formbook | 4c817012f18358469290ab2d534a7670dbd7769499cfafa327b5f7afca8c3552

General

Target

file.exe
Size

274KB
MD5

e0b5ba1741b777e172f3c51d48768572
SHA1

8bc5e723bc75979404f55481990afc8014b648b0
SHA256

4c817012f18358469290ab2d534a7670dbd7769499cfafa327b5f7afca8c3552
SHA512

ccb4cb869c9a1f9db037925301b909ea5b8f4805231f3a6cba00ad7700face441c9724f45e0a3adea473d7fedd2b66e32bd3f775ccd14f4ab115fa1f37eefd28
SSDEEP

6144:PYa6mJ/EbkFtG0rrQ6veLQDSZPUtSx2Jiee+eSou3:PYwyYFtnrrQ6WXUAxce+ku3

Score

10^/10

formbook w12e rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

w12e

Decoy

poshsalon.co.uk

ideeksha.net

eaglebreaks.com

exileine.me.uk

saveittoday.net

ceon.tech

estateagentswebsitedesign.uk

faropublicidade.com

depression-treatment-83678.com

informationdata16376.com

wirecreations.africa

coolsculpting-pros.life

ethoshabitats.com

amtindividual.com

gotoken.online

cherny-100-imec-msu.ru

historicaarcanum.com

gpsarhealthcare.com

kx1257.com

abdullahbinomar.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4748-139-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4748-146-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/1212-148-0x00000000008F0000-0x000000000091F000-memory.dmp	formbook
behavioral2/memory/1212-153-0x00000000008F0000-0x000000000091F000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

rajaemva.exerajaemva.exe

pid process

1132 rajaemva.exe
4748 rajaemva.exe

pid	process
1132	rajaemva.exe
4748	rajaemva.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

rajaemva.exerajaemva.exeNETSTAT.EXE

description	pid	process	target process
PID 1132 set thread context of 4748	1132	rajaemva.exe	rajaemva.exe
PID 4748 set thread context of 2596	4748	rajaemva.exe	Explorer.EXE
PID 4748 set thread context of 2596	4748	rajaemva.exe	Explorer.EXE
PID 1212 set thread context of 2596	1212	NETSTAT.EXE	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

1212 NETSTAT.EXE

pid	process
1212	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

rajaemva.exeNETSTAT.EXE

pid	process
4748	rajaemva.exe
4748	rajaemva.exe
4748	rajaemva.exe
4748	rajaemva.exe
4748	rajaemva.exe
4748	rajaemva.exe
1212	NETSTAT.EXE
1212	NETSTAT.EXE
1212	NETSTAT.EXE
1212	NETSTAT.EXE
1212	NETSTAT.EXE
1212	NETSTAT.EXE
1212	NETSTAT.EXE
1212	NETSTAT.EXE
1212	NETSTAT.EXE
1212	NETSTAT.EXE
1212	NETSTAT.EXE
1212	NETSTAT.EXE
1212	NETSTAT.EXE
1212	NETSTAT.EXE
1212	NETSTAT.EXE
1212	NETSTAT.EXE
1212	NETSTAT.EXE
1212	NETSTAT.EXE
1212	NETSTAT.EXE
1212	NETSTAT.EXE
1212	NETSTAT.EXE
1212	NETSTAT.EXE
1212	NETSTAT.EXE
1212	NETSTAT.EXE
1212	NETSTAT.EXE
1212	NETSTAT.EXE
1212	NETSTAT.EXE
1212	NETSTAT.EXE
1212	NETSTAT.EXE
1212	NETSTAT.EXE
1212	NETSTAT.EXE
1212	NETSTAT.EXE
1212	NETSTAT.EXE
1212	NETSTAT.EXE
1212	NETSTAT.EXE
1212	NETSTAT.EXE
1212	NETSTAT.EXE
1212	NETSTAT.EXE
1212	NETSTAT.EXE
1212	NETSTAT.EXE
1212	NETSTAT.EXE
1212	NETSTAT.EXE
1212	NETSTAT.EXE
1212	NETSTAT.EXE
1212	NETSTAT.EXE
1212	NETSTAT.EXE
1212	NETSTAT.EXE
1212	NETSTAT.EXE
1212	NETSTAT.EXE
1212	NETSTAT.EXE
1212	NETSTAT.EXE
1212	NETSTAT.EXE
1212	NETSTAT.EXE
1212	NETSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2596 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

rajaemva.exerajaemva.exeNETSTAT.EXE

pid process

1132 rajaemva.exe
4748 rajaemva.exe
4748 rajaemva.exe
4748 rajaemva.exe
4748 rajaemva.exe
1212 NETSTAT.EXE
1212 NETSTAT.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

rajaemva.exeNETSTAT.EXE

description pid process

Token: SeDebugPrivilege 4748 rajaemva.exe
Token: SeDebugPrivilege 1212 NETSTAT.EXE

pid	process
2596	Explorer.EXE

pid	process
1132	rajaemva.exe
4748	rajaemva.exe
4748	rajaemva.exe
4748	rajaemva.exe
4748	rajaemva.exe
1212	NETSTAT.EXE
1212	NETSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	4748	rajaemva.exe
Token: SeDebugPrivilege	1212	NETSTAT.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

file.exerajaemva.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 3048 wrote to memory of 1132	3048	file.exe	rajaemva.exe
PID 3048 wrote to memory of 1132	3048	file.exe	rajaemva.exe
PID 3048 wrote to memory of 1132	3048	file.exe	rajaemva.exe
PID 1132 wrote to memory of 4748	1132	rajaemva.exe	rajaemva.exe
PID 1132 wrote to memory of 4748	1132	rajaemva.exe	rajaemva.exe
PID 1132 wrote to memory of 4748	1132	rajaemva.exe	rajaemva.exe
PID 1132 wrote to memory of 4748	1132	rajaemva.exe	rajaemva.exe
PID 2596 wrote to memory of 1212	2596	Explorer.EXE	NETSTAT.EXE
PID 2596 wrote to memory of 1212	2596	Explorer.EXE	NETSTAT.EXE
PID 2596 wrote to memory of 1212	2596	Explorer.EXE	NETSTAT.EXE
PID 1212 wrote to memory of 1340	1212	NETSTAT.EXE	cmd.exe
PID 1212 wrote to memory of 1340	1212	NETSTAT.EXE	cmd.exe
PID 1212 wrote to memory of 1340	1212	NETSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2596

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3048

C:\Users\Admin\AppData\Local\Temp\rajaemva.exe
"C:\Users\Admin\AppData\Local\Temp\rajaemva.exe" C:\Users\Admin\AppData\Local\Temp\kdzgmngbm.jdd
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1132

C:\Users\Admin\AppData\Local\Temp\rajaemva.exe
"C:\Users\Admin\AppData\Local\Temp\rajaemva.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4748

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\rajaemva.exe"
3⤵
PID:1340

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\kdzgmngbm.jdd
Filesize
5KB

MD5
31cc59198718048d2737a08b4a3366d9

SHA1
3ba1fccd8ae4f3d10f0c2d6962ff6b26b86d5bbf

SHA256
65bee32f9d4ee6165842226c585768346af0102c20819a53ba774c9b00fbc5b0

SHA512
334644f361314fbd7888688a2e5952037d4f8a65f5c1233a14053c9bbe2428ee7f53f0628c8466eebb1441241ed32c09581ab312f09ba1d512175e4288d40119

Download Submit
C:\Users\Admin\AppData\Local\Temp\rajaemva.exe
Filesize
81KB

MD5
23aa665803bee823977ce5808f886dd4

SHA1
1bc30451dcb3e3fd22f6149ec46a043c7007139e

SHA256
f75dc79cb2a5a060c31920238e0ab7752b7e2ce3560155a7545fab593f0384b1

SHA512
5066b67aafea1575fe8631dae97b4c428319d55409cfebfc6754fba39f84a37a056fdd1b888a44aa8fd24de02d980e37066f0d0049f6b9567e29300101ea0bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\rajaemva.exe
Filesize
81KB

MD5
23aa665803bee823977ce5808f886dd4

SHA1
1bc30451dcb3e3fd22f6149ec46a043c7007139e

SHA256
f75dc79cb2a5a060c31920238e0ab7752b7e2ce3560155a7545fab593f0384b1

SHA512
5066b67aafea1575fe8631dae97b4c428319d55409cfebfc6754fba39f84a37a056fdd1b888a44aa8fd24de02d980e37066f0d0049f6b9567e29300101ea0bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\rajaemva.exe
Filesize
81KB

MD5
23aa665803bee823977ce5808f886dd4

SHA1
1bc30451dcb3e3fd22f6149ec46a043c7007139e

SHA256
f75dc79cb2a5a060c31920238e0ab7752b7e2ce3560155a7545fab593f0384b1

SHA512
5066b67aafea1575fe8631dae97b4c428319d55409cfebfc6754fba39f84a37a056fdd1b888a44aa8fd24de02d980e37066f0d0049f6b9567e29300101ea0bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tvrsmbiycym.em
Filesize
205KB

MD5
b492e5d2d4e5d40860b4bc2d2eb553a7

SHA1
99f144d8002e0499d25d04b736c8f166a6523394

SHA256
81372f47de03414ecb6fe8a2eacaebad6a36ce272f6aa7c811db55c9a636c6f2

SHA512
b8d31fe301cf3d9d2d19d343d2a38ec90115ba7bdb428629155d6a8ef4e03742d71b6dda901bc48ac3a9f418f5ff42e0d15c76efc08084b326d9528a9e505a80

Download Submit
memory/1132-132-0x0000000000000000-mapping.dmp

Download
memory/1212-153-0x00000000008F0000-0x000000000091F000-memory.dmp

Filesize
188KB

Download
memory/1212-151-0x0000000000F40000-0x0000000000FD3000-memory.dmp

Filesize
588KB

Download
memory/1212-145-0x0000000000000000-mapping.dmp

Download
memory/1212-150-0x0000000001050000-0x000000000139A000-memory.dmp

Filesize
3.3MB

Download
memory/1212-148-0x00000000008F0000-0x000000000091F000-memory.dmp

Filesize
188KB

Download
memory/1212-147-0x0000000000040000-0x000000000004B000-memory.dmp

Filesize
44KB

Download
memory/1340-149-0x0000000000000000-mapping.dmp

Download
memory/2596-154-0x0000000003540000-0x000000000362E000-memory.dmp

Filesize
952KB

Download
memory/2596-142-0x0000000003430000-0x000000000353A000-memory.dmp

Filesize
1.0MB

Download
memory/2596-152-0x0000000003540000-0x000000000362E000-memory.dmp

Filesize
952KB

Download
memory/2596-144-0x0000000008CB0000-0x0000000008E32000-memory.dmp

Filesize
1.5MB

Download
memory/4748-137-0x0000000000000000-mapping.dmp

Download
memory/4748-146-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4748-143-0x0000000000D80000-0x0000000000D94000-memory.dmp

Filesize
80KB

Download
memory/4748-141-0x00000000009D0000-0x00000000009E4000-memory.dmp

Filesize
80KB

Download
memory/4748-140-0x0000000000A30000-0x0000000000D7A000-memory.dmp

Filesize
3.3MB

Download
memory/4748-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads