formbook | cec7134d68d67d6f7ee0d32945f6ee4eafeb58a68c4769867f212ad879480c22

General

Target

file.exe
Size

259KB
MD5

db1d6b6c1108594478f24a4786471f12
SHA1

6d12343a3c3f5b0963b29f627149a50b4e45b863
SHA256

cec7134d68d67d6f7ee0d32945f6ee4eafeb58a68c4769867f212ad879480c22
SHA512

8f6f791b7a468ae338563a864c8cd4aae8c1a691e96ebba10c73c39b855aa3630f060771a04942a37c3016e4f266decbc5db35fec3ec7210acac6f12ed1da0a7
SSDEEP

6144:/Ya6NlOY6ck9QfODA2riUkgkg4j8DLeHrcQBFtz4niOVdNPpm:/YXcqf7tjg5r0zz4iKm

Score

10^/10

formbook w12e rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

w12e

Decoy

poshsalon.co.uk

ideeksha.net

eaglebreaks.com

exileine.me.uk

saveittoday.net

ceon.tech

estateagentswebsitedesign.uk

faropublicidade.com

depression-treatment-83678.com

informationdata16376.com

wirecreations.africa

coolsculpting-pros.life

ethoshabitats.com

amtindividual.com

gotoken.online

cherny-100-imec-msu.ru

historicaarcanum.com

gpsarhealthcare.com

kx1257.com

abdullahbinomar.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4740-139-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4276-146-0x0000000000600000-0x000000000062F000-memory.dmp	formbook
behavioral2/memory/4276-150-0x0000000000600000-0x000000000062F000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

hkjgvrfvu.exehkjgvrfvu.exe

pid process

4800 hkjgvrfvu.exe
4740 hkjgvrfvu.exe

pid	process
4800	hkjgvrfvu.exe
4740	hkjgvrfvu.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

hkjgvrfvu.exehkjgvrfvu.exewlanext.exe

description	pid	process	target process
PID 4800 set thread context of 4740	4800	hkjgvrfvu.exe	hkjgvrfvu.exe
PID 4740 set thread context of 1108	4740	hkjgvrfvu.exe	Explorer.EXE
PID 4276 set thread context of 1108	4276	wlanext.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

hkjgvrfvu.exewlanext.exe

pid	process
4740	hkjgvrfvu.exe
4740	hkjgvrfvu.exe
4740	hkjgvrfvu.exe
4740	hkjgvrfvu.exe
4276	wlanext.exe
4276	wlanext.exe
4276	wlanext.exe
4276	wlanext.exe
4276	wlanext.exe
4276	wlanext.exe
4276	wlanext.exe
4276	wlanext.exe
4276	wlanext.exe
4276	wlanext.exe
4276	wlanext.exe
4276	wlanext.exe
4276	wlanext.exe
4276	wlanext.exe
4276	wlanext.exe
4276	wlanext.exe
4276	wlanext.exe
4276	wlanext.exe
4276	wlanext.exe
4276	wlanext.exe
4276	wlanext.exe
4276	wlanext.exe
4276	wlanext.exe
4276	wlanext.exe
4276	wlanext.exe
4276	wlanext.exe
4276	wlanext.exe
4276	wlanext.exe
4276	wlanext.exe
4276	wlanext.exe
4276	wlanext.exe
4276	wlanext.exe
4276	wlanext.exe
4276	wlanext.exe
4276	wlanext.exe
4276	wlanext.exe
4276	wlanext.exe
4276	wlanext.exe
4276	wlanext.exe
4276	wlanext.exe
4276	wlanext.exe
4276	wlanext.exe
4276	wlanext.exe
4276	wlanext.exe
4276	wlanext.exe
4276	wlanext.exe
4276	wlanext.exe
4276	wlanext.exe
4276	wlanext.exe
4276	wlanext.exe
4276	wlanext.exe
4276	wlanext.exe
4276	wlanext.exe
4276	wlanext.exe
4276	wlanext.exe
4276	wlanext.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1108 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

hkjgvrfvu.exehkjgvrfvu.exewlanext.exe

pid process

4800 hkjgvrfvu.exe
4740 hkjgvrfvu.exe
4740 hkjgvrfvu.exe
4740 hkjgvrfvu.exe
4276 wlanext.exe
4276 wlanext.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

hkjgvrfvu.exewlanext.exe

description pid process

Token: SeDebugPrivilege 4740 hkjgvrfvu.exe
Token: SeDebugPrivilege 4276 wlanext.exe

pid	process
1108	Explorer.EXE

pid	process
4800	hkjgvrfvu.exe
4740	hkjgvrfvu.exe
4740	hkjgvrfvu.exe
4740	hkjgvrfvu.exe
4276	wlanext.exe
4276	wlanext.exe

description	pid	process
Token: SeDebugPrivilege	4740	hkjgvrfvu.exe
Token: SeDebugPrivilege	4276	wlanext.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

file.exehkjgvrfvu.exeExplorer.EXEwlanext.exe

description	pid	process	target process
PID 4280 wrote to memory of 4800	4280	file.exe	hkjgvrfvu.exe
PID 4280 wrote to memory of 4800	4280	file.exe	hkjgvrfvu.exe
PID 4280 wrote to memory of 4800	4280	file.exe	hkjgvrfvu.exe
PID 4800 wrote to memory of 4740	4800	hkjgvrfvu.exe	hkjgvrfvu.exe
PID 4800 wrote to memory of 4740	4800	hkjgvrfvu.exe	hkjgvrfvu.exe
PID 4800 wrote to memory of 4740	4800	hkjgvrfvu.exe	hkjgvrfvu.exe
PID 4800 wrote to memory of 4740	4800	hkjgvrfvu.exe	hkjgvrfvu.exe
PID 1108 wrote to memory of 4276	1108	Explorer.EXE	wlanext.exe
PID 1108 wrote to memory of 4276	1108	Explorer.EXE	wlanext.exe
PID 1108 wrote to memory of 4276	1108	Explorer.EXE	wlanext.exe
PID 4276 wrote to memory of 4412	4276	wlanext.exe	cmd.exe
PID 4276 wrote to memory of 4412	4276	wlanext.exe	cmd.exe
PID 4276 wrote to memory of 4412	4276	wlanext.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Users\Admin\AppData\Local\Temp\file.exe
  "C:\Users\Admin\AppData\Local\Temp\file.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4280
- - C:\Users\Admin\AppData\Local\Temp\hkjgvrfvu.exe
    "C:\Users\Admin\AppData\Local\Temp\hkjgvrfvu.exe" C:\Users\Admin\AppData\Local\Temp\kxzdohgw.ejt
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4800
  - - C:\Users\Admin\AppData\Local\Temp\hkjgvrfvu.exe
      "C:\Users\Admin\AppData\Local\Temp\hkjgvrfvu.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:4740
- C:\Windows\SysWOW64\wlanext.exe
  "C:\Windows\SysWOW64\wlanext.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4276
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\hkjgvrfvu.exe"
    3⤵
    PID:4412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hkjgvrfvu.exe

Filesize
50KB

MD5
50dc5741790c3e0435ed979e2c090e51

SHA1
747dacd5f915ade2da4e85f7ec9c16deee5bd4e0

SHA256
edf66cd0400e292f6d9379e5a6f91ddff2ec215b2d13484ca8f6a740b1085bca

SHA512
05578da5687e2042ba4e96788815cb5a15aa93cfbc6b64d5219419b55daa294f7c2aa649bbcc2ddef8379764ce9b12d79f8ef5a47b7fba428fb289731047a594

Download Submit
C:\Users\Admin\AppData\Local\Temp\hkjgvrfvu.exe

Filesize
50KB

MD5
50dc5741790c3e0435ed979e2c090e51

SHA1
747dacd5f915ade2da4e85f7ec9c16deee5bd4e0

SHA256
edf66cd0400e292f6d9379e5a6f91ddff2ec215b2d13484ca8f6a740b1085bca

SHA512
05578da5687e2042ba4e96788815cb5a15aa93cfbc6b64d5219419b55daa294f7c2aa649bbcc2ddef8379764ce9b12d79f8ef5a47b7fba428fb289731047a594

Download Submit
C:\Users\Admin\AppData\Local\Temp\hkjgvrfvu.exe

Filesize
50KB

MD5
50dc5741790c3e0435ed979e2c090e51

SHA1
747dacd5f915ade2da4e85f7ec9c16deee5bd4e0

SHA256
edf66cd0400e292f6d9379e5a6f91ddff2ec215b2d13484ca8f6a740b1085bca

SHA512
05578da5687e2042ba4e96788815cb5a15aa93cfbc6b64d5219419b55daa294f7c2aa649bbcc2ddef8379764ce9b12d79f8ef5a47b7fba428fb289731047a594

Download Submit
C:\Users\Admin\AppData\Local\Temp\kqjoo.s

Filesize
205KB

MD5
f02480ef16c5d7ecc90620743918ca44

SHA1
875dfc73bcf78252ed11bd267aa1f55c6ebf7dcb

SHA256
6104360084c434555d7c67d6ab609d74811999a184c6f83d26c1d3f999b1b408

SHA512
c025922febdb0a296ff46b9db242f261ae97cf23937b9629bf2b1563fbd4a55fa79d98316ce7b12d54df9efbc8c4a2b70b1b9af822e169e915090a973af9f990

Download Submit
C:\Users\Admin\AppData\Local\Temp\kxzdohgw.ejt

Filesize
5KB

MD5
a3657e3d945ffd46e34d3e0ff7d0d803

SHA1
aaf336d38bb57d3b95c3df6aee985d852aac4326

SHA256
1ce5fa65f2ad21e7ea17d38f66d39d9c4bd6e5e7b728914f89df8f34e6df0bbe

SHA512
46de1f30a203701525e477bd3bd5134db98efd27aa958d4d15c1cab947d4a1bbd584629effd4dbfbaf264d1a7c1bb7b516240030f6ac4b5c7eecc319a14eb951

Download Submit
memory/1108-149-0x0000000007030000-0x0000000007173000-memory.dmp

Filesize
1.3MB

Download
memory/1108-151-0x0000000007030000-0x0000000007173000-memory.dmp

Filesize
1.3MB

Download
memory/1108-142-0x0000000002A70000-0x0000000002BB1000-memory.dmp

Filesize
1.3MB

Download
memory/4276-150-0x0000000000600000-0x000000000062F000-memory.dmp

Filesize
188KB

Download
memory/4276-146-0x0000000000600000-0x000000000062F000-memory.dmp

Filesize
188KB

Download
memory/4276-148-0x0000000000BF0000-0x0000000000C83000-memory.dmp

Filesize
588KB

Download
memory/4276-143-0x0000000000000000-mapping.dmp

Download
memory/4276-144-0x0000000000EB0000-0x00000000011FA000-memory.dmp

Filesize
3.3MB

Download
memory/4276-145-0x00000000009C0000-0x00000000009D7000-memory.dmp

Filesize
92KB

Download
memory/4412-147-0x0000000000000000-mapping.dmp

Download
memory/4740-141-0x00000000009E0000-0x00000000009F4000-memory.dmp

Filesize
80KB

Download
memory/4740-140-0x0000000000A10000-0x0000000000D5A000-memory.dmp

Filesize
3.3MB

Download
memory/4740-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4740-137-0x0000000000000000-mapping.dmp

Download
memory/4800-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads