formbook | 9df726f24b0a1282ca604a08a4648f527dae3e61712ea3954305362dc3ef4e10

General

Target

indexxx.exe
Size

296KB
MD5

0e8ecafcc4dac9129241e73027dc38d6
SHA1

f18003b9ab2278a390f5728a2c83e7047737aa25
SHA256

9df726f24b0a1282ca604a08a4648f527dae3e61712ea3954305362dc3ef4e10
SHA512

075919fdd5f3fb21bd09d8dd41851584905e214580726b5c180eb87830109ae7435465f37c9d865c966c4240cb6ffd1f4af661a935bf49c99e4b35d5a14e5048

Score

10^/10

formbook jy0b rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

jy0b

C2

http://www.filecrev.com/jy0b/

Decoy

lamejorimagen.com

mykabukibrush.com

modgon.com

barefoottherapeutics.com

shimpeg.net

trade-sniper.com

chiangkhancityhotel.com

joblessmoni.club

stespritsubways.com

chico-group.com

nni8.xyz

searchtypically.online

jobsyork.com

bestsales-crypto.com

iqmarketing.info

bullcityphotobooths.com

fwssc.icu

1oc87s.icu

usdiesel.xyz

secrets2optimumnutrition.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2312-119-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2312-120-0x000000000041F150-mapping.dmp	formbook
behavioral2/memory/4016-127-0x0000000002FA0000-0x0000000002FCF000-memory.dmp	formbook

Loads dropped DLL 1 IoCs

Processes:

indexxx.exe

pid process

3600 indexxx.exe

pid	process
3600	indexxx.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

indexxx.exeindexxx.exehelp.exe

description	pid	process	target process
PID 3600 set thread context of 2312	3600	indexxx.exe	indexxx.exe
PID 2312 set thread context of 2436	2312	indexxx.exe	Explorer.EXE
PID 4016 set thread context of 2436	4016	help.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

indexxx.exehelp.exe

pid	process
2312	indexxx.exe
2312	indexxx.exe
2312	indexxx.exe
2312	indexxx.exe
4016	help.exe
4016	help.exe
4016	help.exe
4016	help.exe
4016	help.exe
4016	help.exe
4016	help.exe
4016	help.exe
4016	help.exe
4016	help.exe
4016	help.exe
4016	help.exe
4016	help.exe
4016	help.exe
4016	help.exe
4016	help.exe
4016	help.exe
4016	help.exe
4016	help.exe
4016	help.exe
4016	help.exe
4016	help.exe
4016	help.exe
4016	help.exe
4016	help.exe
4016	help.exe
4016	help.exe
4016	help.exe
4016	help.exe
4016	help.exe
4016	help.exe
4016	help.exe
4016	help.exe
4016	help.exe
4016	help.exe
4016	help.exe
4016	help.exe
4016	help.exe
4016	help.exe
4016	help.exe
4016	help.exe
4016	help.exe
4016	help.exe
4016	help.exe
4016	help.exe
4016	help.exe
4016	help.exe
4016	help.exe
4016	help.exe
4016	help.exe
4016	help.exe
4016	help.exe
4016	help.exe
4016	help.exe
4016	help.exe
4016	help.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2436 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

indexxx.exehelp.exe

pid process

2312 indexxx.exe
2312 indexxx.exe
2312 indexxx.exe
4016 help.exe
4016 help.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

indexxx.exehelp.exe

description pid process

Token: SeDebugPrivilege 2312 indexxx.exe
Token: SeDebugPrivilege 4016 help.exe

pid	process
2436	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	2312	indexxx.exe
Token: SeDebugPrivilege	4016	help.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

indexxx.exeExplorer.EXEhelp.exe

description	pid	process	target process
PID 3600 wrote to memory of 2312	3600	indexxx.exe	indexxx.exe
PID 3600 wrote to memory of 2312	3600	indexxx.exe	indexxx.exe
PID 3600 wrote to memory of 2312	3600	indexxx.exe	indexxx.exe
PID 3600 wrote to memory of 2312	3600	indexxx.exe	indexxx.exe
PID 3600 wrote to memory of 2312	3600	indexxx.exe	indexxx.exe
PID 3600 wrote to memory of 2312	3600	indexxx.exe	indexxx.exe
PID 2436 wrote to memory of 4016	2436	Explorer.EXE	help.exe
PID 2436 wrote to memory of 4016	2436	Explorer.EXE	help.exe
PID 2436 wrote to memory of 4016	2436	Explorer.EXE	help.exe
PID 4016 wrote to memory of 4052	4016	help.exe	cmd.exe
PID 4016 wrote to memory of 4052	4016	help.exe	cmd.exe
PID 4016 wrote to memory of 4052	4016	help.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2436

C:\Users\Admin\AppData\Local\Temp\indexxx.exe
"C:\Users\Admin\AppData\Local\Temp\indexxx.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3600

C:\Users\Admin\AppData\Local\Temp\indexxx.exe
"C:\Users\Admin\AppData\Local\Temp\indexxx.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2312

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4016

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\indexxx.exe"
3⤵
PID:4052

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsg9433.tmp\vxlhto.dll
MD5
1cbb2db0be5023d1ab7f39a66f47c439

SHA1
cd0588d1b0f597a7541b36db3480d3380131f50e

SHA256
4e58bbb18e10dcdce812bae5ae8f9b927867a3af44c3829f6d3bd234dbdb2c33

SHA512
d275a0ed6066abc695ce1d5ad750979aaee9d146e2fd4fa8f70de80e1a5bb9873cb27492efa6c54e6e0567cf0c1bea5d010f4037951f88ef584b0ef645e371da

Download Submit
memory/2312-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2312-120-0x000000000041F150-mapping.dmp

Download
memory/2312-123-0x00000000005C0000-0x00000000005D4000-memory.dmp

Filesize
80KB

Download
memory/2312-122-0x0000000000AF0000-0x0000000000E10000-memory.dmp

Filesize
3.1MB

Download
memory/2436-131-0x00000000031A0000-0x0000000003267000-memory.dmp

Filesize
796KB

Download
memory/2436-124-0x0000000005A20000-0x0000000005B4B000-memory.dmp

Filesize
1.2MB

Download
memory/4016-125-0x0000000000000000-mapping.dmp

Download
memory/4016-127-0x0000000002FA0000-0x0000000002FCF000-memory.dmp

Filesize
188KB

Download
memory/4016-128-0x0000000003680000-0x00000000039A0000-memory.dmp

Filesize
3.1MB

Download
memory/4016-130-0x0000000003570000-0x0000000003603000-memory.dmp

Filesize
588KB

Download
memory/4016-126-0x0000000000C20000-0x0000000000C27000-memory.dmp

Filesize
28KB

Download
memory/4052-129-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads