formbook | f0c572c44f221308ba93f1301f995c5e8056be18e5a06c0470f383f1362aa692

General

Target

DHL_AWB_NO#907853880911.exe
Size

267KB
MD5

9d5bfa23857f350ce14dd21f0a42bd29
SHA1

bbf0a34b5e758b99c49f3b7e14cfe9a50c436400
SHA256

f0c572c44f221308ba93f1301f995c5e8056be18e5a06c0470f383f1362aa692
SHA512

d6396c093d64b6648d125e8c7fdd6b4e08d5b2a6bb47d088bb32157b1d27b0883c0f732a350dfe7e49e006eb15ebe68b30610c66e3776cfe1b8452026b4753f3

Score

10^/10

formbook fw02 rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

fw02

Decoy

payer-breakers.com

thesiscoper.com

rental-villa.com

scovikinnovations.com

hydh33.com

allmyshit.rest

lovejaclyn.com

vanessaruizwriting.com

dufonddelaclasse.com

kiddee168.com

monumentalmarketsllc.com

musclegainfatloss.com

avida.info

cosmo-wellness.net

dandelionfusedigital.com

oversizeloadbanners.com

konstelle.store

sdjnsbd.com

czoqg.xyz

5p6xljjse1lq.xyz

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3924-136-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3924-139-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3596-146-0x0000000000F30000-0x0000000000F5F000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

woydiaq.exewoydiaq.exe

pid process

4752 woydiaq.exe
3924 woydiaq.exe

pid	process
4752	woydiaq.exe
3924	woydiaq.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

woydiaq.exewoydiaq.execmstp.exe

description	pid	process	target process
PID 4752 set thread context of 3924	4752	woydiaq.exe	woydiaq.exe
PID 3924 set thread context of 3172	3924	woydiaq.exe	Explorer.EXE
PID 3596 set thread context of 3172	3596	cmstp.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

woydiaq.execmstp.exe

pid	process
3924	woydiaq.exe
3924	woydiaq.exe
3924	woydiaq.exe
3924	woydiaq.exe
3596	cmstp.exe
3596	cmstp.exe
3596	cmstp.exe
3596	cmstp.exe
3596	cmstp.exe
3596	cmstp.exe
3596	cmstp.exe
3596	cmstp.exe
3596	cmstp.exe
3596	cmstp.exe
3596	cmstp.exe
3596	cmstp.exe
3596	cmstp.exe
3596	cmstp.exe
3596	cmstp.exe
3596	cmstp.exe
3596	cmstp.exe
3596	cmstp.exe
3596	cmstp.exe
3596	cmstp.exe
3596	cmstp.exe
3596	cmstp.exe
3596	cmstp.exe
3596	cmstp.exe
3596	cmstp.exe
3596	cmstp.exe
3596	cmstp.exe
3596	cmstp.exe
3596	cmstp.exe
3596	cmstp.exe
3596	cmstp.exe
3596	cmstp.exe
3596	cmstp.exe
3596	cmstp.exe
3596	cmstp.exe
3596	cmstp.exe
3596	cmstp.exe
3596	cmstp.exe
3596	cmstp.exe
3596	cmstp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3172 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

woydiaq.execmstp.exe

pid process

3924 woydiaq.exe
3924 woydiaq.exe
3924 woydiaq.exe
3596 cmstp.exe
3596 cmstp.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

woydiaq.execmstp.exe

description pid process

Token: SeDebugPrivilege 3924 woydiaq.exe
Token: SeDebugPrivilege 3596 cmstp.exe

pid	process
3172	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	3924	woydiaq.exe
Token: SeDebugPrivilege	3596	cmstp.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

DHL_AWB_NO#907853880911.exewoydiaq.exeExplorer.EXEcmstp.exe

description	pid	process	target process
PID 3892 wrote to memory of 4752	3892	DHL_AWB_NO#907853880911.exe	woydiaq.exe
PID 3892 wrote to memory of 4752	3892	DHL_AWB_NO#907853880911.exe	woydiaq.exe
PID 3892 wrote to memory of 4752	3892	DHL_AWB_NO#907853880911.exe	woydiaq.exe
PID 4752 wrote to memory of 3924	4752	woydiaq.exe	woydiaq.exe
PID 4752 wrote to memory of 3924	4752	woydiaq.exe	woydiaq.exe
PID 4752 wrote to memory of 3924	4752	woydiaq.exe	woydiaq.exe
PID 4752 wrote to memory of 3924	4752	woydiaq.exe	woydiaq.exe
PID 4752 wrote to memory of 3924	4752	woydiaq.exe	woydiaq.exe
PID 4752 wrote to memory of 3924	4752	woydiaq.exe	woydiaq.exe
PID 3172 wrote to memory of 3596	3172	Explorer.EXE	cmstp.exe
PID 3172 wrote to memory of 3596	3172	Explorer.EXE	cmstp.exe
PID 3172 wrote to memory of 3596	3172	Explorer.EXE	cmstp.exe
PID 3596 wrote to memory of 4468	3596	cmstp.exe	cmd.exe
PID 3596 wrote to memory of 4468	3596	cmstp.exe	cmd.exe
PID 3596 wrote to memory of 4468	3596	cmstp.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\DHL_AWB_NO#907853880911.exe
"C:\Users\Admin\AppData\Local\Temp\DHL_AWB_NO#907853880911.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3892

C:\Users\Admin\AppData\Local\Temp\woydiaq.exe
C:\Users\Admin\AppData\Local\Temp\woydiaq.exe C:\Users\Admin\AppData\Local\Temp\spztad
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4752

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3172

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3596

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\woydiaq.exe"
3⤵
PID:4468

C:\Users\Admin\AppData\Local\Temp\woydiaq.exe
C:\Users\Admin\AppData\Local\Temp\woydiaq.exe C:\Users\Admin\AppData\Local\Temp\spztad
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3924

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\spztad
Filesize
5KB

MD5
0aedeefbab464a4415407c295d16e4df

SHA1
1d5dd49d02e670af3ebb0fa966431adfe47b6e74

SHA256
a796ad60a15252449f7266f404561386397ec45d23aa85ca2bda9c2137c9658d

SHA512
3d0886cf0d791fb9122dcf403944e5ec9ab6634a5e74587eeae3ae5b663fa0a727c2f79b86b9248d441f3306c25a11e0b66b793a48006d117566f37e149277e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\woydiaq.exe
Filesize
74KB

MD5
479caad6c56fd4a045b25ed8b022a168

SHA1
f9a25d2c1fa81dd6405e7c3b44ae384981c79b08

SHA256
934223e2f6bee30cf5ae6f8775e902d76dadd16e5e38f81656113f8051904409

SHA512
f22562b741e7f11c8d4ab84bdf2a3dc5d1b673511766ae0f783f3c28e5354edcb3b01dde499c67f2f8d910206e10d7bdc750e3c984debdebc040ba298ed70472

Download Submit
C:\Users\Admin\AppData\Local\Temp\woydiaq.exe
Filesize
74KB

MD5
479caad6c56fd4a045b25ed8b022a168

SHA1
f9a25d2c1fa81dd6405e7c3b44ae384981c79b08

SHA256
934223e2f6bee30cf5ae6f8775e902d76dadd16e5e38f81656113f8051904409

SHA512
f22562b741e7f11c8d4ab84bdf2a3dc5d1b673511766ae0f783f3c28e5354edcb3b01dde499c67f2f8d910206e10d7bdc750e3c984debdebc040ba298ed70472

Download Submit
C:\Users\Admin\AppData\Local\Temp\woydiaq.exe
Filesize
74KB

MD5
479caad6c56fd4a045b25ed8b022a168

SHA1
f9a25d2c1fa81dd6405e7c3b44ae384981c79b08

SHA256
934223e2f6bee30cf5ae6f8775e902d76dadd16e5e38f81656113f8051904409

SHA512
f22562b741e7f11c8d4ab84bdf2a3dc5d1b673511766ae0f783f3c28e5354edcb3b01dde499c67f2f8d910206e10d7bdc750e3c984debdebc040ba298ed70472

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjg2rci35ljn
Filesize
184KB

MD5
8304fa4e25ae8d02f3d1a254fd69c76a

SHA1
d5bb30d1ad247af463923a0c53abd0ee5ee26042

SHA256
a115618420c68eb6a78166081f5cb5cd48844cb221159baa0103467f4bcde88b

SHA512
abd8629f5da76a24a125fafb9080016ae33deae6216861d371b7a46b2c0857a1f67ff3b520fb929117c495b01691b8b7f694be91b685baaddb84995ed69ab23f

Download Submit
memory/3172-142-0x0000000008AF0000-0x0000000008C1D000-memory.dmp

Filesize
1.2MB

Download
memory/3172-149-0x0000000003740000-0x0000000003821000-memory.dmp

Filesize
900KB

Download
memory/3596-143-0x0000000000000000-mapping.dmp

Download
memory/3596-146-0x0000000000F30000-0x0000000000F5F000-memory.dmp

Filesize
188KB

Download
memory/3596-147-0x0000000003120000-0x000000000346A000-memory.dmp

Filesize
3.3MB

Download
memory/3596-145-0x0000000000F70000-0x0000000000F86000-memory.dmp

Filesize
88KB

Download
memory/3596-148-0x0000000002E60000-0x0000000002EF3000-memory.dmp

Filesize
588KB

Download
memory/3924-141-0x00000000005E0000-0x00000000005F4000-memory.dmp

Filesize
80KB

Download
memory/3924-140-0x0000000000AC0000-0x0000000000E0A000-memory.dmp

Filesize
3.3MB

Download
memory/3924-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3924-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3924-135-0x0000000000000000-mapping.dmp

Download
memory/4468-144-0x0000000000000000-mapping.dmp

Download
memory/4752-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads