formbook | 9cb663413d7bc88e4260e2fa57a565227a9dab828345a8bc6d5c65694dfc455e

General

Target

d852dc6cd5735e9be663c145356878c5.exe
Size

413KB
MD5

d852dc6cd5735e9be663c145356878c5
SHA1

122bfaa3e35ab60f0d079c947c6df7cad0bd9cef
SHA256

9cb663413d7bc88e4260e2fa57a565227a9dab828345a8bc6d5c65694dfc455e
SHA512

58f715a85ca601bc366142df5418d8af195300e1825baa5209b173e75c55f9328b71573e5fe21f78cffcc2837b3d62d31800443de100b0ad503864c450f38da1
SSDEEP

6144:LBnmyK4O/ekC2y6gPH1fKSfJmEmEjD5tp6hnUpX3f4J/NhO:Q7e6gPH1SSmEnp+nU5QJ//O

Score

10^/10

formbook h3ha rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

h3ha

Decoy

ideas-dulces.store

store1995.store

swuhn.com

ninideal.com

musiqhaus.com

quranchart.com

kszq26.club

lightfx.online

thetickettruth.com

meritloancubk.com

lawnforcement.com

sogeanetwork.com

thedinoexotics.com

kojima-ah.net

gr-myab3z.xyz

platiniuminestor.net

reviewsiske.com

stessil-lifestyle.com

goodqjourney.biz

cirimpianti.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/904-65-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/580-73-0x0000000000090000-0x00000000000BF000-memory.dmp	formbook
behavioral1/memory/580-77-0x0000000000090000-0x00000000000BF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

enqnjvfa.exeenqnjvfa.exe

pid process

2024 enqnjvfa.exe
904 enqnjvfa.exe
Loads dropped DLL 2 IoCs

Processes:

d852dc6cd5735e9be663c145356878c5.exeenqnjvfa.exe

pid process

1380 d852dc6cd5735e9be663c145356878c5.exe
2024 enqnjvfa.exe

pid	process
2024	enqnjvfa.exe
904	enqnjvfa.exe

pid	process
1380	d852dc6cd5735e9be663c145356878c5.exe
2024	enqnjvfa.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

enqnjvfa.exeenqnjvfa.exemsiexec.exe

description	pid	process	target process
PID 2024 set thread context of 904	2024	enqnjvfa.exe	enqnjvfa.exe
PID 904 set thread context of 1284	904	enqnjvfa.exe	Explorer.EXE
PID 580 set thread context of 1284	580	msiexec.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

enqnjvfa.exemsiexec.exe

pid	process
904	enqnjvfa.exe
904	enqnjvfa.exe
580	msiexec.exe
580	msiexec.exe
580	msiexec.exe
580	msiexec.exe
580	msiexec.exe
580	msiexec.exe
580	msiexec.exe
580	msiexec.exe
580	msiexec.exe
580	msiexec.exe
580	msiexec.exe
580	msiexec.exe
580	msiexec.exe
580	msiexec.exe
580	msiexec.exe
580	msiexec.exe
580	msiexec.exe
580	msiexec.exe
580	msiexec.exe
580	msiexec.exe
580	msiexec.exe
580	msiexec.exe
580	msiexec.exe
580	msiexec.exe
580	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1284 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

enqnjvfa.exeenqnjvfa.exemsiexec.exe

pid process

2024 enqnjvfa.exe
904 enqnjvfa.exe
904 enqnjvfa.exe
904 enqnjvfa.exe
580 msiexec.exe
580 msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

enqnjvfa.exemsiexec.exe

description pid process

Token: SeDebugPrivilege 904 enqnjvfa.exe
Token: SeDebugPrivilege 580 msiexec.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1284 Explorer.EXE
1284 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1284 Explorer.EXE
1284 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

1284 Explorer.EXE

pid	process
1284	Explorer.EXE

pid	process
2024	enqnjvfa.exe
904	enqnjvfa.exe
904	enqnjvfa.exe
904	enqnjvfa.exe
580	msiexec.exe
580	msiexec.exe

description	pid	process
Token: SeDebugPrivilege	904	enqnjvfa.exe
Token: SeDebugPrivilege	580	msiexec.exe

pid	process
1284	Explorer.EXE
1284	Explorer.EXE

pid	process
1284	Explorer.EXE
1284	Explorer.EXE

pid	process
1284	Explorer.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

d852dc6cd5735e9be663c145356878c5.exeenqnjvfa.exeExplorer.EXEmsiexec.exe

description	pid	process	target process
PID 1380 wrote to memory of 2024	1380	d852dc6cd5735e9be663c145356878c5.exe	enqnjvfa.exe
PID 1380 wrote to memory of 2024	1380	d852dc6cd5735e9be663c145356878c5.exe	enqnjvfa.exe
PID 1380 wrote to memory of 2024	1380	d852dc6cd5735e9be663c145356878c5.exe	enqnjvfa.exe
PID 1380 wrote to memory of 2024	1380	d852dc6cd5735e9be663c145356878c5.exe	enqnjvfa.exe
PID 2024 wrote to memory of 904	2024	enqnjvfa.exe	enqnjvfa.exe
PID 2024 wrote to memory of 904	2024	enqnjvfa.exe	enqnjvfa.exe
PID 2024 wrote to memory of 904	2024	enqnjvfa.exe	enqnjvfa.exe
PID 2024 wrote to memory of 904	2024	enqnjvfa.exe	enqnjvfa.exe
PID 2024 wrote to memory of 904	2024	enqnjvfa.exe	enqnjvfa.exe
PID 1284 wrote to memory of 580	1284	Explorer.EXE	msiexec.exe
PID 1284 wrote to memory of 580	1284	Explorer.EXE	msiexec.exe
PID 1284 wrote to memory of 580	1284	Explorer.EXE	msiexec.exe
PID 1284 wrote to memory of 580	1284	Explorer.EXE	msiexec.exe
PID 1284 wrote to memory of 580	1284	Explorer.EXE	msiexec.exe
PID 1284 wrote to memory of 580	1284	Explorer.EXE	msiexec.exe
PID 1284 wrote to memory of 580	1284	Explorer.EXE	msiexec.exe
PID 580 wrote to memory of 1772	580	msiexec.exe	cmd.exe
PID 580 wrote to memory of 1772	580	msiexec.exe	cmd.exe
PID 580 wrote to memory of 1772	580	msiexec.exe	cmd.exe
PID 580 wrote to memory of 1772	580	msiexec.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1284

C:\Users\Admin\AppData\Local\Temp\d852dc6cd5735e9be663c145356878c5.exe
"C:\Users\Admin\AppData\Local\Temp\d852dc6cd5735e9be663c145356878c5.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1380

C:\Users\Admin\AppData\Local\Temp\enqnjvfa.exe
"C:\Users\Admin\AppData\Local\Temp\enqnjvfa.exe" C:\Users\Admin\AppData\Local\Temp\xofvp.izm
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Admin\AppData\Local\Temp\enqnjvfa.exe
"C:\Users\Admin\AppData\Local\Temp\enqnjvfa.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:904

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\enqnjvfa.exe"
3⤵
PID:1772

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\enqnjvfa.exe
Filesize
11KB

MD5
9e64e8dc3ad7ee7d625dcfce59356299

SHA1
f16c2f1126de4a1c350a00f9e485c27d578a7dbe

SHA256
a5579131c47b3270af6361bda4c722a9478164f57852a752d602cdf92ff85661

SHA512
9e9905e1f5d950ac6867990575e33c0bb4f49d9c5c84122a7affd3228e6df0629502f054c1e32a4062f88a6ce0bd4fc0e4ed6c473f2a0f1fb28329704d4ce56f

Download Submit
C:\Users\Admin\AppData\Local\Temp\enqnjvfa.exe
Filesize
11KB

MD5
9e64e8dc3ad7ee7d625dcfce59356299

SHA1
f16c2f1126de4a1c350a00f9e485c27d578a7dbe

SHA256
a5579131c47b3270af6361bda4c722a9478164f57852a752d602cdf92ff85661

SHA512
9e9905e1f5d950ac6867990575e33c0bb4f49d9c5c84122a7affd3228e6df0629502f054c1e32a4062f88a6ce0bd4fc0e4ed6c473f2a0f1fb28329704d4ce56f

Download Submit
C:\Users\Admin\AppData\Local\Temp\enqnjvfa.exe
Filesize
11KB

MD5
9e64e8dc3ad7ee7d625dcfce59356299

SHA1
f16c2f1126de4a1c350a00f9e485c27d578a7dbe

SHA256
a5579131c47b3270af6361bda4c722a9478164f57852a752d602cdf92ff85661

SHA512
9e9905e1f5d950ac6867990575e33c0bb4f49d9c5c84122a7affd3228e6df0629502f054c1e32a4062f88a6ce0bd4fc0e4ed6c473f2a0f1fb28329704d4ce56f

Download Submit
C:\Users\Admin\AppData\Local\Temp\veakhnr.uza
Filesize
185KB

MD5
20d3e568432fdba197900c448b7410cb

SHA1
59758fbccb9618885923f383691d70893afeb1a5

SHA256
ba809e6eee1842a5c2cb86535ec45288cf1a4f69f5670cc8965ff8ba0c3dcfab

SHA512
37841f6af2308c4b098995a176e294f6cc754c39a45b843c12c36aa663092e5717ea993496bda44385d8d375345a7f4ff8a62f4225830740c2c7a17cbfbacff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\xofvp.izm
Filesize
5KB

MD5
2b361c115ca3188f48dbb31359d8fee7

SHA1
c96e14eb1995e0c9f08e91998c843e9afb12cfc7

SHA256
65aa94ff37667b39a15375ae2dc697f4f5979d4c495e0785cfb972f667129bc9

SHA512
ce60bf5d2069d3e6c5808a9cda2f6b7cfc04e9513a0da7da80b5cec10585fbbe3bfe1ddbe5784ff046a9ecbdf78910663b121b2a66c328f6e7412d0bfbdd5e04

Download Submit
\Users\Admin\AppData\Local\Temp\enqnjvfa.exe
Filesize
11KB

MD5
9e64e8dc3ad7ee7d625dcfce59356299

SHA1
f16c2f1126de4a1c350a00f9e485c27d578a7dbe

SHA256
a5579131c47b3270af6361bda4c722a9478164f57852a752d602cdf92ff85661

SHA512
9e9905e1f5d950ac6867990575e33c0bb4f49d9c5c84122a7affd3228e6df0629502f054c1e32a4062f88a6ce0bd4fc0e4ed6c473f2a0f1fb28329704d4ce56f

Download Submit
\Users\Admin\AppData\Local\Temp\enqnjvfa.exe
Filesize
11KB

MD5
9e64e8dc3ad7ee7d625dcfce59356299

SHA1
f16c2f1126de4a1c350a00f9e485c27d578a7dbe

SHA256
a5579131c47b3270af6361bda4c722a9478164f57852a752d602cdf92ff85661

SHA512
9e9905e1f5d950ac6867990575e33c0bb4f49d9c5c84122a7affd3228e6df0629502f054c1e32a4062f88a6ce0bd4fc0e4ed6c473f2a0f1fb28329704d4ce56f

Download Submit
memory/580-77-0x0000000000090000-0x00000000000BF000-memory.dmp

Filesize
188KB

Download
memory/580-69-0x0000000000000000-mapping.dmp

Download
memory/580-75-0x0000000001FB0000-0x0000000002043000-memory.dmp

Filesize
588KB

Download
memory/580-74-0x00000000021E0000-0x00000000024E3000-memory.dmp

Filesize
3.0MB

Download
memory/580-73-0x0000000000090000-0x00000000000BF000-memory.dmp

Filesize
188KB

Download
memory/580-72-0x0000000000950000-0x0000000000964000-memory.dmp

Filesize
80KB

Download
memory/904-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/904-67-0x0000000000210000-0x0000000000224000-memory.dmp

Filesize
80KB

Download
memory/904-66-0x00000000008E0000-0x0000000000BE3000-memory.dmp

Filesize
3.0MB

Download
memory/904-63-0x000000000041F0D0-mapping.dmp

Download
memory/1284-68-0x0000000006A70000-0x0000000006BFB000-memory.dmp

Filesize
1.5MB

Download
memory/1284-76-0x0000000007D00000-0x0000000007E42000-memory.dmp

Filesize
1.3MB

Download
memory/1284-78-0x0000000007D00000-0x0000000007E42000-memory.dmp

Filesize
1.3MB

Download
memory/1380-54-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download
memory/1772-71-0x0000000000000000-mapping.dmp

Download
memory/2024-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads