formbook | 1a82b5f2c6d3897569544939dfae30457d05924c8811f009d0cd1540319ea90c

General

Target

a44404aac23672009dc1d835f223d35b.exe
Size

293KB
MD5

a44404aac23672009dc1d835f223d35b
SHA1

31aee1e8489ef5b6033f24050ff309941f8f38b0
SHA256

1a82b5f2c6d3897569544939dfae30457d05924c8811f009d0cd1540319ea90c
SHA512

2a70e223ca53759418bb42caa5d90dee2629f18815035f4cb92296eddac284f8a4074cfc9efada30ab9c27305e14249d5cb3731ec18fc41fc87695a6ef04357b
SSDEEP

6144:0Ya6qfeaNVq78yPmAR6PAqqQ1hPP23xulTtZ3X3fCA:0YMmaS78yP3g4qxYeZ3XvCA

Score

10^/10

formbook nes8 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

nes8

Decoy

simantsfamily.com

ninobrowndelivery.net

y94x.info

huibi01.vip

davidspanu.com

swegon.tech

moapulsa.com

coveredseguros.com

owltoon.site

loyalguardianop.com

banca-particulares.icu

innovativanimal.com

girlschools.top

smartbed-gb-tok.life

vhail.store

bluffdalecitizens.info

asmcpn.us

wordybag.online

smmfsa.com

jinglunqhd.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/572-66-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1660-74-0x0000000000090000-0x00000000000BF000-memory.dmp	formbook
behavioral1/memory/1660-78-0x0000000000090000-0x00000000000BF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

pid	Process
940	yoznhk.exe
572	yoznhk.exe

Loads dropped DLL 3 IoCs

pid	Process
1368	a44404aac23672009dc1d835f223d35b.exe
1368	a44404aac23672009dc1d835f223d35b.exe
940	yoznhk.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 940 set thread context of 572	940	yoznhk.exe	28
PID 572 set thread context of 1232	572	yoznhk.exe	15
PID 1660 set thread context of 1232	1660	cmstp.exe	15

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
572	yoznhk.exe
572	yoznhk.exe
1660	cmstp.exe
1660	cmstp.exe
1660	cmstp.exe
1660	cmstp.exe
1660	cmstp.exe
1660	cmstp.exe
1660	cmstp.exe
1660	cmstp.exe
1660	cmstp.exe
1660	cmstp.exe
1660	cmstp.exe
1660	cmstp.exe
1660	cmstp.exe
1660	cmstp.exe
1660	cmstp.exe
1660	cmstp.exe
1660	cmstp.exe
1660	cmstp.exe
1660	cmstp.exe
1660	cmstp.exe
1660	cmstp.exe
1660	cmstp.exe
1660	cmstp.exe
1660	cmstp.exe
1660	cmstp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1232	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
940	yoznhk.exe
572	yoznhk.exe
572	yoznhk.exe
572	yoznhk.exe
1660	cmstp.exe
1660	cmstp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	572	yoznhk.exe
Token: SeDebugPrivilege	1660	cmstp.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1232	Explorer.EXE
1232	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1232	Explorer.EXE
1232	Explorer.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 940	1368	a44404aac23672009dc1d835f223d35b.exe	27
PID 1368 wrote to memory of 940	1368	a44404aac23672009dc1d835f223d35b.exe	27
PID 1368 wrote to memory of 940	1368	a44404aac23672009dc1d835f223d35b.exe	27
PID 1368 wrote to memory of 940	1368	a44404aac23672009dc1d835f223d35b.exe	27
PID 940 wrote to memory of 572	940	yoznhk.exe	28
PID 940 wrote to memory of 572	940	yoznhk.exe	28
PID 940 wrote to memory of 572	940	yoznhk.exe	28
PID 940 wrote to memory of 572	940	yoznhk.exe	28
PID 940 wrote to memory of 572	940	yoznhk.exe	28
PID 1232 wrote to memory of 1660	1232	Explorer.EXE	29
PID 1232 wrote to memory of 1660	1232	Explorer.EXE	29
PID 1232 wrote to memory of 1660	1232	Explorer.EXE	29
PID 1232 wrote to memory of 1660	1232	Explorer.EXE	29
PID 1232 wrote to memory of 1660	1232	Explorer.EXE	29
PID 1232 wrote to memory of 1660	1232	Explorer.EXE	29
PID 1232 wrote to memory of 1660	1232	Explorer.EXE	29
PID 1660 wrote to memory of 952	1660	cmstp.exe	30
PID 1660 wrote to memory of 952	1660	cmstp.exe	30
PID 1660 wrote to memory of 952	1660	cmstp.exe	30
PID 1660 wrote to memory of 952	1660	cmstp.exe	30

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Users\Admin\AppData\Local\Temp\a44404aac23672009dc1d835f223d35b.exe
  "C:\Users\Admin\AppData\Local\Temp\a44404aac23672009dc1d835f223d35b.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1368
- - C:\Users\Admin\AppData\Local\Temp\yoznhk.exe
    "C:\Users\Admin\AppData\Local\Temp\yoznhk.exe" C:\Users\Admin\AppData\Local\Temp\qsruthgcsxr.a
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:940
  - - C:\Users\Admin\AppData\Local\Temp\yoznhk.exe
      "C:\Users\Admin\AppData\Local\Temp\yoznhk.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:572
- C:\Windows\SysWOW64\cmstp.exe
  "C:\Windows\SysWOW64\cmstp.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\yoznhk.exe"
    3⤵
    PID:952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\qanka.d

Filesize
205KB

MD5
f1ea13fa35de3f09b96364341d87d125

SHA1
8de2b74f3a5bbcb1ba8ced276904c7a47266a1a1

SHA256
b21c98a92b9bbbf684de96fb96adbcd534368df3fdd7b615bc59e0b1685a8434

SHA512
7e91642293d03ad05941ab5e1c464bc08197900001b61ddbd9d3f3445b5e1559d1e82ba1630634ec78701b2d508822585bb5cbfab80e07c33052401f7cff442e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsruthgcsxr.a

Filesize
5KB

MD5
54b71333295fca6cf02f2b33fd820c76

SHA1
1b918d25d644d6aae65324fb77e50a3a2ee50147

SHA256
5d44da7c885fc6d6a5f454a2e73c7409a5d5f434ea9984f39221750b75840442

SHA512
095ebd5cac031872c9cb2328070c127ea7862140e9bc89421c4ce8ff17804dde88ccc330b79e709c17c61179bc7c8146420e734c8e512b5e82eede690fa5629b

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoznhk.exe

Filesize
74KB

MD5
33197092d5e40869139dafa9e86397eb

SHA1
1c94e4036d5ab42cc9e405c31bccc2af3e316fed

SHA256
91975a8affb95985c82de51e6f71acb803833d2e9ddf1099145f9a2a04300d50

SHA512
a313a4fd70685c733257eecc437944f7e3bd1277c6be1c8f1b569e624e50c9b7b57453ff2b93effe3ba9f9cd08ab34c6a85c50c5dd805c7a09a620b105fcb8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoznhk.exe

Filesize
74KB

MD5
33197092d5e40869139dafa9e86397eb

SHA1
1c94e4036d5ab42cc9e405c31bccc2af3e316fed

SHA256
91975a8affb95985c82de51e6f71acb803833d2e9ddf1099145f9a2a04300d50

SHA512
a313a4fd70685c733257eecc437944f7e3bd1277c6be1c8f1b569e624e50c9b7b57453ff2b93effe3ba9f9cd08ab34c6a85c50c5dd805c7a09a620b105fcb8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoznhk.exe

Filesize
74KB

MD5
33197092d5e40869139dafa9e86397eb

SHA1
1c94e4036d5ab42cc9e405c31bccc2af3e316fed

SHA256
91975a8affb95985c82de51e6f71acb803833d2e9ddf1099145f9a2a04300d50

SHA512
a313a4fd70685c733257eecc437944f7e3bd1277c6be1c8f1b569e624e50c9b7b57453ff2b93effe3ba9f9cd08ab34c6a85c50c5dd805c7a09a620b105fcb8b5

Download Submit
\Users\Admin\AppData\Local\Temp\yoznhk.exe

Filesize
74KB

MD5
33197092d5e40869139dafa9e86397eb

SHA1
1c94e4036d5ab42cc9e405c31bccc2af3e316fed

SHA256
91975a8affb95985c82de51e6f71acb803833d2e9ddf1099145f9a2a04300d50

SHA512
a313a4fd70685c733257eecc437944f7e3bd1277c6be1c8f1b569e624e50c9b7b57453ff2b93effe3ba9f9cd08ab34c6a85c50c5dd805c7a09a620b105fcb8b5

Download Submit
\Users\Admin\AppData\Local\Temp\yoznhk.exe

Filesize
74KB

MD5
33197092d5e40869139dafa9e86397eb

SHA1
1c94e4036d5ab42cc9e405c31bccc2af3e316fed

SHA256
91975a8affb95985c82de51e6f71acb803833d2e9ddf1099145f9a2a04300d50

SHA512
a313a4fd70685c733257eecc437944f7e3bd1277c6be1c8f1b569e624e50c9b7b57453ff2b93effe3ba9f9cd08ab34c6a85c50c5dd805c7a09a620b105fcb8b5

Download Submit
\Users\Admin\AppData\Local\Temp\yoznhk.exe

Filesize
74KB

MD5
33197092d5e40869139dafa9e86397eb

SHA1
1c94e4036d5ab42cc9e405c31bccc2af3e316fed

SHA256
91975a8affb95985c82de51e6f71acb803833d2e9ddf1099145f9a2a04300d50

SHA512
a313a4fd70685c733257eecc437944f7e3bd1277c6be1c8f1b569e624e50c9b7b57453ff2b93effe3ba9f9cd08ab34c6a85c50c5dd805c7a09a620b105fcb8b5

Download Submit
memory/572-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/572-67-0x0000000000850000-0x0000000000B53000-memory.dmp

Filesize
3.0MB

Download
memory/572-68-0x00000000002B0000-0x00000000002C4000-memory.dmp

Filesize
80KB

Download
memory/1232-69-0x0000000002970000-0x0000000002A39000-memory.dmp

Filesize
804KB

Download
memory/1232-80-0x000007FF1FA70000-0x000007FF1FA7A000-memory.dmp

Filesize
40KB

Download
memory/1232-83-0x000007FF1FA70000-0x000007FF1FA7A000-memory.dmp

Filesize
40KB

Download
memory/1232-82-0x000007FEF68E0000-0x000007FEF6A23000-memory.dmp

Filesize
1.3MB

Download
memory/1232-81-0x0000000004BD0000-0x0000000004CB5000-memory.dmp

Filesize
916KB

Download
memory/1232-79-0x000007FEF68E0000-0x000007FEF6A23000-memory.dmp

Filesize
1.3MB

Download
memory/1232-77-0x0000000004BD0000-0x0000000004CB5000-memory.dmp

Filesize
916KB

Download
memory/1368-54-0x0000000076461000-0x0000000076463000-memory.dmp

Filesize
8KB

Download
memory/1660-76-0x0000000001D10000-0x0000000001DA3000-memory.dmp

Filesize
588KB

Download
memory/1660-78-0x0000000000090000-0x00000000000BF000-memory.dmp

Filesize
188KB

Download
memory/1660-75-0x0000000001E00000-0x0000000002103000-memory.dmp

Filesize
3.0MB

Download
memory/1660-74-0x0000000000090000-0x00000000000BF000-memory.dmp

Filesize
188KB

Download
memory/1660-73-0x00000000006C0000-0x00000000006D8000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing