formbook | 5276ea0f67b9003422fa937e91c3af7b805efc0b0b9506bdd2936abb4fdd5a9c

General

Target

DHL_AWB_NO#907853880911.exe
Size

248KB
MD5

1b61be2437fb5806334b0bb10e0512e6
SHA1

ab7d1e8698a07ce9c4dc12f73f9c57e6abd0e618
SHA256

5276ea0f67b9003422fa937e91c3af7b805efc0b0b9506bdd2936abb4fdd5a9c
SHA512

e9b6a474800659b97c00545b36cef0827165f865a9eed75558a555d0d245db111d75c6fb7d1e8392e32a09fe6c29021bbb4665fcb3081bf99e8595872ceea85b

Score

10^/10

formbook fw02 rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

fw02

Decoy

payer-breakers.com

thesiscoper.com

rental-villa.com

scovikinnovations.com

hydh33.com

allmyshit.rest

lovejaclyn.com

vanessaruizwriting.com

dufonddelaclasse.com

kiddee168.com

monumentalmarketsllc.com

musclegainfatloss.com

avida.info

cosmo-wellness.net

dandelionfusedigital.com

oversizeloadbanners.com

konstelle.store

sdjnsbd.com

czoqg.xyz

5p6xljjse1lq.xyz

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3596-136-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3596-139-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2876-145-0x0000000001370000-0x000000000139F000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

alxsiiy.exealxsiiy.exe

pid process

3420 alxsiiy.exe
3596 alxsiiy.exe

pid	process
3420	alxsiiy.exe
3596	alxsiiy.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

alxsiiy.exealxsiiy.execscript.exe

description	pid	process	target process
PID 3420 set thread context of 3596	3420	alxsiiy.exe	alxsiiy.exe
PID 3596 set thread context of 3172	3596	alxsiiy.exe	Explorer.EXE
PID 2876 set thread context of 3172	2876	cscript.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

alxsiiy.execscript.exe

pid	process
3596	alxsiiy.exe
3596	alxsiiy.exe
3596	alxsiiy.exe
3596	alxsiiy.exe
2876	cscript.exe
2876	cscript.exe
2876	cscript.exe
2876	cscript.exe
2876	cscript.exe
2876	cscript.exe
2876	cscript.exe
2876	cscript.exe
2876	cscript.exe
2876	cscript.exe
2876	cscript.exe
2876	cscript.exe
2876	cscript.exe
2876	cscript.exe
2876	cscript.exe
2876	cscript.exe
2876	cscript.exe
2876	cscript.exe
2876	cscript.exe
2876	cscript.exe
2876	cscript.exe
2876	cscript.exe
2876	cscript.exe
2876	cscript.exe
2876	cscript.exe
2876	cscript.exe
2876	cscript.exe
2876	cscript.exe
2876	cscript.exe
2876	cscript.exe
2876	cscript.exe
2876	cscript.exe
2876	cscript.exe
2876	cscript.exe
2876	cscript.exe
2876	cscript.exe
2876	cscript.exe
2876	cscript.exe
2876	cscript.exe
2876	cscript.exe
2876	cscript.exe
2876	cscript.exe
2876	cscript.exe
2876	cscript.exe
2876	cscript.exe
2876	cscript.exe
2876	cscript.exe
2876	cscript.exe
2876	cscript.exe
2876	cscript.exe
2876	cscript.exe
2876	cscript.exe
2876	cscript.exe
2876	cscript.exe
2876	cscript.exe
2876	cscript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3172 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

alxsiiy.execscript.exe

pid process

3596 alxsiiy.exe
3596 alxsiiy.exe
3596 alxsiiy.exe
2876 cscript.exe
2876 cscript.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

alxsiiy.execscript.exe

description pid process

Token: SeDebugPrivilege 3596 alxsiiy.exe
Token: SeDebugPrivilege 2876 cscript.exe

pid	process
3172	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	3596	alxsiiy.exe
Token: SeDebugPrivilege	2876	cscript.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

DHL_AWB_NO#907853880911.exealxsiiy.exeExplorer.EXEcscript.exe

description	pid	process	target process
PID 1388 wrote to memory of 3420	1388	DHL_AWB_NO#907853880911.exe	alxsiiy.exe
PID 1388 wrote to memory of 3420	1388	DHL_AWB_NO#907853880911.exe	alxsiiy.exe
PID 1388 wrote to memory of 3420	1388	DHL_AWB_NO#907853880911.exe	alxsiiy.exe
PID 3420 wrote to memory of 3596	3420	alxsiiy.exe	alxsiiy.exe
PID 3420 wrote to memory of 3596	3420	alxsiiy.exe	alxsiiy.exe
PID 3420 wrote to memory of 3596	3420	alxsiiy.exe	alxsiiy.exe
PID 3420 wrote to memory of 3596	3420	alxsiiy.exe	alxsiiy.exe
PID 3420 wrote to memory of 3596	3420	alxsiiy.exe	alxsiiy.exe
PID 3420 wrote to memory of 3596	3420	alxsiiy.exe	alxsiiy.exe
PID 3172 wrote to memory of 2876	3172	Explorer.EXE	cscript.exe
PID 3172 wrote to memory of 2876	3172	Explorer.EXE	cscript.exe
PID 3172 wrote to memory of 2876	3172	Explorer.EXE	cscript.exe
PID 2876 wrote to memory of 4952	2876	cscript.exe	cmd.exe
PID 2876 wrote to memory of 4952	2876	cscript.exe	cmd.exe
PID 2876 wrote to memory of 4952	2876	cscript.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3172

C:\Users\Admin\AppData\Local\Temp\DHL_AWB_NO#907853880911.exe
"C:\Users\Admin\AppData\Local\Temp\DHL_AWB_NO#907853880911.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1388

C:\Users\Admin\AppData\Local\Temp\alxsiiy.exe
C:\Users\Admin\AppData\Local\Temp\alxsiiy.exe C:\Users\Admin\AppData\Local\Temp\nbesgph
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3420

C:\Users\Admin\AppData\Local\Temp\alxsiiy.exe
C:\Users\Admin\AppData\Local\Temp\alxsiiy.exe C:\Users\Admin\AppData\Local\Temp\nbesgph
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3596

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2876

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\alxsiiy.exe"
3⤵
PID:4952

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6escjpcrke8i6
Filesize
184KB

MD5
f707e9b9c5039fd55390fbbf657fc778

SHA1
14757602a1af42adb184a435d87a69f6639a591c

SHA256
c5ed8e9abfd27e99fceb5547ced9a6b941b10100213d6af4228b58d8c75af213

SHA512
6c5e7b0a60029f28e1540827f449b89279bba44f501c6e0f9f62541e556970e44ac7cf20226cc21c2788f59c45c9e8ff39aab539c1058a019cec4fce8616e24d

Download Submit
C:\Users\Admin\AppData\Local\Temp\alxsiiy.exe
Filesize
78KB

MD5
ec3a3de6e908886ea6b4408f599d7b15

SHA1
77e52d60e0a4cf1bd9dc87b8bc70f4b9a4f1108d

SHA256
ed10c8c988cf91693a760dec857309a1012cc4b6d0da597b6a7b11b7f6edd408

SHA512
58dcec90327299bec3df9c0cac130c8ace5451c04970b546fa3bf3f779a37552d932c209f2577dc2d01fa7263e3e6cd3eae035546f144731dc1f27de6ee0b3fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\alxsiiy.exe
Filesize
78KB

MD5
ec3a3de6e908886ea6b4408f599d7b15

SHA1
77e52d60e0a4cf1bd9dc87b8bc70f4b9a4f1108d

SHA256
ed10c8c988cf91693a760dec857309a1012cc4b6d0da597b6a7b11b7f6edd408

SHA512
58dcec90327299bec3df9c0cac130c8ace5451c04970b546fa3bf3f779a37552d932c209f2577dc2d01fa7263e3e6cd3eae035546f144731dc1f27de6ee0b3fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\alxsiiy.exe
Filesize
78KB

MD5
ec3a3de6e908886ea6b4408f599d7b15

SHA1
77e52d60e0a4cf1bd9dc87b8bc70f4b9a4f1108d

SHA256
ed10c8c988cf91693a760dec857309a1012cc4b6d0da597b6a7b11b7f6edd408

SHA512
58dcec90327299bec3df9c0cac130c8ace5451c04970b546fa3bf3f779a37552d932c209f2577dc2d01fa7263e3e6cd3eae035546f144731dc1f27de6ee0b3fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nbesgph
Filesize
5KB

MD5
18f6d7ca10e3ffc8c74fb860d7577c7c

SHA1
c283a6c35c2fa3322b2b966996c544294dfa2cee

SHA256
efe035b9d988a5734d64eb1efb40009150ba2998b3869ab63ad2130dc9264698

SHA512
164527ce6e78518d3c0eb6fb3b24f0f4d3323b5346c268ffd8aeee1f46bcbf78d94e80b25657ff8176b5574d71678761e0c27a161cc593b858905dd5a94f3edc

Download Submit
memory/2876-143-0x0000000000000000-mapping.dmp

Download
memory/2876-144-0x0000000000480000-0x00000000004A7000-memory.dmp

Filesize
156KB

Download
memory/2876-148-0x00000000032C0000-0x0000000003353000-memory.dmp

Filesize
588KB

Download
memory/2876-147-0x0000000003520000-0x000000000386A000-memory.dmp

Filesize
3.3MB

Download
memory/2876-145-0x0000000001370000-0x000000000139F000-memory.dmp

Filesize
188KB

Download
memory/3172-149-0x0000000002570000-0x0000000002632000-memory.dmp

Filesize
776KB

Download
memory/3172-142-0x0000000007D30000-0x0000000007E33000-memory.dmp

Filesize
1.0MB

Download
memory/3420-130-0x0000000000000000-mapping.dmp

Download
memory/3596-140-0x00000000014F0000-0x000000000183A000-memory.dmp

Filesize
3.3MB

Download
memory/3596-141-0x0000000000F70000-0x0000000000F84000-memory.dmp

Filesize
80KB

Download
memory/3596-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3596-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3596-135-0x0000000000000000-mapping.dmp

Download
memory/4952-146-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads