formbook | 4a5309177d4f6abcd769add4273ecae79c990e124877765c1c4ab27b7236c8c2

Analysis

max time kernel
31s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
08-03-2023 13:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50fe8f68de11579bdf0d4703cc9e6a1f0f9817a5605b15977c229bf5c522338d.exe
Size

349KB
MD5

ba645c8235d19c8407c81d62470eedf8
SHA1

9b78b515d6869753e2bb3e46d1307deccef79e57
SHA256

50fe8f68de11579bdf0d4703cc9e6a1f0f9817a5605b15977c229bf5c522338d
SHA512

7efa198fd976f2660fc033f708739c003210ae88e50938abec6ce919e85246ca4a6d4f3db0e105b16094b08a68ad1234b5986cfed43c90b239369a46e95a65de
SSDEEP

6144:jYa6a3R6bVzifniXpVKRNQfgwq+DMhfii10dqeH+QE:jY03RYV+Op8Ugwq+HiSg0PE

Score

10^/10

formbook ho62 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ho62

Decoy

aqawonky.com

ancachsroadsideassistance.com

artologycreatlive.com

olesinfo.africa

lovebreatheandsleep.com

friendsofdragonsprings.com

homecomingmums.wiki

hg222.bet

precision-spares.co.uk

generalhospitaleu.africa

touchstone4x4.africa

dynamator.com

dental-implants-52531.com

efefear.buzz

bentonapp.net

89luxu.com

bridgesonelm.com

acesaigon.online

instantapprovals.loans

evuniverso.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/332-65-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

evmxs.exeevmxs.exe

pid process

1124 evmxs.exe
332 evmxs.exe
Loads dropped DLL 5 IoCs

Processes:

50fe8f68de11579bdf0d4703cc9e6a1f0f9817a5605b15977c229bf5c522338d.exeevmxs.exeWerFault.exe

pid process

1288 50fe8f68de11579bdf0d4703cc9e6a1f0f9817a5605b15977c229bf5c522338d.exe
1124 evmxs.exe
1656 WerFault.exe
1656 WerFault.exe
1656 WerFault.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

evmxs.exe

description pid process target process

PID 1124 set thread context of 332 1124 evmxs.exe evmxs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1656 332 WerFault.exe evmxs.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

evmxs.exe

pid process

1124 evmxs.exe
1124 evmxs.exe

pid	process
1124	evmxs.exe
332	evmxs.exe

pid	process
1288	50fe8f68de11579bdf0d4703cc9e6a1f0f9817a5605b15977c229bf5c522338d.exe
1124	evmxs.exe
1656	WerFault.exe
1656	WerFault.exe
1656	WerFault.exe

description	pid	process	target process
PID 1124 set thread context of 332	1124	evmxs.exe	evmxs.exe

pid	pid_target	process	target process
1656	332	WerFault.exe	evmxs.exe

pid	process
1124	evmxs.exe
1124	evmxs.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

50fe8f68de11579bdf0d4703cc9e6a1f0f9817a5605b15977c229bf5c522338d.exeevmxs.exeevmxs.exe

description	pid	process	target process
PID 1288 wrote to memory of 1124	1288	50fe8f68de11579bdf0d4703cc9e6a1f0f9817a5605b15977c229bf5c522338d.exe	evmxs.exe
PID 1288 wrote to memory of 1124	1288	50fe8f68de11579bdf0d4703cc9e6a1f0f9817a5605b15977c229bf5c522338d.exe	evmxs.exe
PID 1288 wrote to memory of 1124	1288	50fe8f68de11579bdf0d4703cc9e6a1f0f9817a5605b15977c229bf5c522338d.exe	evmxs.exe
PID 1288 wrote to memory of 1124	1288	50fe8f68de11579bdf0d4703cc9e6a1f0f9817a5605b15977c229bf5c522338d.exe	evmxs.exe
PID 1124 wrote to memory of 332	1124	evmxs.exe	evmxs.exe
PID 1124 wrote to memory of 332	1124	evmxs.exe	evmxs.exe
PID 1124 wrote to memory of 332	1124	evmxs.exe	evmxs.exe
PID 1124 wrote to memory of 332	1124	evmxs.exe	evmxs.exe
PID 1124 wrote to memory of 332	1124	evmxs.exe	evmxs.exe
PID 332 wrote to memory of 1656	332	evmxs.exe	WerFault.exe
PID 332 wrote to memory of 1656	332	evmxs.exe	WerFault.exe
PID 332 wrote to memory of 1656	332	evmxs.exe	WerFault.exe
PID 332 wrote to memory of 1656	332	evmxs.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\50fe8f68de11579bdf0d4703cc9e6a1f0f9817a5605b15977c229bf5c522338d.exe
"C:\Users\Admin\AppData\Local\Temp\50fe8f68de11579bdf0d4703cc9e6a1f0f9817a5605b15977c229bf5c522338d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1288

C:\Users\Admin\AppData\Local\Temp\evmxs.exe
"C:\Users\Admin\AppData\Local\Temp\evmxs.exe" C:\Users\Admin\AppData\Local\Temp\qrteztqgww.lbc
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1124

C:\Users\Admin\AppData\Local\Temp\evmxs.exe
"C:\Users\Admin\AppData\Local\Temp\evmxs.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 332 -s 36
4⤵
- Loads dropped DLL
- Program crash
PID:1656

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\evmxs.exe
Filesize
97KB

MD5
ea54c194d2a03380c618bcb23669b78d

SHA1
2aa690e0d3091c736b5557c6462b75f68f06cd90

SHA256
bf5a00f352d12e5bbaba6a84d3e9a65157fec23dabfc0c67d05ad4d8344b74f1

SHA512
11879c7c9b5a2f47c4cc07047bc1e6cef880238ebb65ffe59335f429f0a8bc2ce23cef97278147d32443cfd94b4c8a991661ec96eebdc9e83ba8712a4ea93305

Download Submit
C:\Users\Admin\AppData\Local\Temp\evmxs.exe
Filesize
97KB

MD5
ea54c194d2a03380c618bcb23669b78d

SHA1
2aa690e0d3091c736b5557c6462b75f68f06cd90

SHA256
bf5a00f352d12e5bbaba6a84d3e9a65157fec23dabfc0c67d05ad4d8344b74f1

SHA512
11879c7c9b5a2f47c4cc07047bc1e6cef880238ebb65ffe59335f429f0a8bc2ce23cef97278147d32443cfd94b4c8a991661ec96eebdc9e83ba8712a4ea93305

Download Submit
C:\Users\Admin\AppData\Local\Temp\evmxs.exe
Filesize
97KB

MD5
ea54c194d2a03380c618bcb23669b78d

SHA1
2aa690e0d3091c736b5557c6462b75f68f06cd90

SHA256
bf5a00f352d12e5bbaba6a84d3e9a65157fec23dabfc0c67d05ad4d8344b74f1

SHA512
11879c7c9b5a2f47c4cc07047bc1e6cef880238ebb65ffe59335f429f0a8bc2ce23cef97278147d32443cfd94b4c8a991661ec96eebdc9e83ba8712a4ea93305

Download Submit
C:\Users\Admin\AppData\Local\Temp\qrteztqgww.lbc
Filesize
6KB

MD5
ff107dc03a00167424fec76cde7e8f78

SHA1
481d9285d50accef703baa71f56ce21359839cac

SHA256
9845f5fdaf0d4ccb3994540839f7eb9159d2ef1c93a01349f54974ebc214d591

SHA512
46542520a849ba3ab34958f656498cd72505af13141f9b90f692ae24acc2e2670eb95a942f7d67c1c55878a110ed6a9cbbe50e1ddd31339228a46d651b112325

Download Submit
C:\Users\Admin\AppData\Local\Temp\rcngsrdjmk.x
Filesize
205KB

MD5
84da0b4d575e5b8f9fb6963ac4b5c1f8

SHA1
99662624073ee572fd5ca216c57ee216497ceb85

SHA256
82b34d99484accb13f617e6c4bce37a897f2713b3ad958e3518eb3ea04614af3

SHA512
296f66e1a7d177d4fe38e10c42a5085f6579e2fa1752189c6bd54905506ca01f5bfbfc697dbe11f9aebc809547cb39cd824b891f535925483da2e76a8c174474

Download Submit
\Users\Admin\AppData\Local\Temp\evmxs.exe
Filesize
97KB

MD5
ea54c194d2a03380c618bcb23669b78d

SHA1
2aa690e0d3091c736b5557c6462b75f68f06cd90

SHA256
bf5a00f352d12e5bbaba6a84d3e9a65157fec23dabfc0c67d05ad4d8344b74f1

SHA512
11879c7c9b5a2f47c4cc07047bc1e6cef880238ebb65ffe59335f429f0a8bc2ce23cef97278147d32443cfd94b4c8a991661ec96eebdc9e83ba8712a4ea93305

Download Submit
\Users\Admin\AppData\Local\Temp\evmxs.exe
Filesize
97KB

MD5
ea54c194d2a03380c618bcb23669b78d

SHA1
2aa690e0d3091c736b5557c6462b75f68f06cd90

SHA256
bf5a00f352d12e5bbaba6a84d3e9a65157fec23dabfc0c67d05ad4d8344b74f1

SHA512
11879c7c9b5a2f47c4cc07047bc1e6cef880238ebb65ffe59335f429f0a8bc2ce23cef97278147d32443cfd94b4c8a991661ec96eebdc9e83ba8712a4ea93305

Download Submit
\Users\Admin\AppData\Local\Temp\evmxs.exe
Filesize
97KB

MD5
ea54c194d2a03380c618bcb23669b78d

SHA1
2aa690e0d3091c736b5557c6462b75f68f06cd90

SHA256
bf5a00f352d12e5bbaba6a84d3e9a65157fec23dabfc0c67d05ad4d8344b74f1

SHA512
11879c7c9b5a2f47c4cc07047bc1e6cef880238ebb65ffe59335f429f0a8bc2ce23cef97278147d32443cfd94b4c8a991661ec96eebdc9e83ba8712a4ea93305

Download Submit
\Users\Admin\AppData\Local\Temp\evmxs.exe
Filesize
97KB

MD5
ea54c194d2a03380c618bcb23669b78d

SHA1
2aa690e0d3091c736b5557c6462b75f68f06cd90

SHA256
bf5a00f352d12e5bbaba6a84d3e9a65157fec23dabfc0c67d05ad4d8344b74f1

SHA512
11879c7c9b5a2f47c4cc07047bc1e6cef880238ebb65ffe59335f429f0a8bc2ce23cef97278147d32443cfd94b4c8a991661ec96eebdc9e83ba8712a4ea93305

Download Submit
\Users\Admin\AppData\Local\Temp\evmxs.exe
Filesize
97KB

MD5
ea54c194d2a03380c618bcb23669b78d

SHA1
2aa690e0d3091c736b5557c6462b75f68f06cd90

SHA256
bf5a00f352d12e5bbaba6a84d3e9a65157fec23dabfc0c67d05ad4d8344b74f1

SHA512
11879c7c9b5a2f47c4cc07047bc1e6cef880238ebb65ffe59335f429f0a8bc2ce23cef97278147d32443cfd94b4c8a991661ec96eebdc9e83ba8712a4ea93305

Download Submit
memory/332-65-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download