formbook | 9e804f046cb3978daaa84fe71badb3a5fef3aea5387377e3b05524cbb8092a89

General

Target

new.exe
Size

432KB
MD5

e3a874c6e454d2591f5380be7aa4dff4
SHA1

3714bee104682ecc3867aa84f9b049d3b6d58639
SHA256

9e804f046cb3978daaa84fe71badb3a5fef3aea5387377e3b05524cbb8092a89
SHA512

6eb235dfcdb612b4db9926275e827e179166e3522256de14b51da3fb6610fe610c6547c7eb29ceb3b95eebb434c68d9bf000e7d1a14320853363e0dcd0c0f93e
SSDEEP

12288:TY74I2N2tpc73OFMf0aHFJOJYT8htu8GIS1r7L:TY7G2tW731zHnOJYmE8Fq3L

Score

10^/10

formbook ho62 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ho62

Decoy

aqawonky.com

ancachsroadsideassistance.com

artologycreatlive.com

olesinfo.africa

lovebreatheandsleep.com

friendsofdragonsprings.com

homecomingmums.wiki

hg222.bet

precision-spares.co.uk

generalhospitaleu.africa

touchstone4x4.africa

dynamator.com

dental-implants-52531.com

efefear.buzz

bentonapp.net

89luxu.com

bridgesonelm.com

acesaigon.online

instantapprovals.loans

evuniverso.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1880-65-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1504-73-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/1504-77-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

njxmhiqte.exenjxmhiqte.exe

pid process

1184 njxmhiqte.exe
1880 njxmhiqte.exe
Loads dropped DLL 2 IoCs

Processes:

new.exenjxmhiqte.exe

pid process

856 new.exe
1184 njxmhiqte.exe

pid	process
1184	njxmhiqte.exe
1880	njxmhiqte.exe

pid	process
856	new.exe
1184	njxmhiqte.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

njxmhiqte.exenjxmhiqte.exemsdt.exe

description	pid	process	target process
PID 1184 set thread context of 1880	1184	njxmhiqte.exe	njxmhiqte.exe
PID 1880 set thread context of 1268	1880	njxmhiqte.exe	Explorer.EXE
PID 1504 set thread context of 1268	1504	msdt.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

njxmhiqte.exemsdt.exe

pid	process
1880	njxmhiqte.exe
1880	njxmhiqte.exe
1504	msdt.exe
1504	msdt.exe
1504	msdt.exe
1504	msdt.exe
1504	msdt.exe
1504	msdt.exe
1504	msdt.exe
1504	msdt.exe
1504	msdt.exe
1504	msdt.exe
1504	msdt.exe
1504	msdt.exe
1504	msdt.exe
1504	msdt.exe
1504	msdt.exe
1504	msdt.exe
1504	msdt.exe
1504	msdt.exe
1504	msdt.exe
1504	msdt.exe
1504	msdt.exe
1504	msdt.exe
1504	msdt.exe
1504	msdt.exe
1504	msdt.exe
1504	msdt.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1268 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

njxmhiqte.exenjxmhiqte.exemsdt.exe

pid process

1184 njxmhiqte.exe
1880 njxmhiqte.exe
1880 njxmhiqte.exe
1880 njxmhiqte.exe
1504 msdt.exe
1504 msdt.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

njxmhiqte.exemsdt.exe

description pid process

Token: SeDebugPrivilege 1880 njxmhiqte.exe
Token: SeDebugPrivilege 1504 msdt.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1268 Explorer.EXE
1268 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1268 Explorer.EXE
1268 Explorer.EXE

pid	process
1268	Explorer.EXE

pid	process
1184	njxmhiqte.exe
1880	njxmhiqte.exe
1880	njxmhiqte.exe
1880	njxmhiqte.exe
1504	msdt.exe
1504	msdt.exe

description	pid	process
Token: SeDebugPrivilege	1880	njxmhiqte.exe
Token: SeDebugPrivilege	1504	msdt.exe

pid	process
1268	Explorer.EXE
1268	Explorer.EXE

pid	process
1268	Explorer.EXE
1268	Explorer.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

new.exenjxmhiqte.exeExplorer.EXEmsdt.exe

description	pid	process	target process
PID 856 wrote to memory of 1184	856	new.exe	njxmhiqte.exe
PID 856 wrote to memory of 1184	856	new.exe	njxmhiqte.exe
PID 856 wrote to memory of 1184	856	new.exe	njxmhiqte.exe
PID 856 wrote to memory of 1184	856	new.exe	njxmhiqte.exe
PID 1184 wrote to memory of 1880	1184	njxmhiqte.exe	njxmhiqte.exe
PID 1184 wrote to memory of 1880	1184	njxmhiqte.exe	njxmhiqte.exe
PID 1184 wrote to memory of 1880	1184	njxmhiqte.exe	njxmhiqte.exe
PID 1184 wrote to memory of 1880	1184	njxmhiqte.exe	njxmhiqte.exe
PID 1184 wrote to memory of 1880	1184	njxmhiqte.exe	njxmhiqte.exe
PID 1268 wrote to memory of 1504	1268	Explorer.EXE	msdt.exe
PID 1268 wrote to memory of 1504	1268	Explorer.EXE	msdt.exe
PID 1268 wrote to memory of 1504	1268	Explorer.EXE	msdt.exe
PID 1268 wrote to memory of 1504	1268	Explorer.EXE	msdt.exe
PID 1504 wrote to memory of 584	1504	msdt.exe	cmd.exe
PID 1504 wrote to memory of 584	1504	msdt.exe	cmd.exe
PID 1504 wrote to memory of 584	1504	msdt.exe	cmd.exe
PID 1504 wrote to memory of 584	1504	msdt.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1268

C:\Users\Admin\AppData\Local\Temp\new.exe
"C:\Users\Admin\AppData\Local\Temp\new.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:856

C:\Users\Admin\AppData\Local\Temp\njxmhiqte.exe
"C:\Users\Admin\AppData\Local\Temp\njxmhiqte.exe" C:\Users\Admin\AppData\Local\Temp\tjjnidhdl.x
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1184

C:\Users\Admin\AppData\Local\Temp\njxmhiqte.exe
"C:\Users\Admin\AppData\Local\Temp\njxmhiqte.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1880

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\njxmhiqte.exe"
3⤵
PID:584

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aeqxmj.pia
Filesize
205KB

MD5
baec02094b35270a151460be6cd66e65

SHA1
7c26210d4c1c7f2add9a13164179649b3a3c9dbe

SHA256
614efbff773c1b4425326ebc028ae76905a96bc9d59d76b33a1eff15fd0d8ad3

SHA512
3d5b117d6658a414e4a674fb559d0a6b6d46436cef7df94bbbdec48b86d4a2a17eff3dcb90bfbac3b8e1b8cb3440aa10c063226b1793cf9faec98e599d3e5566

Download Submit
C:\Users\Admin\AppData\Local\Temp\njxmhiqte.exe
Filesize
322KB

MD5
60ee2623954b697257bb49f0189d751a

SHA1
2598c631a24546a707cbc797dbe2772512f08b49

SHA256
80ac0e1f3ce4e9512e6821849b0c9296b61adb17ed52632aebe6853b02599a1c

SHA512
f0bb9279d81d2acc888b9991e68c338c86d1b1aafc760c32517c5738ff1766f22019b179b1e196ecb8eddceb6e8aa63dec663b08f49b69d0dad0e81f4a0e1459

Download Submit
C:\Users\Admin\AppData\Local\Temp\njxmhiqte.exe
Filesize
322KB

MD5
60ee2623954b697257bb49f0189d751a

SHA1
2598c631a24546a707cbc797dbe2772512f08b49

SHA256
80ac0e1f3ce4e9512e6821849b0c9296b61adb17ed52632aebe6853b02599a1c

SHA512
f0bb9279d81d2acc888b9991e68c338c86d1b1aafc760c32517c5738ff1766f22019b179b1e196ecb8eddceb6e8aa63dec663b08f49b69d0dad0e81f4a0e1459

Download Submit
C:\Users\Admin\AppData\Local\Temp\njxmhiqte.exe
Filesize
322KB

MD5
60ee2623954b697257bb49f0189d751a

SHA1
2598c631a24546a707cbc797dbe2772512f08b49

SHA256
80ac0e1f3ce4e9512e6821849b0c9296b61adb17ed52632aebe6853b02599a1c

SHA512
f0bb9279d81d2acc888b9991e68c338c86d1b1aafc760c32517c5738ff1766f22019b179b1e196ecb8eddceb6e8aa63dec663b08f49b69d0dad0e81f4a0e1459

Download Submit
C:\Users\Admin\AppData\Local\Temp\tjjnidhdl.x
Filesize
5KB

MD5
22a3bb50bacb64d72699f4e7642d550d

SHA1
9ec311fd68910b475b95f5bc187dfb00a385d58d

SHA256
5bfcbe087f6d1e836243ae8e69b6fe11dfc8ff434b70f90c7c64936db8512327

SHA512
6360c9d4208a9de79996cdced4af9fe478f973c59b1318929a2b630dcd5dec9d0a9eb015a467533ab5d8318779eaf9ead4c750c120660342888ad0b85f45fd53

Download Submit
\Users\Admin\AppData\Local\Temp\njxmhiqte.exe
Filesize
322KB

MD5
60ee2623954b697257bb49f0189d751a

SHA1
2598c631a24546a707cbc797dbe2772512f08b49

SHA256
80ac0e1f3ce4e9512e6821849b0c9296b61adb17ed52632aebe6853b02599a1c

SHA512
f0bb9279d81d2acc888b9991e68c338c86d1b1aafc760c32517c5738ff1766f22019b179b1e196ecb8eddceb6e8aa63dec663b08f49b69d0dad0e81f4a0e1459

Download Submit
\Users\Admin\AppData\Local\Temp\njxmhiqte.exe
Filesize
322KB

MD5
60ee2623954b697257bb49f0189d751a

SHA1
2598c631a24546a707cbc797dbe2772512f08b49

SHA256
80ac0e1f3ce4e9512e6821849b0c9296b61adb17ed52632aebe6853b02599a1c

SHA512
f0bb9279d81d2acc888b9991e68c338c86d1b1aafc760c32517c5738ff1766f22019b179b1e196ecb8eddceb6e8aa63dec663b08f49b69d0dad0e81f4a0e1459

Download Submit
memory/584-71-0x0000000000000000-mapping.dmp

Download
memory/856-54-0x0000000075C11000-0x0000000075C13000-memory.dmp

Filesize
8KB

Download
memory/1184-56-0x0000000000000000-mapping.dmp

Download
memory/1268-68-0x0000000004B70000-0x0000000004CA3000-memory.dmp

Filesize
1.2MB

Download
memory/1268-78-0x0000000004A00000-0x0000000004AD8000-memory.dmp

Filesize
864KB

Download
memory/1268-76-0x0000000004A00000-0x0000000004AD8000-memory.dmp

Filesize
864KB

Download
memory/1504-73-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1504-69-0x0000000000000000-mapping.dmp

Download
memory/1504-72-0x0000000000C30000-0x0000000000D24000-memory.dmp

Filesize
976KB

Download
memory/1504-74-0x00000000022C0000-0x00000000025C3000-memory.dmp

Filesize
3.0MB

Download
memory/1504-75-0x0000000000A20000-0x0000000000AB4000-memory.dmp

Filesize
592KB

Download
memory/1504-77-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1880-67-0x00000000001D0000-0x00000000001E5000-memory.dmp

Filesize
84KB

Download
memory/1880-63-0x000000000041F070-mapping.dmp

Download
memory/1880-66-0x0000000000880000-0x0000000000B83000-memory.dmp

Filesize
3.0MB

Download
memory/1880-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads