formbook | 7a0e92402659c86d9da6faf33be3817996718051ea564e34aa43a41606df7be6

General

Target

6bd52c8274a35c39740da9b52b4c7ef0.exe
Size

321KB
MD5

6bd52c8274a35c39740da9b52b4c7ef0
SHA1

0754724c922472de6048b5c5595f520f2b93e46e
SHA256

7a0e92402659c86d9da6faf33be3817996718051ea564e34aa43a41606df7be6
SHA512

24e3e05f7db606d1305fab3ab2cb8619cbec90afb81b1a2fafd528581fa04a04c9c3279f0cf6955f8a2e0114acfc70e29be1d10e426b1804c2b4bcb5123c52c7
SSDEEP

6144:9kwv4ysH1jEdoS3dMxsCfld0k1STCESE6pkOgyIuSqYXAHrHa2fI+CUO:jslEliffld0PUkOguSBAHu2W

Score

10^/10

formbook lt63 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

lt63

Decoy

fortrantelecom.africa

ffafa.buzz

bullybrain.com

ekeisolutions.com

lamiamira.com

noahsark.xyz

beautyby-eve.com

cloudfatory.com

12443.football

hataykultur.online

donqu3.sexy

breakthroughaustralia.com

havengpe.com

cpxlocatup.info

corefourpartners.com

amonefintech.com

thithombo.africa

bassmaty.store

fdshdsr.top

lifesoapsimple.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1072-65-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1072-71-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1188-75-0x0000000000140000-0x000000000016F000-memory.dmp	formbook
behavioral1/memory/1188-79-0x0000000000140000-0x000000000016F000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

ovwid.exeovwid.exe

pid process

664 ovwid.exe
1072 ovwid.exe
Loads dropped DLL 3 IoCs

Processes:

6bd52c8274a35c39740da9b52b4c7ef0.exeovwid.exe

pid process

1440 6bd52c8274a35c39740da9b52b4c7ef0.exe
1440 6bd52c8274a35c39740da9b52b4c7ef0.exe
664 ovwid.exe

pid	process
664	ovwid.exe
1072	ovwid.exe

pid	process
1440	6bd52c8274a35c39740da9b52b4c7ef0.exe
1440	6bd52c8274a35c39740da9b52b4c7ef0.exe
664	ovwid.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

ovwid.exeovwid.exeexplorer.exe

description	pid	process	target process
PID 664 set thread context of 1072	664	ovwid.exe	ovwid.exe
PID 1072 set thread context of 1296	1072	ovwid.exe	Explorer.EXE
PID 1188 set thread context of 1296	1188	explorer.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

ovwid.exeexplorer.exe

pid	process
1072	ovwid.exe
1072	ovwid.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe
1188	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1296 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

ovwid.exeovwid.exeexplorer.exe

pid process

664 ovwid.exe
1072 ovwid.exe
1072 ovwid.exe
1072 ovwid.exe
1188 explorer.exe
1188 explorer.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

ovwid.exeexplorer.exeExplorer.EXE

description pid process

Token: SeDebugPrivilege 1072 ovwid.exe
Token: SeDebugPrivilege 1188 explorer.exe
Token: SeShutdownPrivilege 1296 Explorer.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1296 Explorer.EXE
1296 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1296 Explorer.EXE
1296 Explorer.EXE

pid	process
1296	Explorer.EXE

pid	process
664	ovwid.exe
1072	ovwid.exe
1072	ovwid.exe
1072	ovwid.exe
1188	explorer.exe
1188	explorer.exe

description	pid	process
Token: SeDebugPrivilege	1072	ovwid.exe
Token: SeDebugPrivilege	1188	explorer.exe
Token: SeShutdownPrivilege	1296	Explorer.EXE

pid	process
1296	Explorer.EXE
1296	Explorer.EXE

pid	process
1296	Explorer.EXE
1296	Explorer.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

6bd52c8274a35c39740da9b52b4c7ef0.exeovwid.exeExplorer.EXEexplorer.exe

description	pid	process	target process
PID 1440 wrote to memory of 664	1440	6bd52c8274a35c39740da9b52b4c7ef0.exe	ovwid.exe
PID 1440 wrote to memory of 664	1440	6bd52c8274a35c39740da9b52b4c7ef0.exe	ovwid.exe
PID 1440 wrote to memory of 664	1440	6bd52c8274a35c39740da9b52b4c7ef0.exe	ovwid.exe
PID 1440 wrote to memory of 664	1440	6bd52c8274a35c39740da9b52b4c7ef0.exe	ovwid.exe
PID 664 wrote to memory of 1072	664	ovwid.exe	ovwid.exe
PID 664 wrote to memory of 1072	664	ovwid.exe	ovwid.exe
PID 664 wrote to memory of 1072	664	ovwid.exe	ovwid.exe
PID 664 wrote to memory of 1072	664	ovwid.exe	ovwid.exe
PID 664 wrote to memory of 1072	664	ovwid.exe	ovwid.exe
PID 1296 wrote to memory of 1188	1296	Explorer.EXE	explorer.exe
PID 1296 wrote to memory of 1188	1296	Explorer.EXE	explorer.exe
PID 1296 wrote to memory of 1188	1296	Explorer.EXE	explorer.exe
PID 1296 wrote to memory of 1188	1296	Explorer.EXE	explorer.exe
PID 1188 wrote to memory of 616	1188	explorer.exe	cmd.exe
PID 1188 wrote to memory of 616	1188	explorer.exe	cmd.exe
PID 1188 wrote to memory of 616	1188	explorer.exe	cmd.exe
PID 1188 wrote to memory of 616	1188	explorer.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1296

C:\Users\Admin\AppData\Local\Temp\6bd52c8274a35c39740da9b52b4c7ef0.exe
"C:\Users\Admin\AppData\Local\Temp\6bd52c8274a35c39740da9b52b4c7ef0.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1440

C:\Users\Admin\AppData\Local\Temp\ovwid.exe
"C:\Users\Admin\AppData\Local\Temp\ovwid.exe" C:\Users\Admin\AppData\Local\Temp\rrsopjtftd.p
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:664

C:\Users\Admin\AppData\Local\Temp\ovwid.exe
"C:\Users\Admin\AppData\Local\Temp\ovwid.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1072

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1188

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\ovwid.exe"
3⤵
PID:616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cqdkrcshwhw.w
Filesize
185KB

MD5
7e02dcac3d442f6e3a36de2b65661c8a

SHA1
5057ac4eff50e36d8c1a767b8f35accf7db4a5ee

SHA256
846b04da46b952747476b98c2cb6071faedc8d5ef0ca7f7a320b92fa299248fd

SHA512
f6976c1060780888f7f1dfb31edba6f89d8096134cd693ef9fb1ebb97fb06d42fd5a437d4da6d7bddb354d17f72e661f8140310dd8837468bdf59a648a81f32c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ovwid.exe
Filesize
276KB

MD5
a5cc35863cadeb24f827d9daa513c424

SHA1
0584250d8f5b06a11afbd3071547c6719adf02a4

SHA256
46590fb8724e192cff8f18ccf4188f9cb2bd8661cbc1141cc15623775ad46a5c

SHA512
32761ac38ab4c9b9f99bd767476b35fdecff67af8dcd678b6c449a4cebfe0c1bb040b5b8d31ba046566d2a612865709088494d90d4825ec7e8353e37ac0a7098

Download Submit
C:\Users\Admin\AppData\Local\Temp\ovwid.exe
Filesize
276KB

MD5
a5cc35863cadeb24f827d9daa513c424

SHA1
0584250d8f5b06a11afbd3071547c6719adf02a4

SHA256
46590fb8724e192cff8f18ccf4188f9cb2bd8661cbc1141cc15623775ad46a5c

SHA512
32761ac38ab4c9b9f99bd767476b35fdecff67af8dcd678b6c449a4cebfe0c1bb040b5b8d31ba046566d2a612865709088494d90d4825ec7e8353e37ac0a7098

Download Submit
C:\Users\Admin\AppData\Local\Temp\ovwid.exe
Filesize
276KB

MD5
a5cc35863cadeb24f827d9daa513c424

SHA1
0584250d8f5b06a11afbd3071547c6719adf02a4

SHA256
46590fb8724e192cff8f18ccf4188f9cb2bd8661cbc1141cc15623775ad46a5c

SHA512
32761ac38ab4c9b9f99bd767476b35fdecff67af8dcd678b6c449a4cebfe0c1bb040b5b8d31ba046566d2a612865709088494d90d4825ec7e8353e37ac0a7098

Download Submit
C:\Users\Admin\AppData\Local\Temp\rrsopjtftd.p
Filesize
5KB

MD5
56286c4878d09104d3b70a79a461c288

SHA1
0454937ba6a485ef7893e0a37cb576e3b31c55e6

SHA256
2f34ec04e1cefc4bb24065ebaacf3e607c86a9f65976d098356735b546b7c029

SHA512
61944319fb9f54f948bf5e27dc3db5dfa50319a2e5ce4061490370e78b8e07796f02f153ca8ef6a72b43bef6fdcfb77940b7c175d068f2705619f29c8fd74ec1

Download Submit
\Users\Admin\AppData\Local\Temp\ovwid.exe
Filesize
276KB

MD5
a5cc35863cadeb24f827d9daa513c424

SHA1
0584250d8f5b06a11afbd3071547c6719adf02a4

SHA256
46590fb8724e192cff8f18ccf4188f9cb2bd8661cbc1141cc15623775ad46a5c

SHA512
32761ac38ab4c9b9f99bd767476b35fdecff67af8dcd678b6c449a4cebfe0c1bb040b5b8d31ba046566d2a612865709088494d90d4825ec7e8353e37ac0a7098

Download Submit
\Users\Admin\AppData\Local\Temp\ovwid.exe
Filesize
276KB

MD5
a5cc35863cadeb24f827d9daa513c424

SHA1
0584250d8f5b06a11afbd3071547c6719adf02a4

SHA256
46590fb8724e192cff8f18ccf4188f9cb2bd8661cbc1141cc15623775ad46a5c

SHA512
32761ac38ab4c9b9f99bd767476b35fdecff67af8dcd678b6c449a4cebfe0c1bb040b5b8d31ba046566d2a612865709088494d90d4825ec7e8353e37ac0a7098

Download Submit
\Users\Admin\AppData\Local\Temp\ovwid.exe
Filesize
276KB

MD5
a5cc35863cadeb24f827d9daa513c424

SHA1
0584250d8f5b06a11afbd3071547c6719adf02a4

SHA256
46590fb8724e192cff8f18ccf4188f9cb2bd8661cbc1141cc15623775ad46a5c

SHA512
32761ac38ab4c9b9f99bd767476b35fdecff67af8dcd678b6c449a4cebfe0c1bb040b5b8d31ba046566d2a612865709088494d90d4825ec7e8353e37ac0a7098

Download Submit
memory/616-73-0x0000000000000000-mapping.dmp

Download
memory/664-57-0x0000000000000000-mapping.dmp

Download
memory/1072-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1072-63-0x000000000041F0B0-mapping.dmp

Download
memory/1072-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1072-66-0x0000000000860000-0x0000000000B63000-memory.dmp

Filesize
3.0MB

Download
memory/1072-67-0x00000000002B0000-0x00000000002C4000-memory.dmp

Filesize
80KB

Download
memory/1188-76-0x0000000002410000-0x0000000002713000-memory.dmp

Filesize
3.0MB

Download
memory/1188-69-0x0000000000000000-mapping.dmp

Download
memory/1188-72-0x00000000751D1000-0x00000000751D3000-memory.dmp

Filesize
8KB

Download
memory/1188-74-0x00000000002A0000-0x0000000000521000-memory.dmp

Filesize
2.5MB

Download
memory/1188-75-0x0000000000140000-0x000000000016F000-memory.dmp

Filesize
188KB

Download
memory/1188-77-0x0000000002140000-0x00000000021D3000-memory.dmp

Filesize
588KB

Download
memory/1188-79-0x0000000000140000-0x000000000016F000-memory.dmp

Filesize
188KB

Download
memory/1296-68-0x00000000070F0000-0x000000000727D000-memory.dmp

Filesize
1.6MB

Download
memory/1296-78-0x0000000007C50000-0x0000000007DD7000-memory.dmp

Filesize
1.5MB

Download
memory/1296-80-0x0000000007C50000-0x0000000007DD7000-memory.dmp

Filesize
1.5MB

Download
memory/1440-54-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads