formbook | c6d0861ae7de13673ba678e5460d94433a6a873d461015070cc95fe174015991

General

Target

b0fd06d3d98801c819d319e2238b4759.exe
Size

298KB
MD5

b0fd06d3d98801c819d319e2238b4759
SHA1

f6b1491a483af1a0aad7dbdcec83580d6bb90023
SHA256

c6d0861ae7de13673ba678e5460d94433a6a873d461015070cc95fe174015991
SHA512

8546bbe82af1543de2b688838e728396821f2c989e0417aedae6d6fce5374c5df5b5c9a00e6a214e7d9bb40d7c8cb6c05b0d52e631e6d6535037bb8e5fad0395

Score

10^/10

formbook h4d0 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

h4d0

Decoy

onlinefinejewelry.com

samstringermusic.com

beam-lettings.info

optimumcoin.xyz

fasa.xyz

creativedime.com

eihncuz.online

griffin2008.top

europcarlive.com

jxhcar.com

museumsshop.international

bonolaboral-lnterbank.com

kelebandis.xyz

hiddenlakeranch.net

carelessyouth.com

jfkilfoil.store

potok-it-ua.site

magdulemediation.com

shakadal.xyz

coastconstructionfl.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/964-56-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Loads dropped DLL 1 IoCs

Processes:

b0fd06d3d98801c819d319e2238b4759.exe

pid process

1756 b0fd06d3d98801c819d319e2238b4759.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

b0fd06d3d98801c819d319e2238b4759.exe

description pid process target process

PID 1756 set thread context of 964 1756 b0fd06d3d98801c819d319e2238b4759.exe b0fd06d3d98801c819d319e2238b4759.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

b0fd06d3d98801c819d319e2238b4759.exe

pid process

964 b0fd06d3d98801c819d319e2238b4759.exe

pid	process
1756	b0fd06d3d98801c819d319e2238b4759.exe

description	pid	process	target process
PID 1756 set thread context of 964	1756	b0fd06d3d98801c819d319e2238b4759.exe	b0fd06d3d98801c819d319e2238b4759.exe

pid	process
964	b0fd06d3d98801c819d319e2238b4759.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

b0fd06d3d98801c819d319e2238b4759.exe

description	pid	process	target process
PID 1756 wrote to memory of 964	1756	b0fd06d3d98801c819d319e2238b4759.exe	b0fd06d3d98801c819d319e2238b4759.exe
PID 1756 wrote to memory of 964	1756	b0fd06d3d98801c819d319e2238b4759.exe	b0fd06d3d98801c819d319e2238b4759.exe
PID 1756 wrote to memory of 964	1756	b0fd06d3d98801c819d319e2238b4759.exe	b0fd06d3d98801c819d319e2238b4759.exe
PID 1756 wrote to memory of 964	1756	b0fd06d3d98801c819d319e2238b4759.exe	b0fd06d3d98801c819d319e2238b4759.exe
PID 1756 wrote to memory of 964	1756	b0fd06d3d98801c819d319e2238b4759.exe	b0fd06d3d98801c819d319e2238b4759.exe
PID 1756 wrote to memory of 964	1756	b0fd06d3d98801c819d319e2238b4759.exe	b0fd06d3d98801c819d319e2238b4759.exe
PID 1756 wrote to memory of 964	1756	b0fd06d3d98801c819d319e2238b4759.exe	b0fd06d3d98801c819d319e2238b4759.exe

C:\Users\Admin\AppData\Local\Temp\b0fd06d3d98801c819d319e2238b4759.exe
"C:\Users\Admin\AppData\Local\Temp\b0fd06d3d98801c819d319e2238b4759.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1756

C:\Users\Admin\AppData\Local\Temp\b0fd06d3d98801c819d319e2238b4759.exe
"C:\Users\Admin\AppData\Local\Temp\b0fd06d3d98801c819d319e2238b4759.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:964

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsnE86D.tmp\nscqlwemhn.dll
MD5
311cd318e47257d49a0d0a81bb4da7e2

SHA1
e3c81cb5cc9f791ea21c0ba61ce57d32c3feb478

SHA256
2f2b20327889a4f434e5e41e6353596b0afc21d3221814d261c90f1c48cd7b9a

SHA512
d477c040b87a62568e30d99b6a6dfcb906af47158eac09cf2ec7c8ebe340c846edec1d4a55b6dd5bf1133453a6956770b90aee4576f3ba3110077e1dd1563def

Download Submit
memory/964-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/964-57-0x00000000008C0000-0x0000000000BC3000-memory.dmp

Filesize
3.0MB

Download
memory/1756-54-0x00000000769D1000-0x00000000769D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing