formbook | cec7134d68d67d6f7ee0d32945f6ee4eafeb58a68c4769867f212ad879480c22

General

Target

file.exe
Size

259KB
MD5

db1d6b6c1108594478f24a4786471f12
SHA1

6d12343a3c3f5b0963b29f627149a50b4e45b863
SHA256

cec7134d68d67d6f7ee0d32945f6ee4eafeb58a68c4769867f212ad879480c22
SHA512

8f6f791b7a468ae338563a864c8cd4aae8c1a691e96ebba10c73c39b855aa3630f060771a04942a37c3016e4f266decbc5db35fec3ec7210acac6f12ed1da0a7
SSDEEP

6144:/Ya6NlOY6ck9QfODA2riUkgkg4j8DLeHrcQBFtz4niOVdNPpm:/YXcqf7tjg5r0zz4iKm

Score

10^/10

formbook w12e rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

w12e

Decoy

poshsalon.co.uk

ideeksha.net

eaglebreaks.com

exileine.me.uk

saveittoday.net

ceon.tech

estateagentswebsitedesign.uk

faropublicidade.com

depression-treatment-83678.com

informationdata16376.com

wirecreations.africa

coolsculpting-pros.life

ethoshabitats.com

amtindividual.com

gotoken.online

cherny-100-imec-msu.ru

historicaarcanum.com

gpsarhealthcare.com

kx1257.com

abdullahbinomar.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1292-64-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1292-71-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1728-74-0x00000000000E0000-0x000000000010F000-memory.dmp	formbook
behavioral1/memory/1728-78-0x00000000000E0000-0x000000000010F000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

hkjgvrfvu.exehkjgvrfvu.exe

pid process

928 hkjgvrfvu.exe
1292 hkjgvrfvu.exe
Loads dropped DLL 2 IoCs

Processes:

file.exehkjgvrfvu.exe

pid process

1320 file.exe
928 hkjgvrfvu.exe

pid	process
928	hkjgvrfvu.exe
1292	hkjgvrfvu.exe

pid	process
1320	file.exe
928	hkjgvrfvu.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

hkjgvrfvu.exehkjgvrfvu.execmmon32.exe

description	pid	process	target process
PID 928 set thread context of 1292	928	hkjgvrfvu.exe	hkjgvrfvu.exe
PID 1292 set thread context of 1208	1292	hkjgvrfvu.exe	Explorer.EXE
PID 1292 set thread context of 1208	1292	hkjgvrfvu.exe	Explorer.EXE
PID 1728 set thread context of 1208	1728	cmmon32.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

hkjgvrfvu.execmmon32.exe

pid	process
1292	hkjgvrfvu.exe
1292	hkjgvrfvu.exe
1292	hkjgvrfvu.exe
1728	cmmon32.exe
1728	cmmon32.exe
1728	cmmon32.exe
1728	cmmon32.exe
1728	cmmon32.exe
1728	cmmon32.exe
1728	cmmon32.exe
1728	cmmon32.exe
1728	cmmon32.exe
1728	cmmon32.exe
1728	cmmon32.exe
1728	cmmon32.exe
1728	cmmon32.exe
1728	cmmon32.exe
1728	cmmon32.exe
1728	cmmon32.exe
1728	cmmon32.exe
1728	cmmon32.exe
1728	cmmon32.exe
1728	cmmon32.exe
1728	cmmon32.exe
1728	cmmon32.exe
1728	cmmon32.exe
1728	cmmon32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1208 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

hkjgvrfvu.exehkjgvrfvu.execmmon32.exe

pid process

928 hkjgvrfvu.exe
1292 hkjgvrfvu.exe
1292 hkjgvrfvu.exe
1292 hkjgvrfvu.exe
1292 hkjgvrfvu.exe
1728 cmmon32.exe
1728 cmmon32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

hkjgvrfvu.execmmon32.exe

description pid process

Token: SeDebugPrivilege 1292 hkjgvrfvu.exe
Token: SeDebugPrivilege 1728 cmmon32.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1208 Explorer.EXE
1208 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1208 Explorer.EXE
1208 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

1208 Explorer.EXE

pid	process
1208	Explorer.EXE

pid	process
928	hkjgvrfvu.exe
1292	hkjgvrfvu.exe
1292	hkjgvrfvu.exe
1292	hkjgvrfvu.exe
1292	hkjgvrfvu.exe
1728	cmmon32.exe
1728	cmmon32.exe

description	pid	process
Token: SeDebugPrivilege	1292	hkjgvrfvu.exe
Token: SeDebugPrivilege	1728	cmmon32.exe

pid	process
1208	Explorer.EXE
1208	Explorer.EXE

pid	process
1208	Explorer.EXE
1208	Explorer.EXE

pid	process
1208	Explorer.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

file.exehkjgvrfvu.exeExplorer.EXEcmmon32.exe

description	pid	process	target process
PID 1320 wrote to memory of 928	1320	file.exe	hkjgvrfvu.exe
PID 1320 wrote to memory of 928	1320	file.exe	hkjgvrfvu.exe
PID 1320 wrote to memory of 928	1320	file.exe	hkjgvrfvu.exe
PID 1320 wrote to memory of 928	1320	file.exe	hkjgvrfvu.exe
PID 928 wrote to memory of 1292	928	hkjgvrfvu.exe	hkjgvrfvu.exe
PID 928 wrote to memory of 1292	928	hkjgvrfvu.exe	hkjgvrfvu.exe
PID 928 wrote to memory of 1292	928	hkjgvrfvu.exe	hkjgvrfvu.exe
PID 928 wrote to memory of 1292	928	hkjgvrfvu.exe	hkjgvrfvu.exe
PID 928 wrote to memory of 1292	928	hkjgvrfvu.exe	hkjgvrfvu.exe
PID 1208 wrote to memory of 1728	1208	Explorer.EXE	cmmon32.exe
PID 1208 wrote to memory of 1728	1208	Explorer.EXE	cmmon32.exe
PID 1208 wrote to memory of 1728	1208	Explorer.EXE	cmmon32.exe
PID 1208 wrote to memory of 1728	1208	Explorer.EXE	cmmon32.exe
PID 1728 wrote to memory of 1740	1728	cmmon32.exe	cmd.exe
PID 1728 wrote to memory of 1740	1728	cmmon32.exe	cmd.exe
PID 1728 wrote to memory of 1740	1728	cmmon32.exe	cmd.exe
PID 1728 wrote to memory of 1740	1728	cmmon32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1208

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1320

C:\Users\Admin\AppData\Local\Temp\hkjgvrfvu.exe
"C:\Users\Admin\AppData\Local\Temp\hkjgvrfvu.exe" C:\Users\Admin\AppData\Local\Temp\kxzdohgw.ejt
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:928

C:\Users\Admin\AppData\Local\Temp\hkjgvrfvu.exe
"C:\Users\Admin\AppData\Local\Temp\hkjgvrfvu.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1292

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\hkjgvrfvu.exe"
3⤵
PID:1740

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hkjgvrfvu.exe
Filesize
50KB

MD5
50dc5741790c3e0435ed979e2c090e51

SHA1
747dacd5f915ade2da4e85f7ec9c16deee5bd4e0

SHA256
edf66cd0400e292f6d9379e5a6f91ddff2ec215b2d13484ca8f6a740b1085bca

SHA512
05578da5687e2042ba4e96788815cb5a15aa93cfbc6b64d5219419b55daa294f7c2aa649bbcc2ddef8379764ce9b12d79f8ef5a47b7fba428fb289731047a594

Download Submit
C:\Users\Admin\AppData\Local\Temp\hkjgvrfvu.exe
Filesize
50KB

MD5
50dc5741790c3e0435ed979e2c090e51

SHA1
747dacd5f915ade2da4e85f7ec9c16deee5bd4e0

SHA256
edf66cd0400e292f6d9379e5a6f91ddff2ec215b2d13484ca8f6a740b1085bca

SHA512
05578da5687e2042ba4e96788815cb5a15aa93cfbc6b64d5219419b55daa294f7c2aa649bbcc2ddef8379764ce9b12d79f8ef5a47b7fba428fb289731047a594

Download Submit
C:\Users\Admin\AppData\Local\Temp\hkjgvrfvu.exe
Filesize
50KB

MD5
50dc5741790c3e0435ed979e2c090e51

SHA1
747dacd5f915ade2da4e85f7ec9c16deee5bd4e0

SHA256
edf66cd0400e292f6d9379e5a6f91ddff2ec215b2d13484ca8f6a740b1085bca

SHA512
05578da5687e2042ba4e96788815cb5a15aa93cfbc6b64d5219419b55daa294f7c2aa649bbcc2ddef8379764ce9b12d79f8ef5a47b7fba428fb289731047a594

Download Submit
C:\Users\Admin\AppData\Local\Temp\kqjoo.s
Filesize
205KB

MD5
f02480ef16c5d7ecc90620743918ca44

SHA1
875dfc73bcf78252ed11bd267aa1f55c6ebf7dcb

SHA256
6104360084c434555d7c67d6ab609d74811999a184c6f83d26c1d3f999b1b408

SHA512
c025922febdb0a296ff46b9db242f261ae97cf23937b9629bf2b1563fbd4a55fa79d98316ce7b12d54df9efbc8c4a2b70b1b9af822e169e915090a973af9f990

Download Submit
C:\Users\Admin\AppData\Local\Temp\kxzdohgw.ejt
Filesize
5KB

MD5
a3657e3d945ffd46e34d3e0ff7d0d803

SHA1
aaf336d38bb57d3b95c3df6aee985d852aac4326

SHA256
1ce5fa65f2ad21e7ea17d38f66d39d9c4bd6e5e7b728914f89df8f34e6df0bbe

SHA512
46de1f30a203701525e477bd3bd5134db98efd27aa958d4d15c1cab947d4a1bbd584629effd4dbfbaf264d1a7c1bb7b516240030f6ac4b5c7eecc319a14eb951

Download Submit
\Users\Admin\AppData\Local\Temp\hkjgvrfvu.exe
Filesize
50KB

MD5
50dc5741790c3e0435ed979e2c090e51

SHA1
747dacd5f915ade2da4e85f7ec9c16deee5bd4e0

SHA256
edf66cd0400e292f6d9379e5a6f91ddff2ec215b2d13484ca8f6a740b1085bca

SHA512
05578da5687e2042ba4e96788815cb5a15aa93cfbc6b64d5219419b55daa294f7c2aa649bbcc2ddef8379764ce9b12d79f8ef5a47b7fba428fb289731047a594

Download Submit
\Users\Admin\AppData\Local\Temp\hkjgvrfvu.exe
Filesize
50KB

MD5
50dc5741790c3e0435ed979e2c090e51

SHA1
747dacd5f915ade2da4e85f7ec9c16deee5bd4e0

SHA256
edf66cd0400e292f6d9379e5a6f91ddff2ec215b2d13484ca8f6a740b1085bca

SHA512
05578da5687e2042ba4e96788815cb5a15aa93cfbc6b64d5219419b55daa294f7c2aa649bbcc2ddef8379764ce9b12d79f8ef5a47b7fba428fb289731047a594

Download Submit
memory/928-56-0x0000000000000000-mapping.dmp

Download
memory/1208-69-0x0000000004D00000-0x0000000004E32000-memory.dmp

Filesize
1.2MB

Download
memory/1208-81-0x0000000004E40000-0x0000000004FC5000-memory.dmp

Filesize
1.5MB

Download
memory/1208-80-0x000007FEDDD00000-0x000007FEDDD0A000-memory.dmp

Filesize
40KB

Download
memory/1208-79-0x000007FEF6850000-0x000007FEF6993000-memory.dmp

Filesize
1.3MB

Download
memory/1208-77-0x0000000004E40000-0x0000000004FC5000-memory.dmp

Filesize
1.5MB

Download
memory/1208-67-0x0000000004AB0000-0x0000000004BE7000-memory.dmp

Filesize
1.2MB

Download
memory/1292-68-0x00000000004C0000-0x00000000004D4000-memory.dmp

Filesize
80KB

Download
memory/1292-66-0x0000000000480000-0x0000000000494000-memory.dmp

Filesize
80KB

Download
memory/1292-62-0x000000000041F130-mapping.dmp

Download
memory/1292-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1292-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1292-65-0x00000000008B0000-0x0000000000BB3000-memory.dmp

Filesize
3.0MB

Download
memory/1320-54-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/1728-78-0x00000000000E0000-0x000000000010F000-memory.dmp

Filesize
188KB

Download
memory/1728-75-0x00000000020C0000-0x00000000023C3000-memory.dmp

Filesize
3.0MB

Download
memory/1728-76-0x0000000000830000-0x00000000008C3000-memory.dmp

Filesize
588KB

Download
memory/1728-73-0x0000000000CB0000-0x0000000000CBD000-memory.dmp

Filesize
52KB

Download
memory/1728-74-0x00000000000E0000-0x000000000010F000-memory.dmp

Filesize
188KB

Download
memory/1728-70-0x0000000000000000-mapping.dmp

Download
memory/1740-72-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads