formbook | 4873fc7cab19439ccbc5cfffcc818ed55cd682cd5475889c7062476a877438ce

General

Target

038159.exe
Size

251KB
MD5

f89aeda946171325b3cc41db4e0c7356
SHA1

83da10df168a7801bef8257fcbdc23bf18f0d15c
SHA256

5beadd0ecc9f1407dab89746630fddf7362dd00323e6a5e5413a0c286e2ee583
SHA512

229332eb6bec4208a2eb9055237ee5ac83a9da577ce04f2a0a9bad2c6c113b815ff60876d265f344d10d36d20da3bb4444ef2c8896fe9dc6005bac73a3c902ab
SSDEEP

6144:wBlL/cYzuovWn9oMSJgRXlD9LhVLwsLXUMn3ua/TY:Cecuo+yMSYlebMn3ua/TY

Score

10^/10

formbook w6ya rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

w6ya

Decoy

auden-audio.com

zombieodyssey.com

hdpthg.com

toddtechnical.com

njsdgz.com

yieldfarm.world

guardsveirfynews.net

atmamandir.info

eskisehirtostcusu.online

arrozz.net

v99king.win

jaxonboxing.com

morganevans.net

syandeg.com

valleyofplants.com

corsosportorico.com

tak.support

blacktgpc.com

herdpetshop.com

iifkvhns.xyz

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/3068-9-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/3068-13-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2668-21-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/2668-23-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Deletes itself 1 IoCs

pid	Process
2636	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2168	038159.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2168 set thread context of 3068	2168	038159.exe	28
PID 3068 set thread context of 1172	3068	038159.exe	21
PID 2668 set thread context of 1172	2668	cmmon32.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
3068	038159.exe
3068	038159.exe
2668	cmmon32.exe
2668	cmmon32.exe
2668	cmmon32.exe
2668	cmmon32.exe
2668	cmmon32.exe
2668	cmmon32.exe
2668	cmmon32.exe
2668	cmmon32.exe
2668	cmmon32.exe
2668	cmmon32.exe
2668	cmmon32.exe
2668	cmmon32.exe
2668	cmmon32.exe
2668	cmmon32.exe
2668	cmmon32.exe
2668	cmmon32.exe
2668	cmmon32.exe
2668	cmmon32.exe
2668	cmmon32.exe
2668	cmmon32.exe
2668	cmmon32.exe
2668	cmmon32.exe
2668	cmmon32.exe
2668	cmmon32.exe
2668	cmmon32.exe
2668	cmmon32.exe
2668	cmmon32.exe
2668	cmmon32.exe
2668	cmmon32.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
3068	038159.exe
3068	038159.exe
3068	038159.exe
2668	cmmon32.exe
2668	cmmon32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3068	038159.exe
Token: SeDebugPrivilege	2668	cmmon32.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 3068	2168	038159.exe	28
PID 2168 wrote to memory of 3068	2168	038159.exe	28
PID 2168 wrote to memory of 3068	2168	038159.exe	28
PID 2168 wrote to memory of 3068	2168	038159.exe	28
PID 2168 wrote to memory of 3068	2168	038159.exe	28
PID 2168 wrote to memory of 3068	2168	038159.exe	28
PID 2168 wrote to memory of 3068	2168	038159.exe	28
PID 1172 wrote to memory of 2668	1172	Explorer.EXE	29
PID 1172 wrote to memory of 2668	1172	Explorer.EXE	29
PID 1172 wrote to memory of 2668	1172	Explorer.EXE	29
PID 1172 wrote to memory of 2668	1172	Explorer.EXE	29
PID 2668 wrote to memory of 2636	2668	cmmon32.exe	30
PID 2668 wrote to memory of 2636	2668	cmmon32.exe	30
PID 2668 wrote to memory of 2636	2668	cmmon32.exe	30
PID 2668 wrote to memory of 2636	2668	cmmon32.exe	30

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Users\Admin\AppData\Local\Temp\038159.exe
  "C:\Users\Admin\AppData\Local\Temp\038159.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Users\Admin\AppData\Local\Temp\038159.exe
    "C:\Users\Admin\AppData\Local\Temp\038159.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:3068
- C:\Windows\SysWOW64\cmmon32.exe
  "C:\Windows\SysWOW64\cmmon32.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\038159.exe"
    3⤵
    - Deletes itself
    PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsy2A7B.tmp\jaqxzro.dll

Filesize
29KB

MD5
1e8aa5fcc0f7de7a0836081dd9efff05

SHA1
48317ef5f587f52fd34b42164dfb893dcde95e1b

SHA256
5389af7b3d0f5a3496cd2aa538a6ee01fd5a9bd1a8fcf3b9411f4112313d43af

SHA512
addd27d8923bf5d3f7d87e3eb2f6138d05532aa7c9340fde2f998a84fa87f227b63cd515176940de099d4f8dc46d1ab7467f4e347e266d0ef128d7337d79ea16

Download Submit
memory/1172-14-0x0000000003B20000-0x0000000003C20000-memory.dmp

Filesize
1024KB

Download
memory/1172-27-0x0000000005020000-0x000000000513F000-memory.dmp

Filesize
1.1MB

Download
memory/1172-16-0x0000000005020000-0x000000000513F000-memory.dmp

Filesize
1.1MB

Download
memory/2168-7-0x00000000748D0000-0x00000000748DB000-memory.dmp

Filesize
44KB

Download
memory/2168-10-0x00000000748D0000-0x00000000748DB000-memory.dmp

Filesize
44KB

Download
memory/2668-22-0x0000000001F70000-0x0000000002273000-memory.dmp

Filesize
3.0MB

Download
memory/2668-18-0x00000000005A0000-0x00000000005AD000-memory.dmp

Filesize
52KB

Download
memory/2668-20-0x00000000005A0000-0x00000000005AD000-memory.dmp

Filesize
52KB

Download
memory/2668-21-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/2668-23-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/2668-25-0x0000000001D80000-0x0000000001E13000-memory.dmp

Filesize
588KB

Download
memory/3068-15-0x00000000002C0000-0x00000000002D4000-memory.dmp

Filesize
80KB

Download
memory/3068-13-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3068-12-0x0000000000970000-0x0000000000C73000-memory.dmp

Filesize
3.0MB

Download
memory/3068-9-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing