formbook | fe69a7884252cb7f2728065d43e5143e1c6168b5800813154f70727a97f78fc2

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
03-03-2023 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

259KB
MD5

4e8bee4ffcd91df4d0af5ad5809a5836
SHA1

f667fdda0388044884a7b98a9e25c79344e986ec
SHA256

fe69a7884252cb7f2728065d43e5143e1c6168b5800813154f70727a97f78fc2
SHA512

7d78d0fe3c3d761db9e79de77d2100d829f46b1c343e0fe0d59c2f6e30a41ed5ab3bbe6d154b01b71c1883a824f458865d0614fe40c3178963ef5ecfe079185b
SSDEEP

6144:/Ya6Wp9dAl3KJDohZfDxO9rItqosk+MMnrSQBQvfD+DnYTT14UPj7Q:/YopwlqM7D09stErqQKvfAnYTT1PY

Score

10^/10

formbook ho62 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ho62

Decoy

aqawonky.com

ancachsroadsideassistance.com

artologycreatlive.com

olesinfo.africa

lovebreatheandsleep.com

friendsofdragonsprings.com

homecomingmums.wiki

hg222.bet

precision-spares.co.uk

generalhospitaleu.africa

touchstone4x4.africa

dynamator.com

dental-implants-52531.com

efefear.buzz

bentonapp.net

89luxu.com

bridgesonelm.com

acesaigon.online

instantapprovals.loans

evuniverso.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3208-142-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3208-147-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2592-154-0x0000000000490000-0x00000000004BF000-memory.dmp	formbook
behavioral2/memory/2592-156-0x0000000000490000-0x00000000004BF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

mgsbmh.exemgsbmh.exe

pid process

2060 mgsbmh.exe
3208 mgsbmh.exe

pid	process
2060	mgsbmh.exe
3208	mgsbmh.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

mgsbmh.exemgsbmh.exeipconfig.exe

description	pid	process	target process
PID 2060 set thread context of 3208	2060	mgsbmh.exe	mgsbmh.exe
PID 3208 set thread context of 3136	3208	mgsbmh.exe	Explorer.EXE
PID 2592 set thread context of 3136	2592	ipconfig.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

2592 ipconfig.exe

pid	process
2592	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

mgsbmh.exeipconfig.exe

pid	process
3208	mgsbmh.exe
3208	mgsbmh.exe
3208	mgsbmh.exe
3208	mgsbmh.exe
2592	ipconfig.exe
2592	ipconfig.exe
2592	ipconfig.exe
2592	ipconfig.exe
2592	ipconfig.exe
2592	ipconfig.exe
2592	ipconfig.exe
2592	ipconfig.exe
2592	ipconfig.exe
2592	ipconfig.exe
2592	ipconfig.exe
2592	ipconfig.exe
2592	ipconfig.exe
2592	ipconfig.exe
2592	ipconfig.exe
2592	ipconfig.exe
2592	ipconfig.exe
2592	ipconfig.exe
2592	ipconfig.exe
2592	ipconfig.exe
2592	ipconfig.exe
2592	ipconfig.exe
2592	ipconfig.exe
2592	ipconfig.exe
2592	ipconfig.exe
2592	ipconfig.exe
2592	ipconfig.exe
2592	ipconfig.exe
2592	ipconfig.exe
2592	ipconfig.exe
2592	ipconfig.exe
2592	ipconfig.exe
2592	ipconfig.exe
2592	ipconfig.exe
2592	ipconfig.exe
2592	ipconfig.exe
2592	ipconfig.exe
2592	ipconfig.exe
2592	ipconfig.exe
2592	ipconfig.exe
2592	ipconfig.exe
2592	ipconfig.exe
2592	ipconfig.exe
2592	ipconfig.exe
2592	ipconfig.exe
2592	ipconfig.exe
2592	ipconfig.exe
2592	ipconfig.exe
2592	ipconfig.exe
2592	ipconfig.exe
2592	ipconfig.exe
2592	ipconfig.exe
2592	ipconfig.exe
2592	ipconfig.exe
2592	ipconfig.exe
2592	ipconfig.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3136 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

mgsbmh.exemgsbmh.exeipconfig.exe

pid process

2060 mgsbmh.exe
3208 mgsbmh.exe
3208 mgsbmh.exe
3208 mgsbmh.exe
2592 ipconfig.exe
2592 ipconfig.exe

pid	process
3136	Explorer.EXE

pid	process
2060	mgsbmh.exe
3208	mgsbmh.exe
3208	mgsbmh.exe
3208	mgsbmh.exe
2592	ipconfig.exe
2592	ipconfig.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

mgsbmh.exeipconfig.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	3208	mgsbmh.exe
Token: SeDebugPrivilege	2592	ipconfig.exe
Token: SeShutdownPrivilege	3136	Explorer.EXE
Token: SeCreatePagefilePrivilege	3136	Explorer.EXE
Token: SeShutdownPrivilege	3136	Explorer.EXE
Token: SeCreatePagefilePrivilege	3136	Explorer.EXE
Token: SeShutdownPrivilege	3136	Explorer.EXE
Token: SeCreatePagefilePrivilege	3136	Explorer.EXE
Token: SeShutdownPrivilege	3136	Explorer.EXE
Token: SeCreatePagefilePrivilege	3136	Explorer.EXE
Token: SeShutdownPrivilege	3136	Explorer.EXE
Token: SeCreatePagefilePrivilege	3136	Explorer.EXE
Token: SeShutdownPrivilege	3136	Explorer.EXE
Token: SeCreatePagefilePrivilege	3136	Explorer.EXE
Token: SeShutdownPrivilege	3136	Explorer.EXE
Token: SeCreatePagefilePrivilege	3136	Explorer.EXE
Token: SeShutdownPrivilege	3136	Explorer.EXE
Token: SeCreatePagefilePrivilege	3136	Explorer.EXE
Token: SeShutdownPrivilege	3136	Explorer.EXE
Token: SeCreatePagefilePrivilege	3136	Explorer.EXE
Token: SeShutdownPrivilege	3136	Explorer.EXE
Token: SeCreatePagefilePrivilege	3136	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

3136 Explorer.EXE
3136 Explorer.EXE

pid	process
3136	Explorer.EXE
3136	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

tmp.exemgsbmh.exeExplorer.EXEipconfig.exe

description	pid	process	target process
PID 4832 wrote to memory of 2060	4832	tmp.exe	mgsbmh.exe
PID 4832 wrote to memory of 2060	4832	tmp.exe	mgsbmh.exe
PID 4832 wrote to memory of 2060	4832	tmp.exe	mgsbmh.exe
PID 2060 wrote to memory of 3208	2060	mgsbmh.exe	mgsbmh.exe
PID 2060 wrote to memory of 3208	2060	mgsbmh.exe	mgsbmh.exe
PID 2060 wrote to memory of 3208	2060	mgsbmh.exe	mgsbmh.exe
PID 2060 wrote to memory of 3208	2060	mgsbmh.exe	mgsbmh.exe
PID 3136 wrote to memory of 2592	3136	Explorer.EXE	ipconfig.exe
PID 3136 wrote to memory of 2592	3136	Explorer.EXE	ipconfig.exe
PID 3136 wrote to memory of 2592	3136	Explorer.EXE	ipconfig.exe
PID 2592 wrote to memory of 3308	2592	ipconfig.exe	cmd.exe
PID 2592 wrote to memory of 3308	2592	ipconfig.exe	cmd.exe
PID 2592 wrote to memory of 3308	2592	ipconfig.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3136

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4832

C:\Users\Admin\AppData\Local\Temp\mgsbmh.exe
"C:\Users\Admin\AppData\Local\Temp\mgsbmh.exe" C:\Users\Admin\AppData\Local\Temp\qzvvclg.hww
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2060

C:\Users\Admin\AppData\Local\Temp\mgsbmh.exe
"C:\Users\Admin\AppData\Local\Temp\mgsbmh.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3208

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2592

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\mgsbmh.exe"
3⤵
PID:3308

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mgsbmh.exe
Filesize
51KB

MD5
a0448488825d9ec069f14f096f7819bf

SHA1
b4b134e05075042992ab43cfdf8d89cf7035ebae

SHA256
0b3acb81b12210f2c6ed929a2ba1800c06faa781d65cbf03a00b35bd15bfb84b

SHA512
e78d2528c80dda2bca9c96c6e1d929cefb11de1ead484946d7d170e918f07dc1113ae4ee0c8264f39ca2e872ef8ef931c55976f7e172267de8d30a042fd600ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgsbmh.exe
Filesize
51KB

MD5
a0448488825d9ec069f14f096f7819bf

SHA1
b4b134e05075042992ab43cfdf8d89cf7035ebae

SHA256
0b3acb81b12210f2c6ed929a2ba1800c06faa781d65cbf03a00b35bd15bfb84b

SHA512
e78d2528c80dda2bca9c96c6e1d929cefb11de1ead484946d7d170e918f07dc1113ae4ee0c8264f39ca2e872ef8ef931c55976f7e172267de8d30a042fd600ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgsbmh.exe
Filesize
51KB

MD5
a0448488825d9ec069f14f096f7819bf

SHA1
b4b134e05075042992ab43cfdf8d89cf7035ebae

SHA256
0b3acb81b12210f2c6ed929a2ba1800c06faa781d65cbf03a00b35bd15bfb84b

SHA512
e78d2528c80dda2bca9c96c6e1d929cefb11de1ead484946d7d170e918f07dc1113ae4ee0c8264f39ca2e872ef8ef931c55976f7e172267de8d30a042fd600ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\olpkhizgs.ad
Filesize
205KB

MD5
da93adf6273d48dc40849b0b0d763798

SHA1
e04be861160e8c80d8246cf7762659d7545d31c1

SHA256
08e22731cb15a03b218cc142c9aeb69b62159ea187f2491a7be8ca6cb558e32e

SHA512
eee5a1defcd159158606523db0f98ab1101ca1ec0dfc8c1cfbb73f16a37011552fbb5da3389fd740b8d215fc87f1c4df433f2fa8a222c809dae4a062e1524db2

Download Submit
C:\Users\Admin\AppData\Local\Temp\qzvvclg.hww
Filesize
5KB

MD5
911b087e7ba59d148ae81188bdbd70b1

SHA1
964665215f8ccae6974e9e23baac2efa3cbbc587

SHA256
cf80c63612e589e1fadc5405cdae4b1e34b7ffad4786afa7312308d7fd510a1d

SHA512
cd3cb008c92d20e950f99e2a88a12ce776f4f8a5e59fe8094bf71eeca00c70ea8ae731efd6b37ceb5c6a9e26a2aa358ec7283e28fba1e4df7109b8326d32080f

Download Submit
memory/2060-140-0x00000000005D0000-0x00000000005D2000-memory.dmp

Filesize
8KB

Download
memory/2592-156-0x0000000000490000-0x00000000004BF000-memory.dmp

Filesize
188KB

Download
memory/2592-152-0x0000000000FA0000-0x0000000000FAB000-memory.dmp

Filesize
44KB

Download
memory/2592-153-0x0000000000FA0000-0x0000000000FAB000-memory.dmp

Filesize
44KB

Download
memory/2592-158-0x0000000000AC0000-0x0000000000B54000-memory.dmp

Filesize
592KB

Download
memory/2592-154-0x0000000000490000-0x00000000004BF000-memory.dmp

Filesize
188KB

Download
memory/2592-155-0x0000000000BD0000-0x0000000000F1A000-memory.dmp

Filesize
3.3MB

Download
memory/3136-182-0x0000000008BC0000-0x0000000008BD0000-memory.dmp

Filesize
64KB

Download
memory/3136-194-0x0000000008020000-0x0000000008030000-memory.dmp

Filesize
64KB

Download
memory/3136-159-0x00000000099D0000-0x0000000009B3A000-memory.dmp

Filesize
1.4MB

Download
memory/3136-160-0x00000000099D0000-0x0000000009B3A000-memory.dmp

Filesize
1.4MB

Download
memory/3136-161-0x0000000008020000-0x0000000008030000-memory.dmp

Filesize
64KB

Download
memory/3136-162-0x0000000008020000-0x0000000008030000-memory.dmp

Filesize
64KB

Download
memory/3136-163-0x0000000008020000-0x0000000008030000-memory.dmp

Filesize
64KB

Download
memory/3136-164-0x0000000008020000-0x0000000008030000-memory.dmp

Filesize
64KB

Download
memory/3136-166-0x0000000008020000-0x0000000008030000-memory.dmp

Filesize
64KB

Download
memory/3136-165-0x0000000008020000-0x0000000008030000-memory.dmp

Filesize
64KB

Download
memory/3136-167-0x0000000008020000-0x0000000008030000-memory.dmp

Filesize
64KB

Download
memory/3136-168-0x0000000008020000-0x0000000008030000-memory.dmp

Filesize
64KB

Download
memory/3136-169-0x0000000008020000-0x0000000008030000-memory.dmp

Filesize
64KB

Download
memory/3136-170-0x0000000008020000-0x0000000008030000-memory.dmp

Filesize
64KB

Download
memory/3136-171-0x0000000008020000-0x0000000008030000-memory.dmp

Filesize
64KB

Download
memory/3136-172-0x0000000008020000-0x0000000008030000-memory.dmp

Filesize
64KB

Download
memory/3136-173-0x0000000008020000-0x0000000008030000-memory.dmp

Filesize
64KB

Download
memory/3136-174-0x0000000008020000-0x0000000008030000-memory.dmp

Filesize
64KB

Download
memory/3136-175-0x0000000008020000-0x0000000008030000-memory.dmp

Filesize
64KB

Download
memory/3136-176-0x0000000008020000-0x0000000008030000-memory.dmp

Filesize
64KB

Download
memory/3136-177-0x0000000008BC0000-0x0000000008BD0000-memory.dmp

Filesize
64KB

Download
memory/3136-178-0x0000000008BC0000-0x0000000008BD0000-memory.dmp

Filesize
64KB

Download
memory/3136-180-0x00000000099D0000-0x0000000009B3A000-memory.dmp

Filesize
1.4MB

Download
memory/3136-181-0x0000000008BC0000-0x0000000008BD0000-memory.dmp

Filesize
64KB

Download
memory/3136-149-0x00000000090D0000-0x000000000924B000-memory.dmp

Filesize
1.5MB

Download
memory/3136-188-0x0000000008020000-0x0000000008030000-memory.dmp

Filesize
64KB

Download
memory/3136-189-0x0000000008020000-0x0000000008030000-memory.dmp

Filesize
64KB

Download
memory/3136-190-0x0000000008020000-0x0000000008030000-memory.dmp

Filesize
64KB

Download
memory/3136-191-0x0000000008020000-0x0000000008030000-memory.dmp

Filesize
64KB

Download
memory/3136-192-0x0000000008020000-0x0000000008030000-memory.dmp

Filesize
64KB

Download
memory/3136-193-0x0000000008020000-0x0000000008030000-memory.dmp

Filesize
64KB

Download
memory/3136-235-0x0000000003420000-0x0000000003430000-memory.dmp

Filesize
64KB

Download
memory/3136-195-0x0000000008020000-0x0000000008030000-memory.dmp

Filesize
64KB

Download
memory/3136-196-0x0000000008020000-0x0000000008030000-memory.dmp

Filesize
64KB

Download
memory/3136-197-0x0000000008020000-0x0000000008030000-memory.dmp

Filesize
64KB

Download
memory/3136-198-0x0000000008020000-0x0000000008030000-memory.dmp

Filesize
64KB

Download
memory/3136-199-0x0000000008020000-0x0000000008030000-memory.dmp

Filesize
64KB

Download
memory/3136-200-0x0000000008020000-0x0000000008030000-memory.dmp

Filesize
64KB

Download
memory/3136-201-0x0000000008020000-0x0000000008030000-memory.dmp

Filesize
64KB

Download
memory/3136-202-0x0000000008020000-0x0000000008030000-memory.dmp

Filesize
64KB

Download
memory/3136-203-0x0000000008020000-0x0000000008030000-memory.dmp

Filesize
64KB

Download
memory/3136-205-0x0000000003030000-0x0000000003040000-memory.dmp

Filesize
64KB

Download
memory/3136-206-0x0000000003030000-0x0000000003040000-memory.dmp

Filesize
64KB

Download
memory/3136-207-0x0000000003030000-0x0000000003040000-memory.dmp

Filesize
64KB

Download
memory/3136-209-0x0000000003030000-0x0000000003040000-memory.dmp

Filesize
64KB

Download
memory/3136-210-0x0000000003030000-0x0000000003040000-memory.dmp

Filesize
64KB

Download
memory/3136-211-0x0000000003030000-0x0000000003040000-memory.dmp

Filesize
64KB

Download
memory/3136-217-0x0000000008020000-0x0000000008030000-memory.dmp

Filesize
64KB

Download
memory/3136-218-0x0000000008020000-0x0000000008030000-memory.dmp

Filesize
64KB

Download
memory/3136-219-0x0000000008020000-0x0000000008030000-memory.dmp

Filesize
64KB

Download
memory/3136-220-0x0000000008020000-0x0000000008030000-memory.dmp

Filesize
64KB

Download
memory/3136-221-0x0000000008020000-0x0000000008030000-memory.dmp

Filesize
64KB

Download
memory/3136-222-0x0000000008020000-0x0000000008030000-memory.dmp

Filesize
64KB

Download
memory/3136-223-0x0000000008020000-0x0000000008030000-memory.dmp

Filesize
64KB

Download
memory/3136-224-0x0000000008020000-0x0000000008030000-memory.dmp

Filesize
64KB

Download
memory/3136-225-0x0000000008020000-0x0000000008030000-memory.dmp

Filesize
64KB

Download
memory/3136-226-0x0000000008020000-0x0000000008030000-memory.dmp

Filesize
64KB

Download
memory/3136-233-0x0000000003420000-0x0000000003430000-memory.dmp

Filesize
64KB

Download
memory/3136-234-0x0000000003420000-0x0000000003430000-memory.dmp

Filesize
64KB

Download
memory/3208-142-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3208-146-0x0000000000980000-0x0000000000CCA000-memory.dmp

Filesize
3.3MB

Download
memory/3208-148-0x0000000000EA0000-0x0000000000EB5000-memory.dmp

Filesize
84KB

Download
memory/3208-147-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download