formbook | fda6fab33a82e877a04f4a49e6beec5a7e4f4bf5847851582a9bc211ab009ae1

General

Target

fda6fab33a82e877a04f4a49e6beec5a7e4f4bf5847851582a9bc211ab009ae1.exe
Size

265KB
MD5

768c4d4ea9504c2363de391a4b3fe921
SHA1

57fe92563cc5e6746a6da4800bb561ae0186375e
SHA256

fda6fab33a82e877a04f4a49e6beec5a7e4f4bf5847851582a9bc211ab009ae1
SHA512

34fbc91a3b45a5d2631ebff44cdbb1226f41446548600f60e0d12c0fe3868afa6c3e27057f8abe1b0508a342e53074ffef741ec54b67cb2dfa8901a297438fbe
SSDEEP

6144:/Ya6mixpnPppladuAffgWV1Yb+QPn6EhjeVxvHAEp:/Y4YplaE6fgA1Yyon6EVep

Score

10^/10

formbook ar73 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ar73

Decoy

classgorilla.com

b6817.com

1wwuwa.top

dgslimited.africa

deepwaterships.com

hkshshoptw.shop

hurricanevalleyatvjamboree.com

ckpconsulting.com

laojiangmath.com

authenticityhacking.com

family-doctor-53205.com

investinstgeorgeut.com

lithoearthsolution.africa

quickhealcareltd.co.uk

delightkgrillw.top

freezeclosettoilet.com

coo1star.com

gemgamut.com

enrichednetworksolutions.com

betterbeeclean.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2108-142-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2108-146-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4696-153-0x0000000000680000-0x00000000006AF000-memory.dmp	formbook
behavioral2/memory/4696-155-0x0000000000680000-0x00000000006AF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

wvxfi.exewvxfi.exe

pid process

1364 wvxfi.exe
2108 wvxfi.exe

pid	process
1364	wvxfi.exe
2108	wvxfi.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

wvxfi.exewvxfi.exeraserver.exe

description	pid	process	target process
PID 1364 set thread context of 2108	1364	wvxfi.exe	wvxfi.exe
PID 2108 set thread context of 772	2108	wvxfi.exe	Explorer.EXE
PID 4696 set thread context of 772	4696	raserver.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

wvxfi.exeraserver.exe

pid	process
2108	wvxfi.exe
2108	wvxfi.exe
2108	wvxfi.exe
2108	wvxfi.exe
4696	raserver.exe
4696	raserver.exe
4696	raserver.exe
4696	raserver.exe
4696	raserver.exe
4696	raserver.exe
4696	raserver.exe
4696	raserver.exe
4696	raserver.exe
4696	raserver.exe
4696	raserver.exe
4696	raserver.exe
4696	raserver.exe
4696	raserver.exe
4696	raserver.exe
4696	raserver.exe
4696	raserver.exe
4696	raserver.exe
4696	raserver.exe
4696	raserver.exe
4696	raserver.exe
4696	raserver.exe
4696	raserver.exe
4696	raserver.exe
4696	raserver.exe
4696	raserver.exe
4696	raserver.exe
4696	raserver.exe
4696	raserver.exe
4696	raserver.exe
4696	raserver.exe
4696	raserver.exe
4696	raserver.exe
4696	raserver.exe
4696	raserver.exe
4696	raserver.exe
4696	raserver.exe
4696	raserver.exe
4696	raserver.exe
4696	raserver.exe
4696	raserver.exe
4696	raserver.exe
4696	raserver.exe
4696	raserver.exe
4696	raserver.exe
4696	raserver.exe
4696	raserver.exe
4696	raserver.exe
4696	raserver.exe
4696	raserver.exe
4696	raserver.exe
4696	raserver.exe
4696	raserver.exe
4696	raserver.exe
4696	raserver.exe
4696	raserver.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

772 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

wvxfi.exewvxfi.exeraserver.exe

pid process

1364 wvxfi.exe
2108 wvxfi.exe
2108 wvxfi.exe
2108 wvxfi.exe
4696 raserver.exe
4696 raserver.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

wvxfi.exeraserver.exe

description pid process

Token: SeDebugPrivilege 2108 wvxfi.exe
Token: SeDebugPrivilege 4696 raserver.exe

pid	process
772	Explorer.EXE

pid	process
1364	wvxfi.exe
2108	wvxfi.exe
2108	wvxfi.exe
2108	wvxfi.exe
4696	raserver.exe
4696	raserver.exe

description	pid	process
Token: SeDebugPrivilege	2108	wvxfi.exe
Token: SeDebugPrivilege	4696	raserver.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

fda6fab33a82e877a04f4a49e6beec5a7e4f4bf5847851582a9bc211ab009ae1.exewvxfi.exeExplorer.EXEraserver.exe

description	pid	process	target process
PID 368 wrote to memory of 1364	368	fda6fab33a82e877a04f4a49e6beec5a7e4f4bf5847851582a9bc211ab009ae1.exe	wvxfi.exe
PID 368 wrote to memory of 1364	368	fda6fab33a82e877a04f4a49e6beec5a7e4f4bf5847851582a9bc211ab009ae1.exe	wvxfi.exe
PID 368 wrote to memory of 1364	368	fda6fab33a82e877a04f4a49e6beec5a7e4f4bf5847851582a9bc211ab009ae1.exe	wvxfi.exe
PID 1364 wrote to memory of 2108	1364	wvxfi.exe	wvxfi.exe
PID 1364 wrote to memory of 2108	1364	wvxfi.exe	wvxfi.exe
PID 1364 wrote to memory of 2108	1364	wvxfi.exe	wvxfi.exe
PID 1364 wrote to memory of 2108	1364	wvxfi.exe	wvxfi.exe
PID 772 wrote to memory of 4696	772	Explorer.EXE	raserver.exe
PID 772 wrote to memory of 4696	772	Explorer.EXE	raserver.exe
PID 772 wrote to memory of 4696	772	Explorer.EXE	raserver.exe
PID 4696 wrote to memory of 4160	4696	raserver.exe	cmd.exe
PID 4696 wrote to memory of 4160	4696	raserver.exe	cmd.exe
PID 4696 wrote to memory of 4160	4696	raserver.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:772

C:\Users\Admin\AppData\Local\Temp\fda6fab33a82e877a04f4a49e6beec5a7e4f4bf5847851582a9bc211ab009ae1.exe
"C:\Users\Admin\AppData\Local\Temp\fda6fab33a82e877a04f4a49e6beec5a7e4f4bf5847851582a9bc211ab009ae1.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:368

C:\Users\Admin\AppData\Local\Temp\wvxfi.exe
"C:\Users\Admin\AppData\Local\Temp\wvxfi.exe" C:\Users\Admin\AppData\Local\Temp\tdevkoheej.ia
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1364

C:\Users\Admin\AppData\Local\Temp\wvxfi.exe
"C:\Users\Admin\AppData\Local\Temp\wvxfi.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2108

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4696

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\wvxfi.exe"
3⤵
PID:4160

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fduvg.r
Filesize
205KB

MD5
a3cfe9e656be623838ed0e22d61bb520

SHA1
0594d1ca5cfb45e74f1f4984a5109506736dd00f

SHA256
c1a172acf27d6d002eb3b5184f36b87e67c27765d495cc86a80cbbd753bac5c7

SHA512
6f8d9391b14df0b878a9868e712efef5e8b631fb2b2032f14eed69de2652267363e65912b1a90d997ce14c4a713cd60cf8cdaf718113976ff37cb2f9233e082f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tdevkoheej.ia
Filesize
5KB

MD5
42d0393626e26d37e6c0fdfe945b8adf

SHA1
e2b3e20a6dd337c70cf4f709636f149b0e5e55dc

SHA256
d0bbe668b7824ab9c7051f921a9847937e700bba214c533a9875c3a9201d440f

SHA512
70ff28c9f584b51ef1ad009e04a3780f0f41a905536ffb94fd2aed4cc11ad146f77493ec7af22fb416b74d595ec981465de8ca5147eb8f9b8bd9813e180fe2a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\wvxfi.exe
Filesize
60KB

MD5
dca3efc049b0a9670473d9993f8f6b39

SHA1
a142e6d2373b0dc56b1e583520af2d985907f1f7

SHA256
a0c143b9fb1e34986005a05d2513b63c591620722983575a088d0b7baed3964c

SHA512
26dd5e230cfcfa46a5486cc8ca198c586ee028174fab0081f702e143d0a0a9e65e2dcdc9c56f7d52e1d2293e45d72a19dce3a91cecb59a80dca517737e8ce683

Download Submit
C:\Users\Admin\AppData\Local\Temp\wvxfi.exe
Filesize
60KB

MD5
dca3efc049b0a9670473d9993f8f6b39

SHA1
a142e6d2373b0dc56b1e583520af2d985907f1f7

SHA256
a0c143b9fb1e34986005a05d2513b63c591620722983575a088d0b7baed3964c

SHA512
26dd5e230cfcfa46a5486cc8ca198c586ee028174fab0081f702e143d0a0a9e65e2dcdc9c56f7d52e1d2293e45d72a19dce3a91cecb59a80dca517737e8ce683

Download Submit
C:\Users\Admin\AppData\Local\Temp\wvxfi.exe
Filesize
60KB

MD5
dca3efc049b0a9670473d9993f8f6b39

SHA1
a142e6d2373b0dc56b1e583520af2d985907f1f7

SHA256
a0c143b9fb1e34986005a05d2513b63c591620722983575a088d0b7baed3964c

SHA512
26dd5e230cfcfa46a5486cc8ca198c586ee028174fab0081f702e143d0a0a9e65e2dcdc9c56f7d52e1d2293e45d72a19dce3a91cecb59a80dca517737e8ce683

Download Submit
memory/772-149-0x0000000008CF0000-0x0000000008E73000-memory.dmp

Filesize
1.5MB

Download
memory/772-158-0x0000000008F70000-0x00000000090E7000-memory.dmp

Filesize
1.5MB

Download
memory/772-161-0x0000000008F70000-0x00000000090E7000-memory.dmp

Filesize
1.5MB

Download
memory/772-159-0x0000000008F70000-0x00000000090E7000-memory.dmp

Filesize
1.5MB

Download
memory/2108-147-0x0000000001570000-0x00000000018BA000-memory.dmp

Filesize
3.3MB

Download
memory/2108-142-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2108-148-0x0000000000EF0000-0x0000000000F04000-memory.dmp

Filesize
80KB

Download
memory/2108-146-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4696-153-0x0000000000680000-0x00000000006AF000-memory.dmp

Filesize
188KB

Download
memory/4696-155-0x0000000000680000-0x00000000006AF000-memory.dmp

Filesize
188KB

Download
memory/4696-157-0x0000000002690000-0x0000000002723000-memory.dmp

Filesize
588KB

Download
memory/4696-154-0x0000000002960000-0x0000000002CAA000-memory.dmp

Filesize
3.3MB

Download
memory/4696-152-0x0000000000660000-0x000000000067F000-memory.dmp

Filesize
124KB

Download
memory/4696-150-0x0000000000660000-0x000000000067F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads