formbook | 9a67166c5a81302300022d5fcf029600356460fcf3ce82fa37db08b131a0459f

General

Target

a2b43ba6d6a6af9f0fa07cab1a1ffd64.exe
Size

413KB
MD5

a2b43ba6d6a6af9f0fa07cab1a1ffd64
SHA1

0d63ee2545439dff61486e040fb8d921bee79ae3
SHA256

9a67166c5a81302300022d5fcf029600356460fcf3ce82fa37db08b131a0459f
SHA512

2a1105023880ae650ba67f2d657f3c0fe8c1a84c40a5a9ac5303f0c666226c454c40893f79073e816d14d873a3b583803934f9540a9ee7a604318affb1b427bb
SSDEEP

6144:LBnmyK4O/ekC2y6gPWJ6OC4tp8k4Hg2Y5nkjtPPraKFMP4wzSl7dlP7O/9Dj:Q7e6gPPOCm8kSIsPWK2Ptzo7dpy

Score

10^/10

formbook 8rmt rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

8rmt

Decoy

3472cc.com

takecareyourhair.com

kontolajigasd21.xyz

daihaitrinh.net

syncmostlatestinfo-file.info

lovesolutionsastrologist.info

angelapryan.com

rio727casino.com

jjsgagets.com

devyatkina.online

thegoldenbeautyqatar.com

czytaj-unas24live.monster

timepoachers.com

gayxxxporn.site

72308.xyz

kristanolivo.com

hijrahfwd.com

bmfighters.com

alfamx.website

handfulofbabesbows.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4160-139-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4160-143-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4836-146-0x0000000000A50000-0x0000000000A7F000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

ycayuhnew.exeycayuhnew.exe

pid process

4672 ycayuhnew.exe
4160 ycayuhnew.exe

pid	process
4672	ycayuhnew.exe
4160	ycayuhnew.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

ycayuhnew.exeycayuhnew.execontrol.exe

description	pid	process	target process
PID 4672 set thread context of 4160	4672	ycayuhnew.exe	ycayuhnew.exe
PID 4160 set thread context of 2572	4160	ycayuhnew.exe	Explorer.EXE
PID 4836 set thread context of 2572	4836	control.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

ycayuhnew.execontrol.exe

pid	process
4160	ycayuhnew.exe
4160	ycayuhnew.exe
4160	ycayuhnew.exe
4160	ycayuhnew.exe
4836	control.exe
4836	control.exe
4836	control.exe
4836	control.exe
4836	control.exe
4836	control.exe
4836	control.exe
4836	control.exe
4836	control.exe
4836	control.exe
4836	control.exe
4836	control.exe
4836	control.exe
4836	control.exe
4836	control.exe
4836	control.exe
4836	control.exe
4836	control.exe
4836	control.exe
4836	control.exe
4836	control.exe
4836	control.exe
4836	control.exe
4836	control.exe
4836	control.exe
4836	control.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2572 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

ycayuhnew.exeycayuhnew.execontrol.exe

pid process

4672 ycayuhnew.exe
4160 ycayuhnew.exe
4160 ycayuhnew.exe
4160 ycayuhnew.exe
4836 control.exe
4836 control.exe

pid	process
2572	Explorer.EXE

pid	process
4672	ycayuhnew.exe
4160	ycayuhnew.exe
4160	ycayuhnew.exe
4160	ycayuhnew.exe
4836	control.exe
4836	control.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

ycayuhnew.execontrol.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	4160	ycayuhnew.exe
Token: SeDebugPrivilege	4836	control.exe
Token: SeShutdownPrivilege	2572	Explorer.EXE
Token: SeCreatePagefilePrivilege	2572	Explorer.EXE
Token: SeShutdownPrivilege	2572	Explorer.EXE
Token: SeCreatePagefilePrivilege	2572	Explorer.EXE
Token: SeShutdownPrivilege	2572	Explorer.EXE
Token: SeCreatePagefilePrivilege	2572	Explorer.EXE
Token: SeShutdownPrivilege	2572	Explorer.EXE
Token: SeCreatePagefilePrivilege	2572	Explorer.EXE
Token: SeShutdownPrivilege	2572	Explorer.EXE
Token: SeCreatePagefilePrivilege	2572	Explorer.EXE

Suspicious use of UnmapMainImage 2 IoCs

Processes:

Explorer.EXE

pid process

2572 Explorer.EXE
2572 Explorer.EXE

pid	process
2572	Explorer.EXE
2572	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

a2b43ba6d6a6af9f0fa07cab1a1ffd64.exeycayuhnew.exeExplorer.EXEcontrol.exe

description	pid	process	target process
PID 1612 wrote to memory of 4672	1612	a2b43ba6d6a6af9f0fa07cab1a1ffd64.exe	ycayuhnew.exe
PID 1612 wrote to memory of 4672	1612	a2b43ba6d6a6af9f0fa07cab1a1ffd64.exe	ycayuhnew.exe
PID 1612 wrote to memory of 4672	1612	a2b43ba6d6a6af9f0fa07cab1a1ffd64.exe	ycayuhnew.exe
PID 4672 wrote to memory of 4160	4672	ycayuhnew.exe	ycayuhnew.exe
PID 4672 wrote to memory of 4160	4672	ycayuhnew.exe	ycayuhnew.exe
PID 4672 wrote to memory of 4160	4672	ycayuhnew.exe	ycayuhnew.exe
PID 4672 wrote to memory of 4160	4672	ycayuhnew.exe	ycayuhnew.exe
PID 2572 wrote to memory of 4836	2572	Explorer.EXE	control.exe
PID 2572 wrote to memory of 4836	2572	Explorer.EXE	control.exe
PID 2572 wrote to memory of 4836	2572	Explorer.EXE	control.exe
PID 4836 wrote to memory of 1392	4836	control.exe	cmd.exe
PID 4836 wrote to memory of 1392	4836	control.exe	cmd.exe
PID 4836 wrote to memory of 1392	4836	control.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2572

C:\Users\Admin\AppData\Local\Temp\a2b43ba6d6a6af9f0fa07cab1a1ffd64.exe
"C:\Users\Admin\AppData\Local\Temp\a2b43ba6d6a6af9f0fa07cab1a1ffd64.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1612

C:\Users\Admin\AppData\Local\Temp\ycayuhnew.exe
"C:\Users\Admin\AppData\Local\Temp\ycayuhnew.exe" C:\Users\Admin\AppData\Local\Temp\rjyyjwcs.j
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4672

C:\Users\Admin\AppData\Local\Temp\ycayuhnew.exe
"C:\Users\Admin\AppData\Local\Temp\ycayuhnew.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4160

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4836

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\ycayuhnew.exe"
3⤵
PID:1392

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dxlnbanzq.e
Filesize
185KB

MD5
f6710918e3ecdba55aa451fb1b08742d

SHA1
4ef0c29c55d0d532ceb1a5a324b62ff98d08dd70

SHA256
cc573825aba59339f11629b7fe1ed9adf098e5f12004f441948fe45fcc12a5a7

SHA512
fc35b518211c758cc7f00820a6dd8d5b8543b5e069cb3f837859b98c40027256c11459dfff85dde653a1137cd20c3e5a6bc1cfd3f7b82a094fe94e16d549a4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\rjyyjwcs.j
Filesize
5KB

MD5
45cbfd24b9943772008f524a20e0a56f

SHA1
b4b00712aa448298ed165890245d8c916d2d0f64

SHA256
afef884e713661b15d8639ac7268b667742ebe67b0e031e7d617f2dd2d5813ff

SHA512
4f01cb3c9eb01dcd9e359322605d88e1c0d4b1dde3ecabc594dcb7ab44b6e937880c13cf595cff506df317cb7c928c2d30ebfb3249548ff3832c19a802e07f0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycayuhnew.exe
Filesize
11KB

MD5
d3749f4e6710b8d5beb987f07a5e8580

SHA1
17d39d416576972ecdf7deb2dce4275941497a29

SHA256
edfa8cf65bbe6a0ad70cfc86a451b4ac86d034efc77f4e117151faa48af2d73f

SHA512
6c53523743ddec06f36fe941180c755a3d32c6c6fe85fe15fa7b159ded7d3d32202b6dd4e58f470e567feeac5ab46f3c6cc09a5d57a4b307baf786aa0365c5cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycayuhnew.exe
Filesize
11KB

MD5
d3749f4e6710b8d5beb987f07a5e8580

SHA1
17d39d416576972ecdf7deb2dce4275941497a29

SHA256
edfa8cf65bbe6a0ad70cfc86a451b4ac86d034efc77f4e117151faa48af2d73f

SHA512
6c53523743ddec06f36fe941180c755a3d32c6c6fe85fe15fa7b159ded7d3d32202b6dd4e58f470e567feeac5ab46f3c6cc09a5d57a4b307baf786aa0365c5cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycayuhnew.exe
Filesize
11KB

MD5
d3749f4e6710b8d5beb987f07a5e8580

SHA1
17d39d416576972ecdf7deb2dce4275941497a29

SHA256
edfa8cf65bbe6a0ad70cfc86a451b4ac86d034efc77f4e117151faa48af2d73f

SHA512
6c53523743ddec06f36fe941180c755a3d32c6c6fe85fe15fa7b159ded7d3d32202b6dd4e58f470e567feeac5ab46f3c6cc09a5d57a4b307baf786aa0365c5cd

Download Submit
memory/1392-148-0x0000000000000000-mapping.dmp

Download
memory/2572-159-0x0000000008300000-0x000000000848C000-memory.dmp

Filesize
1.5MB

Download
memory/2572-160-0x0000000002370000-0x0000000002380000-memory.dmp

Filesize
64KB

Download
memory/2572-168-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2572-167-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2572-142-0x00000000080B0000-0x0000000008237000-memory.dmp

Filesize
1.5MB

Download
memory/2572-166-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2572-165-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2572-164-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2572-163-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2572-162-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2572-161-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/2572-149-0x0000000002370000-0x0000000002380000-memory.dmp

Filesize
64KB

Download
memory/2572-150-0x0000000002370000-0x0000000002380000-memory.dmp

Filesize
64KB

Download
memory/2572-151-0x0000000000AA0000-0x0000000000AB0000-memory.dmp

Filesize
64KB

Download
memory/2572-152-0x0000000000AA0000-0x0000000000AB0000-memory.dmp

Filesize
64KB

Download
memory/2572-153-0x0000000000AA0000-0x0000000000AB0000-memory.dmp

Filesize
64KB

Download
memory/2572-154-0x0000000000AA0000-0x0000000000AB0000-memory.dmp

Filesize
64KB

Download
memory/2572-155-0x0000000000AA0000-0x0000000000AB0000-memory.dmp

Filesize
64KB

Download
memory/2572-156-0x0000000000AA0000-0x0000000000AB0000-memory.dmp

Filesize
64KB

Download
memory/2572-158-0x0000000008300000-0x000000000848C000-memory.dmp

Filesize
1.5MB

Download
memory/4160-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4160-137-0x0000000000000000-mapping.dmp

Download
memory/4160-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4160-141-0x00000000015C0000-0x00000000015D5000-memory.dmp

Filesize
84KB

Download
memory/4160-140-0x0000000001620000-0x000000000196A000-memory.dmp

Filesize
3.3MB

Download
memory/4672-132-0x0000000000000000-mapping.dmp

Download
memory/4836-157-0x0000000002740000-0x00000000027D4000-memory.dmp

Filesize
592KB

Download
memory/4836-147-0x00000000028E0000-0x0000000002C2A000-memory.dmp

Filesize
3.3MB

Download
memory/4836-146-0x0000000000A50000-0x0000000000A7F000-memory.dmp

Filesize
188KB

Download
memory/4836-145-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4836-144-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads