formbook | 7eb67be31871fe9316bbb2ba993b6dfd13cb9e7e04a2e1091b934746399e5293

General

Target

e17b0be6e0c42a0c39c5da63523af8d8.exe
Size

530KB
MD5

e17b0be6e0c42a0c39c5da63523af8d8
SHA1

c374934cf78e71069fc628de57b3ea15fff4c36c
SHA256

7eb67be31871fe9316bbb2ba993b6dfd13cb9e7e04a2e1091b934746399e5293
SHA512

1ba4983c40c19726d49b8dc73bbf9da2de7f3c53733f4264c4d731d75ae1f3e08718ecd9cba3a99d24295af5115a9449aed498259ac5c3fecf0a331c87cc4089
SSDEEP

6144:ukwxeWkEM+08FjAOpwh0eEnt4KHz/aOfL40QfkhzJtnXXXdxspXEWYUPwH:IHM+bsOpwh0lnt4NgIMhz3nHXTsmoPwH

Score

10^/10

formbook wh23 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

wh23

Decoy

ow9vyvfee.com

alvis.one

mutantgobz.claims

plynofon.com

southofkingst.store

nuvidamedspa.com

coffeeforyou56.com

opaletechevents.com

momobar.life

abcmousu.com

learnicd-11.com

tipokin.xyz

kahvezevki.com

suratdimond.com

oldartists.best

infoepic.info

mattresslabo.com

skarlmotors.com

cl9319x.xyz

med49app.net

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/800-65-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/800-72-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/628-76-0x0000000000090000-0x00000000000BF000-memory.dmp	formbook
behavioral1/memory/628-80-0x0000000000090000-0x00000000000BF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

myxwn.exemyxwn.exe

pid process

1960 myxwn.exe
800 myxwn.exe
Loads dropped DLL 3 IoCs

Processes:

e17b0be6e0c42a0c39c5da63523af8d8.exemyxwn.exe

pid process

1992 e17b0be6e0c42a0c39c5da63523af8d8.exe
1992 e17b0be6e0c42a0c39c5da63523af8d8.exe
1960 myxwn.exe

pid	process
1960	myxwn.exe
800	myxwn.exe

pid	process
1992	e17b0be6e0c42a0c39c5da63523af8d8.exe
1992	e17b0be6e0c42a0c39c5da63523af8d8.exe
1960	myxwn.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

myxwn.exemyxwn.exemsiexec.exe

description	pid	process	target process
PID 1960 set thread context of 800	1960	myxwn.exe	myxwn.exe
PID 800 set thread context of 1248	800	myxwn.exe	Explorer.EXE
PID 800 set thread context of 1248	800	myxwn.exe	Explorer.EXE
PID 628 set thread context of 1248	628	msiexec.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

myxwn.exemsiexec.exe

pid	process
800	myxwn.exe
800	myxwn.exe
800	myxwn.exe
628	msiexec.exe
628	msiexec.exe
628	msiexec.exe
628	msiexec.exe
628	msiexec.exe
628	msiexec.exe
628	msiexec.exe
628	msiexec.exe
628	msiexec.exe
628	msiexec.exe
628	msiexec.exe
628	msiexec.exe
628	msiexec.exe
628	msiexec.exe
628	msiexec.exe
628	msiexec.exe
628	msiexec.exe
628	msiexec.exe
628	msiexec.exe
628	msiexec.exe
628	msiexec.exe
628	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1248 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

myxwn.exemyxwn.exemsiexec.exe

pid process

1960 myxwn.exe
800 myxwn.exe
800 myxwn.exe
800 myxwn.exe
800 myxwn.exe
628 msiexec.exe
628 msiexec.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

myxwn.exemsiexec.exeExplorer.EXE

description pid process

Token: SeDebugPrivilege 800 myxwn.exe
Token: SeDebugPrivilege 628 msiexec.exe
Token: SeShutdownPrivilege 1248 Explorer.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1248 Explorer.EXE
1248 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1248 Explorer.EXE
1248 Explorer.EXE

pid	process
1248	Explorer.EXE

pid	process
1960	myxwn.exe
800	myxwn.exe
800	myxwn.exe
800	myxwn.exe
800	myxwn.exe
628	msiexec.exe
628	msiexec.exe

description	pid	process
Token: SeDebugPrivilege	800	myxwn.exe
Token: SeDebugPrivilege	628	msiexec.exe
Token: SeShutdownPrivilege	1248	Explorer.EXE

pid	process
1248	Explorer.EXE
1248	Explorer.EXE

pid	process
1248	Explorer.EXE
1248	Explorer.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

e17b0be6e0c42a0c39c5da63523af8d8.exemyxwn.exemyxwn.exemsiexec.exe

description	pid	process	target process
PID 1992 wrote to memory of 1960	1992	e17b0be6e0c42a0c39c5da63523af8d8.exe	myxwn.exe
PID 1992 wrote to memory of 1960	1992	e17b0be6e0c42a0c39c5da63523af8d8.exe	myxwn.exe
PID 1992 wrote to memory of 1960	1992	e17b0be6e0c42a0c39c5da63523af8d8.exe	myxwn.exe
PID 1992 wrote to memory of 1960	1992	e17b0be6e0c42a0c39c5da63523af8d8.exe	myxwn.exe
PID 1960 wrote to memory of 800	1960	myxwn.exe	myxwn.exe
PID 1960 wrote to memory of 800	1960	myxwn.exe	myxwn.exe
PID 1960 wrote to memory of 800	1960	myxwn.exe	myxwn.exe
PID 1960 wrote to memory of 800	1960	myxwn.exe	myxwn.exe
PID 1960 wrote to memory of 800	1960	myxwn.exe	myxwn.exe
PID 800 wrote to memory of 628	800	myxwn.exe	msiexec.exe
PID 800 wrote to memory of 628	800	myxwn.exe	msiexec.exe
PID 800 wrote to memory of 628	800	myxwn.exe	msiexec.exe
PID 800 wrote to memory of 628	800	myxwn.exe	msiexec.exe
PID 800 wrote to memory of 628	800	myxwn.exe	msiexec.exe
PID 800 wrote to memory of 628	800	myxwn.exe	msiexec.exe
PID 800 wrote to memory of 628	800	myxwn.exe	msiexec.exe
PID 628 wrote to memory of 1128	628	msiexec.exe	cmd.exe
PID 628 wrote to memory of 1128	628	msiexec.exe	cmd.exe
PID 628 wrote to memory of 1128	628	msiexec.exe	cmd.exe
PID 628 wrote to memory of 1128	628	msiexec.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1248

C:\Users\Admin\AppData\Local\Temp\e17b0be6e0c42a0c39c5da63523af8d8.exe
"C:\Users\Admin\AppData\Local\Temp\e17b0be6e0c42a0c39c5da63523af8d8.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1992

C:\Users\Admin\AppData\Local\Temp\myxwn.exe
"C:\Users\Admin\AppData\Local\Temp\myxwn.exe" C:\Users\Admin\AppData\Local\Temp\getlceffch.gqb
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1960

C:\Users\Admin\AppData\Local\Temp\myxwn.exe
"C:\Users\Admin\AppData\Local\Temp\myxwn.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:800

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\myxwn.exe"
6⤵
PID:1128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\eilfol.tsc
Filesize
185KB

MD5
663d2953e8beddc4a08aca27a1145112

SHA1
3293e912d9661b2736ca8d403250590eb2d5164d

SHA256
2aa0a26b9a38b19c34c10e53834ec199fc87cbfea15e8babee582a3df331b9cb

SHA512
30581e1321f0165abcfcc908e15877f080dad2bf7bbedb24fa8e8baee3176097d7f43c5e59076f095c3929438b4e5740e1871ab3716c338e765c4d3d011a630a

Download Submit
C:\Users\Admin\AppData\Local\Temp\getlceffch.gqb
Filesize
6KB

MD5
e6d82eb1bea9bca087062e488dfd575e

SHA1
5ec22cec8805d965d6dac1719976bef32867b595

SHA256
ad495d0d0e35a6ab15c042e900e0dfc20197ef36153e15559e0fdaef4c541230

SHA512
6ef986b00509140137d51f114ecdf7b92c1008c3fae513579634ed202f1fc4e34ba904db48cbf092cf8d12c0a5e84cc5b2a0d61e95c03f4006eca3f190f80fd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\myxwn.exe
Filesize
276KB

MD5
2afdd35f6df6b6cbf8f3500822625d70

SHA1
2efd81cdd798b38908b63a7a8ae88806e5234a1d

SHA256
393af45214ac518895d3178055bee95f70264bdc65ca7b97f4c564daf95943c8

SHA512
b49476cddd05b3b003bb326e0f02a78eea6021f5087c4c6cd55d306ccfb061fc8510ffa44b59a96e3cd0a7c91c037989a691561b0234f3672be08194a5825359

Download Submit
C:\Users\Admin\AppData\Local\Temp\myxwn.exe
Filesize
276KB

MD5
2afdd35f6df6b6cbf8f3500822625d70

SHA1
2efd81cdd798b38908b63a7a8ae88806e5234a1d

SHA256
393af45214ac518895d3178055bee95f70264bdc65ca7b97f4c564daf95943c8

SHA512
b49476cddd05b3b003bb326e0f02a78eea6021f5087c4c6cd55d306ccfb061fc8510ffa44b59a96e3cd0a7c91c037989a691561b0234f3672be08194a5825359

Download Submit
C:\Users\Admin\AppData\Local\Temp\myxwn.exe
Filesize
276KB

MD5
2afdd35f6df6b6cbf8f3500822625d70

SHA1
2efd81cdd798b38908b63a7a8ae88806e5234a1d

SHA256
393af45214ac518895d3178055bee95f70264bdc65ca7b97f4c564daf95943c8

SHA512
b49476cddd05b3b003bb326e0f02a78eea6021f5087c4c6cd55d306ccfb061fc8510ffa44b59a96e3cd0a7c91c037989a691561b0234f3672be08194a5825359

Download Submit
\Users\Admin\AppData\Local\Temp\myxwn.exe
Filesize
276KB

MD5
2afdd35f6df6b6cbf8f3500822625d70

SHA1
2efd81cdd798b38908b63a7a8ae88806e5234a1d

SHA256
393af45214ac518895d3178055bee95f70264bdc65ca7b97f4c564daf95943c8

SHA512
b49476cddd05b3b003bb326e0f02a78eea6021f5087c4c6cd55d306ccfb061fc8510ffa44b59a96e3cd0a7c91c037989a691561b0234f3672be08194a5825359

Download Submit
\Users\Admin\AppData\Local\Temp\myxwn.exe
Filesize
276KB

MD5
2afdd35f6df6b6cbf8f3500822625d70

SHA1
2efd81cdd798b38908b63a7a8ae88806e5234a1d

SHA256
393af45214ac518895d3178055bee95f70264bdc65ca7b97f4c564daf95943c8

SHA512
b49476cddd05b3b003bb326e0f02a78eea6021f5087c4c6cd55d306ccfb061fc8510ffa44b59a96e3cd0a7c91c037989a691561b0234f3672be08194a5825359

Download Submit
\Users\Admin\AppData\Local\Temp\myxwn.exe
Filesize
276KB

MD5
2afdd35f6df6b6cbf8f3500822625d70

SHA1
2efd81cdd798b38908b63a7a8ae88806e5234a1d

SHA256
393af45214ac518895d3178055bee95f70264bdc65ca7b97f4c564daf95943c8

SHA512
b49476cddd05b3b003bb326e0f02a78eea6021f5087c4c6cd55d306ccfb061fc8510ffa44b59a96e3cd0a7c91c037989a691561b0234f3672be08194a5825359

Download Submit
memory/628-80-0x0000000000090000-0x00000000000BF000-memory.dmp

Filesize
188KB

Download
memory/628-78-0x0000000000B60000-0x0000000000BF3000-memory.dmp

Filesize
588KB

Download
memory/628-71-0x0000000000000000-mapping.dmp

Download
memory/628-77-0x0000000002230000-0x0000000002533000-memory.dmp

Filesize
3.0MB

Download
memory/628-76-0x0000000000090000-0x00000000000BF000-memory.dmp

Filesize
188KB

Download
memory/628-75-0x0000000000C80000-0x0000000000C94000-memory.dmp

Filesize
80KB

Download
memory/800-66-0x0000000000920000-0x0000000000C23000-memory.dmp

Filesize
3.0MB

Download
memory/800-69-0x0000000000390000-0x00000000003A4000-memory.dmp

Filesize
80KB

Download
memory/800-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/800-67-0x0000000000350000-0x0000000000364000-memory.dmp

Filesize
80KB

Download
memory/800-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/800-63-0x000000000041F110-mapping.dmp

Download
memory/1128-74-0x0000000000000000-mapping.dmp

Download
memory/1248-70-0x0000000004F90000-0x000000000509A000-memory.dmp

Filesize
1.0MB

Download
memory/1248-68-0x0000000004CD0000-0x0000000004E52000-memory.dmp

Filesize
1.5MB

Download
memory/1248-79-0x0000000004060000-0x000000000413D000-memory.dmp

Filesize
884KB

Download
memory/1248-81-0x0000000004060000-0x000000000413D000-memory.dmp

Filesize
884KB

Download
memory/1960-57-0x0000000000000000-mapping.dmp

Download
memory/1992-54-0x00000000760C1000-0x00000000760C3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads