formbook | 8dec08c523bc61d2d8da23da4d82ff33e89f69c7478578af3623f9411e1a38d0

General

Target

img1100020222911pdf.exe
Size

228KB
MD5

d74737867056221a34fb0f606f46b695
SHA1

26605c664c9b4b3bd1f007fa1068abb0bbfaf265
SHA256

8dec08c523bc61d2d8da23da4d82ff33e89f69c7478578af3623f9411e1a38d0
SHA512

5451a474a6cc55f220b43bfe0b65fe9ed2b7c66dfef0ab33b22e9b8fce26929235073ecd820681087100035b6091acf7106f927a98ca801696aa5e89c89901f4
SSDEEP

6144:QBn1GdcqsCyQBYm/Zyo49qd/XvU1jO6IJO:gONsCyQBPsvmyjO6yO

Score

10^/10

formbook mi08 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mi08

Decoy

mytimebabes.com

ycpxb.com

abdkaplani.com

cloudingersoftech.com

fthfire.xyz

christyna.work

3d-add-on.com

knowyourtechdeals.com

kcl24.com

sepatubiker.com

sunnyboy.live

zrbsq.com

rinpari.com

lesac-berra.com

yes820.com

cnnorman.com

mystichousedv.com

sbobet888auto.com

gawiul.xyz

luispenas.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4952-139-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4920-146-0x0000000000D20000-0x0000000000D4F000-memory.dmp	formbook
behavioral2/memory/4920-149-0x0000000000D20000-0x0000000000D4F000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

eshbtmyh.exeeshbtmyh.exe

pid process

5016 eshbtmyh.exe
4952 eshbtmyh.exe

pid	process
5016	eshbtmyh.exe
4952	eshbtmyh.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

eshbtmyh.exeeshbtmyh.exeNETSTAT.EXE

description	pid	process	target process
PID 5016 set thread context of 4952	5016	eshbtmyh.exe	eshbtmyh.exe
PID 4952 set thread context of 2576	4952	eshbtmyh.exe	Explorer.EXE
PID 4920 set thread context of 2576	4920	NETSTAT.EXE	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

4920 NETSTAT.EXE

pid	process
4920	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 56 IoCs

Processes:

eshbtmyh.exeNETSTAT.EXE

pid	process
4952	eshbtmyh.exe
4952	eshbtmyh.exe
4952	eshbtmyh.exe
4952	eshbtmyh.exe
4920	NETSTAT.EXE
4920	NETSTAT.EXE
4920	NETSTAT.EXE
4920	NETSTAT.EXE
4920	NETSTAT.EXE
4920	NETSTAT.EXE
4920	NETSTAT.EXE
4920	NETSTAT.EXE
4920	NETSTAT.EXE
4920	NETSTAT.EXE
4920	NETSTAT.EXE
4920	NETSTAT.EXE
4920	NETSTAT.EXE
4920	NETSTAT.EXE
4920	NETSTAT.EXE
4920	NETSTAT.EXE
4920	NETSTAT.EXE
4920	NETSTAT.EXE
4920	NETSTAT.EXE
4920	NETSTAT.EXE
4920	NETSTAT.EXE
4920	NETSTAT.EXE
4920	NETSTAT.EXE
4920	NETSTAT.EXE
4920	NETSTAT.EXE
4920	NETSTAT.EXE
4920	NETSTAT.EXE
4920	NETSTAT.EXE
4920	NETSTAT.EXE
4920	NETSTAT.EXE
4920	NETSTAT.EXE
4920	NETSTAT.EXE
4920	NETSTAT.EXE
4920	NETSTAT.EXE
4920	NETSTAT.EXE
4920	NETSTAT.EXE
4920	NETSTAT.EXE
4920	NETSTAT.EXE
4920	NETSTAT.EXE
4920	NETSTAT.EXE
4920	NETSTAT.EXE
4920	NETSTAT.EXE
4920	NETSTAT.EXE
4920	NETSTAT.EXE
4920	NETSTAT.EXE
4920	NETSTAT.EXE
4920	NETSTAT.EXE
4920	NETSTAT.EXE
4920	NETSTAT.EXE
4920	NETSTAT.EXE
4920	NETSTAT.EXE
4920	NETSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2576 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

eshbtmyh.exeeshbtmyh.exeNETSTAT.EXE

pid process

5016 eshbtmyh.exe
4952 eshbtmyh.exe
4952 eshbtmyh.exe
4952 eshbtmyh.exe
4920 NETSTAT.EXE
4920 NETSTAT.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

eshbtmyh.exeNETSTAT.EXE

description pid process

Token: SeDebugPrivilege 4952 eshbtmyh.exe
Token: SeDebugPrivilege 4920 NETSTAT.EXE

pid	process
2576	Explorer.EXE

pid	process
5016	eshbtmyh.exe
4952	eshbtmyh.exe
4952	eshbtmyh.exe
4952	eshbtmyh.exe
4920	NETSTAT.EXE
4920	NETSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	4952	eshbtmyh.exe
Token: SeDebugPrivilege	4920	NETSTAT.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

img1100020222911pdf.exeeshbtmyh.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 808 wrote to memory of 5016	808	img1100020222911pdf.exe	eshbtmyh.exe
PID 808 wrote to memory of 5016	808	img1100020222911pdf.exe	eshbtmyh.exe
PID 808 wrote to memory of 5016	808	img1100020222911pdf.exe	eshbtmyh.exe
PID 5016 wrote to memory of 4952	5016	eshbtmyh.exe	eshbtmyh.exe
PID 5016 wrote to memory of 4952	5016	eshbtmyh.exe	eshbtmyh.exe
PID 5016 wrote to memory of 4952	5016	eshbtmyh.exe	eshbtmyh.exe
PID 5016 wrote to memory of 4952	5016	eshbtmyh.exe	eshbtmyh.exe
PID 2576 wrote to memory of 4920	2576	Explorer.EXE	NETSTAT.EXE
PID 2576 wrote to memory of 4920	2576	Explorer.EXE	NETSTAT.EXE
PID 2576 wrote to memory of 4920	2576	Explorer.EXE	NETSTAT.EXE
PID 4920 wrote to memory of 2732	4920	NETSTAT.EXE	cmd.exe
PID 4920 wrote to memory of 2732	4920	NETSTAT.EXE	cmd.exe
PID 4920 wrote to memory of 2732	4920	NETSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2576

C:\Users\Admin\AppData\Local\Temp\img1100020222911pdf.exe
"C:\Users\Admin\AppData\Local\Temp\img1100020222911pdf.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:808

C:\Users\Admin\AppData\Local\Temp\eshbtmyh.exe
"C:\Users\Admin\AppData\Local\Temp\eshbtmyh.exe" C:\Users\Admin\AppData\Local\Temp\artrnvmjmeh.uz
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:5016

C:\Users\Admin\AppData\Local\Temp\eshbtmyh.exe
"C:\Users\Admin\AppData\Local\Temp\eshbtmyh.exe" C:\Users\Admin\AppData\Local\Temp\artrnvmjmeh.uz
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4952

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4920

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\eshbtmyh.exe"
3⤵
PID:2732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\artrnvmjmeh.uz
Filesize
5KB

MD5
bf08797130b2716c878ce43694b70a00

SHA1
47cb8c4548094999b211f9c33dd5228cb069189d

SHA256
bf771c640f25137bc6d7f6a4d5ec4efa9b6ee66e7c6515dfcbaa7a9fcb52aa38

SHA512
e07763b41c1570b7dbc9ddd6921cd02b0494b7e4bd67e751ec3de990f780ccad1aa15a4f61f3bd498ae0bf3a663a819b9e7fb6b6ce48de95912a4b5d8206a7ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\eshbtmyh.exe
Filesize
59KB

MD5
c23565b815af9468d59e97b63aadce26

SHA1
51fe24f24c98738ce936d9f9a66d759297018729

SHA256
511646182f1e77634cb75442ff180bf9fd490addf15a7b943a20fce6a347c5d6

SHA512
9553be9b57add87a08b0cdc1f9290e30f7cc4d3d92e425da6b6c4ba80acad11bf8b2643a62c4d6d48de6dc97a3b15c007021045bcc9d15a86d13ad074e9694c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\eshbtmyh.exe
Filesize
59KB

MD5
c23565b815af9468d59e97b63aadce26

SHA1
51fe24f24c98738ce936d9f9a66d759297018729

SHA256
511646182f1e77634cb75442ff180bf9fd490addf15a7b943a20fce6a347c5d6

SHA512
9553be9b57add87a08b0cdc1f9290e30f7cc4d3d92e425da6b6c4ba80acad11bf8b2643a62c4d6d48de6dc97a3b15c007021045bcc9d15a86d13ad074e9694c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\eshbtmyh.exe
Filesize
59KB

MD5
c23565b815af9468d59e97b63aadce26

SHA1
51fe24f24c98738ce936d9f9a66d759297018729

SHA256
511646182f1e77634cb75442ff180bf9fd490addf15a7b943a20fce6a347c5d6

SHA512
9553be9b57add87a08b0cdc1f9290e30f7cc4d3d92e425da6b6c4ba80acad11bf8b2643a62c4d6d48de6dc97a3b15c007021045bcc9d15a86d13ad074e9694c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\mulqlcwybp.emj
Filesize
185KB

MD5
732eb533f6228a0f63b83dc52a820b45

SHA1
7994ca7bc8f02de4793a4de85c20dc55e18b2018

SHA256
4635d82c00779c583704bb744fe7d8d242d1d3e3aaf26bd0ed452885e4de7af0

SHA512
1b583f852f992e6656ad578749ed9d9e54bd9b262d98860afbd03332a3cd5cf11d9d566a23462283ac9c03e89f0473f0f9812e01c37cf62a3444fd970c7fdd61

Download Submit
memory/2576-142-0x00000000077D0000-0x00000000078D3000-memory.dmp

Filesize
1.0MB

Download
memory/2576-152-0x00000000087E0000-0x000000000894C000-memory.dmp

Filesize
1.4MB

Download
memory/2576-151-0x00000000087E0000-0x000000000894C000-memory.dmp

Filesize
1.4MB

Download
memory/2576-148-0x00000000077D0000-0x00000000078D3000-memory.dmp

Filesize
1.0MB

Download
memory/2732-144-0x0000000000000000-mapping.dmp

Download
memory/4920-146-0x0000000000D20000-0x0000000000D4F000-memory.dmp

Filesize
188KB

Download
memory/4920-143-0x0000000000000000-mapping.dmp

Download
memory/4920-145-0x00000000003E0000-0x00000000003EB000-memory.dmp

Filesize
44KB

Download
memory/4920-147-0x0000000001710000-0x0000000001A5A000-memory.dmp

Filesize
3.3MB

Download
memory/4920-149-0x0000000000D20000-0x0000000000D4F000-memory.dmp

Filesize
188KB

Download
memory/4920-150-0x00000000014B0000-0x0000000001544000-memory.dmp

Filesize
592KB

Download
memory/4952-141-0x00000000009E0000-0x00000000009F5000-memory.dmp

Filesize
84KB

Download
memory/4952-140-0x0000000000A40000-0x0000000000D8A000-memory.dmp

Filesize
3.3MB

Download
memory/4952-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4952-137-0x0000000000000000-mapping.dmp

Download
memory/5016-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads