formbook | 9e804f046cb3978daaa84fe71badb3a5fef3aea5387377e3b05524cbb8092a89

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
16-02-2023 21:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

new.exe
Size

432KB
MD5

e3a874c6e454d2591f5380be7aa4dff4
SHA1

3714bee104682ecc3867aa84f9b049d3b6d58639
SHA256

9e804f046cb3978daaa84fe71badb3a5fef3aea5387377e3b05524cbb8092a89
SHA512

6eb235dfcdb612b4db9926275e827e179166e3522256de14b51da3fb6610fe610c6547c7eb29ceb3b95eebb434c68d9bf000e7d1a14320853363e0dcd0c0f93e
SSDEEP

12288:TY74I2N2tpc73OFMf0aHFJOJYT8htu8GIS1r7L:TY7G2tW731zHnOJYmE8Fq3L

Score

10^/10

formbook ho62 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ho62

Decoy

aqawonky.com

ancachsroadsideassistance.com

artologycreatlive.com

olesinfo.africa

lovebreatheandsleep.com

friendsofdragonsprings.com

homecomingmums.wiki

hg222.bet

precision-spares.co.uk

generalhospitaleu.africa

touchstone4x4.africa

dynamator.com

dental-implants-52531.com

efefear.buzz

bentonapp.net

89luxu.com

bridgesonelm.com

acesaigon.online

instantapprovals.loans

evuniverso.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral3/memory/3764-139-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral3/memory/4880-145-0x0000000000D30000-0x0000000000D5F000-memory.dmp	formbook
behavioral3/memory/4880-150-0x0000000000D30000-0x0000000000D5F000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

njxmhiqte.exenjxmhiqte.exe

pid process

1260 njxmhiqte.exe
3764 njxmhiqte.exe

pid	process
1260	njxmhiqte.exe
3764	njxmhiqte.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

njxmhiqte.exenjxmhiqte.exesvchost.exe

description	pid	process	target process
PID 1260 set thread context of 3764	1260	njxmhiqte.exe	njxmhiqte.exe
PID 3764 set thread context of 2416	3764	njxmhiqte.exe	Explorer.EXE
PID 4880 set thread context of 2416	4880	svchost.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

njxmhiqte.exesvchost.exe

pid	process
3764	njxmhiqte.exe
3764	njxmhiqte.exe
3764	njxmhiqte.exe
3764	njxmhiqte.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe
4880	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2416 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

njxmhiqte.exenjxmhiqte.exesvchost.exe

pid process

1260 njxmhiqte.exe
3764 njxmhiqte.exe
3764 njxmhiqte.exe
3764 njxmhiqte.exe
4880 svchost.exe
4880 svchost.exe

pid	process
2416	Explorer.EXE

pid	process
1260	njxmhiqte.exe
3764	njxmhiqte.exe
3764	njxmhiqte.exe
3764	njxmhiqte.exe
4880	svchost.exe
4880	svchost.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

njxmhiqte.exesvchost.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	3764	njxmhiqte.exe
Token: SeDebugPrivilege	4880	svchost.exe
Token: SeShutdownPrivilege	2416	Explorer.EXE
Token: SeCreatePagefilePrivilege	2416	Explorer.EXE
Token: SeShutdownPrivilege	2416	Explorer.EXE
Token: SeCreatePagefilePrivilege	2416	Explorer.EXE
Token: SeShutdownPrivilege	2416	Explorer.EXE
Token: SeCreatePagefilePrivilege	2416	Explorer.EXE
Token: SeShutdownPrivilege	2416	Explorer.EXE
Token: SeCreatePagefilePrivilege	2416	Explorer.EXE
Token: SeShutdownPrivilege	2416	Explorer.EXE
Token: SeCreatePagefilePrivilege	2416	Explorer.EXE
Token: SeShutdownPrivilege	2416	Explorer.EXE
Token: SeCreatePagefilePrivilege	2416	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

new.exenjxmhiqte.exeExplorer.EXEsvchost.exe

description	pid	process	target process
PID 4972 wrote to memory of 1260	4972	new.exe	njxmhiqte.exe
PID 4972 wrote to memory of 1260	4972	new.exe	njxmhiqte.exe
PID 4972 wrote to memory of 1260	4972	new.exe	njxmhiqte.exe
PID 1260 wrote to memory of 3764	1260	njxmhiqte.exe	njxmhiqte.exe
PID 1260 wrote to memory of 3764	1260	njxmhiqte.exe	njxmhiqte.exe
PID 1260 wrote to memory of 3764	1260	njxmhiqte.exe	njxmhiqte.exe
PID 1260 wrote to memory of 3764	1260	njxmhiqte.exe	njxmhiqte.exe
PID 2416 wrote to memory of 4880	2416	Explorer.EXE	svchost.exe
PID 2416 wrote to memory of 4880	2416	Explorer.EXE	svchost.exe
PID 2416 wrote to memory of 4880	2416	Explorer.EXE	svchost.exe
PID 4880 wrote to memory of 5080	4880	svchost.exe	cmd.exe
PID 4880 wrote to memory of 5080	4880	svchost.exe	cmd.exe
PID 4880 wrote to memory of 5080	4880	svchost.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Users\Admin\AppData\Local\Temp\new.exe
  "C:\Users\Admin\AppData\Local\Temp\new.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\Users\Admin\AppData\Local\Temp\njxmhiqte.exe
    "C:\Users\Admin\AppData\Local\Temp\njxmhiqte.exe" C:\Users\Admin\AppData\Local\Temp\tjjnidhdl.x
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1260
  - - C:\Users\Admin\AppData\Local\Temp\njxmhiqte.exe
      "C:\Users\Admin\AppData\Local\Temp\njxmhiqte.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:3764
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\SysWOW64\svchost.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4880
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\njxmhiqte.exe"
    3⤵
    PID:5080

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aeqxmj.pia

Filesize
205KB

MD5
baec02094b35270a151460be6cd66e65

SHA1
7c26210d4c1c7f2add9a13164179649b3a3c9dbe

SHA256
614efbff773c1b4425326ebc028ae76905a96bc9d59d76b33a1eff15fd0d8ad3

SHA512
3d5b117d6658a414e4a674fb559d0a6b6d46436cef7df94bbbdec48b86d4a2a17eff3dcb90bfbac3b8e1b8cb3440aa10c063226b1793cf9faec98e599d3e5566

Download Submit
C:\Users\Admin\AppData\Local\Temp\njxmhiqte.exe

Filesize
322KB

MD5
60ee2623954b697257bb49f0189d751a

SHA1
2598c631a24546a707cbc797dbe2772512f08b49

SHA256
80ac0e1f3ce4e9512e6821849b0c9296b61adb17ed52632aebe6853b02599a1c

SHA512
f0bb9279d81d2acc888b9991e68c338c86d1b1aafc760c32517c5738ff1766f22019b179b1e196ecb8eddceb6e8aa63dec663b08f49b69d0dad0e81f4a0e1459

Download Submit
C:\Users\Admin\AppData\Local\Temp\njxmhiqte.exe

Filesize
322KB

MD5
60ee2623954b697257bb49f0189d751a

SHA1
2598c631a24546a707cbc797dbe2772512f08b49

SHA256
80ac0e1f3ce4e9512e6821849b0c9296b61adb17ed52632aebe6853b02599a1c

SHA512
f0bb9279d81d2acc888b9991e68c338c86d1b1aafc760c32517c5738ff1766f22019b179b1e196ecb8eddceb6e8aa63dec663b08f49b69d0dad0e81f4a0e1459

Download Submit
C:\Users\Admin\AppData\Local\Temp\njxmhiqte.exe

Filesize
322KB

MD5
60ee2623954b697257bb49f0189d751a

SHA1
2598c631a24546a707cbc797dbe2772512f08b49

SHA256
80ac0e1f3ce4e9512e6821849b0c9296b61adb17ed52632aebe6853b02599a1c

SHA512
f0bb9279d81d2acc888b9991e68c338c86d1b1aafc760c32517c5738ff1766f22019b179b1e196ecb8eddceb6e8aa63dec663b08f49b69d0dad0e81f4a0e1459

Download Submit
C:\Users\Admin\AppData\Local\Temp\tjjnidhdl.x

Filesize
5KB

MD5
22a3bb50bacb64d72699f4e7642d550d

SHA1
9ec311fd68910b475b95f5bc187dfb00a385d58d

SHA256
5bfcbe087f6d1e836243ae8e69b6fe11dfc8ff434b70f90c7c64936db8512327

SHA512
6360c9d4208a9de79996cdced4af9fe478f973c59b1318929a2b630dcd5dec9d0a9eb015a467533ab5d8318779eaf9ead4c750c120660342888ad0b85f45fd53

Download Submit
memory/1260-132-0x0000000000000000-mapping.dmp

Download
memory/2416-172-0x0000000007EB0000-0x0000000007EC0000-memory.dmp

Filesize
64KB

Download
memory/2416-209-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/2416-212-0x0000000002960000-0x0000000002970000-memory.dmp

Filesize
64KB

Download
memory/2416-211-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/2416-210-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/2416-175-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/2416-208-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/2416-207-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/2416-206-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/2416-205-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/2416-204-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/2416-149-0x0000000008330000-0x00000000084B0000-memory.dmp

Filesize
1.5MB

Download
memory/2416-203-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/2416-151-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/2416-152-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/2416-174-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/2416-154-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/2416-155-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/2416-156-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/2416-157-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/2416-158-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/2416-159-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/2416-160-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/2416-161-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/2416-162-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/2416-163-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/2416-164-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/2416-165-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/2416-166-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/2416-167-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/2416-168-0x0000000007560000-0x0000000007570000-memory.dmp

Filesize
64KB

Download
memory/2416-169-0x0000000007EB0000-0x0000000007EC0000-memory.dmp

Filesize
64KB

Download
memory/2416-170-0x0000000007EB0000-0x0000000007EC0000-memory.dmp

Filesize
64KB

Download
memory/2416-171-0x0000000008330000-0x00000000084B0000-memory.dmp

Filesize
1.5MB

Download
memory/2416-142-0x0000000007C00000-0x0000000007DAE000-memory.dmp

Filesize
1.7MB

Download
memory/2416-173-0x0000000007EB0000-0x0000000007EC0000-memory.dmp

Filesize
64KB

Download
memory/2416-153-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/2416-202-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/2416-187-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/2416-177-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/2416-178-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/2416-179-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/2416-180-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/2416-181-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/2416-182-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/2416-183-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/2416-184-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/2416-185-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/2416-186-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/2416-176-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/2416-188-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/2416-189-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/2416-190-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/2416-191-0x00000000029F0000-0x0000000002A00000-memory.dmp

Filesize
64KB

Download
memory/2416-192-0x00000000029F0000-0x0000000002A00000-memory.dmp

Filesize
64KB

Download
memory/2416-193-0x00000000029F0000-0x0000000002A00000-memory.dmp

Filesize
64KB

Download
memory/2416-194-0x00000000029F0000-0x0000000002A00000-memory.dmp

Filesize
64KB

Download
memory/2416-195-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/2416-196-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/2416-197-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/2416-198-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/2416-199-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/2416-200-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/2416-201-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/3764-137-0x0000000000000000-mapping.dmp

Download
memory/3764-141-0x0000000000E80000-0x0000000000E95000-memory.dmp

Filesize
84KB

Download
memory/3764-140-0x0000000000F30000-0x000000000127A000-memory.dmp

Filesize
3.3MB

Download
memory/3764-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4880-150-0x0000000000D30000-0x0000000000D5F000-memory.dmp

Filesize
188KB

Download
memory/4880-148-0x00000000018A0000-0x0000000001934000-memory.dmp

Filesize
592KB

Download
memory/4880-147-0x0000000001A00000-0x0000000001D4A000-memory.dmp

Filesize
3.3MB

Download
memory/4880-145-0x0000000000D30000-0x0000000000D5F000-memory.dmp

Filesize
188KB

Download
memory/4880-144-0x0000000000E60000-0x0000000000E6E000-memory.dmp

Filesize
56KB

Download
memory/4880-143-0x0000000000000000-mapping.dmp

Download
memory/5080-146-0x0000000000000000-mapping.dmp

Download