508 wrote to memory of 2220	508	e6fb6a28bf4e2a128876d9f4bddcb0e5.exe	e6fb6a28bf4e2a128876d9f4bddcb0e5.exe
PID 508 wrote to memory of 2220	508	e6fb6a28bf4e2a128876d9f4bddcb0e5.exe	e6fb6a28bf4e2a128876d9f4bddcb0e5.exe
PID 508 wrote to memory of 2220	508	e6fb6a28bf4e2a128876d9f4bddcb0e5.exe	e6fb6a28bf4e2a128876d9f4bddcb0e5.exe
PID 508 wrote to memory of 2220	508	e6fb6a28bf4e2a128876d9f4bddcb0e5.exe	e6fb6a28bf4e2a128876d9f4bddcb0e5.exe

C:\Users\Admin\AppData\Local\Temp\e6fb6a28bf4e2a128876d9f4bddcb0e5.exe
"C:\Users\Admin\AppData\Local\Temp\e6fb6a28bf4e2a128876d9f4bddcb0e5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:508

C:\Users\Admin\AppData\Local\Temp\e6fb6a28bf4e2a128876d9f4bddcb0e5.exe
"C:\Users\Admin\AppData\Local\Temp\e6fb6a28bf4e2a128876d9f4bddcb0e5.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2220

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsz4DB0.tmp\utjmpu.dll
MD5
b7e8ffa9ce86abd88603e4318292b040

SHA1
84dbd2680588028ca54c16cb8dbe7068eab60c93

SHA256
c0281271f09f1af4345440699f1f17638116b8ccbb38bc101a739bde7b91101f

SHA512
fc158d351eb0e86b59ef44e7024d45f6ca3f229c81d7acbf7df39da4e92e12cac8bb045a0078272d5b86086f90a5a77c71240cfb19ceefaa51f93698b9b6f1f3

Download Submit
memory/2220-116-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2220-117-0x000000000041F130-mapping.dmp

Download
memory/2220-118-0x0000000000990000-0x0000000000CB0000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing