formbook | 4a5309177d4f6abcd769add4273ecae79c990e124877765c1c4ab27b7236c8c2

General

Target

50fe8f68de11579bdf0d4703cc9e6a1f0f9817a5605b15977c229bf5c522338d.exe
Size

349KB
MD5

ba645c8235d19c8407c81d62470eedf8
SHA1

9b78b515d6869753e2bb3e46d1307deccef79e57
SHA256

50fe8f68de11579bdf0d4703cc9e6a1f0f9817a5605b15977c229bf5c522338d
SHA512

7efa198fd976f2660fc033f708739c003210ae88e50938abec6ce919e85246ca4a6d4f3db0e105b16094b08a68ad1234b5986cfed43c90b239369a46e95a65de
SSDEEP

6144:jYa6a3R6bVzifniXpVKRNQfgwq+DMhfii10dqeH+QE:jY03RYV+Op8Ugwq+HiSg0PE

Score

10^/10

formbook ho62 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ho62

Decoy

aqawonky.com

ancachsroadsideassistance.com

artologycreatlive.com

olesinfo.africa

lovebreatheandsleep.com

friendsofdragonsprings.com

homecomingmums.wiki

hg222.bet

precision-spares.co.uk

generalhospitaleu.africa

touchstone4x4.africa

dynamator.com

dental-implants-52531.com

efefear.buzz

bentonapp.net

89luxu.com

bridgesonelm.com

acesaigon.online

instantapprovals.loans

evuniverso.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1620-142-0x00000000007A0000-0x00000000007CF000-memory.dmp	formbook
behavioral2/memory/1524-152-0x0000000000910000-0x000000000093F000-memory.dmp	formbook
behavioral2/memory/1524-154-0x0000000000910000-0x000000000093F000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

evmxs.exeevmxs.exe

pid process

4560 evmxs.exe
1620 evmxs.exe

pid	process
4560	evmxs.exe
1620	evmxs.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

evmxs.exeevmxs.exewscript.exe

description	pid	process	target process
PID 4560 set thread context of 1620	4560	evmxs.exe	evmxs.exe
PID 1620 set thread context of 760	1620	evmxs.exe	Explorer.EXE
PID 1524 set thread context of 760	1524	wscript.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

evmxs.exewscript.exe

pid	process
1620	evmxs.exe
1620	evmxs.exe
1620	evmxs.exe
1620	evmxs.exe
1524	wscript.exe
1524	wscript.exe
1524	wscript.exe
1524	wscript.exe
1524	wscript.exe
1524	wscript.exe
1524	wscript.exe
1524	wscript.exe
1524	wscript.exe
1524	wscript.exe
1524	wscript.exe
1524	wscript.exe
1524	wscript.exe
1524	wscript.exe
1524	wscript.exe
1524	wscript.exe
1524	wscript.exe
1524	wscript.exe
1524	wscript.exe
1524	wscript.exe
1524	wscript.exe
1524	wscript.exe
1524	wscript.exe
1524	wscript.exe
1524	wscript.exe
1524	wscript.exe
1524	wscript.exe
1524	wscript.exe
1524	wscript.exe
1524	wscript.exe
1524	wscript.exe
1524	wscript.exe
1524	wscript.exe
1524	wscript.exe
1524	wscript.exe
1524	wscript.exe
1524	wscript.exe
1524	wscript.exe
1524	wscript.exe
1524	wscript.exe
1524	wscript.exe
1524	wscript.exe
1524	wscript.exe
1524	wscript.exe
1524	wscript.exe
1524	wscript.exe
1524	wscript.exe
1524	wscript.exe
1524	wscript.exe
1524	wscript.exe
1524	wscript.exe
1524	wscript.exe
1524	wscript.exe
1524	wscript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

760 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

evmxs.exeevmxs.exewscript.exe

pid process

4560 evmxs.exe
4560 evmxs.exe
1620 evmxs.exe
1620 evmxs.exe
1620 evmxs.exe
1524 wscript.exe
1524 wscript.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

evmxs.exewscript.exe

description pid process

Token: SeDebugPrivilege 1620 evmxs.exe
Token: SeDebugPrivilege 1524 wscript.exe

pid	process
760	Explorer.EXE

pid	process
4560	evmxs.exe
4560	evmxs.exe
1620	evmxs.exe
1620	evmxs.exe
1620	evmxs.exe
1524	wscript.exe
1524	wscript.exe

description	pid	process
Token: SeDebugPrivilege	1620	evmxs.exe
Token: SeDebugPrivilege	1524	wscript.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

50fe8f68de11579bdf0d4703cc9e6a1f0f9817a5605b15977c229bf5c522338d.exeevmxs.exeExplorer.EXEwscript.exe

description	pid	process	target process
PID 4772 wrote to memory of 4560	4772	50fe8f68de11579bdf0d4703cc9e6a1f0f9817a5605b15977c229bf5c522338d.exe	evmxs.exe
PID 4772 wrote to memory of 4560	4772	50fe8f68de11579bdf0d4703cc9e6a1f0f9817a5605b15977c229bf5c522338d.exe	evmxs.exe
PID 4772 wrote to memory of 4560	4772	50fe8f68de11579bdf0d4703cc9e6a1f0f9817a5605b15977c229bf5c522338d.exe	evmxs.exe
PID 4560 wrote to memory of 1620	4560	evmxs.exe	evmxs.exe
PID 4560 wrote to memory of 1620	4560	evmxs.exe	evmxs.exe
PID 4560 wrote to memory of 1620	4560	evmxs.exe	evmxs.exe
PID 4560 wrote to memory of 1620	4560	evmxs.exe	evmxs.exe
PID 760 wrote to memory of 1524	760	Explorer.EXE	wscript.exe
PID 760 wrote to memory of 1524	760	Explorer.EXE	wscript.exe
PID 760 wrote to memory of 1524	760	Explorer.EXE	wscript.exe
PID 1524 wrote to memory of 2136	1524	wscript.exe	cmd.exe
PID 1524 wrote to memory of 2136	1524	wscript.exe	cmd.exe
PID 1524 wrote to memory of 2136	1524	wscript.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:760

C:\Users\Admin\AppData\Local\Temp\50fe8f68de11579bdf0d4703cc9e6a1f0f9817a5605b15977c229bf5c522338d.exe
"C:\Users\Admin\AppData\Local\Temp\50fe8f68de11579bdf0d4703cc9e6a1f0f9817a5605b15977c229bf5c522338d.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4772

C:\Users\Admin\AppData\Local\Temp\evmxs.exe
"C:\Users\Admin\AppData\Local\Temp\evmxs.exe" C:\Users\Admin\AppData\Local\Temp\qrteztqgww.lbc
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4560

C:\Users\Admin\AppData\Local\Temp\evmxs.exe
"C:\Users\Admin\AppData\Local\Temp\evmxs.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\evmxs.exe"
3⤵
PID:2136

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\evmxs.exe

Filesize
97KB

MD5
ea54c194d2a03380c618bcb23669b78d

SHA1
2aa690e0d3091c736b5557c6462b75f68f06cd90

SHA256
bf5a00f352d12e5bbaba6a84d3e9a65157fec23dabfc0c67d05ad4d8344b74f1

SHA512
11879c7c9b5a2f47c4cc07047bc1e6cef880238ebb65ffe59335f429f0a8bc2ce23cef97278147d32443cfd94b4c8a991661ec96eebdc9e83ba8712a4ea93305

Download Submit
C:\Users\Admin\AppData\Local\Temp\evmxs.exe

Filesize
97KB

MD5
ea54c194d2a03380c618bcb23669b78d

SHA1
2aa690e0d3091c736b5557c6462b75f68f06cd90

SHA256
bf5a00f352d12e5bbaba6a84d3e9a65157fec23dabfc0c67d05ad4d8344b74f1

SHA512
11879c7c9b5a2f47c4cc07047bc1e6cef880238ebb65ffe59335f429f0a8bc2ce23cef97278147d32443cfd94b4c8a991661ec96eebdc9e83ba8712a4ea93305

Download Submit
C:\Users\Admin\AppData\Local\Temp\evmxs.exe

Filesize
97KB

MD5
ea54c194d2a03380c618bcb23669b78d

SHA1
2aa690e0d3091c736b5557c6462b75f68f06cd90

SHA256
bf5a00f352d12e5bbaba6a84d3e9a65157fec23dabfc0c67d05ad4d8344b74f1

SHA512
11879c7c9b5a2f47c4cc07047bc1e6cef880238ebb65ffe59335f429f0a8bc2ce23cef97278147d32443cfd94b4c8a991661ec96eebdc9e83ba8712a4ea93305

Download Submit
C:\Users\Admin\AppData\Local\Temp\qrteztqgww.lbc

Filesize
6KB

MD5
ff107dc03a00167424fec76cde7e8f78

SHA1
481d9285d50accef703baa71f56ce21359839cac

SHA256
9845f5fdaf0d4ccb3994540839f7eb9159d2ef1c93a01349f54974ebc214d591

SHA512
46542520a849ba3ab34958f656498cd72505af13141f9b90f692ae24acc2e2670eb95a942f7d67c1c55878a110ed6a9cbbe50e1ddd31339228a46d651b112325

Download Submit
C:\Users\Admin\AppData\Local\Temp\rcngsrdjmk.x

Filesize
205KB

MD5
84da0b4d575e5b8f9fb6963ac4b5c1f8

SHA1
99662624073ee572fd5ca216c57ee216497ceb85

SHA256
82b34d99484accb13f617e6c4bce37a897f2713b3ad958e3518eb3ea04614af3

SHA512
296f66e1a7d177d4fe38e10c42a5085f6579e2fa1752189c6bd54905506ca01f5bfbfc697dbe11f9aebc809547cb39cd824b891f535925483da2e76a8c174474

Download Submit
memory/760-149-0x00000000028A0000-0x0000000002A41000-memory.dmp

Filesize
1.6MB

Download
memory/760-160-0x0000000002A50000-0x0000000002B33000-memory.dmp

Filesize
908KB

Download
memory/760-158-0x0000000002A50000-0x0000000002B33000-memory.dmp

Filesize
908KB

Download
memory/760-157-0x0000000002A50000-0x0000000002B33000-memory.dmp

Filesize
908KB

Download
memory/1524-152-0x0000000000910000-0x000000000093F000-memory.dmp

Filesize
188KB

Download
memory/1524-150-0x0000000000DB0000-0x0000000000DD7000-memory.dmp

Filesize
156KB

Download
memory/1524-151-0x0000000000DB0000-0x0000000000DD7000-memory.dmp

Filesize
156KB

Download
memory/1524-153-0x0000000002B00000-0x0000000002E4A000-memory.dmp

Filesize
3.3MB

Download
memory/1524-154-0x0000000000910000-0x000000000093F000-memory.dmp

Filesize
188KB

Download
memory/1524-156-0x0000000002840000-0x00000000028D4000-memory.dmp

Filesize
592KB

Download
memory/1620-148-0x0000000000DE0000-0x0000000000DF5000-memory.dmp

Filesize
84KB

Download
memory/1620-147-0x0000000000E20000-0x000000000116A000-memory.dmp

Filesize
3.3MB

Download
memory/1620-142-0x00000000007A0000-0x00000000007CF000-memory.dmp

Filesize
188KB

Download
memory/4560-140-0x0000000001070000-0x0000000001072000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads