formbook | ad6df53019d5d8930fce4ad4a7e0d15a08d9771b3cff97b7c06bf3df364c17a4

General

Target

Swift.exe
Size

221KB
MD5

0202c53a04751949b148ac5eab59030e
SHA1

32febcf0ec3e26a2852a677a1e0f80a520844ee4
SHA256

ad6df53019d5d8930fce4ad4a7e0d15a08d9771b3cff97b7c06bf3df364c17a4
SHA512

07ea4cb41cbd1860ee7a9ff87b949372735f62e4e3dab916b2cc0493e5f1748cf64534afe454c81c06982d9b2c7e6a7bedaa72132b381c3f24da746cfec1dab6
SSDEEP

6144:MEa0Nyh7Uk49DgIyU3wmtax8+3AdmVsrPW1QBho5p:XUUk49DgIyU3Bp4HVQs4o7

Score

10^/10

formbook b31b rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

b31b

Decoy

deltafxtrading.com

alisonangl.com

cdfqs.com

easyentry.vip

dentalinfodomain.com

hiphoppianyc.com

pools-62911.com

supportteam26589.site

delldaypa.one

szanody.com

diaper-basket.art

ffscollab.com

freediverconnect.com

namesbrun.com

theprimone.top

lenzolab.com

cikmas.com

genyuei-no.space

hellofstyle.com

lamagall.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1660-139-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/1684-145-0x00000000008C0000-0x00000000008EF000-memory.dmp	formbook
behavioral2/memory/1684-148-0x00000000008C0000-0x00000000008EF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

idxgunu.exeidxgunu.exe

pid process

3228 idxgunu.exe
1660 idxgunu.exe

pid	process
3228	idxgunu.exe
1660	idxgunu.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

idxgunu.exeidxgunu.exeWWAHost.exe

description	pid	process	target process
PID 3228 set thread context of 1660	3228	idxgunu.exe	idxgunu.exe
PID 1660 set thread context of 764	1660	idxgunu.exe	Explorer.EXE
PID 1684 set thread context of 764	1684	WWAHost.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

idxgunu.exeWWAHost.exe

pid	process
1660	idxgunu.exe
1660	idxgunu.exe
1660	idxgunu.exe
1660	idxgunu.exe
1684	WWAHost.exe
1684	WWAHost.exe
1684	WWAHost.exe
1684	WWAHost.exe
1684	WWAHost.exe
1684	WWAHost.exe
1684	WWAHost.exe
1684	WWAHost.exe
1684	WWAHost.exe
1684	WWAHost.exe
1684	WWAHost.exe
1684	WWAHost.exe
1684	WWAHost.exe
1684	WWAHost.exe
1684	WWAHost.exe
1684	WWAHost.exe
1684	WWAHost.exe
1684	WWAHost.exe
1684	WWAHost.exe
1684	WWAHost.exe
1684	WWAHost.exe
1684	WWAHost.exe
1684	WWAHost.exe
1684	WWAHost.exe
1684	WWAHost.exe
1684	WWAHost.exe
1684	WWAHost.exe
1684	WWAHost.exe
1684	WWAHost.exe
1684	WWAHost.exe
1684	WWAHost.exe
1684	WWAHost.exe
1684	WWAHost.exe
1684	WWAHost.exe
1684	WWAHost.exe
1684	WWAHost.exe
1684	WWAHost.exe
1684	WWAHost.exe
1684	WWAHost.exe
1684	WWAHost.exe
1684	WWAHost.exe
1684	WWAHost.exe
1684	WWAHost.exe
1684	WWAHost.exe
1684	WWAHost.exe
1684	WWAHost.exe
1684	WWAHost.exe
1684	WWAHost.exe
1684	WWAHost.exe
1684	WWAHost.exe
1684	WWAHost.exe
1684	WWAHost.exe
1684	WWAHost.exe
1684	WWAHost.exe
1684	WWAHost.exe
1684	WWAHost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

764 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

idxgunu.exeidxgunu.exeWWAHost.exe

pid process

3228 idxgunu.exe
1660 idxgunu.exe
1660 idxgunu.exe
1660 idxgunu.exe
1684 WWAHost.exe
1684 WWAHost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

idxgunu.exeWWAHost.exe

description pid process

Token: SeDebugPrivilege 1660 idxgunu.exe
Token: SeDebugPrivilege 1684 WWAHost.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Explorer.EXE

pid process

764 Explorer.EXE
764 Explorer.EXE
764 Explorer.EXE
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Explorer.EXE

pid process

764 Explorer.EXE
764 Explorer.EXE
764 Explorer.EXE

pid	process
764	Explorer.EXE

pid	process
3228	idxgunu.exe
1660	idxgunu.exe
1660	idxgunu.exe
1660	idxgunu.exe
1684	WWAHost.exe
1684	WWAHost.exe

description	pid	process
Token: SeDebugPrivilege	1660	idxgunu.exe
Token: SeDebugPrivilege	1684	WWAHost.exe

pid	process
764	Explorer.EXE
764	Explorer.EXE
764	Explorer.EXE

pid	process
764	Explorer.EXE
764	Explorer.EXE
764	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

Swift.exeidxgunu.exeExplorer.EXEWWAHost.exe

description	pid	process	target process
PID 1324 wrote to memory of 3228	1324	Swift.exe	idxgunu.exe
PID 1324 wrote to memory of 3228	1324	Swift.exe	idxgunu.exe
PID 1324 wrote to memory of 3228	1324	Swift.exe	idxgunu.exe
PID 3228 wrote to memory of 1660	3228	idxgunu.exe	idxgunu.exe
PID 3228 wrote to memory of 1660	3228	idxgunu.exe	idxgunu.exe
PID 3228 wrote to memory of 1660	3228	idxgunu.exe	idxgunu.exe
PID 3228 wrote to memory of 1660	3228	idxgunu.exe	idxgunu.exe
PID 764 wrote to memory of 1684	764	Explorer.EXE	WWAHost.exe
PID 764 wrote to memory of 1684	764	Explorer.EXE	WWAHost.exe
PID 764 wrote to memory of 1684	764	Explorer.EXE	WWAHost.exe
PID 1684 wrote to memory of 3356	1684	WWAHost.exe	cmd.exe
PID 1684 wrote to memory of 3356	1684	WWAHost.exe	cmd.exe
PID 1684 wrote to memory of 3356	1684	WWAHost.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:764

C:\Users\Admin\AppData\Local\Temp\Swift.exe
"C:\Users\Admin\AppData\Local\Temp\Swift.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1324

C:\Users\Admin\AppData\Local\Temp\idxgunu.exe
"C:\Users\Admin\AppData\Local\Temp\idxgunu.exe" C:\Users\Admin\AppData\Local\Temp\jdgedcev.bx
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3228

C:\Users\Admin\AppData\Local\Temp\idxgunu.exe
"C:\Users\Admin\AppData\Local\Temp\idxgunu.exe" C:\Users\Admin\AppData\Local\Temp\jdgedcev.bx
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Windows\SysWOW64\WWAHost.exe
"C:\Windows\SysWOW64\WWAHost.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\idxgunu.exe"
3⤵
PID:3356

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aznhzp.mba
Filesize
185KB

MD5
b3581defa6b04b02ec74081ebe1cdf25

SHA1
f721fca7fb1c097f954db044ca05f39482f65c2d

SHA256
fdaba24d7be4cacecfc6068d585d8135138d35d4513047beabd35ecdc567c106

SHA512
f351cbb5818e4b9c171fe9ac9b4ee342f6a2d30e7e818a684c98668f3f356d2558d65ffcf97ab14da252dc830824ffeeb905c91962cc0e65d8236799e775fa4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\idxgunu.exe
Filesize
7KB

MD5
8748279bd1a60b520e0f062016b094e8

SHA1
78c8a552dd69b232715981c3eac3c1c2ec224f38

SHA256
6875c3049ed37ad538dde61f99c49917bbbe21b74ba6896626ec62edf689d2fd

SHA512
7f0a74986e2af5649554670b97fb87b8768a286c9e43795ba0a309185d4f2ba8f4080dc741aa9bb6741a6a3b5575cda39b5c4760ca246be678087ba4d6c035f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\idxgunu.exe
Filesize
7KB

MD5
8748279bd1a60b520e0f062016b094e8

SHA1
78c8a552dd69b232715981c3eac3c1c2ec224f38

SHA256
6875c3049ed37ad538dde61f99c49917bbbe21b74ba6896626ec62edf689d2fd

SHA512
7f0a74986e2af5649554670b97fb87b8768a286c9e43795ba0a309185d4f2ba8f4080dc741aa9bb6741a6a3b5575cda39b5c4760ca246be678087ba4d6c035f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\idxgunu.exe
Filesize
7KB

MD5
8748279bd1a60b520e0f062016b094e8

SHA1
78c8a552dd69b232715981c3eac3c1c2ec224f38

SHA256
6875c3049ed37ad538dde61f99c49917bbbe21b74ba6896626ec62edf689d2fd

SHA512
7f0a74986e2af5649554670b97fb87b8768a286c9e43795ba0a309185d4f2ba8f4080dc741aa9bb6741a6a3b5575cda39b5c4760ca246be678087ba4d6c035f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\jdgedcev.bx
Filesize
5KB

MD5
18e2b6cac2a0ea0a11fad297712721bc

SHA1
8c947c4d4a6e53f30eac64c7e830f325cee6775a

SHA256
1d8d7c32217eed7730b45b61ed0f98586b38f09c2b5ff8aa6292e1a40ff71e4d

SHA512
72d658d15e6b0a418cf41c3cafe050cd59e5036c91ce7c54bdcd7be3c9761a54d620688d60bd315fe4466b6051e329be9010e245628dfabb9c3cc89c43c2b7a8

Download Submit
memory/764-142-0x0000000002DF0000-0x0000000002ED6000-memory.dmp

Filesize
920KB

Download
memory/764-151-0x00000000081A0000-0x00000000082A0000-memory.dmp

Filesize
1024KB

Download
memory/764-150-0x00000000081A0000-0x00000000082A0000-memory.dmp

Filesize
1024KB

Download
memory/1660-137-0x0000000000000000-mapping.dmp

Download
memory/1660-141-0x00000000009A0000-0x00000000009B4000-memory.dmp

Filesize
80KB

Download
memory/1660-140-0x00000000012C0000-0x000000000160A000-memory.dmp

Filesize
3.3MB

Download
memory/1660-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1684-143-0x0000000000000000-mapping.dmp

Download
memory/1684-145-0x00000000008C0000-0x00000000008EF000-memory.dmp

Filesize
188KB

Download
memory/1684-144-0x00000000002F0000-0x00000000003CC000-memory.dmp

Filesize
880KB

Download
memory/1684-147-0x00000000013A0000-0x00000000016EA000-memory.dmp

Filesize
3.3MB

Download
memory/1684-148-0x00000000008C0000-0x00000000008EF000-memory.dmp

Filesize
188KB

Download
memory/1684-149-0x00000000011E0000-0x0000000001273000-memory.dmp

Filesize
588KB

Download
memory/3228-132-0x0000000000000000-mapping.dmp

Download
memory/3356-146-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads