formbook | d02d076842cc94fa6612b13ff0d2f77e1ff9150d22607cfe3962da4234cf4ed5

General

Target

5fc986129c3d833b1c7e5ba6ff3678bc.exe
Size

214KB
MD5

5fc986129c3d833b1c7e5ba6ff3678bc
SHA1

2ace6bc0488df9b8592e25be3de38e6c9a0c16da
SHA256

d02d076842cc94fa6612b13ff0d2f77e1ff9150d22607cfe3962da4234cf4ed5
SHA512

7f496926ea5026eda78532c001ce21e6f9f6ec4474ee995909a53f106def291cd7338072e56b29b7844ea43dc83fcd3eb6f8e36d2db5d8d5e0281059d60f9043

Score

10^/10

formbook fw02 rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

fw02

Decoy

payer-breakers.com

thesiscoper.com

rental-villa.com

scovikinnovations.com

hydh33.com

allmyshit.rest

lovejaclyn.com

vanessaruizwriting.com

dufonddelaclasse.com

kiddee168.com

monumentalmarketsllc.com

musclegainfatloss.com

avida.info

cosmo-wellness.net

dandelionfusedigital.com

oversizeloadbanners.com

konstelle.store

sdjnsbd.com

czoqg.xyz

5p6xljjse1lq.xyz

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1956-62-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1956-63-0x000000000041F150-mapping.dmp	formbook
behavioral1/memory/2000-73-0x0000000000090000-0x00000000000BF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

rysgtozci.exerysgtozci.exe

pid process

644 rysgtozci.exe
1956 rysgtozci.exe
Loads dropped DLL 2 IoCs

Processes:

5fc986129c3d833b1c7e5ba6ff3678bc.exerysgtozci.exe

pid process

948 5fc986129c3d833b1c7e5ba6ff3678bc.exe
644 rysgtozci.exe

pid	process
644	rysgtozci.exe
1956	rysgtozci.exe

pid	process
948	5fc986129c3d833b1c7e5ba6ff3678bc.exe
644	rysgtozci.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

rysgtozci.exerysgtozci.exerundll32.exe

description	pid	process	target process
PID 644 set thread context of 1956	644	rysgtozci.exe	rysgtozci.exe
PID 1956 set thread context of 1204	1956	rysgtozci.exe	Explorer.EXE
PID 2000 set thread context of 1204	2000	rundll32.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

rysgtozci.exerundll32.exe

pid	process
1956	rysgtozci.exe
1956	rysgtozci.exe
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe
2000	rundll32.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

rysgtozci.exerundll32.exe

pid process

1956 rysgtozci.exe
1956 rysgtozci.exe
1956 rysgtozci.exe
2000 rundll32.exe
2000 rundll32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

rysgtozci.exerundll32.exe

description pid process

Token: SeDebugPrivilege 1956 rysgtozci.exe
Token: SeDebugPrivilege 2000 rundll32.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1204 Explorer.EXE
1204 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1204 Explorer.EXE
1204 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1956	rysgtozci.exe
Token: SeDebugPrivilege	2000	rundll32.exe

pid	process
1204	Explorer.EXE
1204	Explorer.EXE

pid	process
1204	Explorer.EXE
1204	Explorer.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

5fc986129c3d833b1c7e5ba6ff3678bc.exerysgtozci.exeExplorer.EXErundll32.exe

description	pid	process	target process
PID 948 wrote to memory of 644	948	5fc986129c3d833b1c7e5ba6ff3678bc.exe	rysgtozci.exe
PID 948 wrote to memory of 644	948	5fc986129c3d833b1c7e5ba6ff3678bc.exe	rysgtozci.exe
PID 948 wrote to memory of 644	948	5fc986129c3d833b1c7e5ba6ff3678bc.exe	rysgtozci.exe
PID 948 wrote to memory of 644	948	5fc986129c3d833b1c7e5ba6ff3678bc.exe	rysgtozci.exe
PID 644 wrote to memory of 1956	644	rysgtozci.exe	rysgtozci.exe
PID 644 wrote to memory of 1956	644	rysgtozci.exe	rysgtozci.exe
PID 644 wrote to memory of 1956	644	rysgtozci.exe	rysgtozci.exe
PID 644 wrote to memory of 1956	644	rysgtozci.exe	rysgtozci.exe
PID 644 wrote to memory of 1956	644	rysgtozci.exe	rysgtozci.exe
PID 644 wrote to memory of 1956	644	rysgtozci.exe	rysgtozci.exe
PID 644 wrote to memory of 1956	644	rysgtozci.exe	rysgtozci.exe
PID 1204 wrote to memory of 2000	1204	Explorer.EXE	rundll32.exe
PID 1204 wrote to memory of 2000	1204	Explorer.EXE	rundll32.exe
PID 1204 wrote to memory of 2000	1204	Explorer.EXE	rundll32.exe
PID 1204 wrote to memory of 2000	1204	Explorer.EXE	rundll32.exe
PID 1204 wrote to memory of 2000	1204	Explorer.EXE	rundll32.exe
PID 1204 wrote to memory of 2000	1204	Explorer.EXE	rundll32.exe
PID 1204 wrote to memory of 2000	1204	Explorer.EXE	rundll32.exe
PID 2000 wrote to memory of 1800	2000	rundll32.exe	cmd.exe
PID 2000 wrote to memory of 1800	2000	rundll32.exe	cmd.exe
PID 2000 wrote to memory of 1800	2000	rundll32.exe	cmd.exe
PID 2000 wrote to memory of 1800	2000	rundll32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1204

C:\Users\Admin\AppData\Local\Temp\5fc986129c3d833b1c7e5ba6ff3678bc.exe
"C:\Users\Admin\AppData\Local\Temp\5fc986129c3d833b1c7e5ba6ff3678bc.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:948

C:\Users\Admin\AppData\Local\Temp\rysgtozci.exe
C:\Users\Admin\AppData\Local\Temp\rysgtozci.exe C:\Users\Admin\AppData\Local\Temp\wduqqtzg
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:644

C:\Users\Admin\AppData\Local\Temp\rysgtozci.exe
C:\Users\Admin\AppData\Local\Temp\rysgtozci.exe C:\Users\Admin\AppData\Local\Temp\wduqqtzg
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1956

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\rysgtozci.exe"
3⤵
PID:1800

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ptcgl43g463vgbr58
Filesize
184KB

MD5
b5b1c1f4818202956b29108fb25dec20

SHA1
7e74a79237d3090b0dbac83b2c038d849fde6382

SHA256
d0da793571aa99c98e2afca3be0f3d6850aabbacf2aca4eeab8013e4ebf77a67

SHA512
8ecd3fe32528d30c76c47763db6723cd69d2d8842fefcc7b3f12599b4f4f546c5ad4bd5c3c604f666fde36fd168945303414d54cd709df56fe96d08bbfe063e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\rysgtozci.exe
Filesize
5KB

MD5
96b3c3b0f05b4cedf349797d7cb05627

SHA1
b2d7084dcae06676c21d0ab393c60d6480e1d03f

SHA256
874f73e2673462859967afc64c3c33c1957d7b69915124cca91ced26dcfcd5c0

SHA512
e264e979679a7dcd410b2916ec16f8333cba6a45d59faad99c9a45ff75d0e574d6ecbb52fb21a7b89732a8236b5f5416fd8fcffb595692f451dd6556b9641e73

Download Submit
C:\Users\Admin\AppData\Local\Temp\rysgtozci.exe
Filesize
5KB

MD5
96b3c3b0f05b4cedf349797d7cb05627

SHA1
b2d7084dcae06676c21d0ab393c60d6480e1d03f

SHA256
874f73e2673462859967afc64c3c33c1957d7b69915124cca91ced26dcfcd5c0

SHA512
e264e979679a7dcd410b2916ec16f8333cba6a45d59faad99c9a45ff75d0e574d6ecbb52fb21a7b89732a8236b5f5416fd8fcffb595692f451dd6556b9641e73

Download Submit
C:\Users\Admin\AppData\Local\Temp\rysgtozci.exe
Filesize
5KB

MD5
96b3c3b0f05b4cedf349797d7cb05627

SHA1
b2d7084dcae06676c21d0ab393c60d6480e1d03f

SHA256
874f73e2673462859967afc64c3c33c1957d7b69915124cca91ced26dcfcd5c0

SHA512
e264e979679a7dcd410b2916ec16f8333cba6a45d59faad99c9a45ff75d0e574d6ecbb52fb21a7b89732a8236b5f5416fd8fcffb595692f451dd6556b9641e73

Download Submit
C:\Users\Admin\AppData\Local\Temp\wduqqtzg
Filesize
5KB

MD5
cea27fda9443dd5882439188c2494a7b

SHA1
89b7f9c46c4462f37ee6e91d639ccdd3084e03cd

SHA256
26a0ef0fe1fdab9e6dae3caecec085c3800a44d32cd5b87c182c0c0a6b559f59

SHA512
12040c4009e23ec2d4cf15a9f5b31587070f6086f2816efeb946a6d2f1609339ba66a8639f187d2ac97d0284264df7aee0f62b40ea550567b5e35f66992a1c87

Download Submit
\Users\Admin\AppData\Local\Temp\rysgtozci.exe
Filesize
5KB

MD5
96b3c3b0f05b4cedf349797d7cb05627

SHA1
b2d7084dcae06676c21d0ab393c60d6480e1d03f

SHA256
874f73e2673462859967afc64c3c33c1957d7b69915124cca91ced26dcfcd5c0

SHA512
e264e979679a7dcd410b2916ec16f8333cba6a45d59faad99c9a45ff75d0e574d6ecbb52fb21a7b89732a8236b5f5416fd8fcffb595692f451dd6556b9641e73

Download Submit
\Users\Admin\AppData\Local\Temp\rysgtozci.exe
Filesize
5KB

MD5
96b3c3b0f05b4cedf349797d7cb05627

SHA1
b2d7084dcae06676c21d0ab393c60d6480e1d03f

SHA256
874f73e2673462859967afc64c3c33c1957d7b69915124cca91ced26dcfcd5c0

SHA512
e264e979679a7dcd410b2916ec16f8333cba6a45d59faad99c9a45ff75d0e574d6ecbb52fb21a7b89732a8236b5f5416fd8fcffb595692f451dd6556b9641e73

Download Submit
memory/644-56-0x0000000000000000-mapping.dmp

Download
memory/948-54-0x0000000074F21000-0x0000000074F23000-memory.dmp

Filesize
8KB

Download
memory/1204-76-0x00000000073C0000-0x00000000074A9000-memory.dmp

Filesize
932KB

Download
memory/1204-68-0x0000000004AB0000-0x0000000004BC2000-memory.dmp

Filesize
1.1MB

Download
memory/1800-71-0x0000000000000000-mapping.dmp

Download
memory/1956-67-0x0000000000340000-0x0000000000354000-memory.dmp

Filesize
80KB

Download
memory/1956-66-0x00000000008A0000-0x0000000000BA3000-memory.dmp

Filesize
3.0MB

Download
memory/1956-63-0x000000000041F150-mapping.dmp

Download
memory/1956-62-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2000-69-0x0000000000000000-mapping.dmp

Download
memory/2000-73-0x0000000000090000-0x00000000000BF000-memory.dmp

Filesize
188KB

Download
memory/2000-72-0x0000000000BE0000-0x0000000000BEE000-memory.dmp

Filesize
56KB

Download
memory/2000-74-0x00000000021F0000-0x00000000024F3000-memory.dmp

Filesize
3.0MB

Download
memory/2000-75-0x0000000000920000-0x00000000009B3000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads