formbook | 85abcc70fdc2527f8c6572efbd759073c1b409b9a806f2b27425808bbe3211ba

General

Target

85abcc70fdc2527f8c6572efbd759073c1b409b9a806f2b27425808bbe3211ba.exe
Size

261KB
MD5

6f67808d109e693faccbead538c9fdd9
SHA1

a96325f7bb589f8b63af347c982e1a9177cc8686
SHA256

85abcc70fdc2527f8c6572efbd759073c1b409b9a806f2b27425808bbe3211ba
SHA512

88e52f650ae7c8936e8b2ebe2b4d883f7f577da491d85b2ba1ecc2c7f535961b4db8e5b6bd2567bf61fae38bb9bf40c9a66b7433c8b105868efa6e95b5aaa710
SSDEEP

6144:PYa6gVlkprrwLO5cekvA/NpGuEFJLyDFMfrQKD/IEdE3ZKAxXR:PYWVyprr1cTuELugQKD/IEG3ZKa

Score

10^/10

formbook ho62 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ho62

Decoy

aqawonky.com

ancachsroadsideassistance.com

artologycreatlive.com

olesinfo.africa

lovebreatheandsleep.com

friendsofdragonsprings.com

homecomingmums.wiki

hg222.bet

precision-spares.co.uk

generalhospitaleu.africa

touchstone4x4.africa

dynamator.com

dental-implants-52531.com

efefear.buzz

bentonapp.net

89luxu.com

bridgesonelm.com

acesaigon.online

instantapprovals.loans

evuniverso.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4888-141-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4888-149-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/1112-155-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/1112-157-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Blocklisted process makes network request 2 IoCs

Processes:

msiexec.exe

flow pid process

43 1112 msiexec.exe
71 1112 msiexec.exe
Executes dropped EXE 2 IoCs

Processes:

rvxcbg.exervxcbg.exe

pid process

4544 rvxcbg.exe
4888 rvxcbg.exe

flow	pid	process
43	1112	msiexec.exe
71	1112	msiexec.exe

pid	process
4544	rvxcbg.exe
4888	rvxcbg.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

rvxcbg.exervxcbg.exemsiexec.exe

description	pid	process	target process
PID 4544 set thread context of 4888	4544	rvxcbg.exe	rvxcbg.exe
PID 4888 set thread context of 3156	4888	rvxcbg.exe	Explorer.EXE
PID 1112 set thread context of 3156	1112	msiexec.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

rvxcbg.exemsiexec.exe

pid	process
4888	rvxcbg.exe
4888	rvxcbg.exe
4888	rvxcbg.exe
4888	rvxcbg.exe
1112	msiexec.exe
1112	msiexec.exe
1112	msiexec.exe
1112	msiexec.exe
1112	msiexec.exe
1112	msiexec.exe
1112	msiexec.exe
1112	msiexec.exe
1112	msiexec.exe
1112	msiexec.exe
1112	msiexec.exe
1112	msiexec.exe
1112	msiexec.exe
1112	msiexec.exe
1112	msiexec.exe
1112	msiexec.exe
1112	msiexec.exe
1112	msiexec.exe
1112	msiexec.exe
1112	msiexec.exe
1112	msiexec.exe
1112	msiexec.exe
1112	msiexec.exe
1112	msiexec.exe
1112	msiexec.exe
1112	msiexec.exe
1112	msiexec.exe
1112	msiexec.exe
1112	msiexec.exe
1112	msiexec.exe
1112	msiexec.exe
1112	msiexec.exe
1112	msiexec.exe
1112	msiexec.exe
1112	msiexec.exe
1112	msiexec.exe
1112	msiexec.exe
1112	msiexec.exe
1112	msiexec.exe
1112	msiexec.exe
1112	msiexec.exe
1112	msiexec.exe
1112	msiexec.exe
1112	msiexec.exe
1112	msiexec.exe
1112	msiexec.exe
1112	msiexec.exe
1112	msiexec.exe
1112	msiexec.exe
1112	msiexec.exe
1112	msiexec.exe
1112	msiexec.exe
1112	msiexec.exe
1112	msiexec.exe
1112	msiexec.exe
1112	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3156 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

rvxcbg.exervxcbg.exemsiexec.exe

pid process

4544 rvxcbg.exe
4888 rvxcbg.exe
4888 rvxcbg.exe
4888 rvxcbg.exe
1112 msiexec.exe
1112 msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

rvxcbg.exemsiexec.exe

description pid process

Token: SeDebugPrivilege 4888 rvxcbg.exe
Token: SeDebugPrivilege 1112 msiexec.exe

pid	process
3156	Explorer.EXE

pid	process
4544	rvxcbg.exe
4888	rvxcbg.exe
4888	rvxcbg.exe
4888	rvxcbg.exe
1112	msiexec.exe
1112	msiexec.exe

description	pid	process
Token: SeDebugPrivilege	4888	rvxcbg.exe
Token: SeDebugPrivilege	1112	msiexec.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

85abcc70fdc2527f8c6572efbd759073c1b409b9a806f2b27425808bbe3211ba.exervxcbg.exeExplorer.EXEmsiexec.exe

description	pid	process	target process
PID 3216 wrote to memory of 4544	3216	85abcc70fdc2527f8c6572efbd759073c1b409b9a806f2b27425808bbe3211ba.exe	rvxcbg.exe
PID 3216 wrote to memory of 4544	3216	85abcc70fdc2527f8c6572efbd759073c1b409b9a806f2b27425808bbe3211ba.exe	rvxcbg.exe
PID 3216 wrote to memory of 4544	3216	85abcc70fdc2527f8c6572efbd759073c1b409b9a806f2b27425808bbe3211ba.exe	rvxcbg.exe
PID 4544 wrote to memory of 4888	4544	rvxcbg.exe	rvxcbg.exe
PID 4544 wrote to memory of 4888	4544	rvxcbg.exe	rvxcbg.exe
PID 4544 wrote to memory of 4888	4544	rvxcbg.exe	rvxcbg.exe
PID 4544 wrote to memory of 4888	4544	rvxcbg.exe	rvxcbg.exe
PID 3156 wrote to memory of 1112	3156	Explorer.EXE	msiexec.exe
PID 3156 wrote to memory of 1112	3156	Explorer.EXE	msiexec.exe
PID 3156 wrote to memory of 1112	3156	Explorer.EXE	msiexec.exe
PID 1112 wrote to memory of 4868	1112	msiexec.exe	cmd.exe
PID 1112 wrote to memory of 4868	1112	msiexec.exe	cmd.exe
PID 1112 wrote to memory of 4868	1112	msiexec.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3156

C:\Users\Admin\AppData\Local\Temp\85abcc70fdc2527f8c6572efbd759073c1b409b9a806f2b27425808bbe3211ba.exe
"C:\Users\Admin\AppData\Local\Temp\85abcc70fdc2527f8c6572efbd759073c1b409b9a806f2b27425808bbe3211ba.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3216

C:\Users\Admin\AppData\Local\Temp\rvxcbg.exe
"C:\Users\Admin\AppData\Local\Temp\rvxcbg.exe" C:\Users\Admin\AppData\Local\Temp\qxzjri.v
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4544

C:\Users\Admin\AppData\Local\Temp\rvxcbg.exe
"C:\Users\Admin\AppData\Local\Temp\rvxcbg.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4888

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\rvxcbg.exe"
3⤵
PID:4868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dqiyeyujttq.kfc
Filesize
205KB

MD5
328a193a54eb35ad306dba6a5e9cee32

SHA1
0e4a789a43f46d27ae1682206355e417150442a6

SHA256
54ee17bbb195344970b4d59d84b9f7a8c76f88e1ce4e1bf2a613d021fb36734e

SHA512
91b93b59896886ce340b0e9a0775e834ee23f278bd07f61e807809db7e42bab83b1832d4acb694547ac8aafec67ccf70d6539fe62a3ac7c75387d75f13575531

Download Submit
C:\Users\Admin\AppData\Local\Temp\qxzjri.v
Filesize
5KB

MD5
4280b3ffa223c3a6784737f12ae969b4

SHA1
dd7430712f471d0f1bf3cbca96c7e73b874a0422

SHA256
8ac665a9e3e20819e1349cfe13503151a319f3babe603426a2020a980b5cdd28

SHA512
111bd83e421c7eceaf14736d59113ea6060d1a74e6a826553186883dd17f7c338810732cb2c4462b7ec66d628c9b16877102afa7022610839425e5d96bbc69f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\rvxcbg.exe
Filesize
54KB

MD5
b0801f1a8bbce88b7af329c2c3136eea

SHA1
b475c2697dd8b8b022fb7a5630b121aba4ec920f

SHA256
278ba33778f9138db710ab127ed29a4376891ba3c4557d44d052fb07b6c10842

SHA512
23405ec5bd8297798acc3a3a4d98242d99301550c0aa6aea3f980d206898d0908aa309e97c679342c9573e688c78172bd9dd3f71938485b8e264d029bb9eb215

Download Submit
C:\Users\Admin\AppData\Local\Temp\rvxcbg.exe
Filesize
54KB

MD5
b0801f1a8bbce88b7af329c2c3136eea

SHA1
b475c2697dd8b8b022fb7a5630b121aba4ec920f

SHA256
278ba33778f9138db710ab127ed29a4376891ba3c4557d44d052fb07b6c10842

SHA512
23405ec5bd8297798acc3a3a4d98242d99301550c0aa6aea3f980d206898d0908aa309e97c679342c9573e688c78172bd9dd3f71938485b8e264d029bb9eb215

Download Submit
C:\Users\Admin\AppData\Local\Temp\rvxcbg.exe
Filesize
54KB

MD5
b0801f1a8bbce88b7af329c2c3136eea

SHA1
b475c2697dd8b8b022fb7a5630b121aba4ec920f

SHA256
278ba33778f9138db710ab127ed29a4376891ba3c4557d44d052fb07b6c10842

SHA512
23405ec5bd8297798acc3a3a4d98242d99301550c0aa6aea3f980d206898d0908aa309e97c679342c9573e688c78172bd9dd3f71938485b8e264d029bb9eb215

Download Submit
memory/1112-154-0x0000000000710000-0x0000000000722000-memory.dmp

Filesize
72KB

Download
memory/1112-148-0x0000000000710000-0x0000000000722000-memory.dmp

Filesize
72KB

Download
memory/1112-152-0x0000000000710000-0x0000000000722000-memory.dmp

Filesize
72KB

Download
memory/1112-159-0x0000000002130000-0x00000000021C4000-memory.dmp

Filesize
592KB

Download
memory/1112-156-0x0000000002290000-0x00000000025DA000-memory.dmp

Filesize
3.3MB

Download
memory/1112-155-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1112-157-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3156-163-0x0000000008930000-0x0000000008A87000-memory.dmp

Filesize
1.3MB

Download
memory/3156-161-0x0000000008930000-0x0000000008A87000-memory.dmp

Filesize
1.3MB

Download
memory/3156-147-0x00000000082D0000-0x00000000083F3000-memory.dmp

Filesize
1.1MB

Download
memory/3156-160-0x0000000008930000-0x0000000008A87000-memory.dmp

Filesize
1.3MB

Download
memory/4888-141-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4888-149-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4888-146-0x00000000009E0000-0x00000000009F5000-memory.dmp

Filesize
84KB

Download
memory/4888-145-0x0000000000AE0000-0x0000000000E2A000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads