formbook | cec7134d68d67d6f7ee0d32945f6ee4eafeb58a68c4769867f212ad879480c22

General

Target

file.exe
Size

259KB
MD5

db1d6b6c1108594478f24a4786471f12
SHA1

6d12343a3c3f5b0963b29f627149a50b4e45b863
SHA256

cec7134d68d67d6f7ee0d32945f6ee4eafeb58a68c4769867f212ad879480c22
SHA512

8f6f791b7a468ae338563a864c8cd4aae8c1a691e96ebba10c73c39b855aa3630f060771a04942a37c3016e4f266decbc5db35fec3ec7210acac6f12ed1da0a7
SSDEEP

6144:/Ya6NlOY6ck9QfODA2riUkgkg4j8DLeHrcQBFtz4niOVdNPpm:/YXcqf7tjg5r0zz4iKm

Score

10^/10

formbook w12e rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

w12e

Decoy

poshsalon.co.uk

ideeksha.net

eaglebreaks.com

exileine.me.uk

saveittoday.net

ceon.tech

estateagentswebsitedesign.uk

faropublicidade.com

depression-treatment-83678.com

informationdata16376.com

wirecreations.africa

coolsculpting-pros.life

ethoshabitats.com

amtindividual.com

gotoken.online

cherny-100-imec-msu.ru

historicaarcanum.com

gpsarhealthcare.com

kx1257.com

abdullahbinomar.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3928-139-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2948-145-0x00000000011C0000-0x00000000011EF000-memory.dmp	formbook
behavioral2/memory/2948-150-0x00000000011C0000-0x00000000011EF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

hkjgvrfvu.exehkjgvrfvu.exe

pid process

3920 hkjgvrfvu.exe
3928 hkjgvrfvu.exe

pid	process
3920	hkjgvrfvu.exe
3928	hkjgvrfvu.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

hkjgvrfvu.exehkjgvrfvu.execmd.exe

description	pid	process	target process
PID 3920 set thread context of 3928	3920	hkjgvrfvu.exe	hkjgvrfvu.exe
PID 3928 set thread context of 2440	3928	hkjgvrfvu.exe	Explorer.EXE
PID 2948 set thread context of 2440	2948	cmd.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

hkjgvrfvu.execmd.exe

pid	process
3928	hkjgvrfvu.exe
3928	hkjgvrfvu.exe
3928	hkjgvrfvu.exe
3928	hkjgvrfvu.exe
2948	cmd.exe
2948	cmd.exe
2948	cmd.exe
2948	cmd.exe
2948	cmd.exe
2948	cmd.exe
2948	cmd.exe
2948	cmd.exe
2948	cmd.exe
2948	cmd.exe
2948	cmd.exe
2948	cmd.exe
2948	cmd.exe
2948	cmd.exe
2948	cmd.exe
2948	cmd.exe
2948	cmd.exe
2948	cmd.exe
2948	cmd.exe
2948	cmd.exe
2948	cmd.exe
2948	cmd.exe
2948	cmd.exe
2948	cmd.exe
2948	cmd.exe
2948	cmd.exe
2948	cmd.exe
2948	cmd.exe
2948	cmd.exe
2948	cmd.exe
2948	cmd.exe
2948	cmd.exe
2948	cmd.exe
2948	cmd.exe
2948	cmd.exe
2948	cmd.exe
2948	cmd.exe
2948	cmd.exe
2948	cmd.exe
2948	cmd.exe
2948	cmd.exe
2948	cmd.exe
2948	cmd.exe
2948	cmd.exe
2948	cmd.exe
2948	cmd.exe
2948	cmd.exe
2948	cmd.exe
2948	cmd.exe
2948	cmd.exe
2948	cmd.exe
2948	cmd.exe
2948	cmd.exe
2948	cmd.exe
2948	cmd.exe
2948	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2440 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

hkjgvrfvu.exehkjgvrfvu.execmd.exe

pid process

3920 hkjgvrfvu.exe
3928 hkjgvrfvu.exe
3928 hkjgvrfvu.exe
3928 hkjgvrfvu.exe
2948 cmd.exe
2948 cmd.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

hkjgvrfvu.execmd.exe

description pid process

Token: SeDebugPrivilege 3928 hkjgvrfvu.exe
Token: SeDebugPrivilege 2948 cmd.exe

pid	process
2440	Explorer.EXE

pid	process
3920	hkjgvrfvu.exe
3928	hkjgvrfvu.exe
3928	hkjgvrfvu.exe
3928	hkjgvrfvu.exe
2948	cmd.exe
2948	cmd.exe

description	pid	process
Token: SeDebugPrivilege	3928	hkjgvrfvu.exe
Token: SeDebugPrivilege	2948	cmd.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

file.exehkjgvrfvu.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 3248 wrote to memory of 3920	3248	file.exe	hkjgvrfvu.exe
PID 3248 wrote to memory of 3920	3248	file.exe	hkjgvrfvu.exe
PID 3248 wrote to memory of 3920	3248	file.exe	hkjgvrfvu.exe
PID 3920 wrote to memory of 3928	3920	hkjgvrfvu.exe	hkjgvrfvu.exe
PID 3920 wrote to memory of 3928	3920	hkjgvrfvu.exe	hkjgvrfvu.exe
PID 3920 wrote to memory of 3928	3920	hkjgvrfvu.exe	hkjgvrfvu.exe
PID 3920 wrote to memory of 3928	3920	hkjgvrfvu.exe	hkjgvrfvu.exe
PID 2440 wrote to memory of 2948	2440	Explorer.EXE	cmd.exe
PID 2440 wrote to memory of 2948	2440	Explorer.EXE	cmd.exe
PID 2440 wrote to memory of 2948	2440	Explorer.EXE	cmd.exe
PID 2948 wrote to memory of 4360	2948	cmd.exe	cmd.exe
PID 2948 wrote to memory of 4360	2948	cmd.exe	cmd.exe
PID 2948 wrote to memory of 4360	2948	cmd.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2440

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3248

C:\Users\Admin\AppData\Local\Temp\hkjgvrfvu.exe
"C:\Users\Admin\AppData\Local\Temp\hkjgvrfvu.exe" C:\Users\Admin\AppData\Local\Temp\kxzdohgw.ejt
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3920

C:\Users\Admin\AppData\Local\Temp\hkjgvrfvu.exe
"C:\Users\Admin\AppData\Local\Temp\hkjgvrfvu.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3928

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2948

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\hkjgvrfvu.exe"
3⤵
PID:4360

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hkjgvrfvu.exe
Filesize
50KB

MD5
50dc5741790c3e0435ed979e2c090e51

SHA1
747dacd5f915ade2da4e85f7ec9c16deee5bd4e0

SHA256
edf66cd0400e292f6d9379e5a6f91ddff2ec215b2d13484ca8f6a740b1085bca

SHA512
05578da5687e2042ba4e96788815cb5a15aa93cfbc6b64d5219419b55daa294f7c2aa649bbcc2ddef8379764ce9b12d79f8ef5a47b7fba428fb289731047a594

Download Submit
C:\Users\Admin\AppData\Local\Temp\hkjgvrfvu.exe
Filesize
50KB

MD5
50dc5741790c3e0435ed979e2c090e51

SHA1
747dacd5f915ade2da4e85f7ec9c16deee5bd4e0

SHA256
edf66cd0400e292f6d9379e5a6f91ddff2ec215b2d13484ca8f6a740b1085bca

SHA512
05578da5687e2042ba4e96788815cb5a15aa93cfbc6b64d5219419b55daa294f7c2aa649bbcc2ddef8379764ce9b12d79f8ef5a47b7fba428fb289731047a594

Download Submit
C:\Users\Admin\AppData\Local\Temp\hkjgvrfvu.exe
Filesize
50KB

MD5
50dc5741790c3e0435ed979e2c090e51

SHA1
747dacd5f915ade2da4e85f7ec9c16deee5bd4e0

SHA256
edf66cd0400e292f6d9379e5a6f91ddff2ec215b2d13484ca8f6a740b1085bca

SHA512
05578da5687e2042ba4e96788815cb5a15aa93cfbc6b64d5219419b55daa294f7c2aa649bbcc2ddef8379764ce9b12d79f8ef5a47b7fba428fb289731047a594

Download Submit
C:\Users\Admin\AppData\Local\Temp\kqjoo.s
Filesize
205KB

MD5
f02480ef16c5d7ecc90620743918ca44

SHA1
875dfc73bcf78252ed11bd267aa1f55c6ebf7dcb

SHA256
6104360084c434555d7c67d6ab609d74811999a184c6f83d26c1d3f999b1b408

SHA512
c025922febdb0a296ff46b9db242f261ae97cf23937b9629bf2b1563fbd4a55fa79d98316ce7b12d54df9efbc8c4a2b70b1b9af822e169e915090a973af9f990

Download Submit
C:\Users\Admin\AppData\Local\Temp\kxzdohgw.ejt
Filesize
5KB

MD5
a3657e3d945ffd46e34d3e0ff7d0d803

SHA1
aaf336d38bb57d3b95c3df6aee985d852aac4326

SHA256
1ce5fa65f2ad21e7ea17d38f66d39d9c4bd6e5e7b728914f89df8f34e6df0bbe

SHA512
46de1f30a203701525e477bd3bd5134db98efd27aa958d4d15c1cab947d4a1bbd584629effd4dbfbaf264d1a7c1bb7b516240030f6ac4b5c7eecc319a14eb951

Download Submit
memory/2440-142-0x0000000007D70000-0x0000000007EBD000-memory.dmp

Filesize
1.3MB

Download
memory/2440-151-0x0000000008610000-0x0000000008750000-memory.dmp

Filesize
1.2MB

Download
memory/2440-149-0x0000000008610000-0x0000000008750000-memory.dmp

Filesize
1.2MB

Download
memory/2948-147-0x0000000001A60000-0x0000000001DAA000-memory.dmp

Filesize
3.3MB

Download
memory/2948-143-0x0000000000000000-mapping.dmp

Download
memory/2948-144-0x0000000000B60000-0x0000000000BBA000-memory.dmp

Filesize
360KB

Download
memory/2948-145-0x00000000011C0000-0x00000000011EF000-memory.dmp

Filesize
188KB

Download
memory/2948-148-0x00000000018A0000-0x0000000001933000-memory.dmp

Filesize
588KB

Download
memory/2948-150-0x00000000011C0000-0x00000000011EF000-memory.dmp

Filesize
188KB

Download
memory/3920-132-0x0000000000000000-mapping.dmp

Download
memory/3928-140-0x0000000000B10000-0x0000000000E5A000-memory.dmp

Filesize
3.3MB

Download
memory/3928-141-0x00000000009E0000-0x00000000009F4000-memory.dmp

Filesize
80KB

Download
memory/3928-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3928-137-0x0000000000000000-mapping.dmp

Download
memory/4360-146-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads