formbook | f0c572c44f221308ba93f1301f995c5e8056be18e5a06c0470f383f1362aa692

General

Target

DHL_AWB_NO#907853880911.exe
Size

267KB
MD5

9d5bfa23857f350ce14dd21f0a42bd29
SHA1

bbf0a34b5e758b99c49f3b7e14cfe9a50c436400
SHA256

f0c572c44f221308ba93f1301f995c5e8056be18e5a06c0470f383f1362aa692
SHA512

d6396c093d64b6648d125e8c7fdd6b4e08d5b2a6bb47d088bb32157b1d27b0883c0f732a350dfe7e49e006eb15ebe68b30610c66e3776cfe1b8452026b4753f3

Score

10^/10

formbook fw02 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

fw02

Decoy

payer-breakers.com

thesiscoper.com

rental-villa.com

scovikinnovations.com

hydh33.com

allmyshit.rest

lovejaclyn.com

vanessaruizwriting.com

dufonddelaclasse.com

kiddee168.com

monumentalmarketsllc.com

musclegainfatloss.com

avida.info

cosmo-wellness.net

dandelionfusedigital.com

oversizeloadbanners.com

konstelle.store

sdjnsbd.com

czoqg.xyz

5p6xljjse1lq.xyz

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1720-64-0x000000000041F150-mapping.dmp	formbook
behavioral1/memory/1720-63-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1720-67-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

woydiaq.exewoydiaq.exe

pid process

2044 woydiaq.exe
1720 woydiaq.exe
Loads dropped DLL 3 IoCs

Processes:

DHL_AWB_NO#907853880911.exewoydiaq.exe

pid process

844 DHL_AWB_NO#907853880911.exe
844 DHL_AWB_NO#907853880911.exe
2044 woydiaq.exe

pid	process
2044	woydiaq.exe
1720	woydiaq.exe

pid	process
844	DHL_AWB_NO#907853880911.exe
844	DHL_AWB_NO#907853880911.exe
2044	woydiaq.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

woydiaq.exewoydiaq.exe

description	pid	process	target process
PID 2044 set thread context of 1720	2044	woydiaq.exe	woydiaq.exe
PID 1720 set thread context of 1204	1720	woydiaq.exe	Explorer.EXE
PID 1720 set thread context of 1204	1720	woydiaq.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

woydiaq.exe

pid process

1720 woydiaq.exe
1720 woydiaq.exe
1720 woydiaq.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

woydiaq.exe

pid process

1720 woydiaq.exe
1720 woydiaq.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

woydiaq.exeExplorer.EXE

description pid process

Token: SeDebugPrivilege 1720 woydiaq.exe
Token: SeShutdownPrivilege 1204 Explorer.EXE

pid	process
1720	woydiaq.exe
1720	woydiaq.exe
1720	woydiaq.exe

pid	process
1720	woydiaq.exe
1720	woydiaq.exe

description	pid	process
Token: SeDebugPrivilege	1720	woydiaq.exe
Token: SeShutdownPrivilege	1204	Explorer.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

DHL_AWB_NO#907853880911.exewoydiaq.exe

description	pid	process	target process
PID 844 wrote to memory of 2044	844	DHL_AWB_NO#907853880911.exe	woydiaq.exe
PID 844 wrote to memory of 2044	844	DHL_AWB_NO#907853880911.exe	woydiaq.exe
PID 844 wrote to memory of 2044	844	DHL_AWB_NO#907853880911.exe	woydiaq.exe
PID 844 wrote to memory of 2044	844	DHL_AWB_NO#907853880911.exe	woydiaq.exe
PID 2044 wrote to memory of 1720	2044	woydiaq.exe	woydiaq.exe
PID 2044 wrote to memory of 1720	2044	woydiaq.exe	woydiaq.exe
PID 2044 wrote to memory of 1720	2044	woydiaq.exe	woydiaq.exe
PID 2044 wrote to memory of 1720	2044	woydiaq.exe	woydiaq.exe
PID 2044 wrote to memory of 1720	2044	woydiaq.exe	woydiaq.exe
PID 2044 wrote to memory of 1720	2044	woydiaq.exe	woydiaq.exe
PID 2044 wrote to memory of 1720	2044	woydiaq.exe	woydiaq.exe

C:\Users\Admin\AppData\Local\Temp\DHL_AWB_NO#907853880911.exe
"C:\Users\Admin\AppData\Local\Temp\DHL_AWB_NO#907853880911.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:844

C:\Users\Admin\AppData\Local\Temp\woydiaq.exe
C:\Users\Admin\AppData\Local\Temp\woydiaq.exe C:\Users\Admin\AppData\Local\Temp\spztad
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1204

C:\Users\Admin\AppData\Local\Temp\woydiaq.exe
C:\Users\Admin\AppData\Local\Temp\woydiaq.exe C:\Users\Admin\AppData\Local\Temp\spztad
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1720

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\spztad
Filesize
5KB

MD5
0aedeefbab464a4415407c295d16e4df

SHA1
1d5dd49d02e670af3ebb0fa966431adfe47b6e74

SHA256
a796ad60a15252449f7266f404561386397ec45d23aa85ca2bda9c2137c9658d

SHA512
3d0886cf0d791fb9122dcf403944e5ec9ab6634a5e74587eeae3ae5b663fa0a727c2f79b86b9248d441f3306c25a11e0b66b793a48006d117566f37e149277e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\woydiaq.exe
Filesize
74KB

MD5
479caad6c56fd4a045b25ed8b022a168

SHA1
f9a25d2c1fa81dd6405e7c3b44ae384981c79b08

SHA256
934223e2f6bee30cf5ae6f8775e902d76dadd16e5e38f81656113f8051904409

SHA512
f22562b741e7f11c8d4ab84bdf2a3dc5d1b673511766ae0f783f3c28e5354edcb3b01dde499c67f2f8d910206e10d7bdc750e3c984debdebc040ba298ed70472

Download Submit
C:\Users\Admin\AppData\Local\Temp\woydiaq.exe
Filesize
74KB

MD5
479caad6c56fd4a045b25ed8b022a168

SHA1
f9a25d2c1fa81dd6405e7c3b44ae384981c79b08

SHA256
934223e2f6bee30cf5ae6f8775e902d76dadd16e5e38f81656113f8051904409

SHA512
f22562b741e7f11c8d4ab84bdf2a3dc5d1b673511766ae0f783f3c28e5354edcb3b01dde499c67f2f8d910206e10d7bdc750e3c984debdebc040ba298ed70472

Download Submit
C:\Users\Admin\AppData\Local\Temp\woydiaq.exe
Filesize
74KB

MD5
479caad6c56fd4a045b25ed8b022a168

SHA1
f9a25d2c1fa81dd6405e7c3b44ae384981c79b08

SHA256
934223e2f6bee30cf5ae6f8775e902d76dadd16e5e38f81656113f8051904409

SHA512
f22562b741e7f11c8d4ab84bdf2a3dc5d1b673511766ae0f783f3c28e5354edcb3b01dde499c67f2f8d910206e10d7bdc750e3c984debdebc040ba298ed70472

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjg2rci35ljn
Filesize
184KB

MD5
8304fa4e25ae8d02f3d1a254fd69c76a

SHA1
d5bb30d1ad247af463923a0c53abd0ee5ee26042

SHA256
a115618420c68eb6a78166081f5cb5cd48844cb221159baa0103467f4bcde88b

SHA512
abd8629f5da76a24a125fafb9080016ae33deae6216861d371b7a46b2c0857a1f67ff3b520fb929117c495b01691b8b7f694be91b685baaddb84995ed69ab23f

Download Submit
\Users\Admin\AppData\Local\Temp\woydiaq.exe
Filesize
74KB

MD5
479caad6c56fd4a045b25ed8b022a168

SHA1
f9a25d2c1fa81dd6405e7c3b44ae384981c79b08

SHA256
934223e2f6bee30cf5ae6f8775e902d76dadd16e5e38f81656113f8051904409

SHA512
f22562b741e7f11c8d4ab84bdf2a3dc5d1b673511766ae0f783f3c28e5354edcb3b01dde499c67f2f8d910206e10d7bdc750e3c984debdebc040ba298ed70472

Download Submit
\Users\Admin\AppData\Local\Temp\woydiaq.exe
Filesize
74KB

MD5
479caad6c56fd4a045b25ed8b022a168

SHA1
f9a25d2c1fa81dd6405e7c3b44ae384981c79b08

SHA256
934223e2f6bee30cf5ae6f8775e902d76dadd16e5e38f81656113f8051904409

SHA512
f22562b741e7f11c8d4ab84bdf2a3dc5d1b673511766ae0f783f3c28e5354edcb3b01dde499c67f2f8d910206e10d7bdc750e3c984debdebc040ba298ed70472

Download Submit
\Users\Admin\AppData\Local\Temp\woydiaq.exe
Filesize
74KB

MD5
479caad6c56fd4a045b25ed8b022a168

SHA1
f9a25d2c1fa81dd6405e7c3b44ae384981c79b08

SHA256
934223e2f6bee30cf5ae6f8775e902d76dadd16e5e38f81656113f8051904409

SHA512
f22562b741e7f11c8d4ab84bdf2a3dc5d1b673511766ae0f783f3c28e5354edcb3b01dde499c67f2f8d910206e10d7bdc750e3c984debdebc040ba298ed70472

Download Submit
memory/844-54-0x0000000076461000-0x0000000076463000-memory.dmp

Filesize
8KB

Download
memory/1204-68-0x00000000068D0000-0x0000000006A73000-memory.dmp

Filesize
1.6MB

Download
memory/1204-73-0x0000000006EF0000-0x0000000007017000-memory.dmp

Filesize
1.2MB

Download
memory/1720-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1720-64-0x000000000041F150-mapping.dmp

Download
memory/1720-69-0x00000000008C0000-0x0000000000BC3000-memory.dmp

Filesize
3.0MB

Download
memory/1720-70-0x0000000000340000-0x0000000000354000-memory.dmp

Filesize
80KB

Download
memory/1720-67-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1720-72-0x00000000003A0000-0x00000000003B4000-memory.dmp

Filesize
80KB

Download
memory/2044-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads