formbook | 2e919dbaca46898116a0aa387553a54f4711aea584ea9931e6ea49d89e8986b8

General

Target

file.exe
Size

271KB
MD5

e3a576fda3253b1f5e57734e1d1d30ec
SHA1

4da98990e681a5c9ea026960ca0150582088173d
SHA256

2e919dbaca46898116a0aa387553a54f4711aea584ea9931e6ea49d89e8986b8
SHA512

46a9280eff90efecb485ff491d43ae4ee62ac2e0ca2a0364b4749c1a4bf60bd49ed7d4dd2c1b9a9aa25e448776e5d172591b5df333c3965af7147631123ce64b
SSDEEP

6144:/Ya6x5gt3OupNIRztp3FXl50iIj74HtMJh9plSNqw7mPONATWEsbSDYv:/YDSt3OX95l5uj8NMJZlSz7mPOO4SDE

Score

10^/10

formbook w12e rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

w12e

Decoy

poshsalon.co.uk

ideeksha.net

eaglebreaks.com

exileine.me.uk

saveittoday.net

ceon.tech

estateagentswebsitedesign.uk

faropublicidade.com

depression-treatment-83678.com

informationdata16376.com

wirecreations.africa

coolsculpting-pros.life

ethoshabitats.com

amtindividual.com

gotoken.online

cherny-100-imec-msu.ru

historicaarcanum.com

gpsarhealthcare.com

kx1257.com

abdullahbinomar.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/912-66-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/940-73-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/940-77-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Blocklisted process makes network request 1 IoCs

Processes:

cmd.exe

flow pid process

13 940 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

uytjxhzdd.exeuytjxhzdd.exe

pid process

1452 uytjxhzdd.exe
912 uytjxhzdd.exe
Loads dropped DLL 3 IoCs

Processes:

file.exeuytjxhzdd.exe

pid process

1292 file.exe
1292 file.exe
1452 uytjxhzdd.exe

flow	pid	process
13	940	cmd.exe

pid	process
1452	uytjxhzdd.exe
912	uytjxhzdd.exe

pid	process
1292	file.exe
1292	file.exe
1452	uytjxhzdd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

uytjxhzdd.exeuytjxhzdd.execmd.exe

description	pid	process	target process
PID 1452 set thread context of 912	1452	uytjxhzdd.exe	uytjxhzdd.exe
PID 912 set thread context of 1248	912	uytjxhzdd.exe	Explorer.EXE
PID 940 set thread context of 1248	940	cmd.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

uytjxhzdd.execmd.exe

pid	process
912	uytjxhzdd.exe
912	uytjxhzdd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe
940	cmd.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

uytjxhzdd.exeuytjxhzdd.execmd.exe

pid process

1452 uytjxhzdd.exe
912 uytjxhzdd.exe
912 uytjxhzdd.exe
912 uytjxhzdd.exe
940 cmd.exe
940 cmd.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

uytjxhzdd.execmd.exe

description pid process

Token: SeDebugPrivilege 912 uytjxhzdd.exe
Token: SeDebugPrivilege 940 cmd.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1248 Explorer.EXE
1248 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1248 Explorer.EXE
1248 Explorer.EXE

pid	process
1452	uytjxhzdd.exe
912	uytjxhzdd.exe
912	uytjxhzdd.exe
912	uytjxhzdd.exe
940	cmd.exe
940	cmd.exe

description	pid	process
Token: SeDebugPrivilege	912	uytjxhzdd.exe
Token: SeDebugPrivilege	940	cmd.exe

pid	process
1248	Explorer.EXE
1248	Explorer.EXE

pid	process
1248	Explorer.EXE
1248	Explorer.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

file.exeuytjxhzdd.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1292 wrote to memory of 1452	1292	file.exe	uytjxhzdd.exe
PID 1292 wrote to memory of 1452	1292	file.exe	uytjxhzdd.exe
PID 1292 wrote to memory of 1452	1292	file.exe	uytjxhzdd.exe
PID 1292 wrote to memory of 1452	1292	file.exe	uytjxhzdd.exe
PID 1452 wrote to memory of 912	1452	uytjxhzdd.exe	uytjxhzdd.exe
PID 1452 wrote to memory of 912	1452	uytjxhzdd.exe	uytjxhzdd.exe
PID 1452 wrote to memory of 912	1452	uytjxhzdd.exe	uytjxhzdd.exe
PID 1452 wrote to memory of 912	1452	uytjxhzdd.exe	uytjxhzdd.exe
PID 1452 wrote to memory of 912	1452	uytjxhzdd.exe	uytjxhzdd.exe
PID 1248 wrote to memory of 940	1248	Explorer.EXE	cmd.exe
PID 1248 wrote to memory of 940	1248	Explorer.EXE	cmd.exe
PID 1248 wrote to memory of 940	1248	Explorer.EXE	cmd.exe
PID 1248 wrote to memory of 940	1248	Explorer.EXE	cmd.exe
PID 940 wrote to memory of 1704	940	cmd.exe	cmd.exe
PID 940 wrote to memory of 1704	940	cmd.exe	cmd.exe
PID 940 wrote to memory of 1704	940	cmd.exe	cmd.exe
PID 940 wrote to memory of 1704	940	cmd.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1248

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1292

C:\Users\Admin\AppData\Local\Temp\uytjxhzdd.exe
"C:\Users\Admin\AppData\Local\Temp\uytjxhzdd.exe" C:\Users\Admin\AppData\Local\Temp\cjfqwq.l
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1452

C:\Users\Admin\AppData\Local\Temp\uytjxhzdd.exe
"C:\Users\Admin\AppData\Local\Temp\uytjxhzdd.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:912

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:940

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\uytjxhzdd.exe"
3⤵
PID:1704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cjfqwq.l
Filesize
5KB

MD5
880b21b90e22befd4df0d80aba7ff644

SHA1
ebc3d261dc7b28d440786da3a1713f2e10beba5e

SHA256
5ef221dc3ae4d47c1f069885b8e6ffce7531bfa772a6d67d23f92da1afa142c6

SHA512
13005bfa2abe5fe93d7400b806dcf6521b47ea3e93c88f356cc00a249b3fad68ec75541a9f565c5b0652c6f62dcce0bc3c85f4a3e80295775411a211b7ad8b78

Download Submit
C:\Users\Admin\AppData\Local\Temp\uytjxhzdd.exe
Filesize
75KB

MD5
7ba3704321ad41d32538052ff873a680

SHA1
c32751f91d47369c68a0d2c974b03a21c1d10f05

SHA256
6b61580c129877c0ea92647800d963854e3289557220136c23ddb3924619b9a3

SHA512
ecec4b75f28d0461dcd13cacc6bead72b1e500edfb4ce95bab66a3db15e2427f9a11762db1828836f5368ce12459ce40f8232b140bebdec7a6053427e484b703

Download Submit
C:\Users\Admin\AppData\Local\Temp\uytjxhzdd.exe
Filesize
75KB

MD5
7ba3704321ad41d32538052ff873a680

SHA1
c32751f91d47369c68a0d2c974b03a21c1d10f05

SHA256
6b61580c129877c0ea92647800d963854e3289557220136c23ddb3924619b9a3

SHA512
ecec4b75f28d0461dcd13cacc6bead72b1e500edfb4ce95bab66a3db15e2427f9a11762db1828836f5368ce12459ce40f8232b140bebdec7a6053427e484b703

Download Submit
C:\Users\Admin\AppData\Local\Temp\uytjxhzdd.exe
Filesize
75KB

MD5
7ba3704321ad41d32538052ff873a680

SHA1
c32751f91d47369c68a0d2c974b03a21c1d10f05

SHA256
6b61580c129877c0ea92647800d963854e3289557220136c23ddb3924619b9a3

SHA512
ecec4b75f28d0461dcd13cacc6bead72b1e500edfb4ce95bab66a3db15e2427f9a11762db1828836f5368ce12459ce40f8232b140bebdec7a6053427e484b703

Download Submit
C:\Users\Admin\AppData\Local\Temp\wndad.e
Filesize
205KB

MD5
aa76268a5e3f86543d2713c18055d0b0

SHA1
5034b6a8301d6733d5f96697a894119ec3b241e0

SHA256
35d310bc108289db31f597e661ed8c7ed1c6acde491c013cbc386ab9088ded2f

SHA512
e879fd4bba33faa3c638f0b510551acc397a2ae3a5ad41c59abc3e03840f9603bc80996c885ea34bb367088a2da098d79f4e9bc84ab71de78479689d8bc9da53

Download Submit
\Users\Admin\AppData\Local\Temp\uytjxhzdd.exe
Filesize
75KB

MD5
7ba3704321ad41d32538052ff873a680

SHA1
c32751f91d47369c68a0d2c974b03a21c1d10f05

SHA256
6b61580c129877c0ea92647800d963854e3289557220136c23ddb3924619b9a3

SHA512
ecec4b75f28d0461dcd13cacc6bead72b1e500edfb4ce95bab66a3db15e2427f9a11762db1828836f5368ce12459ce40f8232b140bebdec7a6053427e484b703

Download Submit
\Users\Admin\AppData\Local\Temp\uytjxhzdd.exe
Filesize
75KB

MD5
7ba3704321ad41d32538052ff873a680

SHA1
c32751f91d47369c68a0d2c974b03a21c1d10f05

SHA256
6b61580c129877c0ea92647800d963854e3289557220136c23ddb3924619b9a3

SHA512
ecec4b75f28d0461dcd13cacc6bead72b1e500edfb4ce95bab66a3db15e2427f9a11762db1828836f5368ce12459ce40f8232b140bebdec7a6053427e484b703

Download Submit
\Users\Admin\AppData\Local\Temp\uytjxhzdd.exe
Filesize
75KB

MD5
7ba3704321ad41d32538052ff873a680

SHA1
c32751f91d47369c68a0d2c974b03a21c1d10f05

SHA256
6b61580c129877c0ea92647800d963854e3289557220136c23ddb3924619b9a3

SHA512
ecec4b75f28d0461dcd13cacc6bead72b1e500edfb4ce95bab66a3db15e2427f9a11762db1828836f5368ce12459ce40f8232b140bebdec7a6053427e484b703

Download Submit
memory/912-67-0x0000000000770000-0x0000000000A73000-memory.dmp

Filesize
3.0MB

Download
memory/912-68-0x00000000003D0000-0x00000000003E4000-memory.dmp

Filesize
80KB

Download
memory/912-64-0x000000000041F130-mapping.dmp

Download
memory/912-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/940-73-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/940-70-0x0000000000000000-mapping.dmp

Download
memory/940-72-0x000000004A3D0000-0x000000004A41C000-memory.dmp

Filesize
304KB

Download
memory/940-74-0x0000000001EF0000-0x00000000021F3000-memory.dmp

Filesize
3.0MB

Download
memory/940-75-0x0000000001E20000-0x0000000001EB3000-memory.dmp

Filesize
588KB

Download
memory/940-77-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1248-69-0x0000000002A70000-0x0000000002B40000-memory.dmp

Filesize
832KB

Download
memory/1248-76-0x00000000071E0000-0x000000000735E000-memory.dmp

Filesize
1.5MB

Download
memory/1248-78-0x00000000071E0000-0x000000000735E000-memory.dmp

Filesize
1.5MB

Download
memory/1292-54-0x0000000075E81000-0x0000000075E83000-memory.dmp

Filesize
8KB

Download
memory/1452-57-0x0000000000000000-mapping.dmp

Download
memory/1704-71-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads