formbook | 333f11c6e9126b93d7be34321bf27d170b248d2fb9615ea8bd3d3f63fc202adb

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2022 13:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

518b7be44238b0a1112086cccfa90eea.exe
Size

357KB
MD5

518b7be44238b0a1112086cccfa90eea
SHA1

900c555665538dd7eacaf3bcbd3e72a1fed55fd4
SHA256

333f11c6e9126b93d7be34321bf27d170b248d2fb9615ea8bd3d3f63fc202adb
SHA512

81687b735b1d6d102bcf597394d3167078c51cf755d0e5edf9fdca4ff1bfe5a5999dc2be6b1d1f9bd72556dcf35dbbc4db62a828b828e7d93dc75480411d0527
SSDEEP

6144:HEa0eDyf/UBrohN9DYxf+7GwGFOrFTjOFAZo4LBKPYiAIm99ckB1ytTNw4LPE3D:LdNi5NXLBLBehmQTN30

Score

10^/10

formbook h3ha rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

h3ha

Decoy

ideas-dulces.store

store1995.store

swuhn.com

ninideal.com

musiqhaus.com

quranchart.com

kszq26.club

lightfx.online

thetickettruth.com

meritloancubk.com

lawnforcement.com

sogeanetwork.com

thedinoexotics.com

kojima-ah.net

gr-myab3z.xyz

platiniuminestor.net

reviewsiske.com

stessil-lifestyle.com

goodqjourney.biz

cirimpianti.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/2308-139-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2308-144-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3516-146-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3516-151-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

pid	Process
2260	bidhgshgu.exe
2308	bidhgshgu.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2260 set thread context of 2308	2260	bidhgshgu.exe	82
PID 2308 set thread context of 3092	2308	bidhgshgu.exe	39
PID 3516 set thread context of 3092	3516	cmstp.exe	39

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
2308	bidhgshgu.exe
2308	bidhgshgu.exe
2308	bidhgshgu.exe
2308	bidhgshgu.exe
3516	cmstp.exe
3516	cmstp.exe
3516	cmstp.exe
3516	cmstp.exe
3516	cmstp.exe
3516	cmstp.exe
3516	cmstp.exe
3516	cmstp.exe
3516	cmstp.exe
3516	cmstp.exe
3516	cmstp.exe
3516	cmstp.exe
3516	cmstp.exe
3516	cmstp.exe
3516	cmstp.exe
3516	cmstp.exe
3516	cmstp.exe
3516	cmstp.exe
3516	cmstp.exe
3516	cmstp.exe
3516	cmstp.exe
3516	cmstp.exe
3516	cmstp.exe
3516	cmstp.exe
3516	cmstp.exe
3516	cmstp.exe
3516	cmstp.exe
3516	cmstp.exe
3516	cmstp.exe
3516	cmstp.exe
3516	cmstp.exe
3516	cmstp.exe
3516	cmstp.exe
3516	cmstp.exe
3516	cmstp.exe
3516	cmstp.exe
3516	cmstp.exe
3516	cmstp.exe
3516	cmstp.exe
3516	cmstp.exe
3516	cmstp.exe
3516	cmstp.exe
3516	cmstp.exe
3516	cmstp.exe
3516	cmstp.exe
3516	cmstp.exe
3516	cmstp.exe
3516	cmstp.exe
3516	cmstp.exe
3516	cmstp.exe
3516	cmstp.exe
3516	cmstp.exe
3516	cmstp.exe
3516	cmstp.exe
3516	cmstp.exe
3516	cmstp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3092	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2260	bidhgshgu.exe
2308	bidhgshgu.exe
2308	bidhgshgu.exe
2308	bidhgshgu.exe
3516	cmstp.exe
3516	cmstp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2308	bidhgshgu.exe
Token: SeDebugPrivilege	3516	cmstp.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 2260	5036	518b7be44238b0a1112086cccfa90eea.exe	81
PID 5036 wrote to memory of 2260	5036	518b7be44238b0a1112086cccfa90eea.exe	81
PID 5036 wrote to memory of 2260	5036	518b7be44238b0a1112086cccfa90eea.exe	81
PID 2260 wrote to memory of 2308	2260	bidhgshgu.exe	82
PID 2260 wrote to memory of 2308	2260	bidhgshgu.exe	82
PID 2260 wrote to memory of 2308	2260	bidhgshgu.exe	82
PID 2260 wrote to memory of 2308	2260	bidhgshgu.exe	82
PID 3092 wrote to memory of 3516	3092	Explorer.EXE	83
PID 3092 wrote to memory of 3516	3092	Explorer.EXE	83
PID 3092 wrote to memory of 3516	3092	Explorer.EXE	83
PID 3516 wrote to memory of 3784	3516	cmstp.exe	87
PID 3516 wrote to memory of 3784	3516	cmstp.exe	87
PID 3516 wrote to memory of 3784	3516	cmstp.exe	87

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3092
- C:\Users\Admin\AppData\Local\Temp\518b7be44238b0a1112086cccfa90eea.exe
  "C:\Users\Admin\AppData\Local\Temp\518b7be44238b0a1112086cccfa90eea.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5036
- - C:\Users\Admin\AppData\Local\Temp\bidhgshgu.exe
    "C:\Users\Admin\AppData\Local\Temp\bidhgshgu.exe" C:\Users\Admin\AppData\Local\Temp\izkihwzvzm.j
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2260
  - - C:\Users\Admin\AppData\Local\Temp\bidhgshgu.exe
      "C:\Users\Admin\AppData\Local\Temp\bidhgshgu.exe" C:\Users\Admin\AppData\Local\Temp\izkihwzvzm.j
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2308
- C:\Windows\SysWOW64\cmstp.exe
  "C:\Windows\SysWOW64\cmstp.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3516
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\bidhgshgu.exe"
    3⤵
    PID:3784

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bidhgshgu.exe

Filesize
91KB

MD5
ccbeb1a6b0b65eceb3821d71cfc7d3ba

SHA1
a4ac93a9a247138d081118a0c14ad66e8a9e8dc0

SHA256
84f18192b2b611b2c2469db2d8b0deb4db0c1f204e48b0d0522a971fbbc98f88

SHA512
3459b7498b479860633dcce078fdeed5e59ea83f0da13467450183bbfec4f216492dc038724b673766c3434133ead085315466c6608823c967b6119202410e4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bidhgshgu.exe

Filesize
91KB

MD5
ccbeb1a6b0b65eceb3821d71cfc7d3ba

SHA1
a4ac93a9a247138d081118a0c14ad66e8a9e8dc0

SHA256
84f18192b2b611b2c2469db2d8b0deb4db0c1f204e48b0d0522a971fbbc98f88

SHA512
3459b7498b479860633dcce078fdeed5e59ea83f0da13467450183bbfec4f216492dc038724b673766c3434133ead085315466c6608823c967b6119202410e4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bidhgshgu.exe

Filesize
91KB

MD5
ccbeb1a6b0b65eceb3821d71cfc7d3ba

SHA1
a4ac93a9a247138d081118a0c14ad66e8a9e8dc0

SHA256
84f18192b2b611b2c2469db2d8b0deb4db0c1f204e48b0d0522a971fbbc98f88

SHA512
3459b7498b479860633dcce078fdeed5e59ea83f0da13467450183bbfec4f216492dc038724b673766c3434133ead085315466c6608823c967b6119202410e4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\izkihwzvzm.j

Filesize
5KB

MD5
c0de03eaa491d9a7dcab2e71d16db9a6

SHA1
7417fae943ef5d7d05483603d794cb750cb30d66

SHA256
ce3e6d246c27cb6725bb34060048720ca3e530fb95f31ee1746d4d3fe7532f95

SHA512
bccd3414448ec290cb80a3ad8137da489e81bd8c6ebc6de964f82a42b2e19107be24711dede105ac3b7bc9823d761af77dccec7df85b23cb5cca363d40f739b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zyyabrdoqql.e

Filesize
185KB

MD5
4702affd9d789eab9a6c435bbb02ed9c

SHA1
e4a64336c07053ecabb0057074eae468610fd2ce

SHA256
b1916c097f31b215092b2d8a1d95fb49eb5d6ccb44be0d71507a32c143b015aa

SHA512
eddeee9a61c1101ed4d16e51370ee3d5d3727f47a1136e98031949b22f9345f86f521e5f057f2580945b1ce8d9771bda080b30f67e00e990744da40b48f0aac9

Download Submit
memory/2260-132-0x0000000000000000-mapping.dmp

Download
memory/2308-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2308-137-0x0000000000000000-mapping.dmp

Download
memory/2308-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2308-140-0x0000000000A90000-0x0000000000DDA000-memory.dmp

Filesize
3.3MB

Download
memory/2308-141-0x00000000005D0000-0x00000000005E4000-memory.dmp

Filesize
80KB

Download
memory/3092-142-0x0000000007DE0000-0x0000000007EDB000-memory.dmp

Filesize
1004KB

Download
memory/3092-150-0x0000000007EE0000-0x0000000007FD1000-memory.dmp

Filesize
964KB

Download
memory/3092-152-0x0000000007EE0000-0x0000000007FD1000-memory.dmp

Filesize
964KB

Download
memory/3516-143-0x0000000000000000-mapping.dmp

Download
memory/3516-145-0x00000000001D0000-0x00000000001E6000-memory.dmp

Filesize
88KB

Download
memory/3516-146-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3516-148-0x0000000002350000-0x000000000269A000-memory.dmp

Filesize
3.3MB

Download
memory/3516-149-0x0000000002190000-0x0000000002223000-memory.dmp

Filesize
588KB

Download
memory/3516-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3784-147-0x0000000000000000-mapping.dmp

Download