formbook | a0a6a1c54775713ad3e884b6bc49f2c74f393464a69175c8713221504ae6d72a

General

Target

NEAS.a0a6a1c54775713ad3e884b6bc49f2c74f393464a69175c8713221504ae6d72a.exe
Size

342KB
MD5

07ea9abe8aeda1c72f42967c7d9f475a
SHA1

5f495b957acc693e5019ee2ccb5a1f458286f67f
SHA256

a0a6a1c54775713ad3e884b6bc49f2c74f393464a69175c8713221504ae6d72a
SHA512

8cbdfc199506f980e282b93691bcf97b09d1d0617e9a533785a67f54e2ed267e0a957181deea3d958b46c48058531004a99456790cb1f24ba7455e9186fa2e53
SSDEEP

6144:wBlL/90OO8k3NWzK22YTzxAdhlpOxWe+mJ/0u4p6+zTV28BkvTXR:C/0Oe3NWh2dhoWG/0u4s+fyXR

Score

10^/10

formbook fs35 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

fs35

Decoy

latechdz.com

sdp-ploce.com

ss203.site

sm6yuy.net

needstothink.com

heginstwp.com

blueplumespirit.com

vemconferirshop.click

yorent-auto.com

eleononaly.com

medicalspacelocators.com

7law.info

imacanberra.online

bbtyss.top

onlyanfans.com

varenty.com

fappies.shop

313865.com

hongpools.com

babkacuisine.xyz

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/2616-13-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2616-17-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2640-27-0x0000000000090000-0x00000000000BF000-memory.dmp	formbook
behavioral1/memory/2640-29-0x0000000000090000-0x00000000000BF000-memory.dmp	formbook

Blocklisted process makes network request 1 IoCs

flow	pid	Process
10	2640	rundll32.exe

Executes dropped EXE 2 IoCs

pid	Process
2224	lqhpvxmtbn.exe
2616	lqhpvxmtbn.exe

Loads dropped DLL 3 IoCs

pid	Process
2188	NEAS.a0a6a1c54775713ad3e884b6bc49f2c74f393464a69175c8713221504ae6d72a.exe
2188	NEAS.a0a6a1c54775713ad3e884b6bc49f2c74f393464a69175c8713221504ae6d72a.exe
2224	lqhpvxmtbn.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2224 set thread context of 2616	2224	lqhpvxmtbn.exe	29
PID 2616 set thread context of 1268	2616	lqhpvxmtbn.exe	16
PID 2640 set thread context of 1268	2640	rundll32.exe	16

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2616	lqhpvxmtbn.exe
2616	lqhpvxmtbn.exe
2640	rundll32.exe
2640	rundll32.exe
2640	rundll32.exe
2640	rundll32.exe
2640	rundll32.exe
2640	rundll32.exe
2640	rundll32.exe
2640	rundll32.exe
2640	rundll32.exe
2640	rundll32.exe
2640	rundll32.exe
2640	rundll32.exe
2640	rundll32.exe
2640	rundll32.exe
2640	rundll32.exe
2640	rundll32.exe
2640	rundll32.exe
2640	rundll32.exe
2640	rundll32.exe
2640	rundll32.exe
2640	rundll32.exe
2640	rundll32.exe
2640	rundll32.exe
2640	rundll32.exe
2640	rundll32.exe
2640	rundll32.exe
2640	rundll32.exe
2640	rundll32.exe
2640	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1268	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2224	lqhpvxmtbn.exe
2616	lqhpvxmtbn.exe
2616	lqhpvxmtbn.exe
2616	lqhpvxmtbn.exe
2640	rundll32.exe
2640	rundll32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2616	lqhpvxmtbn.exe
Token: SeDebugPrivilege	2640	rundll32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1268	Explorer.EXE
1268	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1268	Explorer.EXE
1268	Explorer.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2224	2188	NEAS.a0a6a1c54775713ad3e884b6bc49f2c74f393464a69175c8713221504ae6d72a.exe	28
PID 2188 wrote to memory of 2224	2188	NEAS.a0a6a1c54775713ad3e884b6bc49f2c74f393464a69175c8713221504ae6d72a.exe	28
PID 2188 wrote to memory of 2224	2188	NEAS.a0a6a1c54775713ad3e884b6bc49f2c74f393464a69175c8713221504ae6d72a.exe	28
PID 2188 wrote to memory of 2224	2188	NEAS.a0a6a1c54775713ad3e884b6bc49f2c74f393464a69175c8713221504ae6d72a.exe	28
PID 2224 wrote to memory of 2616	2224	lqhpvxmtbn.exe	29
PID 2224 wrote to memory of 2616	2224	lqhpvxmtbn.exe	29
PID 2224 wrote to memory of 2616	2224	lqhpvxmtbn.exe	29
PID 2224 wrote to memory of 2616	2224	lqhpvxmtbn.exe	29
PID 2224 wrote to memory of 2616	2224	lqhpvxmtbn.exe	29
PID 1268 wrote to memory of 2640	1268	Explorer.EXE	30
PID 1268 wrote to memory of 2640	1268	Explorer.EXE	30
PID 1268 wrote to memory of 2640	1268	Explorer.EXE	30
PID 1268 wrote to memory of 2640	1268	Explorer.EXE	30
PID 1268 wrote to memory of 2640	1268	Explorer.EXE	30
PID 1268 wrote to memory of 2640	1268	Explorer.EXE	30
PID 1268 wrote to memory of 2640	1268	Explorer.EXE	30
PID 2640 wrote to memory of 2496	2640	rundll32.exe	31
PID 2640 wrote to memory of 2496	2640	rundll32.exe	31
PID 2640 wrote to memory of 2496	2640	rundll32.exe	31
PID 2640 wrote to memory of 2496	2640	rundll32.exe	31

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Users\Admin\AppData\Local\Temp\NEAS.a0a6a1c54775713ad3e884b6bc49f2c74f393464a69175c8713221504ae6d72a.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.a0a6a1c54775713ad3e884b6bc49f2c74f393464a69175c8713221504ae6d72a.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Users\Admin\AppData\Local\Temp\lqhpvxmtbn.exe
    "C:\Users\Admin\AppData\Local\Temp\lqhpvxmtbn.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2224
  - - C:\Users\Admin\AppData\Local\Temp\lqhpvxmtbn.exe
      "C:\Users\Admin\AppData\Local\Temp\lqhpvxmtbn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2616
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\SysWOW64\rundll32.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\lqhpvxmtbn.exe"
    3⤵
    PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lqhpvxmtbn.exe

Filesize
259KB

MD5
59d3466cb62ce44599445f169be90a8b

SHA1
fbc781048b2a66f62534cbf4b34a3574f4b17509

SHA256
0db8d28e0ef57e82a3dfe1b19a95ae245e53a72f43546f01d19e074055018c3a

SHA512
a3682fece2fd39865d64094ab1b831ab132ca088ac03954a09e71f4b2e1f1f003281b2d2e7b5c1f82009d778bbe56de180f0599dae71ae0774bbae5d2b19cd0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\lqhpvxmtbn.exe

Filesize
259KB

MD5
59d3466cb62ce44599445f169be90a8b

SHA1
fbc781048b2a66f62534cbf4b34a3574f4b17509

SHA256
0db8d28e0ef57e82a3dfe1b19a95ae245e53a72f43546f01d19e074055018c3a

SHA512
a3682fece2fd39865d64094ab1b831ab132ca088ac03954a09e71f4b2e1f1f003281b2d2e7b5c1f82009d778bbe56de180f0599dae71ae0774bbae5d2b19cd0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\lqhpvxmtbn.exe

Filesize
259KB

MD5
59d3466cb62ce44599445f169be90a8b

SHA1
fbc781048b2a66f62534cbf4b34a3574f4b17509

SHA256
0db8d28e0ef57e82a3dfe1b19a95ae245e53a72f43546f01d19e074055018c3a

SHA512
a3682fece2fd39865d64094ab1b831ab132ca088ac03954a09e71f4b2e1f1f003281b2d2e7b5c1f82009d778bbe56de180f0599dae71ae0774bbae5d2b19cd0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\lqhpvxmtbn.exe

Filesize
259KB

MD5
59d3466cb62ce44599445f169be90a8b

SHA1
fbc781048b2a66f62534cbf4b34a3574f4b17509

SHA256
0db8d28e0ef57e82a3dfe1b19a95ae245e53a72f43546f01d19e074055018c3a

SHA512
a3682fece2fd39865d64094ab1b831ab132ca088ac03954a09e71f4b2e1f1f003281b2d2e7b5c1f82009d778bbe56de180f0599dae71ae0774bbae5d2b19cd0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zlgoeggba.f

Filesize
205KB

MD5
239f1ff96b0e979869e96c0b16b96196

SHA1
870933b2120c8a592648524a56d8b3a81871b0fa

SHA256
f60e2fb571c7a63cfe803c04c96afa011f04ff0767d78f1f10694ad96d017ea7

SHA512
7e03d69fb7b1138c4226313249536b3ddb13374dae458b76c805919d03137dcd1c74fbfa1fad925c0e1dabaa9bf267701b6033485b9ed0620b2d7958bf8584f7

Download Submit
\Users\Admin\AppData\Local\Temp\lqhpvxmtbn.exe

Filesize
259KB

MD5
59d3466cb62ce44599445f169be90a8b

SHA1
fbc781048b2a66f62534cbf4b34a3574f4b17509

SHA256
0db8d28e0ef57e82a3dfe1b19a95ae245e53a72f43546f01d19e074055018c3a

SHA512
a3682fece2fd39865d64094ab1b831ab132ca088ac03954a09e71f4b2e1f1f003281b2d2e7b5c1f82009d778bbe56de180f0599dae71ae0774bbae5d2b19cd0d

Download Submit
\Users\Admin\AppData\Local\Temp\lqhpvxmtbn.exe

Filesize
259KB

MD5
59d3466cb62ce44599445f169be90a8b

SHA1
fbc781048b2a66f62534cbf4b34a3574f4b17509

SHA256
0db8d28e0ef57e82a3dfe1b19a95ae245e53a72f43546f01d19e074055018c3a

SHA512
a3682fece2fd39865d64094ab1b831ab132ca088ac03954a09e71f4b2e1f1f003281b2d2e7b5c1f82009d778bbe56de180f0599dae71ae0774bbae5d2b19cd0d

Download Submit
\Users\Admin\AppData\Local\Temp\lqhpvxmtbn.exe

Filesize
259KB

MD5
59d3466cb62ce44599445f169be90a8b

SHA1
fbc781048b2a66f62534cbf4b34a3574f4b17509

SHA256
0db8d28e0ef57e82a3dfe1b19a95ae245e53a72f43546f01d19e074055018c3a

SHA512
a3682fece2fd39865d64094ab1b831ab132ca088ac03954a09e71f4b2e1f1f003281b2d2e7b5c1f82009d778bbe56de180f0599dae71ae0774bbae5d2b19cd0d

Download Submit
memory/1268-18-0x0000000000190000-0x0000000000290000-memory.dmp

Filesize
1024KB

Download
memory/1268-32-0x0000000000190000-0x0000000000290000-memory.dmp

Filesize
1024KB

Download
memory/1268-38-0x00000000050D0000-0x0000000005186000-memory.dmp

Filesize
728KB

Download
memory/1268-35-0x0000000004F70000-0x00000000050C7000-memory.dmp

Filesize
1.3MB

Download
memory/1268-34-0x00000000050D0000-0x0000000005186000-memory.dmp

Filesize
728KB

Download
memory/1268-20-0x0000000004F70000-0x00000000050C7000-memory.dmp

Filesize
1.3MB

Download
memory/1268-33-0x00000000050D0000-0x0000000005186000-memory.dmp

Filesize
728KB

Download
memory/2224-9-0x00000000002C0000-0x00000000002C2000-memory.dmp

Filesize
8KB

Download
memory/2616-19-0x00000000002B0000-0x00000000002C5000-memory.dmp

Filesize
84KB

Download
memory/2616-13-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2616-17-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2616-15-0x0000000000850000-0x0000000000B53000-memory.dmp

Filesize
3.0MB

Download
memory/2640-26-0x0000000000690000-0x000000000069E000-memory.dmp

Filesize
56KB

Download
memory/2640-27-0x0000000000090000-0x00000000000BF000-memory.dmp

Filesize
188KB

Download
memory/2640-28-0x0000000002110000-0x0000000002413000-memory.dmp

Filesize
3.0MB

Download
memory/2640-29-0x0000000000090000-0x00000000000BF000-memory.dmp

Filesize
188KB

Download
memory/2640-24-0x0000000000690000-0x000000000069E000-memory.dmp

Filesize
56KB

Download
memory/2640-31-0x0000000000490000-0x0000000000524000-memory.dmp

Filesize
592KB

Download
memory/2640-22-0x0000000000690000-0x000000000069E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing