formbook | 8a8bd03d6e56297acd34652142a5cb999089c75e28decf038c43eeccc14158ba

General

Target

fatura.hk.exe
Size

322KB
MD5

8104841622a72073beb0f28da060a864
SHA1

5b9b45998957d6742bb6a2c108702f2cdf298536
SHA256

8a8bd03d6e56297acd34652142a5cb999089c75e28decf038c43eeccc14158ba
SHA512

770b9561f0a2a3dca5eff576738cf088b127a46c1cfbe1cd521acf3c790f7a7ed99e00756d948ac80598c5227a48a1173f5a4cabbce5ee4c047525ed5672dca6
SSDEEP

6144:QBn1FyGPg0kL7SAoDYx0AbFfVB6wRNd8kyqZkJ4ocFOnLipUE9b33hkKb:gFLozv5oDY+AbFdDR78ZbQOemEV3Co

Score

10^/10

formbook tc10 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

tc10

Decoy

mwigyu.com

sepuluholx.com

nsdigitalagency.com

horrorkore.com

santaclaracoimbrakarate.com

myeternalsummer.com

laosmidnight-lotto.com

haremp.xyz

boyace.top

unusualwithdrawal.com

wildflowerkidsri.com

backlitvps.dev

topwellgas.com

k3nnsworld3.com

wanbang.xyz

cntvc.net

sjcamden.church

pussit24.com

claml.com

statisticsturkey.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1516-64-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1332-73-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/1332-77-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

ttuzgytoke.exettuzgytoke.exe

pid process

1740 ttuzgytoke.exe
1516 ttuzgytoke.exe
Loads dropped DLL 2 IoCs

Processes:

fatura.hk.exettuzgytoke.exe

pid process

864 fatura.hk.exe
1740 ttuzgytoke.exe

pid	process
1740	ttuzgytoke.exe
1516	ttuzgytoke.exe

pid	process
864	fatura.hk.exe
1740	ttuzgytoke.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

ttuzgytoke.exettuzgytoke.exeexplorer.exe

description	pid	process	target process
PID 1740 set thread context of 1516	1740	ttuzgytoke.exe	ttuzgytoke.exe
PID 1516 set thread context of 1212	1516	ttuzgytoke.exe	Explorer.EXE
PID 1332 set thread context of 1212	1332	explorer.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

ttuzgytoke.exeexplorer.exe

pid	process
1516	ttuzgytoke.exe
1516	ttuzgytoke.exe
1332	explorer.exe
1332	explorer.exe
1332	explorer.exe
1332	explorer.exe
1332	explorer.exe
1332	explorer.exe
1332	explorer.exe
1332	explorer.exe
1332	explorer.exe
1332	explorer.exe
1332	explorer.exe
1332	explorer.exe
1332	explorer.exe
1332	explorer.exe
1332	explorer.exe
1332	explorer.exe
1332	explorer.exe
1332	explorer.exe
1332	explorer.exe
1332	explorer.exe
1332	explorer.exe
1332	explorer.exe
1332	explorer.exe
1332	explorer.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

ttuzgytoke.exettuzgytoke.exeexplorer.exe

pid process

1740 ttuzgytoke.exe
1516 ttuzgytoke.exe
1516 ttuzgytoke.exe
1516 ttuzgytoke.exe
1332 explorer.exe
1332 explorer.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ttuzgytoke.exeexplorer.exe

description pid process

Token: SeDebugPrivilege 1516 ttuzgytoke.exe
Token: SeDebugPrivilege 1332 explorer.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1212 Explorer.EXE
1212 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1212 Explorer.EXE
1212 Explorer.EXE

pid	process
1740	ttuzgytoke.exe
1516	ttuzgytoke.exe
1516	ttuzgytoke.exe
1516	ttuzgytoke.exe
1332	explorer.exe
1332	explorer.exe

description	pid	process
Token: SeDebugPrivilege	1516	ttuzgytoke.exe
Token: SeDebugPrivilege	1332	explorer.exe

pid	process
1212	Explorer.EXE
1212	Explorer.EXE

pid	process
1212	Explorer.EXE
1212	Explorer.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

fatura.hk.exettuzgytoke.exeExplorer.EXEexplorer.exe

description	pid	process	target process
PID 864 wrote to memory of 1740	864	fatura.hk.exe	ttuzgytoke.exe
PID 864 wrote to memory of 1740	864	fatura.hk.exe	ttuzgytoke.exe
PID 864 wrote to memory of 1740	864	fatura.hk.exe	ttuzgytoke.exe
PID 864 wrote to memory of 1740	864	fatura.hk.exe	ttuzgytoke.exe
PID 1740 wrote to memory of 1516	1740	ttuzgytoke.exe	ttuzgytoke.exe
PID 1740 wrote to memory of 1516	1740	ttuzgytoke.exe	ttuzgytoke.exe
PID 1740 wrote to memory of 1516	1740	ttuzgytoke.exe	ttuzgytoke.exe
PID 1740 wrote to memory of 1516	1740	ttuzgytoke.exe	ttuzgytoke.exe
PID 1740 wrote to memory of 1516	1740	ttuzgytoke.exe	ttuzgytoke.exe
PID 1212 wrote to memory of 1332	1212	Explorer.EXE	explorer.exe
PID 1212 wrote to memory of 1332	1212	Explorer.EXE	explorer.exe
PID 1212 wrote to memory of 1332	1212	Explorer.EXE	explorer.exe
PID 1212 wrote to memory of 1332	1212	Explorer.EXE	explorer.exe
PID 1332 wrote to memory of 760	1332	explorer.exe	cmd.exe
PID 1332 wrote to memory of 760	1332	explorer.exe	cmd.exe
PID 1332 wrote to memory of 760	1332	explorer.exe	cmd.exe
PID 1332 wrote to memory of 760	1332	explorer.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Users\Admin\AppData\Local\Temp\fatura.hk.exe
  "C:\Users\Admin\AppData\Local\Temp\fatura.hk.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:864
- - C:\Users\Admin\AppData\Local\Temp\ttuzgytoke.exe
    "C:\Users\Admin\AppData\Local\Temp\ttuzgytoke.exe" C:\Users\Admin\AppData\Local\Temp\usbtj.t
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1740
  - - C:\Users\Admin\AppData\Local\Temp\ttuzgytoke.exe
      "C:\Users\Admin\AppData\Local\Temp\ttuzgytoke.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:1516
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\SysWOW64\explorer.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1332
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\ttuzgytoke.exe"
    3⤵
    PID:760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\iubxsew.h

Filesize
185KB

MD5
1c2c23901515e429615ead3767cac439

SHA1
2a8c43828771a38a3bb6981f831db04a386a2fa8

SHA256
b4fd5c0b6bfdbb3cbc377d385653babeabba1c4b12dffd70cfd66164bc5c7902

SHA512
ff14e44c3660818aa8b333ed36b8350a71b39c6f22ae0efc15dd22062be40a723fc8769498391adaaaf67104a997862eca0feb5b048567b77bf86235c89504ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\ttuzgytoke.exe

Filesize
267KB

MD5
1dd0df5125aa1c11275e8a33ba56eea7

SHA1
878ab8459a03a9cb01e40cd3d7327d9f91ccf59c

SHA256
39eacec35a4f52bc22462f94b54dba43d0863e7e8802b7f22995a59438853385

SHA512
f82439a04da4600cb2d2370d01339f4ef32b5b737b2726c27cb00a7cc319efea4e4e0d5e00d2e2cfcecad1d9494fcdf359139f93be635948e1f42f3c89c8859b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ttuzgytoke.exe

Filesize
267KB

MD5
1dd0df5125aa1c11275e8a33ba56eea7

SHA1
878ab8459a03a9cb01e40cd3d7327d9f91ccf59c

SHA256
39eacec35a4f52bc22462f94b54dba43d0863e7e8802b7f22995a59438853385

SHA512
f82439a04da4600cb2d2370d01339f4ef32b5b737b2726c27cb00a7cc319efea4e4e0d5e00d2e2cfcecad1d9494fcdf359139f93be635948e1f42f3c89c8859b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ttuzgytoke.exe

Filesize
267KB

MD5
1dd0df5125aa1c11275e8a33ba56eea7

SHA1
878ab8459a03a9cb01e40cd3d7327d9f91ccf59c

SHA256
39eacec35a4f52bc22462f94b54dba43d0863e7e8802b7f22995a59438853385

SHA512
f82439a04da4600cb2d2370d01339f4ef32b5b737b2726c27cb00a7cc319efea4e4e0d5e00d2e2cfcecad1d9494fcdf359139f93be635948e1f42f3c89c8859b

Download Submit
C:\Users\Admin\AppData\Local\Temp\usbtj.t

Filesize
5KB

MD5
1d38231c9e7aa6467bcab6ffe0451159

SHA1
de6aa8f5a9045cfd11af655c57be35d658c549f6

SHA256
df74eb7933d7fe22e390632f5361b04a6dadd9bad0bc5f2d8d69d91f0be91823

SHA512
1d250a3c2bc04c5fef6cbf8c4061619984cdc80cc78407e18941b908dd6d8bf3c9a9cc2afca091858601e6f65b3b05619dccd5ee1c5196783b944c2c66864715

Download Submit
\Users\Admin\AppData\Local\Temp\ttuzgytoke.exe

Filesize
267KB

MD5
1dd0df5125aa1c11275e8a33ba56eea7

SHA1
878ab8459a03a9cb01e40cd3d7327d9f91ccf59c

SHA256
39eacec35a4f52bc22462f94b54dba43d0863e7e8802b7f22995a59438853385

SHA512
f82439a04da4600cb2d2370d01339f4ef32b5b737b2726c27cb00a7cc319efea4e4e0d5e00d2e2cfcecad1d9494fcdf359139f93be635948e1f42f3c89c8859b

Download Submit
\Users\Admin\AppData\Local\Temp\ttuzgytoke.exe

Filesize
267KB

MD5
1dd0df5125aa1c11275e8a33ba56eea7

SHA1
878ab8459a03a9cb01e40cd3d7327d9f91ccf59c

SHA256
39eacec35a4f52bc22462f94b54dba43d0863e7e8802b7f22995a59438853385

SHA512
f82439a04da4600cb2d2370d01339f4ef32b5b737b2726c27cb00a7cc319efea4e4e0d5e00d2e2cfcecad1d9494fcdf359139f93be635948e1f42f3c89c8859b

Download Submit
memory/760-71-0x0000000000000000-mapping.dmp

Download
memory/864-54-0x0000000076261000-0x0000000076263000-memory.dmp

Filesize
8KB

Download
memory/1212-67-0x0000000006490000-0x000000000662A000-memory.dmp

Filesize
1.6MB

Download
memory/1212-78-0x00000000074C0000-0x0000000007620000-memory.dmp

Filesize
1.4MB

Download
memory/1212-76-0x00000000074C0000-0x0000000007620000-memory.dmp

Filesize
1.4MB

Download
memory/1332-73-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1332-68-0x0000000000000000-mapping.dmp

Download
memory/1332-70-0x0000000075121000-0x0000000075123000-memory.dmp

Filesize
8KB

Download
memory/1332-72-0x00000000000F0000-0x0000000000371000-memory.dmp

Filesize
2.5MB

Download
memory/1332-74-0x00000000021B0000-0x00000000024B3000-memory.dmp

Filesize
3.0MB

Download
memory/1332-75-0x0000000002050000-0x00000000020E3000-memory.dmp

Filesize
588KB

Download
memory/1332-77-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1516-66-0x0000000000280000-0x0000000000294000-memory.dmp

Filesize
80KB

Download
memory/1516-65-0x0000000000910000-0x0000000000C13000-memory.dmp

Filesize
3.0MB

Download
memory/1516-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1516-62-0x000000000041F0E0-mapping.dmp

Download
memory/1740-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads