formbook | ef4affb6a91e67cd7b1ee492589e18cf700653e6d6b32a66d5b1747ab861ef56

General

Target

MTCN TELLER RECEIPT.exe
Size

237KB
MD5

f9726a7a881f7182123ee36679c4d09b
SHA1

53b28856a51b66195ff4a3b799642b8d1f7025db
SHA256

9472d7a4e6028ef04c5b1a1a57844a3198229bd209b68c1d3534123e4fad8fb2
SHA512

1ea087c3d7311dbd07eeb03c4ca9ef37236fac517f11a305849ab022b8645baffd947d9e794f0418b6050a25f4a3b8f35137ad5f76591cb10e526df04050ac02
SSDEEP

6144:/Ya6i74F0L4ddME6oV38O0+yn9utn3HND:/YUcmL4X6oB8O0+Nt3HND

Score

10^/10

formbook ke03 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ke03

Decoy

fastartcustom.com

ikanggabus.xyz

aevum.ru

lacarretapps.com

arcaneacquisitions.net

fuulyshop.com

bloodbahis278.com

bullardrvpark.com

cowboy-hostel.xyz

empireoba.com

the-windsor-h.africa

help-desk-td.com

dofirosols.life

efefarmy.buzz

kewwrf.top

autoran.co.uk

moodysanalytics.boo

kulturemarket.com

ffwpu-kenya.com

heykon.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral4/memory/2380-142-0x0000000000790000-0x00000000007BF000-memory.dmp	formbook
behavioral4/memory/4048-153-0x00000000002E0000-0x000000000030F000-memory.dmp	formbook
behavioral4/memory/4048-155-0x00000000002E0000-0x000000000030F000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

otmflulrvh.exeotmflulrvh.exe

pid process

2720 otmflulrvh.exe
2380 otmflulrvh.exe

pid	process
2720	otmflulrvh.exe
2380	otmflulrvh.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

otmflulrvh.exeotmflulrvh.exeWWAHost.exe

description	pid	process	target process
PID 2720 set thread context of 2380	2720	otmflulrvh.exe	otmflulrvh.exe
PID 2380 set thread context of 2780	2380	otmflulrvh.exe	Explorer.EXE
PID 4048 set thread context of 2780	4048	WWAHost.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

otmflulrvh.exeWWAHost.exe

pid	process
2380	otmflulrvh.exe
2380	otmflulrvh.exe
2380	otmflulrvh.exe
2380	otmflulrvh.exe
4048	WWAHost.exe
4048	WWAHost.exe
4048	WWAHost.exe
4048	WWAHost.exe
4048	WWAHost.exe
4048	WWAHost.exe
4048	WWAHost.exe
4048	WWAHost.exe
4048	WWAHost.exe
4048	WWAHost.exe
4048	WWAHost.exe
4048	WWAHost.exe
4048	WWAHost.exe
4048	WWAHost.exe
4048	WWAHost.exe
4048	WWAHost.exe
4048	WWAHost.exe
4048	WWAHost.exe
4048	WWAHost.exe
4048	WWAHost.exe
4048	WWAHost.exe
4048	WWAHost.exe
4048	WWAHost.exe
4048	WWAHost.exe
4048	WWAHost.exe
4048	WWAHost.exe
4048	WWAHost.exe
4048	WWAHost.exe
4048	WWAHost.exe
4048	WWAHost.exe
4048	WWAHost.exe
4048	WWAHost.exe
4048	WWAHost.exe
4048	WWAHost.exe
4048	WWAHost.exe
4048	WWAHost.exe
4048	WWAHost.exe
4048	WWAHost.exe
4048	WWAHost.exe
4048	WWAHost.exe
4048	WWAHost.exe
4048	WWAHost.exe
4048	WWAHost.exe
4048	WWAHost.exe
4048	WWAHost.exe
4048	WWAHost.exe
4048	WWAHost.exe
4048	WWAHost.exe
4048	WWAHost.exe
4048	WWAHost.exe
4048	WWAHost.exe
4048	WWAHost.exe
4048	WWAHost.exe
4048	WWAHost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2780 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

otmflulrvh.exeotmflulrvh.exeWWAHost.exe

pid process

2720 otmflulrvh.exe
2720 otmflulrvh.exe
2380 otmflulrvh.exe
2380 otmflulrvh.exe
2380 otmflulrvh.exe
4048 WWAHost.exe
4048 WWAHost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

otmflulrvh.exeWWAHost.exe

description pid process

Token: SeDebugPrivilege 2380 otmflulrvh.exe
Token: SeDebugPrivilege 4048 WWAHost.exe

pid	process
2780	Explorer.EXE

pid	process
2720	otmflulrvh.exe
2720	otmflulrvh.exe
2380	otmflulrvh.exe
2380	otmflulrvh.exe
2380	otmflulrvh.exe
4048	WWAHost.exe
4048	WWAHost.exe

description	pid	process
Token: SeDebugPrivilege	2380	otmflulrvh.exe
Token: SeDebugPrivilege	4048	WWAHost.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

MTCN TELLER RECEIPT.exeotmflulrvh.exeExplorer.EXEWWAHost.exe

description	pid	process	target process
PID 4876 wrote to memory of 2720	4876	MTCN TELLER RECEIPT.exe	otmflulrvh.exe
PID 4876 wrote to memory of 2720	4876	MTCN TELLER RECEIPT.exe	otmflulrvh.exe
PID 4876 wrote to memory of 2720	4876	MTCN TELLER RECEIPT.exe	otmflulrvh.exe
PID 2720 wrote to memory of 2380	2720	otmflulrvh.exe	otmflulrvh.exe
PID 2720 wrote to memory of 2380	2720	otmflulrvh.exe	otmflulrvh.exe
PID 2720 wrote to memory of 2380	2720	otmflulrvh.exe	otmflulrvh.exe
PID 2720 wrote to memory of 2380	2720	otmflulrvh.exe	otmflulrvh.exe
PID 2780 wrote to memory of 4048	2780	Explorer.EXE	WWAHost.exe
PID 2780 wrote to memory of 4048	2780	Explorer.EXE	WWAHost.exe
PID 2780 wrote to memory of 4048	2780	Explorer.EXE	WWAHost.exe
PID 4048 wrote to memory of 4136	4048	WWAHost.exe	cmd.exe
PID 4048 wrote to memory of 4136	4048	WWAHost.exe	cmd.exe
PID 4048 wrote to memory of 4136	4048	WWAHost.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2780

C:\Users\Admin\AppData\Local\Temp\MTCN TELLER RECEIPT.exe
"C:\Users\Admin\AppData\Local\Temp\MTCN TELLER RECEIPT.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4876

C:\Users\Admin\AppData\Local\Temp\otmflulrvh.exe
"C:\Users\Admin\AppData\Local\Temp\otmflulrvh.exe" C:\Users\Admin\AppData\Local\Temp\qubvvmzl.rk
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2720

C:\Users\Admin\AppData\Local\Temp\otmflulrvh.exe
"C:\Users\Admin\AppData\Local\Temp\otmflulrvh.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2380

C:\Windows\SysWOW64\WWAHost.exe
"C:\Windows\SysWOW64\WWAHost.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4048

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\otmflulrvh.exe"
3⤵
PID:4136

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\oiaib.rm
Filesize
205KB

MD5
6c642712d39637fc8ced74cb3dcc7903

SHA1
ff0ddab33f478889515a061e7763f235450cb8f9

SHA256
3349be17dc030f34b0d2a9067897b91b45d87d585531fc108463be9174aab3c8

SHA512
290e24095925a6ce7c48e523f8fbccd22e8aab4481bd437850d411dd79f7f8cefa015aff0838b1d565c07a6623f4045aa904093a889b7d0a0b7fd7cf4baaa9b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\otmflulrvh.exe
Filesize
5KB

MD5
086d2e81b0c19b74943ac4eeeb459a56

SHA1
448a2e6b3441d26c30ee12dc7d93de8a9c459c66

SHA256
af3ebfddb7d9356ba8272014df8a10fed3c0ce25f17d0958e34daee4bef90b77

SHA512
bebbdb06bff5e6ed36cf9a9e4bfe2230feeb0ad8e0d3192e835dbabf12eeaae2a784c9608ad91cc5d6e8ee7a1f413e1a7f29855f8371eef9db0dc3a894c74a9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\otmflulrvh.exe
Filesize
5KB

MD5
086d2e81b0c19b74943ac4eeeb459a56

SHA1
448a2e6b3441d26c30ee12dc7d93de8a9c459c66

SHA256
af3ebfddb7d9356ba8272014df8a10fed3c0ce25f17d0958e34daee4bef90b77

SHA512
bebbdb06bff5e6ed36cf9a9e4bfe2230feeb0ad8e0d3192e835dbabf12eeaae2a784c9608ad91cc5d6e8ee7a1f413e1a7f29855f8371eef9db0dc3a894c74a9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\otmflulrvh.exe
Filesize
5KB

MD5
086d2e81b0c19b74943ac4eeeb459a56

SHA1
448a2e6b3441d26c30ee12dc7d93de8a9c459c66

SHA256
af3ebfddb7d9356ba8272014df8a10fed3c0ce25f17d0958e34daee4bef90b77

SHA512
bebbdb06bff5e6ed36cf9a9e4bfe2230feeb0ad8e0d3192e835dbabf12eeaae2a784c9608ad91cc5d6e8ee7a1f413e1a7f29855f8371eef9db0dc3a894c74a9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qubvvmzl.rk
Filesize
5KB

MD5
bc7836f77f8028836397e690f4e998ed

SHA1
dedfbfcb4399bf6e90a2005ae6911b602ff2fef1

SHA256
fd133ec88368b5125c6e886efc0f30e345eec49a887169a904601fb3c5e50dcf

SHA512
167e5f00b11409cade03214794bb146ff7db3ab62fd44620fddd98b64c81049ae5de4ccc57320a205554e957e6ce6b306a4525fec0d954b7629c819ce478c8af

Download Submit
memory/2380-148-0x0000000000E90000-0x0000000000EA4000-memory.dmp

Filesize
80KB

Download
memory/2380-147-0x0000000000F80000-0x00000000012CA000-memory.dmp

Filesize
3.3MB

Download
memory/2380-142-0x0000000000790000-0x00000000007BF000-memory.dmp

Filesize
188KB

Download
memory/2780-149-0x0000000002C70000-0x0000000002D42000-memory.dmp

Filesize
840KB

Download
memory/2780-158-0x0000000002F60000-0x0000000003056000-memory.dmp

Filesize
984KB

Download
memory/2780-159-0x0000000002F60000-0x0000000003056000-memory.dmp

Filesize
984KB

Download
memory/2780-161-0x0000000002F60000-0x0000000003056000-memory.dmp

Filesize
984KB

Download
memory/4048-150-0x0000000000D40000-0x0000000000E1C000-memory.dmp

Filesize
880KB

Download
memory/4048-152-0x0000000000D40000-0x0000000000E1C000-memory.dmp

Filesize
880KB

Download
memory/4048-153-0x00000000002E0000-0x000000000030F000-memory.dmp

Filesize
188KB

Download
memory/4048-154-0x0000000001780000-0x0000000001ACA000-memory.dmp

Filesize
3.3MB

Download
memory/4048-155-0x00000000002E0000-0x000000000030F000-memory.dmp

Filesize
188KB

Download
memory/4048-157-0x0000000000C40000-0x0000000000CD3000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads