formbook | 3d269d34d687979b0d73960f880ef5eaf5cd4bf4b90129ce5d6c0c5f8ec58995

General

Target

file.exe
Size

296KB
MD5

1d920aa56457a163c9ede013081ae820
SHA1

9e9ed8cf1341aaba3c6e32609a3780dff407a2ce
SHA256

3d269d34d687979b0d73960f880ef5eaf5cd4bf4b90129ce5d6c0c5f8ec58995
SHA512

f2e25d3656575e418a89642d4828ae15f04bb74e310c562cd3190bebf7dcf5b4104a4b81b20ba1825d4a3097234dafb1c1276c2cbee5ed00da69e4feaab8cbc2
SSDEEP

6144:/Ya60IJrcLmPyG1twMNr1GX1Iius7CCeEhMNUPLegtfSdtyQ:/YaIeOyG/slB7CCPQULid0Q

Score

10^/10

formbook re29 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

re29

Decoy

barnstorm-music.com

gazzettadellapuglia.com

baratieistore.space

cdrjdkj.com

carlissablog.com

langlalang.com

2886365.com

aq993.cyou

jwjwjwjw.com

car-deals-80304.com

dikevolesas.info

buycialistablets.online

theplantgranny.net

detoxshopbr.store

imans.biz

fightingcock.co.uk

loveforfurbabies.com

eastcoastbeveragegroup.com

alaaeldinsoft.com

microshel.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/944-66-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/944-72-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/472-76-0x00000000000C0000-0x00000000000EF000-memory.dmp	formbook
behavioral1/memory/472-80-0x00000000000C0000-0x00000000000EF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

pid	Process
1372	hpsfqj.exe
944	hpsfqj.exe

Loads dropped DLL 3 IoCs

pid	Process
1260	file.exe
1260	file.exe
1372	hpsfqj.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1372 set thread context of 944	1372	hpsfqj.exe	27
PID 944 set thread context of 1240	944	hpsfqj.exe	14
PID 472 set thread context of 1240	472	explorer.exe	14

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
944	hpsfqj.exe
944	hpsfqj.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1240	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
1372	hpsfqj.exe
944	hpsfqj.exe
944	hpsfqj.exe
944	hpsfqj.exe
472	explorer.exe
472	explorer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	944	hpsfqj.exe
Token: SeDebugPrivilege	472	explorer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1240	Explorer.EXE
1240	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1240	Explorer.EXE
1240	Explorer.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 1372	1260	file.exe	26
PID 1260 wrote to memory of 1372	1260	file.exe	26
PID 1260 wrote to memory of 1372	1260	file.exe	26
PID 1260 wrote to memory of 1372	1260	file.exe	26
PID 1372 wrote to memory of 944	1372	hpsfqj.exe	27
PID 1372 wrote to memory of 944	1372	hpsfqj.exe	27
PID 1372 wrote to memory of 944	1372	hpsfqj.exe	27
PID 1372 wrote to memory of 944	1372	hpsfqj.exe	27
PID 1372 wrote to memory of 944	1372	hpsfqj.exe	27
PID 1240 wrote to memory of 472	1240	Explorer.EXE	28
PID 1240 wrote to memory of 472	1240	Explorer.EXE	28
PID 1240 wrote to memory of 472	1240	Explorer.EXE	28
PID 1240 wrote to memory of 472	1240	Explorer.EXE	28
PID 472 wrote to memory of 1708	472	explorer.exe	29
PID 472 wrote to memory of 1708	472	explorer.exe	29
PID 472 wrote to memory of 1708	472	explorer.exe	29
PID 472 wrote to memory of 1708	472	explorer.exe	29

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Users\Admin\AppData\Local\Temp\file.exe
  "C:\Users\Admin\AppData\Local\Temp\file.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1260
- - C:\Users\Admin\AppData\Local\Temp\hpsfqj.exe
    "C:\Users\Admin\AppData\Local\Temp\hpsfqj.exe" C:\Users\Admin\AppData\Local\Temp\sfbna.k
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1372
  - - C:\Users\Admin\AppData\Local\Temp\hpsfqj.exe
      "C:\Users\Admin\AppData\Local\Temp\hpsfqj.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:944
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\SysWOW64\explorer.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:472
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\hpsfqj.exe"
    3⤵
    PID:1708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\eonfwp.i

Filesize
205KB

MD5
01dd5c4fca252266ee57fb2965293047

SHA1
59ce6810eccb161987d47c7c4dbef9e7b8f66550

SHA256
e504b465c746ac3e2cfb89997a240640661793eb17ead6ee5be0dbc6d46f73ea

SHA512
66c64db05b60c4a3540d0638beedb93cc9e6e3a6386ad01589db69d1ee466b75190112ee9b66c02f11e7e72cbf93e4b7fd645c3a919578e8f2b8e63ff169837d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpsfqj.exe

Filesize
122KB

MD5
05741cfa93356c5bc4ec6a0b18545d7e

SHA1
cffbb8e7e0cd9befc4116e02dade7df8e3a4e7ca

SHA256
4f08cfdc5d7e3d002a4803ad731780cf114f1a91a56962d249be780076aa41a0

SHA512
30d85216fe8c611599254535b4a1d9aacab98f12f844a38226dd419218ea355854ae1858d620ac5d009bdf8aa7ed3979c0a797c194ebeac98a7e1914f12552c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpsfqj.exe

Filesize
122KB

MD5
05741cfa93356c5bc4ec6a0b18545d7e

SHA1
cffbb8e7e0cd9befc4116e02dade7df8e3a4e7ca

SHA256
4f08cfdc5d7e3d002a4803ad731780cf114f1a91a56962d249be780076aa41a0

SHA512
30d85216fe8c611599254535b4a1d9aacab98f12f844a38226dd419218ea355854ae1858d620ac5d009bdf8aa7ed3979c0a797c194ebeac98a7e1914f12552c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpsfqj.exe

Filesize
122KB

MD5
05741cfa93356c5bc4ec6a0b18545d7e

SHA1
cffbb8e7e0cd9befc4116e02dade7df8e3a4e7ca

SHA256
4f08cfdc5d7e3d002a4803ad731780cf114f1a91a56962d249be780076aa41a0

SHA512
30d85216fe8c611599254535b4a1d9aacab98f12f844a38226dd419218ea355854ae1858d620ac5d009bdf8aa7ed3979c0a797c194ebeac98a7e1914f12552c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\sfbna.k

Filesize
5KB

MD5
ecd2f82ab8efe8913525e7cedb988c68

SHA1
0b1454a38fbe985bb6d45504b9c16f423abc7d74

SHA256
729aa075fa7bd0cc5cce972490f1a6cbc301151d5279b7f152a9eeea0bb44950

SHA512
43ec8a95030781c289c6649247bee837dc9558451a7a2b5e8d5034e7ab9f93a8b4db8fffcc7873d8c5451d7bf87b27c881040ff7d6f269f8011f6919eb551466

Download Submit
\Users\Admin\AppData\Local\Temp\hpsfqj.exe

Filesize
122KB

MD5
05741cfa93356c5bc4ec6a0b18545d7e

SHA1
cffbb8e7e0cd9befc4116e02dade7df8e3a4e7ca

SHA256
4f08cfdc5d7e3d002a4803ad731780cf114f1a91a56962d249be780076aa41a0

SHA512
30d85216fe8c611599254535b4a1d9aacab98f12f844a38226dd419218ea355854ae1858d620ac5d009bdf8aa7ed3979c0a797c194ebeac98a7e1914f12552c3

Download Submit
\Users\Admin\AppData\Local\Temp\hpsfqj.exe

Filesize
122KB

MD5
05741cfa93356c5bc4ec6a0b18545d7e

SHA1
cffbb8e7e0cd9befc4116e02dade7df8e3a4e7ca

SHA256
4f08cfdc5d7e3d002a4803ad731780cf114f1a91a56962d249be780076aa41a0

SHA512
30d85216fe8c611599254535b4a1d9aacab98f12f844a38226dd419218ea355854ae1858d620ac5d009bdf8aa7ed3979c0a797c194ebeac98a7e1914f12552c3

Download Submit
\Users\Admin\AppData\Local\Temp\hpsfqj.exe

Filesize
122KB

MD5
05741cfa93356c5bc4ec6a0b18545d7e

SHA1
cffbb8e7e0cd9befc4116e02dade7df8e3a4e7ca

SHA256
4f08cfdc5d7e3d002a4803ad731780cf114f1a91a56962d249be780076aa41a0

SHA512
30d85216fe8c611599254535b4a1d9aacab98f12f844a38226dd419218ea355854ae1858d620ac5d009bdf8aa7ed3979c0a797c194ebeac98a7e1914f12552c3

Download Submit
memory/472-80-0x00000000000C0000-0x00000000000EF000-memory.dmp

Filesize
188KB

Download
memory/472-78-0x0000000000960000-0x00000000009F3000-memory.dmp

Filesize
588KB

Download
memory/472-77-0x0000000002370000-0x0000000002673000-memory.dmp

Filesize
3.0MB

Download
memory/472-76-0x00000000000C0000-0x00000000000EF000-memory.dmp

Filesize
188KB

Download
memory/472-75-0x0000000000CE0000-0x0000000000F61000-memory.dmp

Filesize
2.5MB

Download
memory/472-73-0x0000000074D31000-0x0000000074D33000-memory.dmp

Filesize
8KB

Download
memory/944-67-0x0000000000930000-0x0000000000C33000-memory.dmp

Filesize
3.0MB

Download
memory/944-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/944-68-0x0000000000130000-0x0000000000144000-memory.dmp

Filesize
80KB

Download
memory/944-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1240-69-0x0000000006440000-0x00000000065D0000-memory.dmp

Filesize
1.6MB

Download
memory/1240-79-0x0000000006970000-0x0000000006A2E000-memory.dmp

Filesize
760KB

Download
memory/1240-81-0x0000000006970000-0x0000000006A2E000-memory.dmp

Filesize
760KB

Download
memory/1260-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing