formbook | 4c817012f18358469290ab2d534a7670dbd7769499cfafa327b5f7afca8c3552

Analysis

max time kernel
150s
max time network
147s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
26-01-2023 11:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c817012f18358469290ab2d534a7670dbd7769499cfafa327b5f7afca8c3552.exe
Size

274KB
MD5

e0b5ba1741b777e172f3c51d48768572
SHA1

8bc5e723bc75979404f55481990afc8014b648b0
SHA256

4c817012f18358469290ab2d534a7670dbd7769499cfafa327b5f7afca8c3552
SHA512

ccb4cb869c9a1f9db037925301b909ea5b8f4805231f3a6cba00ad7700face441c9724f45e0a3adea473d7fedd2b66e32bd3f775ccd14f4ab115fa1f37eefd28
SSDEEP

6144:PYa6mJ/EbkFtG0rrQ6veLQDSZPUtSx2Jiee+eSou3:PYwyYFtnrrQ6WXUAxce+ku3

Score

10^/10

formbook w12e rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

w12e

Decoy

poshsalon.co.uk

ideeksha.net

eaglebreaks.com

exileine.me.uk

saveittoday.net

ceon.tech

estateagentswebsitedesign.uk

faropublicidade.com

depression-treatment-83678.com

informationdata16376.com

wirecreations.africa

coolsculpting-pros.life

ethoshabitats.com

amtindividual.com

gotoken.online

cherny-100-imec-msu.ru

historicaarcanum.com

gpsarhealthcare.com

kx1257.com

abdullahbinomar.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1556-233-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1556-241-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/780-247-0x00000000005B0000-0x00000000005DF000-memory.dmp	formbook
behavioral1/memory/780-271-0x00000000005B0000-0x00000000005DF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

rajaemva.exerajaemva.exe

pid process

3352 rajaemva.exe
1556 rajaemva.exe

pid	process
3352	rajaemva.exe
1556	rajaemva.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

rajaemva.exerajaemva.exehelp.exe

description	pid	process	target process
PID 3352 set thread context of 1556	3352	rajaemva.exe	rajaemva.exe
PID 1556 set thread context of 2816	1556	rajaemva.exe	Explorer.EXE
PID 1556 set thread context of 2816	1556	rajaemva.exe	Explorer.EXE
PID 780 set thread context of 2816	780	help.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 56 IoCs

Processes:

rajaemva.exehelp.exe

pid	process
1556	rajaemva.exe
1556	rajaemva.exe
1556	rajaemva.exe
1556	rajaemva.exe
1556	rajaemva.exe
1556	rajaemva.exe
780	help.exe
780	help.exe
780	help.exe
780	help.exe
780	help.exe
780	help.exe
780	help.exe
780	help.exe
780	help.exe
780	help.exe
780	help.exe
780	help.exe
780	help.exe
780	help.exe
780	help.exe
780	help.exe
780	help.exe
780	help.exe
780	help.exe
780	help.exe
780	help.exe
780	help.exe
780	help.exe
780	help.exe
780	help.exe
780	help.exe
780	help.exe
780	help.exe
780	help.exe
780	help.exe
780	help.exe
780	help.exe
780	help.exe
780	help.exe
780	help.exe
780	help.exe
780	help.exe
780	help.exe
780	help.exe
780	help.exe
780	help.exe
780	help.exe
780	help.exe
780	help.exe
780	help.exe
780	help.exe
780	help.exe
780	help.exe
780	help.exe
780	help.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2816 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

rajaemva.exerajaemva.exehelp.exe

pid process

3352 rajaemva.exe
1556 rajaemva.exe
1556 rajaemva.exe
1556 rajaemva.exe
1556 rajaemva.exe
780 help.exe
780 help.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

rajaemva.exehelp.exe

description pid process

Token: SeDebugPrivilege 1556 rajaemva.exe
Token: SeDebugPrivilege 780 help.exe

pid	process
2816	Explorer.EXE

pid	process
3352	rajaemva.exe
1556	rajaemva.exe
1556	rajaemva.exe
1556	rajaemva.exe
1556	rajaemva.exe
780	help.exe
780	help.exe

description	pid	process
Token: SeDebugPrivilege	1556	rajaemva.exe
Token: SeDebugPrivilege	780	help.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

4c817012f18358469290ab2d534a7670dbd7769499cfafa327b5f7afca8c3552.exerajaemva.exeExplorer.EXEhelp.exe

description	pid	process	target process
PID 4940 wrote to memory of 3352	4940	4c817012f18358469290ab2d534a7670dbd7769499cfafa327b5f7afca8c3552.exe	rajaemva.exe
PID 4940 wrote to memory of 3352	4940	4c817012f18358469290ab2d534a7670dbd7769499cfafa327b5f7afca8c3552.exe	rajaemva.exe
PID 4940 wrote to memory of 3352	4940	4c817012f18358469290ab2d534a7670dbd7769499cfafa327b5f7afca8c3552.exe	rajaemva.exe
PID 3352 wrote to memory of 1556	3352	rajaemva.exe	rajaemva.exe
PID 3352 wrote to memory of 1556	3352	rajaemva.exe	rajaemva.exe
PID 3352 wrote to memory of 1556	3352	rajaemva.exe	rajaemva.exe
PID 3352 wrote to memory of 1556	3352	rajaemva.exe	rajaemva.exe
PID 2816 wrote to memory of 780	2816	Explorer.EXE	help.exe
PID 2816 wrote to memory of 780	2816	Explorer.EXE	help.exe
PID 2816 wrote to memory of 780	2816	Explorer.EXE	help.exe
PID 780 wrote to memory of 3004	780	help.exe	cmd.exe
PID 780 wrote to memory of 3004	780	help.exe	cmd.exe
PID 780 wrote to memory of 3004	780	help.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2816

C:\Users\Admin\AppData\Local\Temp\4c817012f18358469290ab2d534a7670dbd7769499cfafa327b5f7afca8c3552.exe
"C:\Users\Admin\AppData\Local\Temp\4c817012f18358469290ab2d534a7670dbd7769499cfafa327b5f7afca8c3552.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4940

C:\Users\Admin\AppData\Local\Temp\rajaemva.exe
"C:\Users\Admin\AppData\Local\Temp\rajaemva.exe" C:\Users\Admin\AppData\Local\Temp\kdzgmngbm.jdd
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3352

C:\Users\Admin\AppData\Local\Temp\rajaemva.exe
"C:\Users\Admin\AppData\Local\Temp\rajaemva.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:780

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\rajaemva.exe"
3⤵
PID:3004

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\kdzgmngbm.jdd
Filesize
5KB

MD5
31cc59198718048d2737a08b4a3366d9

SHA1
3ba1fccd8ae4f3d10f0c2d6962ff6b26b86d5bbf

SHA256
65bee32f9d4ee6165842226c585768346af0102c20819a53ba774c9b00fbc5b0

SHA512
334644f361314fbd7888688a2e5952037d4f8a65f5c1233a14053c9bbe2428ee7f53f0628c8466eebb1441241ed32c09581ab312f09ba1d512175e4288d40119

Download Submit
C:\Users\Admin\AppData\Local\Temp\rajaemva.exe
Filesize
81KB

MD5
23aa665803bee823977ce5808f886dd4

SHA1
1bc30451dcb3e3fd22f6149ec46a043c7007139e

SHA256
f75dc79cb2a5a060c31920238e0ab7752b7e2ce3560155a7545fab593f0384b1

SHA512
5066b67aafea1575fe8631dae97b4c428319d55409cfebfc6754fba39f84a37a056fdd1b888a44aa8fd24de02d980e37066f0d0049f6b9567e29300101ea0bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\rajaemva.exe
Filesize
81KB

MD5
23aa665803bee823977ce5808f886dd4

SHA1
1bc30451dcb3e3fd22f6149ec46a043c7007139e

SHA256
f75dc79cb2a5a060c31920238e0ab7752b7e2ce3560155a7545fab593f0384b1

SHA512
5066b67aafea1575fe8631dae97b4c428319d55409cfebfc6754fba39f84a37a056fdd1b888a44aa8fd24de02d980e37066f0d0049f6b9567e29300101ea0bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\rajaemva.exe
Filesize
81KB

MD5
23aa665803bee823977ce5808f886dd4

SHA1
1bc30451dcb3e3fd22f6149ec46a043c7007139e

SHA256
f75dc79cb2a5a060c31920238e0ab7752b7e2ce3560155a7545fab593f0384b1

SHA512
5066b67aafea1575fe8631dae97b4c428319d55409cfebfc6754fba39f84a37a056fdd1b888a44aa8fd24de02d980e37066f0d0049f6b9567e29300101ea0bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tvrsmbiycym.em
Filesize
205KB

MD5
b492e5d2d4e5d40860b4bc2d2eb553a7

SHA1
99f144d8002e0499d25d04b736c8f166a6523394

SHA256
81372f47de03414ecb6fe8a2eacaebad6a36ce272f6aa7c811db55c9a636c6f2

SHA512
b8d31fe301cf3d9d2d19d343d2a38ec90115ba7bdb428629155d6a8ef4e03742d71b6dda901bc48ac3a9f418f5ff42e0d15c76efc08084b326d9528a9e505a80

Download Submit
memory/780-239-0x0000000000000000-mapping.dmp

Download
memory/780-271-0x00000000005B0000-0x00000000005DF000-memory.dmp

Filesize
188KB

Download
memory/780-272-0x00000000009D0000-0x0000000000A63000-memory.dmp

Filesize
588KB

Download
memory/780-261-0x0000000002D10000-0x0000000003030000-memory.dmp

Filesize
3.1MB

Download
memory/780-247-0x00000000005B0000-0x00000000005DF000-memory.dmp

Filesize
188KB

Download
memory/780-246-0x0000000000D00000-0x0000000000D07000-memory.dmp

Filesize
28KB

Download
memory/1556-241-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1556-237-0x0000000002770000-0x0000000002784000-memory.dmp

Filesize
80KB

Download
memory/1556-235-0x0000000000DF0000-0x0000000000E04000-memory.dmp

Filesize
80KB

Download
memory/1556-234-0x0000000000AB0000-0x0000000000DD0000-memory.dmp

Filesize
3.1MB

Download
memory/1556-233-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1556-211-0x000000000041F130-mapping.dmp

Download
memory/2816-238-0x00000000057A0000-0x000000000593E000-memory.dmp

Filesize
1.6MB

Download
memory/2816-236-0x00000000012D0000-0x0000000001398000-memory.dmp

Filesize
800KB

Download
memory/2816-274-0x0000000006800000-0x0000000006951000-memory.dmp

Filesize
1.3MB

Download
memory/2816-260-0x00000000012D0000-0x0000000001398000-memory.dmp

Filesize
800KB

Download
memory/2816-273-0x0000000006800000-0x0000000006951000-memory.dmp

Filesize
1.3MB

Download
memory/3004-254-0x0000000000000000-mapping.dmp

Download
memory/3352-182-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3352-177-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3352-183-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3352-185-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3352-181-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3352-180-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3352-179-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3352-174-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3352-178-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3352-184-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3352-176-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3352-186-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3352-173-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3352-172-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3352-171-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3352-170-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3352-169-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/3352-167-0x0000000000000000-mapping.dmp

Download
memory/4940-144-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-147-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-163-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-164-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-165-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-166-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-161-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-160-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-159-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-158-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-157-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-156-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-155-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-154-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-153-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-152-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-151-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-141-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-143-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-145-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-148-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-150-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-149-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-162-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-146-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-120-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-142-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-138-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-140-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-139-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-137-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-136-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-135-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-134-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-133-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-132-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-131-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-130-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-129-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-128-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-127-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-126-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-125-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-124-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-123-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-122-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download
memory/4940-121-0x0000000077D50000-0x0000000077EDE000-memory.dmp

Filesize
1.6MB

Download