formbook | 7a0e92402659c86d9da6faf33be3817996718051ea564e34aa43a41606df7be6

General

Target

7a0e92402659c86d9da6faf33be3817996718051ea564e34aa43a41606df7be6.exe
Size

321KB
MD5

6bd52c8274a35c39740da9b52b4c7ef0
SHA1

0754724c922472de6048b5c5595f520f2b93e46e
SHA256

7a0e92402659c86d9da6faf33be3817996718051ea564e34aa43a41606df7be6
SHA512

24e3e05f7db606d1305fab3ab2cb8619cbec90afb81b1a2fafd528581fa04a04c9c3279f0cf6955f8a2e0114acfc70e29be1d10e426b1804c2b4bcb5123c52c7
SSDEEP

6144:9kwv4ysH1jEdoS3dMxsCfld0k1STCESE6pkOgyIuSqYXAHrHa2fI+CUO:jslEliffld0PUkOguSBAHu2W

Score

10^/10

formbook lt63 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

lt63

Decoy

fortrantelecom.africa

ffafa.buzz

bullybrain.com

ekeisolutions.com

lamiamira.com

noahsark.xyz

beautyby-eve.com

cloudfatory.com

12443.football

hataykultur.online

donqu3.sexy

breakthroughaustralia.com

havengpe.com

cpxlocatup.info

corefourpartners.com

amonefintech.com

thithombo.africa

bassmaty.store

fdshdsr.top

lifesoapsimple.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/4292-139-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/4604-145-0x0000000000CC0000-0x0000000000CEF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

ovwid.exeovwid.exe

pid process

5100 ovwid.exe
4292 ovwid.exe

pid	process
5100	ovwid.exe
4292	ovwid.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

ovwid.exeovwid.exemstsc.exe

description	pid	process	target process
PID 5100 set thread context of 4292	5100	ovwid.exe	ovwid.exe
PID 4292 set thread context of 2700	4292	ovwid.exe	Explorer.EXE
PID 4604 set thread context of 2700	4604	mstsc.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

ovwid.exemstsc.exe

pid	process
4292	ovwid.exe
4292	ovwid.exe
4292	ovwid.exe
4292	ovwid.exe
4604	mstsc.exe
4604	mstsc.exe
4604	mstsc.exe
4604	mstsc.exe
4604	mstsc.exe
4604	mstsc.exe
4604	mstsc.exe
4604	mstsc.exe
4604	mstsc.exe
4604	mstsc.exe
4604	mstsc.exe
4604	mstsc.exe
4604	mstsc.exe
4604	mstsc.exe
4604	mstsc.exe
4604	mstsc.exe
4604	mstsc.exe
4604	mstsc.exe
4604	mstsc.exe
4604	mstsc.exe
4604	mstsc.exe
4604	mstsc.exe
4604	mstsc.exe
4604	mstsc.exe
4604	mstsc.exe
4604	mstsc.exe
4604	mstsc.exe
4604	mstsc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2700 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

ovwid.exeovwid.exemstsc.exe

pid process

5100 ovwid.exe
4292 ovwid.exe
4292 ovwid.exe
4292 ovwid.exe
4604 mstsc.exe
4604 mstsc.exe

pid	process
2700	Explorer.EXE

pid	process
5100	ovwid.exe
4292	ovwid.exe
4292	ovwid.exe
4292	ovwid.exe
4604	mstsc.exe
4604	mstsc.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

ovwid.exemstsc.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	4292	ovwid.exe
Token: SeDebugPrivilege	4604	mstsc.exe
Token: SeShutdownPrivilege	2700	Explorer.EXE
Token: SeCreatePagefilePrivilege	2700	Explorer.EXE
Token: SeShutdownPrivilege	2700	Explorer.EXE
Token: SeCreatePagefilePrivilege	2700	Explorer.EXE
Token: SeShutdownPrivilege	2700	Explorer.EXE
Token: SeCreatePagefilePrivilege	2700	Explorer.EXE
Token: SeShutdownPrivilege	2700	Explorer.EXE
Token: SeCreatePagefilePrivilege	2700	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

7a0e92402659c86d9da6faf33be3817996718051ea564e34aa43a41606df7be6.exeovwid.exeExplorer.EXEmstsc.exe

description	pid	process	target process
PID 2248 wrote to memory of 5100	2248	7a0e92402659c86d9da6faf33be3817996718051ea564e34aa43a41606df7be6.exe	ovwid.exe
PID 2248 wrote to memory of 5100	2248	7a0e92402659c86d9da6faf33be3817996718051ea564e34aa43a41606df7be6.exe	ovwid.exe
PID 2248 wrote to memory of 5100	2248	7a0e92402659c86d9da6faf33be3817996718051ea564e34aa43a41606df7be6.exe	ovwid.exe
PID 5100 wrote to memory of 4292	5100	ovwid.exe	ovwid.exe
PID 5100 wrote to memory of 4292	5100	ovwid.exe	ovwid.exe
PID 5100 wrote to memory of 4292	5100	ovwid.exe	ovwid.exe
PID 5100 wrote to memory of 4292	5100	ovwid.exe	ovwid.exe
PID 2700 wrote to memory of 4604	2700	Explorer.EXE	mstsc.exe
PID 2700 wrote to memory of 4604	2700	Explorer.EXE	mstsc.exe
PID 2700 wrote to memory of 4604	2700	Explorer.EXE	mstsc.exe
PID 4604 wrote to memory of 3616	4604	mstsc.exe	cmd.exe
PID 4604 wrote to memory of 3616	4604	mstsc.exe	cmd.exe
PID 4604 wrote to memory of 3616	4604	mstsc.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Users\Admin\AppData\Local\Temp\7a0e92402659c86d9da6faf33be3817996718051ea564e34aa43a41606df7be6.exe
  "C:\Users\Admin\AppData\Local\Temp\7a0e92402659c86d9da6faf33be3817996718051ea564e34aa43a41606df7be6.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Users\Admin\AppData\Local\Temp\ovwid.exe
    "C:\Users\Admin\AppData\Local\Temp\ovwid.exe" C:\Users\Admin\AppData\Local\Temp\rrsopjtftd.p
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:5100
  - - C:\Users\Admin\AppData\Local\Temp\ovwid.exe
      "C:\Users\Admin\AppData\Local\Temp\ovwid.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:4292
- C:\Windows\SysWOW64\mstsc.exe
  "C:\Windows\SysWOW64\mstsc.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4604
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\ovwid.exe"
    3⤵
    PID:3616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cqdkrcshwhw.w

Filesize
185KB

MD5
7e02dcac3d442f6e3a36de2b65661c8a

SHA1
5057ac4eff50e36d8c1a767b8f35accf7db4a5ee

SHA256
846b04da46b952747476b98c2cb6071faedc8d5ef0ca7f7a320b92fa299248fd

SHA512
f6976c1060780888f7f1dfb31edba6f89d8096134cd693ef9fb1ebb97fb06d42fd5a437d4da6d7bddb354d17f72e661f8140310dd8837468bdf59a648a81f32c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ovwid.exe

Filesize
276KB

MD5
a5cc35863cadeb24f827d9daa513c424

SHA1
0584250d8f5b06a11afbd3071547c6719adf02a4

SHA256
46590fb8724e192cff8f18ccf4188f9cb2bd8661cbc1141cc15623775ad46a5c

SHA512
32761ac38ab4c9b9f99bd767476b35fdecff67af8dcd678b6c449a4cebfe0c1bb040b5b8d31ba046566d2a612865709088494d90d4825ec7e8353e37ac0a7098

Download Submit
C:\Users\Admin\AppData\Local\Temp\ovwid.exe

Filesize
276KB

MD5
a5cc35863cadeb24f827d9daa513c424

SHA1
0584250d8f5b06a11afbd3071547c6719adf02a4

SHA256
46590fb8724e192cff8f18ccf4188f9cb2bd8661cbc1141cc15623775ad46a5c

SHA512
32761ac38ab4c9b9f99bd767476b35fdecff67af8dcd678b6c449a4cebfe0c1bb040b5b8d31ba046566d2a612865709088494d90d4825ec7e8353e37ac0a7098

Download Submit
C:\Users\Admin\AppData\Local\Temp\ovwid.exe

Filesize
276KB

MD5
a5cc35863cadeb24f827d9daa513c424

SHA1
0584250d8f5b06a11afbd3071547c6719adf02a4

SHA256
46590fb8724e192cff8f18ccf4188f9cb2bd8661cbc1141cc15623775ad46a5c

SHA512
32761ac38ab4c9b9f99bd767476b35fdecff67af8dcd678b6c449a4cebfe0c1bb040b5b8d31ba046566d2a612865709088494d90d4825ec7e8353e37ac0a7098

Download Submit
C:\Users\Admin\AppData\Local\Temp\rrsopjtftd.p

Filesize
5KB

MD5
56286c4878d09104d3b70a79a461c288

SHA1
0454937ba6a485ef7893e0a37cb576e3b31c55e6

SHA256
2f34ec04e1cefc4bb24065ebaacf3e607c86a9f65976d098356735b546b7c029

SHA512
61944319fb9f54f948bf5e27dc3db5dfa50319a2e5ce4061490370e78b8e07796f02f153ca8ef6a72b43bef6fdcfb77940b7c175d068f2705619f29c8fd74ec1

Download Submit
memory/2700-142-0x0000000008EC0000-0x0000000009050000-memory.dmp

Filesize
1.6MB

Download
memory/2700-157-0x0000000003360000-0x0000000003370000-memory.dmp

Filesize
64KB

Download
memory/2700-161-0x0000000003530000-0x0000000003540000-memory.dmp

Filesize
64KB

Download
memory/2700-160-0x0000000003520000-0x0000000003530000-memory.dmp

Filesize
64KB

Download
memory/2700-159-0x0000000001310000-0x0000000001320000-memory.dmp

Filesize
64KB

Download
memory/2700-153-0x0000000003360000-0x0000000003370000-memory.dmp

Filesize
64KB

Download
memory/2700-158-0x0000000003360000-0x0000000003370000-memory.dmp

Filesize
64KB

Download
memory/2700-162-0x0000000003530000-0x0000000003540000-memory.dmp

Filesize
64KB

Download
memory/2700-156-0x0000000003360000-0x0000000003370000-memory.dmp

Filesize
64KB

Download
memory/2700-155-0x0000000009050000-0x000000000914D000-memory.dmp

Filesize
1012KB

Download
memory/2700-147-0x0000000008EC0000-0x0000000009050000-memory.dmp

Filesize
1.6MB

Download
memory/2700-163-0x0000000003530000-0x0000000003540000-memory.dmp

Filesize
64KB

Download
memory/2700-149-0x0000000001310000-0x0000000001320000-memory.dmp

Filesize
64KB

Download
memory/2700-154-0x0000000003360000-0x0000000003370000-memory.dmp

Filesize
64KB

Download
memory/2700-151-0x0000000009050000-0x000000000914D000-memory.dmp

Filesize
1012KB

Download
memory/2700-152-0x0000000001310000-0x0000000001320000-memory.dmp

Filesize
64KB

Download
memory/3616-148-0x0000000000000000-mapping.dmp

Download
memory/4292-141-0x00000000008D0000-0x00000000008E4000-memory.dmp

Filesize
80KB

Download
memory/4292-140-0x0000000000B10000-0x0000000000E5A000-memory.dmp

Filesize
3.3MB

Download
memory/4292-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4292-137-0x0000000000000000-mapping.dmp

Download
memory/4604-150-0x0000000002A90000-0x0000000002B23000-memory.dmp

Filesize
588KB

Download
memory/4604-146-0x0000000002BF0000-0x0000000002F3A000-memory.dmp

Filesize
3.3MB

Download
memory/4604-145-0x0000000000CC0000-0x0000000000CEF000-memory.dmp

Filesize
188KB

Download
memory/4604-144-0x0000000000500000-0x000000000063A000-memory.dmp

Filesize
1.2MB

Download
memory/4604-143-0x0000000000000000-mapping.dmp

Download
memory/5100-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads