formbook | 9df726f24b0a1282ca604a08a4648f527dae3e61712ea3954305362dc3ef4e10

General

Target

indexxx.exe
Size

296KB
MD5

0e8ecafcc4dac9129241e73027dc38d6
SHA1

f18003b9ab2278a390f5728a2c83e7047737aa25
SHA256

9df726f24b0a1282ca604a08a4648f527dae3e61712ea3954305362dc3ef4e10
SHA512

075919fdd5f3fb21bd09d8dd41851584905e214580726b5c180eb87830109ae7435465f37c9d865c966c4240cb6ffd1f4af661a935bf49c99e4b35d5a14e5048

Score

10^/10

formbook jy0b rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

jy0b

C2

http://www.filecrev.com/jy0b/

Decoy

lamejorimagen.com

mykabukibrush.com

modgon.com

barefoottherapeutics.com

shimpeg.net

trade-sniper.com

chiangkhancityhotel.com

joblessmoni.club

stespritsubways.com

chico-group.com

nni8.xyz

searchtypically.online

jobsyork.com

bestsales-crypto.com

iqmarketing.info

bullcityphotobooths.com

fwssc.icu

1oc87s.icu

usdiesel.xyz

secrets2optimumnutrition.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1020-57-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1020-58-0x000000000041F150-mapping.dmp	formbook
behavioral1/memory/1732-66-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1432 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

indexxx.exe

pid process

1364 indexxx.exe

pid	process
1432	cmd.exe

pid	process
1364	indexxx.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

indexxx.exeindexxx.exenetsh.exe

description	pid	process	target process
PID 1364 set thread context of 1020	1364	indexxx.exe	indexxx.exe
PID 1020 set thread context of 1284	1020	indexxx.exe	Explorer.EXE
PID 1732 set thread context of 1284	1732	netsh.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

indexxx.exenetsh.exe

pid	process
1020	indexxx.exe
1020	indexxx.exe
1732	netsh.exe
1732	netsh.exe
1732	netsh.exe
1732	netsh.exe
1732	netsh.exe
1732	netsh.exe
1732	netsh.exe
1732	netsh.exe
1732	netsh.exe
1732	netsh.exe
1732	netsh.exe
1732	netsh.exe
1732	netsh.exe
1732	netsh.exe
1732	netsh.exe
1732	netsh.exe
1732	netsh.exe
1732	netsh.exe
1732	netsh.exe
1732	netsh.exe
1732	netsh.exe
1732	netsh.exe
1732	netsh.exe
1732	netsh.exe
1732	netsh.exe
1732	netsh.exe
1732	netsh.exe
1732	netsh.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1284 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

indexxx.exenetsh.exe

pid process

1020 indexxx.exe
1020 indexxx.exe
1020 indexxx.exe
1732 netsh.exe
1732 netsh.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

indexxx.exenetsh.exe

description pid process

Token: SeDebugPrivilege 1020 indexxx.exe
Token: SeDebugPrivilege 1732 netsh.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1284 Explorer.EXE
1284 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1284 Explorer.EXE
1284 Explorer.EXE

pid	process
1284	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1020	indexxx.exe
Token: SeDebugPrivilege	1732	netsh.exe

pid	process
1284	Explorer.EXE
1284	Explorer.EXE

pid	process
1284	Explorer.EXE
1284	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

indexxx.exeExplorer.EXEnetsh.exe

description	pid	process	target process
PID 1364 wrote to memory of 1020	1364	indexxx.exe	indexxx.exe
PID 1364 wrote to memory of 1020	1364	indexxx.exe	indexxx.exe
PID 1364 wrote to memory of 1020	1364	indexxx.exe	indexxx.exe
PID 1364 wrote to memory of 1020	1364	indexxx.exe	indexxx.exe
PID 1364 wrote to memory of 1020	1364	indexxx.exe	indexxx.exe
PID 1364 wrote to memory of 1020	1364	indexxx.exe	indexxx.exe
PID 1364 wrote to memory of 1020	1364	indexxx.exe	indexxx.exe
PID 1284 wrote to memory of 1732	1284	Explorer.EXE	netsh.exe
PID 1284 wrote to memory of 1732	1284	Explorer.EXE	netsh.exe
PID 1284 wrote to memory of 1732	1284	Explorer.EXE	netsh.exe
PID 1284 wrote to memory of 1732	1284	Explorer.EXE	netsh.exe
PID 1732 wrote to memory of 1432	1732	netsh.exe	cmd.exe
PID 1732 wrote to memory of 1432	1732	netsh.exe	cmd.exe
PID 1732 wrote to memory of 1432	1732	netsh.exe	cmd.exe
PID 1732 wrote to memory of 1432	1732	netsh.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1284

C:\Users\Admin\AppData\Local\Temp\indexxx.exe
"C:\Users\Admin\AppData\Local\Temp\indexxx.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1364

C:\Users\Admin\AppData\Local\Temp\indexxx.exe
"C:\Users\Admin\AppData\Local\Temp\indexxx.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1128

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\indexxx.exe"
3⤵
- Deletes itself
PID:1432

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsnDEAC.tmp\vxlhto.dll
MD5
1cbb2db0be5023d1ab7f39a66f47c439

SHA1
cd0588d1b0f597a7541b36db3480d3380131f50e

SHA256
4e58bbb18e10dcdce812bae5ae8f9b927867a3af44c3829f6d3bd234dbdb2c33

SHA512
d275a0ed6066abc695ce1d5ad750979aaee9d146e2fd4fa8f70de80e1a5bb9873cb27492efa6c54e6e0567cf0c1bea5d010f4037951f88ef584b0ef645e371da

Download Submit
memory/1020-60-0x0000000000840000-0x0000000000B43000-memory.dmp

Filesize
3.0MB

Download
memory/1020-57-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1020-58-0x000000000041F150-mapping.dmp

Download
memory/1020-61-0x00000000002C0000-0x00000000002D4000-memory.dmp

Filesize
80KB

Download
memory/1284-62-0x0000000006AE0000-0x0000000006BEB000-memory.dmp

Filesize
1.0MB

Download
memory/1284-69-0x0000000007AF0000-0x0000000007C67000-memory.dmp

Filesize
1.5MB

Download
memory/1364-55-0x0000000076231000-0x0000000076233000-memory.dmp

Filesize
8KB

Download
memory/1432-64-0x0000000000000000-mapping.dmp

Download
memory/1732-63-0x0000000000000000-mapping.dmp

Download
memory/1732-65-0x00000000011C0000-0x00000000011DB000-memory.dmp

Filesize
108KB

Download
memory/1732-66-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1732-67-0x0000000000BF0000-0x0000000000EF3000-memory.dmp

Filesize
3.0MB

Download
memory/1732-68-0x0000000000920000-0x00000000009B3000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads