formbook | 8dec08c523bc61d2d8da23da4d82ff33e89f69c7478578af3623f9411e1a38d0

General

Target

img1100020222911pdf.exe
Size

228KB
MD5

d74737867056221a34fb0f606f46b695
SHA1

26605c664c9b4b3bd1f007fa1068abb0bbfaf265
SHA256

8dec08c523bc61d2d8da23da4d82ff33e89f69c7478578af3623f9411e1a38d0
SHA512

5451a474a6cc55f220b43bfe0b65fe9ed2b7c66dfef0ab33b22e9b8fce26929235073ecd820681087100035b6091acf7106f927a98ca801696aa5e89c89901f4
SSDEEP

6144:QBn1GdcqsCyQBYm/Zyo49qd/XvU1jO6IJO:gONsCyQBPsvmyjO6yO

Score

10^/10

formbook mi08 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mi08

Decoy

mytimebabes.com

ycpxb.com

abdkaplani.com

cloudingersoftech.com

fthfire.xyz

christyna.work

3d-add-on.com

knowyourtechdeals.com

kcl24.com

sepatubiker.com

sunnyboy.live

zrbsq.com

rinpari.com

lesac-berra.com

yes820.com

cnnorman.com

mystichousedv.com

sbobet888auto.com

gawiul.xyz

luispenas.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2156-139-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4448-145-0x0000000000180000-0x00000000001AF000-memory.dmp	formbook

Blocklisted process makes network request 1 IoCs

Processes:

cscript.exe

flow pid process

78 4448 cscript.exe
Executes dropped EXE 2 IoCs

Processes:

eshbtmyh.exeeshbtmyh.exe

pid process

4500 eshbtmyh.exe
2156 eshbtmyh.exe

flow	pid	process
78	4448	cscript.exe

pid	process
4500	eshbtmyh.exe
2156	eshbtmyh.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

eshbtmyh.exeeshbtmyh.execscript.exe

description	pid	process	target process
PID 4500 set thread context of 2156	4500	eshbtmyh.exe	eshbtmyh.exe
PID 2156 set thread context of 2752	2156	eshbtmyh.exe	Explorer.EXE
PID 4448 set thread context of 2752	4448	cscript.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

eshbtmyh.execscript.exe

pid	process
2156	eshbtmyh.exe
2156	eshbtmyh.exe
2156	eshbtmyh.exe
2156	eshbtmyh.exe
4448	cscript.exe
4448	cscript.exe
4448	cscript.exe
4448	cscript.exe
4448	cscript.exe
4448	cscript.exe
4448	cscript.exe
4448	cscript.exe
4448	cscript.exe
4448	cscript.exe
4448	cscript.exe
4448	cscript.exe
4448	cscript.exe
4448	cscript.exe
4448	cscript.exe
4448	cscript.exe
4448	cscript.exe
4448	cscript.exe
4448	cscript.exe
4448	cscript.exe
4448	cscript.exe
4448	cscript.exe
4448	cscript.exe
4448	cscript.exe
4448	cscript.exe
4448	cscript.exe
4448	cscript.exe
4448	cscript.exe
4448	cscript.exe
4448	cscript.exe
4448	cscript.exe
4448	cscript.exe
4448	cscript.exe
4448	cscript.exe
4448	cscript.exe
4448	cscript.exe
4448	cscript.exe
4448	cscript.exe
4448	cscript.exe
4448	cscript.exe
4448	cscript.exe
4448	cscript.exe
4448	cscript.exe
4448	cscript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2752 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

eshbtmyh.exeeshbtmyh.execscript.exe

pid process

4500 eshbtmyh.exe
2156 eshbtmyh.exe
2156 eshbtmyh.exe
2156 eshbtmyh.exe
4448 cscript.exe
4448 cscript.exe

pid	process
2752	Explorer.EXE

pid	process
4500	eshbtmyh.exe
2156	eshbtmyh.exe
2156	eshbtmyh.exe
2156	eshbtmyh.exe
4448	cscript.exe
4448	cscript.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

eshbtmyh.execscript.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	2156	eshbtmyh.exe
Token: SeDebugPrivilege	4448	cscript.exe
Token: SeShutdownPrivilege	2752	Explorer.EXE
Token: SeCreatePagefilePrivilege	2752	Explorer.EXE
Token: SeShutdownPrivilege	2752	Explorer.EXE
Token: SeCreatePagefilePrivilege	2752	Explorer.EXE
Token: SeShutdownPrivilege	2752	Explorer.EXE
Token: SeCreatePagefilePrivilege	2752	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

2752 Explorer.EXE
2752 Explorer.EXE

pid	process
2752	Explorer.EXE
2752	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

img1100020222911pdf.exeeshbtmyh.exeExplorer.EXEcscript.exe

description	pid	process	target process
PID 3064 wrote to memory of 4500	3064	img1100020222911pdf.exe	eshbtmyh.exe
PID 3064 wrote to memory of 4500	3064	img1100020222911pdf.exe	eshbtmyh.exe
PID 3064 wrote to memory of 4500	3064	img1100020222911pdf.exe	eshbtmyh.exe
PID 4500 wrote to memory of 2156	4500	eshbtmyh.exe	eshbtmyh.exe
PID 4500 wrote to memory of 2156	4500	eshbtmyh.exe	eshbtmyh.exe
PID 4500 wrote to memory of 2156	4500	eshbtmyh.exe	eshbtmyh.exe
PID 4500 wrote to memory of 2156	4500	eshbtmyh.exe	eshbtmyh.exe
PID 2752 wrote to memory of 4448	2752	Explorer.EXE	cscript.exe
PID 2752 wrote to memory of 4448	2752	Explorer.EXE	cscript.exe
PID 2752 wrote to memory of 4448	2752	Explorer.EXE	cscript.exe
PID 4448 wrote to memory of 4820	4448	cscript.exe	cmd.exe
PID 4448 wrote to memory of 4820	4448	cscript.exe	cmd.exe
PID 4448 wrote to memory of 4820	4448	cscript.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Users\Admin\AppData\Local\Temp\img1100020222911pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\img1100020222911pdf.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Users\Admin\AppData\Local\Temp\eshbtmyh.exe
    "C:\Users\Admin\AppData\Local\Temp\eshbtmyh.exe" C:\Users\Admin\AppData\Local\Temp\artrnvmjmeh.uz
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4500
  - - C:\Users\Admin\AppData\Local\Temp\eshbtmyh.exe
      "C:\Users\Admin\AppData\Local\Temp\eshbtmyh.exe" C:\Users\Admin\AppData\Local\Temp\artrnvmjmeh.uz
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2156
- C:\Windows\SysWOW64\cscript.exe
  "C:\Windows\SysWOW64\cscript.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4448
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\eshbtmyh.exe"
    3⤵
    PID:4820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\artrnvmjmeh.uz

Filesize
5KB

MD5
bf08797130b2716c878ce43694b70a00

SHA1
47cb8c4548094999b211f9c33dd5228cb069189d

SHA256
bf771c640f25137bc6d7f6a4d5ec4efa9b6ee66e7c6515dfcbaa7a9fcb52aa38

SHA512
e07763b41c1570b7dbc9ddd6921cd02b0494b7e4bd67e751ec3de990f780ccad1aa15a4f61f3bd498ae0bf3a663a819b9e7fb6b6ce48de95912a4b5d8206a7ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\eshbtmyh.exe

Filesize
59KB

MD5
c23565b815af9468d59e97b63aadce26

SHA1
51fe24f24c98738ce936d9f9a66d759297018729

SHA256
511646182f1e77634cb75442ff180bf9fd490addf15a7b943a20fce6a347c5d6

SHA512
9553be9b57add87a08b0cdc1f9290e30f7cc4d3d92e425da6b6c4ba80acad11bf8b2643a62c4d6d48de6dc97a3b15c007021045bcc9d15a86d13ad074e9694c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\eshbtmyh.exe

Filesize
59KB

MD5
c23565b815af9468d59e97b63aadce26

SHA1
51fe24f24c98738ce936d9f9a66d759297018729

SHA256
511646182f1e77634cb75442ff180bf9fd490addf15a7b943a20fce6a347c5d6

SHA512
9553be9b57add87a08b0cdc1f9290e30f7cc4d3d92e425da6b6c4ba80acad11bf8b2643a62c4d6d48de6dc97a3b15c007021045bcc9d15a86d13ad074e9694c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\eshbtmyh.exe

Filesize
59KB

MD5
c23565b815af9468d59e97b63aadce26

SHA1
51fe24f24c98738ce936d9f9a66d759297018729

SHA256
511646182f1e77634cb75442ff180bf9fd490addf15a7b943a20fce6a347c5d6

SHA512
9553be9b57add87a08b0cdc1f9290e30f7cc4d3d92e425da6b6c4ba80acad11bf8b2643a62c4d6d48de6dc97a3b15c007021045bcc9d15a86d13ad074e9694c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\mulqlcwybp.emj

Filesize
185KB

MD5
732eb533f6228a0f63b83dc52a820b45

SHA1
7994ca7bc8f02de4793a4de85c20dc55e18b2018

SHA256
4635d82c00779c583704bb744fe7d8d242d1d3e3aaf26bd0ed452885e4de7af0

SHA512
1b583f852f992e6656ad578749ed9d9e54bd9b262d98860afbd03332a3cd5cf11d9d566a23462283ac9c03e89f0473f0f9812e01c37cf62a3444fd970c7fdd61

Download Submit
memory/2156-140-0x00000000009E0000-0x0000000000D2A000-memory.dmp

Filesize
3.3MB

Download
memory/2156-137-0x0000000000000000-mapping.dmp

Download
memory/2156-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2156-141-0x0000000000D30000-0x0000000000D45000-memory.dmp

Filesize
84KB

Download
memory/2752-150-0x00000000029B0000-0x0000000002A74000-memory.dmp

Filesize
784KB

Download
memory/2752-142-0x0000000002810000-0x00000000028F8000-memory.dmp

Filesize
928KB

Download
memory/2752-149-0x00000000029B0000-0x0000000002A74000-memory.dmp

Filesize
784KB

Download
memory/4448-144-0x0000000000BF0000-0x0000000000C17000-memory.dmp

Filesize
156KB

Download
memory/4448-145-0x0000000000180000-0x00000000001AF000-memory.dmp

Filesize
188KB

Download
memory/4448-146-0x0000000002630000-0x000000000297A000-memory.dmp

Filesize
3.3MB

Download
memory/4448-148-0x00000000023C0000-0x0000000002454000-memory.dmp

Filesize
592KB

Download
memory/4448-143-0x0000000000000000-mapping.dmp

Download
memory/4500-132-0x0000000000000000-mapping.dmp

Download
memory/4820-147-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads