formbook | 9e804f046cb3978daaa84fe71badb3a5fef3aea5387377e3b05524cbb8092a89

Analysis

max time kernel
150s
max time network
145s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
16-02-2023 21:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

new.exe
Size

432KB
MD5

e3a874c6e454d2591f5380be7aa4dff4
SHA1

3714bee104682ecc3867aa84f9b049d3b6d58639
SHA256

9e804f046cb3978daaa84fe71badb3a5fef3aea5387377e3b05524cbb8092a89
SHA512

6eb235dfcdb612b4db9926275e827e179166e3522256de14b51da3fb6610fe610c6547c7eb29ceb3b95eebb434c68d9bf000e7d1a14320853363e0dcd0c0f93e
SSDEEP

12288:TY74I2N2tpc73OFMf0aHFJOJYT8htu8GIS1r7L:TY7G2tW731zHnOJYmE8Fq3L

Score

10^/10

formbook ho62 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ho62

Decoy

aqawonky.com

ancachsroadsideassistance.com

artologycreatlive.com

olesinfo.africa

lovebreatheandsleep.com

friendsofdragonsprings.com

homecomingmums.wiki

hg222.bet

precision-spares.co.uk

generalhospitaleu.africa

touchstone4x4.africa

dynamator.com

dental-implants-52531.com

efefear.buzz

bentonapp.net

89luxu.com

bridgesonelm.com

acesaigon.online

instantapprovals.loans

evuniverso.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/3372-235-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1172-264-0x0000000000B30000-0x0000000000B5F000-memory.dmp	formbook
behavioral1/memory/1172-275-0x0000000000B30000-0x0000000000B5F000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

njxmhiqte.exenjxmhiqte.exe

pid process

2592 njxmhiqte.exe
3372 njxmhiqte.exe

pid	process
2592	njxmhiqte.exe
3372	njxmhiqte.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

njxmhiqte.exenjxmhiqte.exewscript.exe

description	pid	process	target process
PID 2592 set thread context of 3372	2592	njxmhiqte.exe	njxmhiqte.exe
PID 3372 set thread context of 3048	3372	njxmhiqte.exe	Explorer.EXE
PID 1172 set thread context of 3048	1172	wscript.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

njxmhiqte.exewscript.exe

pid	process
3372	njxmhiqte.exe
3372	njxmhiqte.exe
3372	njxmhiqte.exe
3372	njxmhiqte.exe
1172	wscript.exe
1172	wscript.exe
1172	wscript.exe
1172	wscript.exe
1172	wscript.exe
1172	wscript.exe
1172	wscript.exe
1172	wscript.exe
1172	wscript.exe
1172	wscript.exe
1172	wscript.exe
1172	wscript.exe
1172	wscript.exe
1172	wscript.exe
1172	wscript.exe
1172	wscript.exe
1172	wscript.exe
1172	wscript.exe
1172	wscript.exe
1172	wscript.exe
1172	wscript.exe
1172	wscript.exe
1172	wscript.exe
1172	wscript.exe
1172	wscript.exe
1172	wscript.exe
1172	wscript.exe
1172	wscript.exe
1172	wscript.exe
1172	wscript.exe
1172	wscript.exe
1172	wscript.exe
1172	wscript.exe
1172	wscript.exe
1172	wscript.exe
1172	wscript.exe
1172	wscript.exe
1172	wscript.exe
1172	wscript.exe
1172	wscript.exe
1172	wscript.exe
1172	wscript.exe
1172	wscript.exe
1172	wscript.exe
1172	wscript.exe
1172	wscript.exe
1172	wscript.exe
1172	wscript.exe
1172	wscript.exe
1172	wscript.exe
1172	wscript.exe
1172	wscript.exe
1172	wscript.exe
1172	wscript.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

njxmhiqte.exenjxmhiqte.exewscript.exe

pid process

2592 njxmhiqte.exe
3372 njxmhiqte.exe
3372 njxmhiqte.exe
3372 njxmhiqte.exe
1172 wscript.exe
1172 wscript.exe

pid	process
2592	njxmhiqte.exe
3372	njxmhiqte.exe
3372	njxmhiqte.exe
3372	njxmhiqte.exe
1172	wscript.exe
1172	wscript.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

njxmhiqte.exewscript.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	3372	njxmhiqte.exe
Token: SeDebugPrivilege	1172	wscript.exe
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

new.exenjxmhiqte.exeExplorer.EXEwscript.exe

description	pid	process	target process
PID 2688 wrote to memory of 2592	2688	new.exe	njxmhiqte.exe
PID 2688 wrote to memory of 2592	2688	new.exe	njxmhiqte.exe
PID 2688 wrote to memory of 2592	2688	new.exe	njxmhiqte.exe
PID 2592 wrote to memory of 3372	2592	njxmhiqte.exe	njxmhiqte.exe
PID 2592 wrote to memory of 3372	2592	njxmhiqte.exe	njxmhiqte.exe
PID 2592 wrote to memory of 3372	2592	njxmhiqte.exe	njxmhiqte.exe
PID 2592 wrote to memory of 3372	2592	njxmhiqte.exe	njxmhiqte.exe
PID 3048 wrote to memory of 1172	3048	Explorer.EXE	wscript.exe
PID 3048 wrote to memory of 1172	3048	Explorer.EXE	wscript.exe
PID 3048 wrote to memory of 1172	3048	Explorer.EXE	wscript.exe
PID 1172 wrote to memory of 3564	1172	wscript.exe	cmd.exe
PID 1172 wrote to memory of 3564	1172	wscript.exe	cmd.exe
PID 1172 wrote to memory of 3564	1172	wscript.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3048

C:\Users\Admin\AppData\Local\Temp\new.exe
"C:\Users\Admin\AppData\Local\Temp\new.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2688

C:\Users\Admin\AppData\Local\Temp\njxmhiqte.exe
"C:\Users\Admin\AppData\Local\Temp\njxmhiqte.exe" C:\Users\Admin\AppData\Local\Temp\tjjnidhdl.x
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2592

C:\Users\Admin\AppData\Local\Temp\njxmhiqte.exe
"C:\Users\Admin\AppData\Local\Temp\njxmhiqte.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3372

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1172

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\njxmhiqte.exe"
3⤵
PID:3564

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aeqxmj.pia
Filesize
205KB

MD5
baec02094b35270a151460be6cd66e65

SHA1
7c26210d4c1c7f2add9a13164179649b3a3c9dbe

SHA256
614efbff773c1b4425326ebc028ae76905a96bc9d59d76b33a1eff15fd0d8ad3

SHA512
3d5b117d6658a414e4a674fb559d0a6b6d46436cef7df94bbbdec48b86d4a2a17eff3dcb90bfbac3b8e1b8cb3440aa10c063226b1793cf9faec98e599d3e5566

Download Submit
C:\Users\Admin\AppData\Local\Temp\njxmhiqte.exe
Filesize
322KB

MD5
60ee2623954b697257bb49f0189d751a

SHA1
2598c631a24546a707cbc797dbe2772512f08b49

SHA256
80ac0e1f3ce4e9512e6821849b0c9296b61adb17ed52632aebe6853b02599a1c

SHA512
f0bb9279d81d2acc888b9991e68c338c86d1b1aafc760c32517c5738ff1766f22019b179b1e196ecb8eddceb6e8aa63dec663b08f49b69d0dad0e81f4a0e1459

Download Submit
C:\Users\Admin\AppData\Local\Temp\njxmhiqte.exe
Filesize
322KB

MD5
60ee2623954b697257bb49f0189d751a

SHA1
2598c631a24546a707cbc797dbe2772512f08b49

SHA256
80ac0e1f3ce4e9512e6821849b0c9296b61adb17ed52632aebe6853b02599a1c

SHA512
f0bb9279d81d2acc888b9991e68c338c86d1b1aafc760c32517c5738ff1766f22019b179b1e196ecb8eddceb6e8aa63dec663b08f49b69d0dad0e81f4a0e1459

Download Submit
C:\Users\Admin\AppData\Local\Temp\njxmhiqte.exe
Filesize
322KB

MD5
60ee2623954b697257bb49f0189d751a

SHA1
2598c631a24546a707cbc797dbe2772512f08b49

SHA256
80ac0e1f3ce4e9512e6821849b0c9296b61adb17ed52632aebe6853b02599a1c

SHA512
f0bb9279d81d2acc888b9991e68c338c86d1b1aafc760c32517c5738ff1766f22019b179b1e196ecb8eddceb6e8aa63dec663b08f49b69d0dad0e81f4a0e1459

Download Submit
C:\Users\Admin\AppData\Local\Temp\tjjnidhdl.x
Filesize
5KB

MD5
22a3bb50bacb64d72699f4e7642d550d

SHA1
9ec311fd68910b475b95f5bc187dfb00a385d58d

SHA256
5bfcbe087f6d1e836243ae8e69b6fe11dfc8ff434b70f90c7c64936db8512327

SHA512
6360c9d4208a9de79996cdced4af9fe478f973c59b1318929a2b630dcd5dec9d0a9eb015a467533ab5d8318779eaf9ead4c750c120660342888ad0b85f45fd53

Download Submit
memory/1172-276-0x00000000049A0000-0x0000000004B3A000-memory.dmp

Filesize
1.6MB

Download
memory/1172-275-0x0000000000B30000-0x0000000000B5F000-memory.dmp

Filesize
188KB

Download
memory/1172-273-0x00000000049A0000-0x0000000004B3A000-memory.dmp

Filesize
1.6MB

Download
memory/1172-271-0x0000000004CE0000-0x0000000005000000-memory.dmp

Filesize
3.1MB

Download
memory/1172-263-0x0000000000CC0000-0x0000000000CE7000-memory.dmp

Filesize
156KB

Download
memory/1172-264-0x0000000000B30000-0x0000000000B5F000-memory.dmp

Filesize
188KB

Download
memory/1172-239-0x0000000000000000-mapping.dmp

Download
memory/2592-178-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2592-172-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2592-162-0x0000000000000000-mapping.dmp

Download
memory/2592-177-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2592-176-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2592-179-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2592-175-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2592-174-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2592-173-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2592-180-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2592-171-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2592-169-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2592-168-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2592-167-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2592-166-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2592-165-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2592-164-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2592-181-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-136-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-135-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-147-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-148-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-149-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-150-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-151-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-152-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-153-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-154-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-155-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-156-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-157-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-158-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-159-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-160-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-161-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-145-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-144-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-143-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-142-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-141-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-139-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-140-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-138-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-137-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-115-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-146-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-134-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-133-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-132-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-131-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-130-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-129-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-128-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-127-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-126-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-125-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-124-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-116-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-123-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-117-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-118-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-119-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-120-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-122-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/2688-121-0x00000000774C0000-0x000000007764E000-memory.dmp

Filesize
1.6MB

Download
memory/3048-238-0x0000000003190000-0x00000000032F9000-memory.dmp

Filesize
1.4MB

Download
memory/3048-274-0x0000000005CE0000-0x0000000005DC9000-memory.dmp

Filesize
932KB

Download
memory/3048-277-0x0000000005CE0000-0x0000000005DC9000-memory.dmp

Filesize
932KB

Download
memory/3372-237-0x0000000001A70000-0x0000000001A85000-memory.dmp

Filesize
84KB

Download
memory/3372-236-0x00000000013C0000-0x000000000146E000-memory.dmp

Filesize
696KB

Download
memory/3372-235-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3372-213-0x000000000041F070-mapping.dmp

Download
memory/3564-265-0x0000000000000000-mapping.dmp

Download