formbook | 890f77a5e151d7e87c3a0a953f471fb964e00644b798f37b566100d61b5f35ee

General

Target

e-dekont.html.exe
Size

213KB
MD5

eb9d6d2df1cbcca4f5d82c2832a7c0a1
SHA1

7749b8248b8da350dffa42d06763ffe5ecd5068b
SHA256

890f77a5e151d7e87c3a0a953f471fb964e00644b798f37b566100d61b5f35ee
SHA512

f7e557fae3f6376e51ed53762ea7f7bea032c91097347d04f17b1897016b3a82301d7ee3fe12835c229657617ef62cbe13eacddcf82cd2774584e2d2a0e2642c
SSDEEP

6144:QBn1tLOFNRnx6BSe8GtF9XMuXOPNjNu/C:gYyBSLGtXXMuXR6

Score

10^/10

formbook mi08 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mi08

Decoy

mytimebabes.com

ycpxb.com

abdkaplani.com

cloudingersoftech.com

fthfire.xyz

christyna.work

3d-add-on.com

knowyourtechdeals.com

kcl24.com

sepatubiker.com

sunnyboy.live

zrbsq.com

rinpari.com

lesac-berra.com

yes820.com

cnnorman.com

mystichousedv.com

sbobet888auto.com

gawiul.xyz

luispenas.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/948-64-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1624-70-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/1624-75-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

guxhskl.exeguxhskl.exe

pid process

1952 guxhskl.exe
948 guxhskl.exe
Loads dropped DLL 2 IoCs

Processes:

e-dekont.html.exeguxhskl.exe

pid process

1376 e-dekont.html.exe
1952 guxhskl.exe

pid	process
1952	guxhskl.exe
948	guxhskl.exe

pid	process
1376	e-dekont.html.exe
1952	guxhskl.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

guxhskl.exeguxhskl.exeNAPSTAT.EXE

description	pid	process	target process
PID 1952 set thread context of 948	1952	guxhskl.exe	guxhskl.exe
PID 948 set thread context of 1240	948	guxhskl.exe	Explorer.EXE
PID 1624 set thread context of 1240	1624	NAPSTAT.EXE	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

guxhskl.exeNAPSTAT.EXE

pid	process
948	guxhskl.exe
948	guxhskl.exe
1624	NAPSTAT.EXE
1624	NAPSTAT.EXE
1624	NAPSTAT.EXE
1624	NAPSTAT.EXE
1624	NAPSTAT.EXE
1624	NAPSTAT.EXE
1624	NAPSTAT.EXE
1624	NAPSTAT.EXE
1624	NAPSTAT.EXE
1624	NAPSTAT.EXE
1624	NAPSTAT.EXE
1624	NAPSTAT.EXE
1624	NAPSTAT.EXE
1624	NAPSTAT.EXE
1624	NAPSTAT.EXE
1624	NAPSTAT.EXE
1624	NAPSTAT.EXE
1624	NAPSTAT.EXE
1624	NAPSTAT.EXE
1624	NAPSTAT.EXE
1624	NAPSTAT.EXE
1624	NAPSTAT.EXE
1624	NAPSTAT.EXE
1624	NAPSTAT.EXE
1624	NAPSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1240 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

guxhskl.exeguxhskl.exeNAPSTAT.EXE

pid process

1952 guxhskl.exe
948 guxhskl.exe
948 guxhskl.exe
948 guxhskl.exe
1624 NAPSTAT.EXE
1624 NAPSTAT.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

guxhskl.exeNAPSTAT.EXE

description pid process

Token: SeDebugPrivilege 948 guxhskl.exe
Token: SeDebugPrivilege 1624 NAPSTAT.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1240 Explorer.EXE
1240 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1240 Explorer.EXE
1240 Explorer.EXE

pid	process
1240	Explorer.EXE

pid	process
1952	guxhskl.exe
948	guxhskl.exe
948	guxhskl.exe
948	guxhskl.exe
1624	NAPSTAT.EXE
1624	NAPSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	948	guxhskl.exe
Token: SeDebugPrivilege	1624	NAPSTAT.EXE

pid	process
1240	Explorer.EXE
1240	Explorer.EXE

pid	process
1240	Explorer.EXE
1240	Explorer.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

e-dekont.html.exeguxhskl.exeExplorer.EXENAPSTAT.EXE

description	pid	process	target process
PID 1376 wrote to memory of 1952	1376	e-dekont.html.exe	guxhskl.exe
PID 1376 wrote to memory of 1952	1376	e-dekont.html.exe	guxhskl.exe
PID 1376 wrote to memory of 1952	1376	e-dekont.html.exe	guxhskl.exe
PID 1376 wrote to memory of 1952	1376	e-dekont.html.exe	guxhskl.exe
PID 1952 wrote to memory of 948	1952	guxhskl.exe	guxhskl.exe
PID 1952 wrote to memory of 948	1952	guxhskl.exe	guxhskl.exe
PID 1952 wrote to memory of 948	1952	guxhskl.exe	guxhskl.exe
PID 1952 wrote to memory of 948	1952	guxhskl.exe	guxhskl.exe
PID 1952 wrote to memory of 948	1952	guxhskl.exe	guxhskl.exe
PID 1240 wrote to memory of 1624	1240	Explorer.EXE	NAPSTAT.EXE
PID 1240 wrote to memory of 1624	1240	Explorer.EXE	NAPSTAT.EXE
PID 1240 wrote to memory of 1624	1240	Explorer.EXE	NAPSTAT.EXE
PID 1240 wrote to memory of 1624	1240	Explorer.EXE	NAPSTAT.EXE
PID 1624 wrote to memory of 1760	1624	NAPSTAT.EXE	cmd.exe
PID 1624 wrote to memory of 1760	1624	NAPSTAT.EXE	cmd.exe
PID 1624 wrote to memory of 1760	1624	NAPSTAT.EXE	cmd.exe
PID 1624 wrote to memory of 1760	1624	NAPSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1240

C:\Users\Admin\AppData\Local\Temp\e-dekont.html.exe
"C:\Users\Admin\AppData\Local\Temp\e-dekont.html.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1376

C:\Users\Admin\AppData\Local\Temp\guxhskl.exe
"C:\Users\Admin\AppData\Local\Temp\guxhskl.exe" C:\Users\Admin\AppData\Local\Temp\cqprpnp.at
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1952

C:\Users\Admin\AppData\Local\Temp\guxhskl.exe
"C:\Users\Admin\AppData\Local\Temp\guxhskl.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:948

C:\Windows\SysWOW64\NAPSTAT.EXE
"C:\Windows\SysWOW64\NAPSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\guxhskl.exe"
3⤵
PID:1760

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cqprpnp.at
Filesize
5KB

MD5
13955dd417218e1663c6417a168b0222

SHA1
f7a0d32839e19cc2a51952ad9fb91b5f94dd1d58

SHA256
a01e4a1819964f8d7e760b47b03031ecb4c15d271d9e6bb975920c5f8d883bb9

SHA512
a076847926dcf65de7a8cf57c2af511b6cf327e829dba9b261c7dac253ab5c705c94cbc878cfb5810e3343aaf3f3f93d393dd4190ebc07e4e3bb74e2a78273db

Download Submit
C:\Users\Admin\AppData\Local\Temp\guxhskl.exe
Filesize
12KB

MD5
53cd66a038a6234bb252521b3f4c4991

SHA1
c13359ad3ad9ef190ed2e7b6b35513bc92e32b52

SHA256
0e519fe0eb831d5e0e6f2f6cf27e03316b736a4321317f758eee4388a3eb141c

SHA512
260fb4d29298ca7dc17e8c8d15100b66e3c285fe4942aa52c30bf3de196ada540b3696dc450f04be6d56c1074489001537184d87cfb8188459b7b58716c34c37

Download Submit
C:\Users\Admin\AppData\Local\Temp\guxhskl.exe
Filesize
12KB

MD5
53cd66a038a6234bb252521b3f4c4991

SHA1
c13359ad3ad9ef190ed2e7b6b35513bc92e32b52

SHA256
0e519fe0eb831d5e0e6f2f6cf27e03316b736a4321317f758eee4388a3eb141c

SHA512
260fb4d29298ca7dc17e8c8d15100b66e3c285fe4942aa52c30bf3de196ada540b3696dc450f04be6d56c1074489001537184d87cfb8188459b7b58716c34c37

Download Submit
C:\Users\Admin\AppData\Local\Temp\guxhskl.exe
Filesize
12KB

MD5
53cd66a038a6234bb252521b3f4c4991

SHA1
c13359ad3ad9ef190ed2e7b6b35513bc92e32b52

SHA256
0e519fe0eb831d5e0e6f2f6cf27e03316b736a4321317f758eee4388a3eb141c

SHA512
260fb4d29298ca7dc17e8c8d15100b66e3c285fe4942aa52c30bf3de196ada540b3696dc450f04be6d56c1074489001537184d87cfb8188459b7b58716c34c37

Download Submit
C:\Users\Admin\AppData\Local\Temp\shaibhbjn.eg
Filesize
185KB

MD5
c696717afaeea1d981c54cdd3467d8de

SHA1
96a6235043de003f510eb495a15528fc8e88f991

SHA256
f6735888147364d3120346df6fa87f594b3a108a0a6550907376e51cb50dda36

SHA512
89197eda49bb1ed6409e0c847238f2ab79476ec2080b8b023891cc705228e2f4ad8b4d31629e1561502d58896213fce65522e1eae95efc227b435025b73caf05

Download Submit
\Users\Admin\AppData\Local\Temp\guxhskl.exe
Filesize
12KB

MD5
53cd66a038a6234bb252521b3f4c4991

SHA1
c13359ad3ad9ef190ed2e7b6b35513bc92e32b52

SHA256
0e519fe0eb831d5e0e6f2f6cf27e03316b736a4321317f758eee4388a3eb141c

SHA512
260fb4d29298ca7dc17e8c8d15100b66e3c285fe4942aa52c30bf3de196ada540b3696dc450f04be6d56c1074489001537184d87cfb8188459b7b58716c34c37

Download Submit
\Users\Admin\AppData\Local\Temp\guxhskl.exe
Filesize
12KB

MD5
53cd66a038a6234bb252521b3f4c4991

SHA1
c13359ad3ad9ef190ed2e7b6b35513bc92e32b52

SHA256
0e519fe0eb831d5e0e6f2f6cf27e03316b736a4321317f758eee4388a3eb141c

SHA512
260fb4d29298ca7dc17e8c8d15100b66e3c285fe4942aa52c30bf3de196ada540b3696dc450f04be6d56c1074489001537184d87cfb8188459b7b58716c34c37

Download Submit
memory/948-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/948-65-0x0000000000910000-0x0000000000C13000-memory.dmp

Filesize
3.0MB

Download
memory/948-66-0x00000000001D0000-0x00000000001E5000-memory.dmp

Filesize
84KB

Download
memory/948-62-0x000000000041F020-mapping.dmp

Download
memory/1240-74-0x0000000007200000-0x0000000007361000-memory.dmp

Filesize
1.4MB

Download
memory/1240-76-0x0000000007200000-0x0000000007361000-memory.dmp

Filesize
1.4MB

Download
memory/1240-67-0x0000000006AF0000-0x0000000006C9C000-memory.dmp

Filesize
1.7MB

Download
memory/1376-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1624-68-0x0000000000000000-mapping.dmp

Download
memory/1624-70-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1624-72-0x0000000002040000-0x0000000002343000-memory.dmp

Filesize
3.0MB

Download
memory/1624-73-0x0000000000790000-0x0000000000824000-memory.dmp

Filesize
592KB

Download
memory/1624-69-0x00000000008D0000-0x0000000000916000-memory.dmp

Filesize
280KB

Download
memory/1624-75-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1760-71-0x0000000000000000-mapping.dmp

Download
memory/1952-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads