formbook | 1a7e6a15cb68a7921d4dd6f694f653ff2635ddb7dcc64dc4a3279f0bf7294cf7

General

Target

1a7e6a15cb68a7921d4dd6f694f653ff2635ddb7dcc64dc4a3279f0bf7294cf7.exe
Size

228KB
MD5

0cb9ae3bbda860d66aecf80bb0ecdded
SHA1

5da779c51ba99bdd6d116aa07ca85d16ee1a857a
SHA256

1a7e6a15cb68a7921d4dd6f694f653ff2635ddb7dcc64dc4a3279f0bf7294cf7
SHA512

b2a77ce3b04a79547d134b626e906121e3d652880ebb36e40351f5d36b5296e3fbf9c2bc1b626c9b9d5e54a0daa429c9cb224f207abb0072b454657be244da3a
SSDEEP

6144:QBn1v53NqFxQea5h5IB5fsirujm4F6L9cFyu:gvtN0QDNILfsiQm46cV

Score

10^/10

formbook lh24 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

lh24

Decoy

50spage.com

acesalamo.xyz

magicair.org.uk

jrroyalps.com

hohot.xyz

affichecrea.com

2048xtw.net

atlas-pars.com

cqxjbz.com

180bingxue.com

coupdechacal.com

k00050.com

twin-vitro.net

haverninstitute.com

espada-japonesa.com

launchcu.info

discountauto.club

8o7eventhebrand.com

fishersmarinaandcampground.com

crystalfloodplain.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2972-139-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2972-144-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2668-147-0x0000000000920000-0x000000000094F000-memory.dmp	formbook
behavioral2/memory/2668-151-0x0000000000920000-0x000000000094F000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

bmdmfha.exebmdmfha.exe

pid process

840 bmdmfha.exe
2972 bmdmfha.exe

pid	process
840	bmdmfha.exe
2972	bmdmfha.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

bmdmfha.exebmdmfha.execolorcpl.exe

description	pid	process	target process
PID 840 set thread context of 2972	840	bmdmfha.exe	bmdmfha.exe
PID 2972 set thread context of 3036	2972	bmdmfha.exe	Explorer.EXE
PID 2668 set thread context of 3036	2668	colorcpl.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

bmdmfha.execolorcpl.exe

pid	process
2972	bmdmfha.exe
2972	bmdmfha.exe
2972	bmdmfha.exe
2972	bmdmfha.exe
2668	colorcpl.exe
2668	colorcpl.exe
2668	colorcpl.exe
2668	colorcpl.exe
2668	colorcpl.exe
2668	colorcpl.exe
2668	colorcpl.exe
2668	colorcpl.exe
2668	colorcpl.exe
2668	colorcpl.exe
2668	colorcpl.exe
2668	colorcpl.exe
2668	colorcpl.exe
2668	colorcpl.exe
2668	colorcpl.exe
2668	colorcpl.exe
2668	colorcpl.exe
2668	colorcpl.exe
2668	colorcpl.exe
2668	colorcpl.exe
2668	colorcpl.exe
2668	colorcpl.exe
2668	colorcpl.exe
2668	colorcpl.exe
2668	colorcpl.exe
2668	colorcpl.exe
2668	colorcpl.exe
2668	colorcpl.exe
2668	colorcpl.exe
2668	colorcpl.exe
2668	colorcpl.exe
2668	colorcpl.exe
2668	colorcpl.exe
2668	colorcpl.exe
2668	colorcpl.exe
2668	colorcpl.exe
2668	colorcpl.exe
2668	colorcpl.exe
2668	colorcpl.exe
2668	colorcpl.exe
2668	colorcpl.exe
2668	colorcpl.exe
2668	colorcpl.exe
2668	colorcpl.exe
2668	colorcpl.exe
2668	colorcpl.exe
2668	colorcpl.exe
2668	colorcpl.exe
2668	colorcpl.exe
2668	colorcpl.exe
2668	colorcpl.exe
2668	colorcpl.exe
2668	colorcpl.exe
2668	colorcpl.exe
2668	colorcpl.exe
2668	colorcpl.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3036 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

bmdmfha.exebmdmfha.execolorcpl.exe

pid process

840 bmdmfha.exe
2972 bmdmfha.exe
2972 bmdmfha.exe
2972 bmdmfha.exe
2668 colorcpl.exe
2668 colorcpl.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

bmdmfha.execolorcpl.exe

description pid process

Token: SeDebugPrivilege 2972 bmdmfha.exe
Token: SeDebugPrivilege 2668 colorcpl.exe

pid	process
3036	Explorer.EXE

pid	process
840	bmdmfha.exe
2972	bmdmfha.exe
2972	bmdmfha.exe
2972	bmdmfha.exe
2668	colorcpl.exe
2668	colorcpl.exe

description	pid	process
Token: SeDebugPrivilege	2972	bmdmfha.exe
Token: SeDebugPrivilege	2668	colorcpl.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

1a7e6a15cb68a7921d4dd6f694f653ff2635ddb7dcc64dc4a3279f0bf7294cf7.exebmdmfha.exeExplorer.EXEcolorcpl.exe

description	pid	process	target process
PID 4788 wrote to memory of 840	4788	1a7e6a15cb68a7921d4dd6f694f653ff2635ddb7dcc64dc4a3279f0bf7294cf7.exe	bmdmfha.exe
PID 4788 wrote to memory of 840	4788	1a7e6a15cb68a7921d4dd6f694f653ff2635ddb7dcc64dc4a3279f0bf7294cf7.exe	bmdmfha.exe
PID 4788 wrote to memory of 840	4788	1a7e6a15cb68a7921d4dd6f694f653ff2635ddb7dcc64dc4a3279f0bf7294cf7.exe	bmdmfha.exe
PID 840 wrote to memory of 2972	840	bmdmfha.exe	bmdmfha.exe
PID 840 wrote to memory of 2972	840	bmdmfha.exe	bmdmfha.exe
PID 840 wrote to memory of 2972	840	bmdmfha.exe	bmdmfha.exe
PID 840 wrote to memory of 2972	840	bmdmfha.exe	bmdmfha.exe
PID 3036 wrote to memory of 2668	3036	Explorer.EXE	colorcpl.exe
PID 3036 wrote to memory of 2668	3036	Explorer.EXE	colorcpl.exe
PID 3036 wrote to memory of 2668	3036	Explorer.EXE	colorcpl.exe
PID 2668 wrote to memory of 904	2668	colorcpl.exe	cmd.exe
PID 2668 wrote to memory of 904	2668	colorcpl.exe	cmd.exe
PID 2668 wrote to memory of 904	2668	colorcpl.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3036

C:\Users\Admin\AppData\Local\Temp\1a7e6a15cb68a7921d4dd6f694f653ff2635ddb7dcc64dc4a3279f0bf7294cf7.exe
"C:\Users\Admin\AppData\Local\Temp\1a7e6a15cb68a7921d4dd6f694f653ff2635ddb7dcc64dc4a3279f0bf7294cf7.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4788

C:\Users\Admin\AppData\Local\Temp\bmdmfha.exe
"C:\Users\Admin\AppData\Local\Temp\bmdmfha.exe" C:\Users\Admin\AppData\Local\Temp\gcekaersgbe.tp
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:840

C:\Users\Admin\AppData\Local\Temp\bmdmfha.exe
"C:\Users\Admin\AppData\Local\Temp\bmdmfha.exe" C:\Users\Admin\AppData\Local\Temp\gcekaersgbe.tp
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2972

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2668

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\bmdmfha.exe"
3⤵
PID:904

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bmdmfha.exe
Filesize
59KB

MD5
f5d6bcc7ed9bcf9591695a11c01b3109

SHA1
bb9c76294536e3aa1e41f334b92490465b34b92a

SHA256
6244c6c88427e09bbca2ccf9e549b13f1f272bc2f92ef9bb3d35d7feb3e903aa

SHA512
17fd4d5b94ed84e5f714ac0eb4ad4b70dc650ccebb1961fe744e210817a2f0e81f2dacc803e815fef2f9c314cf5dabb07eedfa4bbad4cd5fe2cdf688f2404195

Download Submit
C:\Users\Admin\AppData\Local\Temp\bmdmfha.exe
Filesize
59KB

MD5
f5d6bcc7ed9bcf9591695a11c01b3109

SHA1
bb9c76294536e3aa1e41f334b92490465b34b92a

SHA256
6244c6c88427e09bbca2ccf9e549b13f1f272bc2f92ef9bb3d35d7feb3e903aa

SHA512
17fd4d5b94ed84e5f714ac0eb4ad4b70dc650ccebb1961fe744e210817a2f0e81f2dacc803e815fef2f9c314cf5dabb07eedfa4bbad4cd5fe2cdf688f2404195

Download Submit
C:\Users\Admin\AppData\Local\Temp\bmdmfha.exe
Filesize
59KB

MD5
f5d6bcc7ed9bcf9591695a11c01b3109

SHA1
bb9c76294536e3aa1e41f334b92490465b34b92a

SHA256
6244c6c88427e09bbca2ccf9e549b13f1f272bc2f92ef9bb3d35d7feb3e903aa

SHA512
17fd4d5b94ed84e5f714ac0eb4ad4b70dc650ccebb1961fe744e210817a2f0e81f2dacc803e815fef2f9c314cf5dabb07eedfa4bbad4cd5fe2cdf688f2404195

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcekaersgbe.tp
Filesize
5KB

MD5
cd48bd280141373063371589699077c4

SHA1
1ee7aa022d2416a8077f7ad0a49ddd21f8e2ddb3

SHA256
dcda9f15c496fed89683582c23485866f10b085cb30ffd8a9cd1df2e0df9bccb

SHA512
bc5b8c643783e003a22f45893bf538c93d13601c92a36e0859dbf1e23198b511103a05a102425fabe58b2b6c8938682ef06bc24d353771797684a429c9d09971

Download Submit
C:\Users\Admin\AppData\Local\Temp\ofcvfjaor.s
Filesize
185KB

MD5
0381ed3d2bae60ecdb42c460e5ed413f

SHA1
bfbf087d40b0276d97db246b4b900a959460539e

SHA256
5caac70e547402762c324137a7b12cd29f901546caa998386d019d1b814a6ccc

SHA512
1686888abe5c82c16a6a5e26d4400ae4cbf854721c128f8f00cb641c8e7b856ac8037a0a9f0d2776c4ad4c15b3a5dd1874f841460f3363b64f288e3d6d958c8f

Download Submit
memory/840-132-0x0000000000000000-mapping.dmp

Download
memory/904-145-0x0000000000000000-mapping.dmp

Download
memory/2668-151-0x0000000000920000-0x000000000094F000-memory.dmp

Filesize
188KB

Download
memory/2668-149-0x00000000029B0000-0x0000000002A43000-memory.dmp

Filesize
588KB

Download
memory/2668-148-0x0000000002C80000-0x0000000002FCA000-memory.dmp

Filesize
3.3MB

Download
memory/2668-147-0x0000000000920000-0x000000000094F000-memory.dmp

Filesize
188KB

Download
memory/2668-143-0x0000000000000000-mapping.dmp

Download
memory/2668-146-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/2972-137-0x0000000000000000-mapping.dmp

Download
memory/2972-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2972-141-0x00000000005B0000-0x00000000005C4000-memory.dmp

Filesize
80KB

Download
memory/2972-140-0x0000000000A60000-0x0000000000DAA000-memory.dmp

Filesize
3.3MB

Download
memory/2972-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3036-142-0x0000000008C30000-0x0000000008D62000-memory.dmp

Filesize
1.2MB

Download
memory/3036-150-0x0000000003440000-0x000000000351D000-memory.dmp

Filesize
884KB

Download
memory/3036-152-0x0000000003440000-0x000000000351D000-memory.dmp

Filesize
884KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads