formbook | fda6fab33a82e877a04f4a49e6beec5a7e4f4bf5847851582a9bc211ab009ae1

Analysis

max time kernel
151s
max time network
159s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
08-04-2023 07:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fda6fab33a82e877a04f4a49e6beec5a7e4f4bf5847851582a9bc211ab009ae1.exe
Size

265KB
MD5

768c4d4ea9504c2363de391a4b3fe921
SHA1

57fe92563cc5e6746a6da4800bb561ae0186375e
SHA256

fda6fab33a82e877a04f4a49e6beec5a7e4f4bf5847851582a9bc211ab009ae1
SHA512

34fbc91a3b45a5d2631ebff44cdbb1226f41446548600f60e0d12c0fe3868afa6c3e27057f8abe1b0508a342e53074ffef741ec54b67cb2dfa8901a297438fbe
SSDEEP

6144:/Ya6mixpnPppladuAffgWV1Yb+QPn6EhjeVxvHAEp:/Y4YplaE6fgA1Yyon6EVep

Score

10^/10

formbook ar73 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ar73

Decoy

classgorilla.com

b6817.com

1wwuwa.top

dgslimited.africa

deepwaterships.com

hkshshoptw.shop

hurricanevalleyatvjamboree.com

ckpconsulting.com

laojiangmath.com

authenticityhacking.com

family-doctor-53205.com

investinstgeorgeut.com

lithoearthsolution.africa

quickhealcareltd.co.uk

delightkgrillw.top

freezeclosettoilet.com

coo1star.com

gemgamut.com

enrichednetworksolutions.com

betterbeeclean.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/596-69-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/596-73-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1536-79-0x00000000000D0000-0x00000000000FF000-memory.dmp	formbook
behavioral1/memory/1536-81-0x00000000000D0000-0x00000000000FF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

wvxfi.exewvxfi.exe

pid process

1124 wvxfi.exe
596 wvxfi.exe

pid	process
1124	wvxfi.exe
596	wvxfi.exe

Loads dropped DLL 3 IoCs

Processes:

fda6fab33a82e877a04f4a49e6beec5a7e4f4bf5847851582a9bc211ab009ae1.exewvxfi.exe

pid	process
936	fda6fab33a82e877a04f4a49e6beec5a7e4f4bf5847851582a9bc211ab009ae1.exe
936	fda6fab33a82e877a04f4a49e6beec5a7e4f4bf5847851582a9bc211ab009ae1.exe
1124	wvxfi.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

wvxfi.exewvxfi.execmmon32.exe

description	pid	process	target process
PID 1124 set thread context of 596	1124	wvxfi.exe	wvxfi.exe
PID 596 set thread context of 1268	596	wvxfi.exe	Explorer.EXE
PID 1536 set thread context of 1268	1536	cmmon32.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

wvxfi.execmmon32.exe

pid	process
596	wvxfi.exe
596	wvxfi.exe
1536	cmmon32.exe
1536	cmmon32.exe
1536	cmmon32.exe
1536	cmmon32.exe
1536	cmmon32.exe
1536	cmmon32.exe
1536	cmmon32.exe
1536	cmmon32.exe
1536	cmmon32.exe
1536	cmmon32.exe
1536	cmmon32.exe
1536	cmmon32.exe
1536	cmmon32.exe
1536	cmmon32.exe
1536	cmmon32.exe
1536	cmmon32.exe
1536	cmmon32.exe
1536	cmmon32.exe
1536	cmmon32.exe
1536	cmmon32.exe
1536	cmmon32.exe
1536	cmmon32.exe
1536	cmmon32.exe
1536	cmmon32.exe
1536	cmmon32.exe
1536	cmmon32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1268 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

wvxfi.exewvxfi.execmmon32.exe

pid process

1124 wvxfi.exe
596 wvxfi.exe
596 wvxfi.exe
596 wvxfi.exe
1536 cmmon32.exe
1536 cmmon32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

wvxfi.execmmon32.exe

description pid process

Token: SeDebugPrivilege 596 wvxfi.exe
Token: SeDebugPrivilege 1536 cmmon32.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1268 Explorer.EXE
1268 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1268 Explorer.EXE
1268 Explorer.EXE

pid	process
1268	Explorer.EXE

pid	process
1124	wvxfi.exe
596	wvxfi.exe
596	wvxfi.exe
596	wvxfi.exe
1536	cmmon32.exe
1536	cmmon32.exe

description	pid	process
Token: SeDebugPrivilege	596	wvxfi.exe
Token: SeDebugPrivilege	1536	cmmon32.exe

pid	process
1268	Explorer.EXE
1268	Explorer.EXE

pid	process
1268	Explorer.EXE
1268	Explorer.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

fda6fab33a82e877a04f4a49e6beec5a7e4f4bf5847851582a9bc211ab009ae1.exewvxfi.exeExplorer.EXEcmmon32.exe

description	pid	process	target process
PID 936 wrote to memory of 1124	936	fda6fab33a82e877a04f4a49e6beec5a7e4f4bf5847851582a9bc211ab009ae1.exe	wvxfi.exe
PID 936 wrote to memory of 1124	936	fda6fab33a82e877a04f4a49e6beec5a7e4f4bf5847851582a9bc211ab009ae1.exe	wvxfi.exe
PID 936 wrote to memory of 1124	936	fda6fab33a82e877a04f4a49e6beec5a7e4f4bf5847851582a9bc211ab009ae1.exe	wvxfi.exe
PID 936 wrote to memory of 1124	936	fda6fab33a82e877a04f4a49e6beec5a7e4f4bf5847851582a9bc211ab009ae1.exe	wvxfi.exe
PID 1124 wrote to memory of 596	1124	wvxfi.exe	wvxfi.exe
PID 1124 wrote to memory of 596	1124	wvxfi.exe	wvxfi.exe
PID 1124 wrote to memory of 596	1124	wvxfi.exe	wvxfi.exe
PID 1124 wrote to memory of 596	1124	wvxfi.exe	wvxfi.exe
PID 1124 wrote to memory of 596	1124	wvxfi.exe	wvxfi.exe
PID 1268 wrote to memory of 1536	1268	Explorer.EXE	cmmon32.exe
PID 1268 wrote to memory of 1536	1268	Explorer.EXE	cmmon32.exe
PID 1268 wrote to memory of 1536	1268	Explorer.EXE	cmmon32.exe
PID 1268 wrote to memory of 1536	1268	Explorer.EXE	cmmon32.exe
PID 1536 wrote to memory of 1524	1536	cmmon32.exe	cmd.exe
PID 1536 wrote to memory of 1524	1536	cmmon32.exe	cmd.exe
PID 1536 wrote to memory of 1524	1536	cmmon32.exe	cmd.exe
PID 1536 wrote to memory of 1524	1536	cmmon32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1268

C:\Users\Admin\AppData\Local\Temp\fda6fab33a82e877a04f4a49e6beec5a7e4f4bf5847851582a9bc211ab009ae1.exe
"C:\Users\Admin\AppData\Local\Temp\fda6fab33a82e877a04f4a49e6beec5a7e4f4bf5847851582a9bc211ab009ae1.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:936

C:\Users\Admin\AppData\Local\Temp\wvxfi.exe
"C:\Users\Admin\AppData\Local\Temp\wvxfi.exe" C:\Users\Admin\AppData\Local\Temp\tdevkoheej.ia
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1124

C:\Users\Admin\AppData\Local\Temp\wvxfi.exe
"C:\Users\Admin\AppData\Local\Temp\wvxfi.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:596

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1872

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1668

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:560

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\wvxfi.exe"
3⤵
PID:1524

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fduvg.r
Filesize
205KB

MD5
a3cfe9e656be623838ed0e22d61bb520

SHA1
0594d1ca5cfb45e74f1f4984a5109506736dd00f

SHA256
c1a172acf27d6d002eb3b5184f36b87e67c27765d495cc86a80cbbd753bac5c7

SHA512
6f8d9391b14df0b878a9868e712efef5e8b631fb2b2032f14eed69de2652267363e65912b1a90d997ce14c4a713cd60cf8cdaf718113976ff37cb2f9233e082f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tdevkoheej.ia
Filesize
5KB

MD5
42d0393626e26d37e6c0fdfe945b8adf

SHA1
e2b3e20a6dd337c70cf4f709636f149b0e5e55dc

SHA256
d0bbe668b7824ab9c7051f921a9847937e700bba214c533a9875c3a9201d440f

SHA512
70ff28c9f584b51ef1ad009e04a3780f0f41a905536ffb94fd2aed4cc11ad146f77493ec7af22fb416b74d595ec981465de8ca5147eb8f9b8bd9813e180fe2a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\wvxfi.exe
Filesize
60KB

MD5
dca3efc049b0a9670473d9993f8f6b39

SHA1
a142e6d2373b0dc56b1e583520af2d985907f1f7

SHA256
a0c143b9fb1e34986005a05d2513b63c591620722983575a088d0b7baed3964c

SHA512
26dd5e230cfcfa46a5486cc8ca198c586ee028174fab0081f702e143d0a0a9e65e2dcdc9c56f7d52e1d2293e45d72a19dce3a91cecb59a80dca517737e8ce683

Download Submit
C:\Users\Admin\AppData\Local\Temp\wvxfi.exe
Filesize
60KB

MD5
dca3efc049b0a9670473d9993f8f6b39

SHA1
a142e6d2373b0dc56b1e583520af2d985907f1f7

SHA256
a0c143b9fb1e34986005a05d2513b63c591620722983575a088d0b7baed3964c

SHA512
26dd5e230cfcfa46a5486cc8ca198c586ee028174fab0081f702e143d0a0a9e65e2dcdc9c56f7d52e1d2293e45d72a19dce3a91cecb59a80dca517737e8ce683

Download Submit
C:\Users\Admin\AppData\Local\Temp\wvxfi.exe
Filesize
60KB

MD5
dca3efc049b0a9670473d9993f8f6b39

SHA1
a142e6d2373b0dc56b1e583520af2d985907f1f7

SHA256
a0c143b9fb1e34986005a05d2513b63c591620722983575a088d0b7baed3964c

SHA512
26dd5e230cfcfa46a5486cc8ca198c586ee028174fab0081f702e143d0a0a9e65e2dcdc9c56f7d52e1d2293e45d72a19dce3a91cecb59a80dca517737e8ce683

Download Submit
C:\Users\Admin\AppData\Local\Temp\wvxfi.exe
Filesize
60KB

MD5
dca3efc049b0a9670473d9993f8f6b39

SHA1
a142e6d2373b0dc56b1e583520af2d985907f1f7

SHA256
a0c143b9fb1e34986005a05d2513b63c591620722983575a088d0b7baed3964c

SHA512
26dd5e230cfcfa46a5486cc8ca198c586ee028174fab0081f702e143d0a0a9e65e2dcdc9c56f7d52e1d2293e45d72a19dce3a91cecb59a80dca517737e8ce683

Download Submit
\Users\Admin\AppData\Local\Temp\wvxfi.exe
Filesize
60KB

MD5
dca3efc049b0a9670473d9993f8f6b39

SHA1
a142e6d2373b0dc56b1e583520af2d985907f1f7

SHA256
a0c143b9fb1e34986005a05d2513b63c591620722983575a088d0b7baed3964c

SHA512
26dd5e230cfcfa46a5486cc8ca198c586ee028174fab0081f702e143d0a0a9e65e2dcdc9c56f7d52e1d2293e45d72a19dce3a91cecb59a80dca517737e8ce683

Download Submit
\Users\Admin\AppData\Local\Temp\wvxfi.exe
Filesize
60KB

MD5
dca3efc049b0a9670473d9993f8f6b39

SHA1
a142e6d2373b0dc56b1e583520af2d985907f1f7

SHA256
a0c143b9fb1e34986005a05d2513b63c591620722983575a088d0b7baed3964c

SHA512
26dd5e230cfcfa46a5486cc8ca198c586ee028174fab0081f702e143d0a0a9e65e2dcdc9c56f7d52e1d2293e45d72a19dce3a91cecb59a80dca517737e8ce683

Download Submit
\Users\Admin\AppData\Local\Temp\wvxfi.exe
Filesize
60KB

MD5
dca3efc049b0a9670473d9993f8f6b39

SHA1
a142e6d2373b0dc56b1e583520af2d985907f1f7

SHA256
a0c143b9fb1e34986005a05d2513b63c591620722983575a088d0b7baed3964c

SHA512
26dd5e230cfcfa46a5486cc8ca198c586ee028174fab0081f702e143d0a0a9e65e2dcdc9c56f7d52e1d2293e45d72a19dce3a91cecb59a80dca517737e8ce683

Download Submit
memory/596-73-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/596-74-0x0000000000A40000-0x0000000000D43000-memory.dmp

Filesize
3.0MB

Download
memory/596-75-0x00000000001B0000-0x00000000001C4000-memory.dmp

Filesize
80KB

Download
memory/596-69-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1268-84-0x0000000003980000-0x0000000003A21000-memory.dmp

Filesize
644KB

Download
memory/1268-76-0x0000000007330000-0x0000000007462000-memory.dmp

Filesize
1.2MB

Download
memory/1268-88-0x0000000003980000-0x0000000003A21000-memory.dmp

Filesize
644KB

Download
memory/1268-85-0x0000000003980000-0x0000000003A21000-memory.dmp

Filesize
644KB

Download
memory/1536-79-0x00000000000D0000-0x00000000000FF000-memory.dmp

Filesize
188KB

Download
memory/1536-81-0x00000000000D0000-0x00000000000FF000-memory.dmp

Filesize
188KB

Download
memory/1536-83-0x0000000000470000-0x0000000000503000-memory.dmp

Filesize
588KB

Download
memory/1536-80-0x0000000001F60000-0x0000000002263000-memory.dmp

Filesize
3.0MB

Download
memory/1536-78-0x0000000000460000-0x000000000046D000-memory.dmp

Filesize
52KB

Download
memory/1536-77-0x0000000000460000-0x000000000046D000-memory.dmp

Filesize
52KB

Download