formbook | b52df691d7fb9b73288ec52b8c8b3f3dc70e262ff8af122f275ac93300aede07

General

Target

99448ebd6bbde5bf60ce33bffdddf07a.exe
Size

463KB
MD5

99448ebd6bbde5bf60ce33bffdddf07a
SHA1

02cba5cd7ae83f06ce9d9e5c39d752a534e51a37
SHA256

b52df691d7fb9b73288ec52b8c8b3f3dc70e262ff8af122f275ac93300aede07
SHA512

c5b9163cd2926bd70d0e225294a5bb620151e317e7a8f2942fbdad1a9302559931e04d4d611b1b53f1f8aa03d7ea77039e6ada312d3efb4628648671cb471eee

Score

10^/10

formbook jy0b rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

jy0b

C2

http://www.filecrev.com/jy0b/

Decoy

lamejorimagen.com

mykabukibrush.com

modgon.com

barefoottherapeutics.com

shimpeg.net

trade-sniper.com

chiangkhancityhotel.com

joblessmoni.club

stespritsubways.com

chico-group.com

nni8.xyz

searchtypically.online

jobsyork.com

bestsales-crypto.com

iqmarketing.info

bullcityphotobooths.com

fwssc.icu

1oc87s.icu

usdiesel.xyz

secrets2optimumnutrition.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3512-119-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3512-120-0x000000000041F150-mapping.dmp	formbook

Loads dropped DLL 1 IoCs

Processes:

99448ebd6bbde5bf60ce33bffdddf07a.exe

pid process

2648 99448ebd6bbde5bf60ce33bffdddf07a.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

99448ebd6bbde5bf60ce33bffdddf07a.exe

description pid process target process

PID 2648 set thread context of 3512 2648 99448ebd6bbde5bf60ce33bffdddf07a.exe 99448ebd6bbde5bf60ce33bffdddf07a.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

99448ebd6bbde5bf60ce33bffdddf07a.exe

pid process

3512 99448ebd6bbde5bf60ce33bffdddf07a.exe
3512 99448ebd6bbde5bf60ce33bffdddf07a.exe

pid	process
2648	99448ebd6bbde5bf60ce33bffdddf07a.exe

description	pid	process	target process
PID 2648 set thread context of 3512	2648	99448ebd6bbde5bf60ce33bffdddf07a.exe	99448ebd6bbde5bf60ce33bffdddf07a.exe

pid	process
3512	99448ebd6bbde5bf60ce33bffdddf07a.exe
3512	99448ebd6bbde5bf60ce33bffdddf07a.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

99448ebd6bbde5bf60ce33bffdddf07a.exe

description	pid	process	target process
PID 2648 wrote to memory of 3512	2648	99448ebd6bbde5bf60ce33bffdddf07a.exe	99448ebd6bbde5bf60ce33bffdddf07a.exe
PID 2648 wrote to memory of 3512	2648	99448ebd6bbde5bf60ce33bffdddf07a.exe	99448ebd6bbde5bf60ce33bffdddf07a.exe
PID 2648 wrote to memory of 3512	2648	99448ebd6bbde5bf60ce33bffdddf07a.exe	99448ebd6bbde5bf60ce33bffdddf07a.exe
PID 2648 wrote to memory of 3512	2648	99448ebd6bbde5bf60ce33bffdddf07a.exe	99448ebd6bbde5bf60ce33bffdddf07a.exe
PID 2648 wrote to memory of 3512	2648	99448ebd6bbde5bf60ce33bffdddf07a.exe	99448ebd6bbde5bf60ce33bffdddf07a.exe
PID 2648 wrote to memory of 3512	2648	99448ebd6bbde5bf60ce33bffdddf07a.exe	99448ebd6bbde5bf60ce33bffdddf07a.exe

C:\Users\Admin\AppData\Local\Temp\99448ebd6bbde5bf60ce33bffdddf07a.exe
"C:\Users\Admin\AppData\Local\Temp\99448ebd6bbde5bf60ce33bffdddf07a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2648

C:\Users\Admin\AppData\Local\Temp\99448ebd6bbde5bf60ce33bffdddf07a.exe
"C:\Users\Admin\AppData\Local\Temp\99448ebd6bbde5bf60ce33bffdddf07a.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3512

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nseB519.tmp\rqnef.dll
MD5
4b7adc1a1a20b6c736e96e8e0ad28380

SHA1
bcf6b80fa2dd857efe7a72d26119339554343f68

SHA256
0298b4de640c4669681d1cb603377b0e812e8d526a07c2aa088ab7718f807962

SHA512
d33578040495febdc950a6794f257c21345f292b81af9648e18192eaaedd68a6d144e0a1a5c377c875a13f8a22fbcf638bb8a66eed2f1bbc1df28b6e90aac5a8

Download Submit
memory/3512-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3512-120-0x000000000041F150-mapping.dmp

Download
memory/3512-121-0x0000000000A40000-0x0000000000D60000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing