formbook | b86196be9611b795234dff0f3d10d7d59678288391944190b189ad6fad017882

General

Target

a3aee41648e9fa62d3bfd4db586d97ea.exe
Size

214KB
MD5

a3aee41648e9fa62d3bfd4db586d97ea
SHA1

ea6d36b400e9566964bca70e1edeeb0f096059e4
SHA256

b86196be9611b795234dff0f3d10d7d59678288391944190b189ad6fad017882
SHA512

52f6fcb224a71d0fa6aa0ab207e61b8e694f2f6c1c30d89900235e22f7f84f6ce97f675853c7eb2e5fabf7fc76a13cf030df28cb9b7cb3f10d1f85b2a071088c

Score

10^/10

formbook fw02 rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

fw02

Decoy

payer-breakers.com

thesiscoper.com

rental-villa.com

scovikinnovations.com

hydh33.com

allmyshit.rest

lovejaclyn.com

vanessaruizwriting.com

dufonddelaclasse.com

kiddee168.com

monumentalmarketsllc.com

musclegainfatloss.com

avida.info

cosmo-wellness.net

dandelionfusedigital.com

oversizeloadbanners.com

konstelle.store

sdjnsbd.com

czoqg.xyz

5p6xljjse1lq.xyz

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1112-63-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1112-64-0x000000000041F150-mapping.dmp	formbook
behavioral1/memory/1112-67-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1564-74-0x00000000000A0000-0x00000000000CF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

vnpqm.exevnpqm.exe

pid process

1792 vnpqm.exe
1112 vnpqm.exe
Loads dropped DLL 2 IoCs

Processes:

a3aee41648e9fa62d3bfd4db586d97ea.exevnpqm.exe

pid process

1864 a3aee41648e9fa62d3bfd4db586d97ea.exe
1792 vnpqm.exe

pid	process
1792	vnpqm.exe
1112	vnpqm.exe

pid	process
1864	a3aee41648e9fa62d3bfd4db586d97ea.exe
1792	vnpqm.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

vnpqm.exevnpqm.exewuapp.exe

description	pid	process	target process
PID 1792 set thread context of 1112	1792	vnpqm.exe	vnpqm.exe
PID 1112 set thread context of 1256	1112	vnpqm.exe	Explorer.EXE
PID 1564 set thread context of 1256	1564	wuapp.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

vnpqm.exewuapp.exe

pid	process
1112	vnpqm.exe
1112	vnpqm.exe
1564	wuapp.exe
1564	wuapp.exe
1564	wuapp.exe
1564	wuapp.exe
1564	wuapp.exe
1564	wuapp.exe
1564	wuapp.exe
1564	wuapp.exe
1564	wuapp.exe
1564	wuapp.exe
1564	wuapp.exe
1564	wuapp.exe
1564	wuapp.exe
1564	wuapp.exe
1564	wuapp.exe
1564	wuapp.exe
1564	wuapp.exe
1564	wuapp.exe
1564	wuapp.exe
1564	wuapp.exe
1564	wuapp.exe
1564	wuapp.exe
1564	wuapp.exe
1564	wuapp.exe
1564	wuapp.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

vnpqm.exewuapp.exe

pid process

1112 vnpqm.exe
1112 vnpqm.exe
1112 vnpqm.exe
1564 wuapp.exe
1564 wuapp.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

vnpqm.exewuapp.exe

description pid process

Token: SeDebugPrivilege 1112 vnpqm.exe
Token: SeDebugPrivilege 1564 wuapp.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1256 Explorer.EXE
1256 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1256 Explorer.EXE
1256 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1112	vnpqm.exe
Token: SeDebugPrivilege	1564	wuapp.exe

pid	process
1256	Explorer.EXE
1256	Explorer.EXE

pid	process
1256	Explorer.EXE
1256	Explorer.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

a3aee41648e9fa62d3bfd4db586d97ea.exevnpqm.exeExplorer.EXEwuapp.exe

description	pid	process	target process
PID 1864 wrote to memory of 1792	1864	a3aee41648e9fa62d3bfd4db586d97ea.exe	vnpqm.exe
PID 1864 wrote to memory of 1792	1864	a3aee41648e9fa62d3bfd4db586d97ea.exe	vnpqm.exe
PID 1864 wrote to memory of 1792	1864	a3aee41648e9fa62d3bfd4db586d97ea.exe	vnpqm.exe
PID 1864 wrote to memory of 1792	1864	a3aee41648e9fa62d3bfd4db586d97ea.exe	vnpqm.exe
PID 1792 wrote to memory of 1112	1792	vnpqm.exe	vnpqm.exe
PID 1792 wrote to memory of 1112	1792	vnpqm.exe	vnpqm.exe
PID 1792 wrote to memory of 1112	1792	vnpqm.exe	vnpqm.exe
PID 1792 wrote to memory of 1112	1792	vnpqm.exe	vnpqm.exe
PID 1792 wrote to memory of 1112	1792	vnpqm.exe	vnpqm.exe
PID 1792 wrote to memory of 1112	1792	vnpqm.exe	vnpqm.exe
PID 1792 wrote to memory of 1112	1792	vnpqm.exe	vnpqm.exe
PID 1256 wrote to memory of 1564	1256	Explorer.EXE	wuapp.exe
PID 1256 wrote to memory of 1564	1256	Explorer.EXE	wuapp.exe
PID 1256 wrote to memory of 1564	1256	Explorer.EXE	wuapp.exe
PID 1256 wrote to memory of 1564	1256	Explorer.EXE	wuapp.exe
PID 1256 wrote to memory of 1564	1256	Explorer.EXE	wuapp.exe
PID 1256 wrote to memory of 1564	1256	Explorer.EXE	wuapp.exe
PID 1256 wrote to memory of 1564	1256	Explorer.EXE	wuapp.exe
PID 1564 wrote to memory of 1484	1564	wuapp.exe	cmd.exe
PID 1564 wrote to memory of 1484	1564	wuapp.exe	cmd.exe
PID 1564 wrote to memory of 1484	1564	wuapp.exe	cmd.exe
PID 1564 wrote to memory of 1484	1564	wuapp.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1256

C:\Users\Admin\AppData\Local\Temp\a3aee41648e9fa62d3bfd4db586d97ea.exe
"C:\Users\Admin\AppData\Local\Temp\a3aee41648e9fa62d3bfd4db586d97ea.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1864

C:\Users\Admin\AppData\Local\Temp\vnpqm.exe
C:\Users\Admin\AppData\Local\Temp\vnpqm.exe C:\Users\Admin\AppData\Local\Temp\nwlle
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1792

C:\Users\Admin\AppData\Local\Temp\vnpqm.exe
C:\Users\Admin\AppData\Local\Temp\vnpqm.exe C:\Users\Admin\AppData\Local\Temp\nwlle
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1112

C:\Windows\SysWOW64\wuapp.exe
"C:\Windows\SysWOW64\wuapp.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\vnpqm.exe"
3⤵
PID:1484

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nwlle
Filesize
4KB

MD5
3e5540295ef17624a84b738370990263

SHA1
f31211168ba1fcabecf9b8ac8788157dcfc38abd

SHA256
02b8e56a9555ff71d4bf8e767208e615acc1c070988529f074825fdc785299a7

SHA512
834769ee8cd0aa6b4d115158d48c15a004a09b7957acdcc6316f75a0ffbaa44661599c4cef240e98e777a010f5c69b639d30642e84d5f2db78c0e4d3d610efc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\pbacyw3t6xt285evx
Filesize
184KB

MD5
aebd6f7d4b9548b673dcdb3348180a7b

SHA1
9862bccc5b8bf3fe627dd2554088ac931eee50de

SHA256
18e8497ced0059d1a231c09d748ba06b018452f5a7605cdd0612790ca8e899ff

SHA512
a18d461cbc15d2f4d7023175d4a55983d2697f723bb616638a15d00c7f37457e466e670f98ff9a5ef8cff0e83a8350e134b6ad5e72b039e4b432315805b6f3a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnpqm.exe
Filesize
5KB

MD5
7f9a530257f6539adf6cfb0150ecb306

SHA1
5d2b049fca18b2cf9706dfc716bdc58654408b36

SHA256
a28bead116296db46ac6437684a5368451b0a999e1c9822a045bf09a1c48f713

SHA512
2905c1a51211712e4c6adfd10cab6f03de00f8386c79f1a2a76d57c8a9d9358c7674fc49f3a939246f6d73db2b4b514cf3fcf60a297dfcc3b2cc684c0f15612c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnpqm.exe
Filesize
5KB

MD5
7f9a530257f6539adf6cfb0150ecb306

SHA1
5d2b049fca18b2cf9706dfc716bdc58654408b36

SHA256
a28bead116296db46ac6437684a5368451b0a999e1c9822a045bf09a1c48f713

SHA512
2905c1a51211712e4c6adfd10cab6f03de00f8386c79f1a2a76d57c8a9d9358c7674fc49f3a939246f6d73db2b4b514cf3fcf60a297dfcc3b2cc684c0f15612c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnpqm.exe
Filesize
5KB

MD5
7f9a530257f6539adf6cfb0150ecb306

SHA1
5d2b049fca18b2cf9706dfc716bdc58654408b36

SHA256
a28bead116296db46ac6437684a5368451b0a999e1c9822a045bf09a1c48f713

SHA512
2905c1a51211712e4c6adfd10cab6f03de00f8386c79f1a2a76d57c8a9d9358c7674fc49f3a939246f6d73db2b4b514cf3fcf60a297dfcc3b2cc684c0f15612c

Download Submit
\Users\Admin\AppData\Local\Temp\vnpqm.exe
Filesize
5KB

MD5
7f9a530257f6539adf6cfb0150ecb306

SHA1
5d2b049fca18b2cf9706dfc716bdc58654408b36

SHA256
a28bead116296db46ac6437684a5368451b0a999e1c9822a045bf09a1c48f713

SHA512
2905c1a51211712e4c6adfd10cab6f03de00f8386c79f1a2a76d57c8a9d9358c7674fc49f3a939246f6d73db2b4b514cf3fcf60a297dfcc3b2cc684c0f15612c

Download Submit
\Users\Admin\AppData\Local\Temp\vnpqm.exe
Filesize
5KB

MD5
7f9a530257f6539adf6cfb0150ecb306

SHA1
5d2b049fca18b2cf9706dfc716bdc58654408b36

SHA256
a28bead116296db46ac6437684a5368451b0a999e1c9822a045bf09a1c48f713

SHA512
2905c1a51211712e4c6adfd10cab6f03de00f8386c79f1a2a76d57c8a9d9358c7674fc49f3a939246f6d73db2b4b514cf3fcf60a297dfcc3b2cc684c0f15612c

Download Submit
memory/1112-69-0x0000000000560000-0x0000000000574000-memory.dmp

Filesize
80KB

Download
memory/1112-68-0x00000000006E0000-0x00000000009E3000-memory.dmp

Filesize
3.0MB

Download
memory/1112-64-0x000000000041F150-mapping.dmp

Download
memory/1112-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1112-67-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1256-70-0x0000000004A20000-0x0000000004AF7000-memory.dmp

Filesize
860KB

Download
memory/1256-77-0x0000000004C30000-0x0000000004D0F000-memory.dmp

Filesize
892KB

Download
memory/1484-72-0x0000000000000000-mapping.dmp

Download
memory/1564-71-0x0000000000000000-mapping.dmp

Download
memory/1564-73-0x0000000000030000-0x000000000003B000-memory.dmp

Filesize
44KB

Download
memory/1564-74-0x00000000000A0000-0x00000000000CF000-memory.dmp

Filesize
188KB

Download
memory/1564-75-0x0000000001D50000-0x0000000002053000-memory.dmp

Filesize
3.0MB

Download
memory/1564-76-0x0000000002060000-0x00000000020F3000-memory.dmp

Filesize
588KB

Download
memory/1792-56-0x0000000000000000-mapping.dmp

Download
memory/1864-54-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads