formbook | 62f75c04145584721209a0d160d0f6b374e6b9465a759aba8e3f6c89ae67938f

Analysis

max time kernel
137s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
10/02/2023, 08:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

62f75c04145584721209a0d160d0f6b374e6b9465a759aba8e3f6c89ae67938f.exe
Size

306KB
MD5

372a40e50a902c3d708ad7879289f3b1
SHA1

9a9de665d27033ff3846f209b19bd117852eed49
SHA256

62f75c04145584721209a0d160d0f6b374e6b9465a759aba8e3f6c89ae67938f
SHA512

893d3417b704ce328dcb7b62ae81c1bed674f6ec61fd4ff9499d4ecf1c328b5bb24f044d8ec1f6fe61ecfe6ce1862876917095fc61bdf37cd004930a6d4061bd
SSDEEP

6144:rGiubhtTcC3GuulMvV1FhOWGkdLwIhLQZCuxC/rep5TuSpFfN:AnYCjulMvzOYLfQdp5TuSPfN

Score

10^/10

formbook mg0t rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mg0t

Decoy

3949842.com

webxdigital.net

dirums.online

metawiser.com

takefreepass.com

colphata.com

searchwebsafety.online

unrule.net

merch.ventures

tooreake.xyz

leonelaperu.com

qiangcai.xyz

cocco24.com

lovinganime.com

mbfad.com

historytodaygameshow.com

gadgetwellprotected.com

nutritoken-diet.com

liberty-lilies.com

singleofficial.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/4600-134-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Loads dropped DLL 1 IoCs

pid	Process
3052	62f75c04145584721209a0d160d0f6b374e6b9465a759aba8e3f6c89ae67938f.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3052 set thread context of 4600	3052	62f75c04145584721209a0d160d0f6b374e6b9465a759aba8e3f6c89ae67938f.exe	80

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4600	62f75c04145584721209a0d160d0f6b374e6b9465a759aba8e3f6c89ae67938f.exe
4600	62f75c04145584721209a0d160d0f6b374e6b9465a759aba8e3f6c89ae67938f.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 4600	3052	62f75c04145584721209a0d160d0f6b374e6b9465a759aba8e3f6c89ae67938f.exe	80
PID 3052 wrote to memory of 4600	3052	62f75c04145584721209a0d160d0f6b374e6b9465a759aba8e3f6c89ae67938f.exe	80
PID 3052 wrote to memory of 4600	3052	62f75c04145584721209a0d160d0f6b374e6b9465a759aba8e3f6c89ae67938f.exe	80
PID 3052 wrote to memory of 4600	3052	62f75c04145584721209a0d160d0f6b374e6b9465a759aba8e3f6c89ae67938f.exe	80
PID 3052 wrote to memory of 4600	3052	62f75c04145584721209a0d160d0f6b374e6b9465a759aba8e3f6c89ae67938f.exe	80
PID 3052 wrote to memory of 4600	3052	62f75c04145584721209a0d160d0f6b374e6b9465a759aba8e3f6c89ae67938f.exe	80

C:\Users\Admin\AppData\Local\Temp\62f75c04145584721209a0d160d0f6b374e6b9465a759aba8e3f6c89ae67938f.exe
"C:\Users\Admin\AppData\Local\Temp\62f75c04145584721209a0d160d0f6b374e6b9465a759aba8e3f6c89ae67938f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Users\Admin\AppData\Local\Temp\62f75c04145584721209a0d160d0f6b374e6b9465a759aba8e3f6c89ae67938f.exe
  "C:\Users\Admin\AppData\Local\Temp\62f75c04145584721209a0d160d0f6b374e6b9465a759aba8e3f6c89ae67938f.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4600

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsmD3F.tmp\bzcxpqbjpd.dll

Filesize
140KB

MD5
fd5381c9e33552677b53f319918800b1

SHA1
8dc478f678f10150c3b96371e3a5183adb19f2d0

SHA256
8fd984dc2c6f5fa97f5916309f2994bfb8dd2a9284c7c777e05c47ab65615f95

SHA512
c2382e259c777b6e9e862c7ff4fdf41499a2b2a24d44990632ff0cb259ad0700550bb4afc615760884d2017c117753c6d710363f05d51282313645b4b3629a25

Download Submit
memory/3052-135-0x0000000075090000-0x00000000750B9000-memory.dmp

Filesize
164KB

Download
memory/4600-134-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4600-136-0x0000000000AB0000-0x0000000000DFA000-memory.dmp

Filesize
3.3MB

Download