formbook | 87fdf41f3af47dc20348fe21148546a943111c455ffb9a8cd73b1beb77513ce4

General

Target

e-Belge1.exe
Size

1.1MB
MD5

93806db4549578ef1cb21b7f688798b2
SHA1

12e313f0998ab9010ca7e23f85da6f98f8b02030
SHA256

87fdf41f3af47dc20348fe21148546a943111c455ffb9a8cd73b1beb77513ce4
SHA512

443c96b19426abde09f5f7006c77cc3ac5660200d0480eca898e724e27d2d03771774eab318f294295165bbb4d72cd43a5fc748af0f92371e865f5108f48d8da
SSDEEP

24576:UAOcZXcxP6+jn2sKlQT/zeRoCR3lBR4YaGAuvZG31RMaas/xqY:CHUez8bkQA3XM9c

Score

10^/10

formbook mh76 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mh76

Decoy

healthgovcalottery.net

wenxinliao.com

rooterphd.com

bbobbo.one

american-mes-de-dezembro.xyz

mintager.com

thespecialtstore.com

wemakegreenhomes.com

occurandmental.xyz

fidelityrealtytitle.com

numerisat.asia

wearestallions.com

supxl.com

rajacumi.com

renaziv.online

blixtindustries.com

fjljq.com

exploretrivenicamping.com

authenticusspa.com

uucloud.press

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4136-138-0x0000000000000000-mapping.dmp	formbook
behavioral2/memory/4136-139-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4136-145-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3196-147-0x0000000000B70000-0x0000000000B9F000-memory.dmp	formbook
behavioral2/memory/3196-150-0x0000000000B70000-0x0000000000B9F000-memory.dmp	formbook

Executes dropped EXE 1 IoCs

Processes:

tjlxrq.pif

pid process

2412 tjlxrq.pif

pid	process
2412	tjlxrq.pif

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e-Belge1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	e-Belge1.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

tjlxrq.pifRegSvcs.execmstp.exe

description	pid	process	target process
PID 2412 set thread context of 4136	2412	tjlxrq.pif	RegSvcs.exe
PID 4136 set thread context of 600	4136	RegSvcs.exe	Explorer.EXE
PID 3196 set thread context of 600	3196	cmstp.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

RegSvcs.execmstp.exe

pid	process
4136	RegSvcs.exe
4136	RegSvcs.exe
4136	RegSvcs.exe
4136	RegSvcs.exe
3196	cmstp.exe
3196	cmstp.exe
3196	cmstp.exe
3196	cmstp.exe
3196	cmstp.exe
3196	cmstp.exe
3196	cmstp.exe
3196	cmstp.exe
3196	cmstp.exe
3196	cmstp.exe
3196	cmstp.exe
3196	cmstp.exe
3196	cmstp.exe
3196	cmstp.exe
3196	cmstp.exe
3196	cmstp.exe
3196	cmstp.exe
3196	cmstp.exe
3196	cmstp.exe
3196	cmstp.exe
3196	cmstp.exe
3196	cmstp.exe
3196	cmstp.exe
3196	cmstp.exe
3196	cmstp.exe
3196	cmstp.exe
3196	cmstp.exe
3196	cmstp.exe
3196	cmstp.exe
3196	cmstp.exe
3196	cmstp.exe
3196	cmstp.exe
3196	cmstp.exe
3196	cmstp.exe
3196	cmstp.exe
3196	cmstp.exe
3196	cmstp.exe
3196	cmstp.exe
3196	cmstp.exe
3196	cmstp.exe
3196	cmstp.exe
3196	cmstp.exe
3196	cmstp.exe
3196	cmstp.exe
3196	cmstp.exe
3196	cmstp.exe
3196	cmstp.exe
3196	cmstp.exe
3196	cmstp.exe
3196	cmstp.exe
3196	cmstp.exe
3196	cmstp.exe
3196	cmstp.exe
3196	cmstp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

600 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

RegSvcs.execmstp.exe

pid process

4136 RegSvcs.exe
4136 RegSvcs.exe
4136 RegSvcs.exe
3196 cmstp.exe
3196 cmstp.exe

pid	process
600	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

RegSvcs.exeExplorer.EXEcmstp.exe

description	pid	process
Token: SeDebugPrivilege	4136	RegSvcs.exe
Token: SeShutdownPrivilege	600	Explorer.EXE
Token: SeCreatePagefilePrivilege	600	Explorer.EXE
Token: SeShutdownPrivilege	600	Explorer.EXE
Token: SeCreatePagefilePrivilege	600	Explorer.EXE
Token: SeDebugPrivilege	3196	cmstp.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

e-Belge1.exetjlxrq.pifExplorer.EXEcmstp.exe

description	pid	process	target process
PID 2952 wrote to memory of 2412	2952	e-Belge1.exe	tjlxrq.pif
PID 2952 wrote to memory of 2412	2952	e-Belge1.exe	tjlxrq.pif
PID 2952 wrote to memory of 2412	2952	e-Belge1.exe	tjlxrq.pif
PID 2412 wrote to memory of 2232	2412	tjlxrq.pif	RegSvcs.exe
PID 2412 wrote to memory of 2232	2412	tjlxrq.pif	RegSvcs.exe
PID 2412 wrote to memory of 2232	2412	tjlxrq.pif	RegSvcs.exe
PID 2412 wrote to memory of 4136	2412	tjlxrq.pif	RegSvcs.exe
PID 2412 wrote to memory of 4136	2412	tjlxrq.pif	RegSvcs.exe
PID 2412 wrote to memory of 4136	2412	tjlxrq.pif	RegSvcs.exe
PID 2412 wrote to memory of 4136	2412	tjlxrq.pif	RegSvcs.exe
PID 2412 wrote to memory of 4136	2412	tjlxrq.pif	RegSvcs.exe
PID 2412 wrote to memory of 4136	2412	tjlxrq.pif	RegSvcs.exe
PID 600 wrote to memory of 3196	600	Explorer.EXE	cmstp.exe
PID 600 wrote to memory of 3196	600	Explorer.EXE	cmstp.exe
PID 600 wrote to memory of 3196	600	Explorer.EXE	cmstp.exe
PID 3196 wrote to memory of 216	3196	cmstp.exe	cmd.exe
PID 3196 wrote to memory of 216	3196	cmstp.exe	cmd.exe
PID 3196 wrote to memory of 216	3196	cmstp.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:600

C:\Users\Admin\AppData\Local\Temp\e-Belge1.exe
"C:\Users\Admin\AppData\Local\Temp\e-Belge1.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2952

C:\Users\Admin\AppData\Roaming\5_17\tjlxrq.pif
"C:\Users\Admin\AppData\Roaming\5_17\tjlxrq.pif" xeaawehrpe.sbo
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
PID:2232

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4136

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3196

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:216

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\5_17\ibkondar.cpl
Filesize
38KB

MD5
1c18f14fdd445534f700057f9f26882c

SHA1
d9d3d3ea982acaa128cf964378dfac65f09a09b0

SHA256
11a9097e0c6e23299763487ff98036f0a6a9ec706344ce22962ab7f350141165

SHA512
54db999e73eb51ce2bd2cebbfed22fcc8b88c42ddf15f5569737e7706896cdedfee4996c5d30921a424b59873b42b461dd740d8667d848b63e00e6bf899f2184

Download Submit
C:\Users\Admin\AppData\Roaming\5_17\tjlxrq.pif
Filesize
794KB

MD5
18e404787e9c044105f5c4bec4600bd8

SHA1
9f1015bd7f33a6f3c1cc12c0971f51b1adee1939

SHA256
e15984dc8ea9627d370c40178676490129427e2dc23499f68c9c65c4386fea12

SHA512
c6a1faae524968351b4841665bfe1c5255f7e6c115b7a81a4b6c65626f23f7f15e4bb856914fce15225c33a2e2b6166b3f1f87698895fe0ce4cb084b630c2a5f

Download Submit
C:\Users\Admin\AppData\Roaming\5_17\tjlxrq.pif
Filesize
794KB

MD5
18e404787e9c044105f5c4bec4600bd8

SHA1
9f1015bd7f33a6f3c1cc12c0971f51b1adee1939

SHA256
e15984dc8ea9627d370c40178676490129427e2dc23499f68c9c65c4386fea12

SHA512
c6a1faae524968351b4841665bfe1c5255f7e6c115b7a81a4b6c65626f23f7f15e4bb856914fce15225c33a2e2b6166b3f1f87698895fe0ce4cb084b630c2a5f

Download Submit
C:\Users\Admin\AppData\Roaming\5_17\vjrwlpjd.asm
Filesize
371KB

MD5
7def8b74316279546efc1e1937d2aef7

SHA1
5a85b867dcbeedb83cfec2848d2b4fda149a2fca

SHA256
69060028cbe4111dd9abf7b51390a3edd0669fcd5e804be0917ea95aedae5250

SHA512
a7129ee457e223ba3c93f6ce873906ea81cb23aab26e4dbd816daa2163e30487eaf8bf7040ff1a489c111c99632b2d22dff4f30871b9f010baa19e18e566e356

Download Submit
C:\Users\Admin\AppData\Roaming\5_17\xeaawehrpe.sbo
Filesize
177.8MB

MD5
119095e96ce0d1f51c35dd67ec2b5706

SHA1
7088de971881b64ac1cfcfefbda425213fa4bbbc

SHA256
cd8ada65644a210621c39aa5e4097e829e405575c743a799ffab10ff6f2dceca

SHA512
d99457332d8afbc12b2a1e640bf436701c721e3947db2cc77e4c4bd7f8872ec52617f6fa04ce20f8599bc181f5d424f501fb0d5c14c90543d3687c5c2c55c621

Download Submit
memory/216-148-0x0000000000000000-mapping.dmp

Download
memory/600-153-0x0000000007D10000-0x0000000007DCC000-memory.dmp

Filesize
752KB

Download
memory/600-152-0x0000000007D10000-0x0000000007DCC000-memory.dmp

Filesize
752KB

Download
memory/600-143-0x00000000037E0000-0x00000000038C9000-memory.dmp

Filesize
932KB

Download
memory/2412-132-0x0000000000000000-mapping.dmp

Download
memory/3196-149-0x0000000002C00000-0x0000000002F4A000-memory.dmp

Filesize
3.3MB

Download
memory/3196-151-0x0000000002A70000-0x0000000002B04000-memory.dmp

Filesize
592KB

Download
memory/3196-144-0x0000000000000000-mapping.dmp

Download
memory/3196-150-0x0000000000B70000-0x0000000000B9F000-memory.dmp

Filesize
188KB

Download
memory/3196-146-0x0000000000A30000-0x0000000000A46000-memory.dmp

Filesize
88KB

Download
memory/3196-147-0x0000000000B70000-0x0000000000B9F000-memory.dmp

Filesize
188KB

Download
memory/4136-142-0x0000000000E00000-0x0000000000E15000-memory.dmp

Filesize
84KB

Download
memory/4136-145-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4136-138-0x0000000000000000-mapping.dmp

Download
memory/4136-141-0x0000000000E90000-0x00000000011DA000-memory.dmp

Filesize
3.3MB

Download
memory/4136-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads