formbook | 7416647e8ad9b50cc3a8da41679abefc154798e0536587c9795bde7f9ea90591

General

Target

6a220dfe065da94494e1f5a94311bdba17f6f56d66f40ca39af817798fea09af.exe
Size

763KB
MD5

9df58df76c5826af2a9357287869e0f7
SHA1

c2d804fdeefc82563b51c04870b49cc998588712
SHA256

6a220dfe065da94494e1f5a94311bdba17f6f56d66f40ca39af817798fea09af
SHA512

2f0a90bdf8748d4c616b0568ddbb9043dedbb536a5902cec3e6693ed37ba94fb2aec42c514722f09589d27d5bdb1bbe3c3c4d3338386459348ad695465b9f494
SSDEEP

12288:eQDFTPiULBMzvlKXj3Z+ka1XmrpVMSTUplRYgK+CVINEX9yKBg7vjG:HPh2NKXj8tVmpmGUpXYfia9yKe/

Score

10^/10

formbook ij84 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ij84

Decoy

resetter.xyz

simonbelanger.me

kwip.xyz

7dbb9.baby

notion-everyday.com

saftiwall.com

pulse-gaming.com

fafafa1.shop

ihaveahole.com

sxtzzj.com

996688x.xyz

komalili.monster

haberdashere.store

nurselifegng.com

kidtryz.com

ghvx.xyz

1minvideopro.com

hidef.group

stylishbeststyler.space

spx21.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3776-25-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3776-32-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/1540-33-0x0000000000740000-0x000000000076F000-memory.dmp	formbook

Drops startup file 3 IoCs

Processes:

6a220dfe065da94494e1f5a94311bdba17f6f56d66f40ca39af817798fea09af.execmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GHUI.lnk	6a220dfe065da94494e1f5a94311bdba17f6f56d66f40ca39af817798fea09af.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jui\GHUI.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jui\GHUI.exe	cmd.exe

Executes dropped EXE 1 IoCs

Processes:

GHUI.exe

pid process

3724 GHUI.exe

pid	process
3724	GHUI.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

GHUI.exeAddInProcess32.exeNETSTAT.EXE

description	pid	process	target process
PID 3724 set thread context of 3776	3724	GHUI.exe	AddInProcess32.exe
PID 3776 set thread context of 3524	3776	AddInProcess32.exe	Explorer.EXE
PID 1540 set thread context of 3524	1540	NETSTAT.EXE	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

NETSTAT.EXE

pid process

1540 NETSTAT.EXE
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

4888 PING.EXE
4300 PING.EXE

pid	process
1540	NETSTAT.EXE

pid	process
4888	PING.EXE
4300	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6a220dfe065da94494e1f5a94311bdba17f6f56d66f40ca39af817798fea09af.exeGHUI.exeAddInProcess32.exeNETSTAT.EXE

pid	process
3192	6a220dfe065da94494e1f5a94311bdba17f6f56d66f40ca39af817798fea09af.exe
3192	6a220dfe065da94494e1f5a94311bdba17f6f56d66f40ca39af817798fea09af.exe
3192	6a220dfe065da94494e1f5a94311bdba17f6f56d66f40ca39af817798fea09af.exe
3192	6a220dfe065da94494e1f5a94311bdba17f6f56d66f40ca39af817798fea09af.exe
3192	6a220dfe065da94494e1f5a94311bdba17f6f56d66f40ca39af817798fea09af.exe
3192	6a220dfe065da94494e1f5a94311bdba17f6f56d66f40ca39af817798fea09af.exe
3192	6a220dfe065da94494e1f5a94311bdba17f6f56d66f40ca39af817798fea09af.exe
3192	6a220dfe065da94494e1f5a94311bdba17f6f56d66f40ca39af817798fea09af.exe
3192	6a220dfe065da94494e1f5a94311bdba17f6f56d66f40ca39af817798fea09af.exe
3192	6a220dfe065da94494e1f5a94311bdba17f6f56d66f40ca39af817798fea09af.exe
3192	6a220dfe065da94494e1f5a94311bdba17f6f56d66f40ca39af817798fea09af.exe
3192	6a220dfe065da94494e1f5a94311bdba17f6f56d66f40ca39af817798fea09af.exe
3192	6a220dfe065da94494e1f5a94311bdba17f6f56d66f40ca39af817798fea09af.exe
3192	6a220dfe065da94494e1f5a94311bdba17f6f56d66f40ca39af817798fea09af.exe
3192	6a220dfe065da94494e1f5a94311bdba17f6f56d66f40ca39af817798fea09af.exe
3192	6a220dfe065da94494e1f5a94311bdba17f6f56d66f40ca39af817798fea09af.exe
3192	6a220dfe065da94494e1f5a94311bdba17f6f56d66f40ca39af817798fea09af.exe
3192	6a220dfe065da94494e1f5a94311bdba17f6f56d66f40ca39af817798fea09af.exe
3192	6a220dfe065da94494e1f5a94311bdba17f6f56d66f40ca39af817798fea09af.exe
3192	6a220dfe065da94494e1f5a94311bdba17f6f56d66f40ca39af817798fea09af.exe
3192	6a220dfe065da94494e1f5a94311bdba17f6f56d66f40ca39af817798fea09af.exe
3192	6a220dfe065da94494e1f5a94311bdba17f6f56d66f40ca39af817798fea09af.exe
3192	6a220dfe065da94494e1f5a94311bdba17f6f56d66f40ca39af817798fea09af.exe
3192	6a220dfe065da94494e1f5a94311bdba17f6f56d66f40ca39af817798fea09af.exe
3192	6a220dfe065da94494e1f5a94311bdba17f6f56d66f40ca39af817798fea09af.exe
3724	GHUI.exe
3724	GHUI.exe
3724	GHUI.exe
3724	GHUI.exe
3776	AddInProcess32.exe
3776	AddInProcess32.exe
3776	AddInProcess32.exe
3776	AddInProcess32.exe
1540	NETSTAT.EXE
1540	NETSTAT.EXE
1540	NETSTAT.EXE
1540	NETSTAT.EXE
1540	NETSTAT.EXE
1540	NETSTAT.EXE
1540	NETSTAT.EXE
1540	NETSTAT.EXE
1540	NETSTAT.EXE
1540	NETSTAT.EXE
1540	NETSTAT.EXE
1540	NETSTAT.EXE
1540	NETSTAT.EXE
1540	NETSTAT.EXE
1540	NETSTAT.EXE
1540	NETSTAT.EXE
1540	NETSTAT.EXE
1540	NETSTAT.EXE
1540	NETSTAT.EXE
1540	NETSTAT.EXE
1540	NETSTAT.EXE
1540	NETSTAT.EXE
1540	NETSTAT.EXE
1540	NETSTAT.EXE
1540	NETSTAT.EXE
1540	NETSTAT.EXE
1540	NETSTAT.EXE
1540	NETSTAT.EXE
1540	NETSTAT.EXE
1540	NETSTAT.EXE
1540	NETSTAT.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

AddInProcess32.exeNETSTAT.EXE

pid process

3776 AddInProcess32.exe
3776 AddInProcess32.exe
3776 AddInProcess32.exe
1540 NETSTAT.EXE
1540 NETSTAT.EXE

pid	process
3776	AddInProcess32.exe
3776	AddInProcess32.exe
3776	AddInProcess32.exe
1540	NETSTAT.EXE
1540	NETSTAT.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

6a220dfe065da94494e1f5a94311bdba17f6f56d66f40ca39af817798fea09af.exeGHUI.exeAddInProcess32.exeNETSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	3192	6a220dfe065da94494e1f5a94311bdba17f6f56d66f40ca39af817798fea09af.exe
Token: SeDebugPrivilege	3724	GHUI.exe
Token: SeDebugPrivilege	3776	AddInProcess32.exe
Token: SeDebugPrivilege	1540	NETSTAT.EXE

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3524 Explorer.EXE

pid	process
3524	Explorer.EXE

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

6a220dfe065da94494e1f5a94311bdba17f6f56d66f40ca39af817798fea09af.execmd.exeGHUI.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 3192 wrote to memory of 4144	3192	6a220dfe065da94494e1f5a94311bdba17f6f56d66f40ca39af817798fea09af.exe	cmd.exe
PID 3192 wrote to memory of 4144	3192	6a220dfe065da94494e1f5a94311bdba17f6f56d66f40ca39af817798fea09af.exe	cmd.exe
PID 3192 wrote to memory of 4144	3192	6a220dfe065da94494e1f5a94311bdba17f6f56d66f40ca39af817798fea09af.exe	cmd.exe
PID 4144 wrote to memory of 4888	4144	cmd.exe	PING.EXE
PID 4144 wrote to memory of 4888	4144	cmd.exe	PING.EXE
PID 4144 wrote to memory of 4888	4144	cmd.exe	PING.EXE
PID 4144 wrote to memory of 4300	4144	cmd.exe	PING.EXE
PID 4144 wrote to memory of 4300	4144	cmd.exe	PING.EXE
PID 4144 wrote to memory of 4300	4144	cmd.exe	PING.EXE
PID 4144 wrote to memory of 3724	4144	cmd.exe	GHUI.exe
PID 4144 wrote to memory of 3724	4144	cmd.exe	GHUI.exe
PID 4144 wrote to memory of 3724	4144	cmd.exe	GHUI.exe
PID 3724 wrote to memory of 2312	3724	GHUI.exe	AddInProcess32.exe
PID 3724 wrote to memory of 2312	3724	GHUI.exe	AddInProcess32.exe
PID 3724 wrote to memory of 2312	3724	GHUI.exe	AddInProcess32.exe
PID 3724 wrote to memory of 2312	3724	GHUI.exe	AddInProcess32.exe
PID 3724 wrote to memory of 2312	3724	GHUI.exe	AddInProcess32.exe
PID 3724 wrote to memory of 2312	3724	GHUI.exe	AddInProcess32.exe
PID 3724 wrote to memory of 3776	3724	GHUI.exe	AddInProcess32.exe
PID 3724 wrote to memory of 3776	3724	GHUI.exe	AddInProcess32.exe
PID 3724 wrote to memory of 3776	3724	GHUI.exe	AddInProcess32.exe
PID 3724 wrote to memory of 3776	3724	GHUI.exe	AddInProcess32.exe
PID 3724 wrote to memory of 3776	3724	GHUI.exe	AddInProcess32.exe
PID 3724 wrote to memory of 3776	3724	GHUI.exe	AddInProcess32.exe
PID 3524 wrote to memory of 1540	3524	Explorer.EXE	NETSTAT.EXE
PID 3524 wrote to memory of 1540	3524	Explorer.EXE	NETSTAT.EXE
PID 3524 wrote to memory of 1540	3524	Explorer.EXE	NETSTAT.EXE
PID 1540 wrote to memory of 4728	1540	NETSTAT.EXE	cmd.exe
PID 1540 wrote to memory of 4728	1540	NETSTAT.EXE	cmd.exe
PID 1540 wrote to memory of 4728	1540	NETSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3524
- C:\Users\Admin\AppData\Local\Temp\6a220dfe065da94494e1f5a94311bdba17f6f56d66f40ca39af817798fea09af.exe
  "C:\Users\Admin\AppData\Local\Temp\6a220dfe065da94494e1f5a94311bdba17f6f56d66f40ca39af817798fea09af.exe"
  2⤵
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3192
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c ping 127.0.0.1 -n 9 > nul && copy "C:\Users\Admin\AppData\Local\Temp\6a220dfe065da94494e1f5a94311bdba17f6f56d66f40ca39af817798fea09af.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jui\GHUI.exe" && ping 127.0.0.1 -n 9 > nul && "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jui\GHUI.exe"
    3⤵
    - Drops startup file
    - Suspicious use of WriteProcessMemory
    PID:4144
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 9
      4⤵
      Runs ping.exe
      PID:4888
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 9
      4⤵
      Runs ping.exe
      PID:4300
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jui\GHUI.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jui\GHUI.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3724
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        5⤵
        
        PID:2312
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        5⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:3776
- C:\Windows\SysWOW64\NETSTAT.EXE
  "C:\Windows\SysWOW64\NETSTAT.EXE"
  2⤵
  - Suspicious use of SetThreadContext
  - Gathers network information
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    PID:4728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jui\GHUI.exe

Filesize
763KB

MD5
9df58df76c5826af2a9357287869e0f7

SHA1
c2d804fdeefc82563b51c04870b49cc998588712

SHA256
6a220dfe065da94494e1f5a94311bdba17f6f56d66f40ca39af817798fea09af

SHA512
2f0a90bdf8748d4c616b0568ddbb9043dedbb536a5902cec3e6693ed37ba94fb2aec42c514722f09589d27d5bdb1bbe3c3c4d3338386459348ad695465b9f494

Download Submit
memory/1540-31-0x0000000000470000-0x000000000047B000-memory.dmp

Filesize
44KB

Download
memory/1540-33-0x0000000000740000-0x000000000076F000-memory.dmp

Filesize
188KB

Download
memory/3192-9-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/3192-6-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/3192-7-0x00000000057D0000-0x00000000057DA000-memory.dmp

Filesize
40KB

Download
memory/3192-5-0x0000000005800000-0x0000000005892000-memory.dmp

Filesize
584KB

Download
memory/3192-4-0x0000000005700000-0x0000000005744000-memory.dmp

Filesize
272KB

Download
memory/3192-11-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/3192-3-0x0000000005A30000-0x0000000005FD4000-memory.dmp

Filesize
5.6MB

Download
memory/3192-2-0x00000000053E0000-0x000000000547C000-memory.dmp

Filesize
624KB

Download
memory/3192-0-0x0000000074EEE000-0x0000000074EEF000-memory.dmp

Filesize
4KB

Download
memory/3192-1-0x0000000000A50000-0x0000000000B16000-memory.dmp

Filesize
792KB

Download
memory/3524-30-0x000000000A530000-0x000000000A6C9000-memory.dmp

Filesize
1.6MB

Download
memory/3524-38-0x0000000008380000-0x000000000849C000-memory.dmp

Filesize
1.1MB

Download
memory/3524-36-0x000000000A530000-0x000000000A6C9000-memory.dmp

Filesize
1.6MB

Download
memory/3724-20-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download
memory/3724-23-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download
memory/3724-24-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download
memory/3724-27-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download
memory/3724-22-0x0000000009160000-0x0000000009166000-memory.dmp

Filesize
24KB

Download
memory/3724-21-0x0000000006790000-0x00000000067AA000-memory.dmp

Filesize
104KB

Download
memory/3724-19-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download
memory/3724-18-0x0000000000360000-0x0000000000426000-memory.dmp

Filesize
792KB

Download
memory/3724-17-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download
memory/3776-25-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3776-28-0x0000000000F20000-0x000000000126A000-memory.dmp

Filesize
3.3MB

Download
memory/3776-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads