formbook | 662c7dc1c6b6fbc7cb4622876c0b0b2a42dba7081adede8a65182aef085f7082

General

Target

Jpcobmxenkifocexvfhjaqibxbbcwurkhq.exe
Size

681KB
MD5

b153fee758de5ba2af6f6b2ca4ea5cd8
SHA1

fb7309a6c4d10704ae202865b090d784906db2ab
SHA256

662c7dc1c6b6fbc7cb4622876c0b0b2a42dba7081adede8a65182aef085f7082
SHA512

6481414688630169f0c83ad7a93eb461e279bdf0320abc197e17a28b1d94c0be2a7a434a1a4f9de7996fd9298dfdf05ac1e6424beb558f67d431bd1fa80924d7

Score

10^/10

formbook modiloader gmfe persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gmfe

Decoy

boldaerospace.com

oleeoe.com

aucreuxducoeur.one

fatbellytonic.com

newfrontiermining.net

iphone13promax.guide

meltingpotspot.com

zuinigerijder.com

sigmagrup.com

thehekadivine.com

once-only.online

variouselectricianservice.com

xn--oy2b9rj5qfzo85aro.com

wuzuiso.com

inoutinsurance.xyz

company-intel.net

apppromaguginybuo.com

st666.tech

k-reborn-okayama.com

realteenpattix.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1992-84-0x0000000072480000-0x00000000724AF000-memory.dmp	formbook
behavioral1/memory/1332-92-0x0000000000130000-0x000000000015F000-memory.dmp	formbook

ModiLoader Second Stage 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/752-68-0x0000000004220000-0x00000000042A8000-memory.dmp	modiloader_stage2
behavioral1/memory/752-70-0x0000000004220000-0x00000000042A8000-memory.dmp	modiloader_stage2
behavioral1/memory/752-69-0x0000000004220000-0x00000000042A8000-memory.dmp	modiloader_stage2
behavioral1/memory/752-97-0x0000000004220000-0x00000000042A8000-memory.dmp	modiloader_stage2
behavioral1/memory/752-96-0x0000000004220000-0x00000000042A8000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

Processes:

ComputerDefaults.exeComputerDefaults.exe

pid process

1980 ComputerDefaults.exe
932 ComputerDefaults.exe

pid	process
1980	ComputerDefaults.exe
932	ComputerDefaults.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Jpcobmxenkifocexvfhjaqibxbbcwurkhq.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\Jpcobmxenk = "C:\\Users\\Admin\\Contacts\\knexmbocpJ.url"	Jpcobmxenkifocexvfhjaqibxbbcwurkhq.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

DpiScaling.exewininit.exe

description	pid	process	target process
PID 1992 set thread context of 1216	1992	DpiScaling.exe	Explorer.EXE
PID 1332 set thread context of 1216	1332	wininit.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1964 PING.EXE

pid	process
1964	PING.EXE

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

DpiScaling.exewininit.exe

pid	process
1992	DpiScaling.exe
1992	DpiScaling.exe
1332	wininit.exe
1332	wininit.exe
1332	wininit.exe
1332	wininit.exe
1332	wininit.exe
1332	wininit.exe
1332	wininit.exe
1332	wininit.exe
1332	wininit.exe
1332	wininit.exe
1332	wininit.exe
1332	wininit.exe
1332	wininit.exe
1332	wininit.exe
1332	wininit.exe
1332	wininit.exe
1332	wininit.exe
1332	wininit.exe
1332	wininit.exe
1332	wininit.exe
1332	wininit.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1216 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

DpiScaling.exewininit.exe

pid process

1992 DpiScaling.exe
1992 DpiScaling.exe
1992 DpiScaling.exe
1332 wininit.exe
1332 wininit.exe

pid	process
1216	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

DpiScaling.exeExplorer.EXEwininit.exe

description	pid	process
Token: SeDebugPrivilege	1992	DpiScaling.exe
Token: SeShutdownPrivilege	1216	Explorer.EXE
Token: SeDebugPrivilege	1332	wininit.exe
Token: SeShutdownPrivilege	1216	Explorer.EXE
Token: SeShutdownPrivilege	1216	Explorer.EXE
Token: SeShutdownPrivilege	1216	Explorer.EXE

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

Jpcobmxenkifocexvfhjaqibxbbcwurkhq.execmd.exeExplorer.EXEwininit.execmd.exe

description	pid	process	target process
PID 752 wrote to memory of 1992	752	Jpcobmxenkifocexvfhjaqibxbbcwurkhq.exe	DpiScaling.exe
PID 752 wrote to memory of 1992	752	Jpcobmxenkifocexvfhjaqibxbbcwurkhq.exe	DpiScaling.exe
PID 752 wrote to memory of 1992	752	Jpcobmxenkifocexvfhjaqibxbbcwurkhq.exe	DpiScaling.exe
PID 752 wrote to memory of 1992	752	Jpcobmxenkifocexvfhjaqibxbbcwurkhq.exe	DpiScaling.exe
PID 752 wrote to memory of 1992	752	Jpcobmxenkifocexvfhjaqibxbbcwurkhq.exe	DpiScaling.exe
PID 752 wrote to memory of 1992	752	Jpcobmxenkifocexvfhjaqibxbbcwurkhq.exe	DpiScaling.exe
PID 752 wrote to memory of 1992	752	Jpcobmxenkifocexvfhjaqibxbbcwurkhq.exe	DpiScaling.exe
PID 752 wrote to memory of 1364	752	Jpcobmxenkifocexvfhjaqibxbbcwurkhq.exe	cmd.exe
PID 752 wrote to memory of 1364	752	Jpcobmxenkifocexvfhjaqibxbbcwurkhq.exe	cmd.exe
PID 752 wrote to memory of 1364	752	Jpcobmxenkifocexvfhjaqibxbbcwurkhq.exe	cmd.exe
PID 752 wrote to memory of 1364	752	Jpcobmxenkifocexvfhjaqibxbbcwurkhq.exe	cmd.exe
PID 1364 wrote to memory of 2028	1364	cmd.exe	cmd.exe
PID 1364 wrote to memory of 2028	1364	cmd.exe	cmd.exe
PID 1364 wrote to memory of 2028	1364	cmd.exe	cmd.exe
PID 1364 wrote to memory of 2028	1364	cmd.exe	cmd.exe
PID 1216 wrote to memory of 1332	1216	Explorer.EXE	wininit.exe
PID 1216 wrote to memory of 1332	1216	Explorer.EXE	wininit.exe
PID 1216 wrote to memory of 1332	1216	Explorer.EXE	wininit.exe
PID 1216 wrote to memory of 1332	1216	Explorer.EXE	wininit.exe
PID 1332 wrote to memory of 1148	1332	wininit.exe	cmd.exe
PID 1332 wrote to memory of 1148	1332	wininit.exe	cmd.exe
PID 1332 wrote to memory of 1148	1332	wininit.exe	cmd.exe
PID 1332 wrote to memory of 1148	1332	wininit.exe	cmd.exe
PID 2028 wrote to memory of 1964	2028	cmd.exe	PING.EXE
PID 2028 wrote to memory of 1964	2028	cmd.exe	PING.EXE
PID 2028 wrote to memory of 1964	2028	cmd.exe	PING.EXE
PID 2028 wrote to memory of 1964	2028	cmd.exe	PING.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1216

C:\Users\Admin\AppData\Local\Temp\Jpcobmxenkifocexvfhjaqibxbbcwurkhq.exe
"C:\Users\Admin\AppData\Local\Temp\Jpcobmxenkifocexvfhjaqibxbbcwurkhq.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\SysWOW64\DpiScaling.exe
C:\Windows\System32\DpiScaling.exe
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\Contacts\Jpcobmxenkt.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\Contacts\JpcobmxenkO.bat
4⤵
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows \System32\ComputerDefaults.exe
"C:\Windows \System32\ComputerDefaults.exe"
5⤵
- Executes dropped EXE
PID:1980

C:\Windows \System32\ComputerDefaults.exe
"C:\Windows \System32\ComputerDefaults.exe"
5⤵
- Executes dropped EXE
PID:932

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 6
5⤵
- Runs ping.exe
PID:1964

C:\Windows\SysWOW64\wininit.exe
"C:\Windows\SysWOW64\wininit.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1332

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\DpiScaling.exe"
3⤵
PID:1148

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Contacts\ComputerDefaults.exe
MD5
495f18535bbba007a18ec5ee708318fe

SHA1
991100111548b5cc7a09c65797543898dab34fd3

SHA256
64959878420834ffdf17823f1cc507261f1cef286ff476777c4f3da7d17afa24

SHA512
ab16974e135cc74c26a58d01820026dcbb57dd52c2da143ce96aa4f6bc4cddda3926a1b07e9429c430f653503c7a8a679bc0da4a6fb657057890d9fc4d752b4b

Download Submit
C:\Users\Admin\Contacts\JpcobmxenkO.bat
MD5
1ed9fbc4b43b9afb48d089e9cc5fe5fc

SHA1
005f37cbcb2c8fe85ff83ead0e4a3282130c2cf5

SHA256
be39b65cfbae921d0a42d2958f14a9dc783ace7a3880efeec0b0a5293f4dece4

SHA512
f99118c532ab00eccb608d2a385b5ff51bb4c461b51c51ee01eb9445b11ed98ee0b2975518d0e7e9570f80601d08344812d26278ffabcb9afc2ab0942f705fdf

Download Submit
C:\Users\Admin\Contacts\Jpcobmxenkt.bat
MD5
2c3ed647cb71e286c879e5fbf9ba2448

SHA1
0fb61b0368b340e2f7fe417dcce56fc78647bce8

SHA256
14afdff1cc4a2c742ca3bef0186b6b966b3907944d83be98d0e564f5feab225c

SHA512
6d7744000848c087998fe8c49b2872d5e679312989e50cded70b920080999e164d1633f723183ef92ec586fa78193e69b99cbfdb8fd2c08f7b2825d6aacf8f3c

Download Submit
C:\Users\Admin\Contacts\KDECO.bat
MD5
213c60adf1c9ef88dc3c9b2d579959d2

SHA1
e4d2ad7b22b1a8b5b1f7a702b303c7364b0ee021

SHA256
37c59c8398279916cfce45f8c5e3431058248f5e3bef4d9f5c0f44a7d564f82e

SHA512
fe897d9caa306b0e761b2fd61bb5dc32a53bfaad1ce767c6860af4e3ad59c8f3257228a6e1072dab0f990cb51c59c648084ba419ac6bc5c0a99bdffa569217b7

Download Submit
C:\Users\Admin\Contacts\propsys.dll
MD5
24436256806530d3a75f82d019c10666

SHA1
78d794ef9f7b9ff710a51175852342a095d74fe0

SHA256
8010cc9ea70156767432d0b7e719cf6338bf3f1fc675e2e560bd43b3f0c1fd0c

SHA512
354419e36e5fd422c21218a590af17cfe64355dd5b10fd16a98b815a06caa5490428ca095eddb5831d34976f7685a0859c8d9971d6ea4865bb1f116b74c1f500

Download Submit
C:\Windows \System32\ComputerDefaults.exe
MD5
495f18535bbba007a18ec5ee708318fe

SHA1
991100111548b5cc7a09c65797543898dab34fd3

SHA256
64959878420834ffdf17823f1cc507261f1cef286ff476777c4f3da7d17afa24

SHA512
ab16974e135cc74c26a58d01820026dcbb57dd52c2da143ce96aa4f6bc4cddda3926a1b07e9429c430f653503c7a8a679bc0da4a6fb657057890d9fc4d752b4b

Download Submit
C:\Windows \System32\ComputerDefaults.exe
MD5
495f18535bbba007a18ec5ee708318fe

SHA1
991100111548b5cc7a09c65797543898dab34fd3

SHA256
64959878420834ffdf17823f1cc507261f1cef286ff476777c4f3da7d17afa24

SHA512
ab16974e135cc74c26a58d01820026dcbb57dd52c2da143ce96aa4f6bc4cddda3926a1b07e9429c430f653503c7a8a679bc0da4a6fb657057890d9fc4d752b4b

Download Submit
memory/752-69-0x0000000004220000-0x00000000042A8000-memory.dmp

Filesize
544KB

Download
memory/752-70-0x0000000004220000-0x00000000042A8000-memory.dmp

Filesize
544KB

Download
memory/752-68-0x0000000004220000-0x00000000042A8000-memory.dmp

Filesize
544KB

Download
memory/752-55-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/752-54-0x0000000075531000-0x0000000075533000-memory.dmp

Filesize
8KB

Download
memory/752-96-0x0000000004220000-0x00000000042A8000-memory.dmp

Filesize
544KB

Download
memory/752-97-0x0000000004220000-0x00000000042A8000-memory.dmp

Filesize
544KB

Download
memory/1216-89-0x0000000004B10000-0x0000000004BF9000-memory.dmp

Filesize
932KB

Download
memory/1216-99-0x000007FEDBBA0000-0x000007FEDBBAA000-memory.dmp

Filesize
40KB

Download
memory/1216-98-0x000007FEF6520000-0x000007FEF6663000-memory.dmp

Filesize
1.3MB

Download
memory/1216-95-0x00000000067F0000-0x00000000068D6000-memory.dmp

Filesize
920KB

Download
memory/1332-93-0x0000000001F00000-0x0000000002203000-memory.dmp

Filesize
3.0MB

Download
memory/1332-91-0x0000000000680000-0x000000000069A000-memory.dmp

Filesize
104KB

Download
memory/1332-92-0x0000000000130000-0x000000000015F000-memory.dmp

Filesize
188KB

Download
memory/1332-94-0x0000000001C30000-0x0000000001CC3000-memory.dmp

Filesize
588KB

Download
memory/1992-74-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1992-88-0x00000000001F0000-0x0000000000204000-memory.dmp

Filesize
80KB

Download
memory/1992-87-0x0000000001FC0000-0x00000000022C3000-memory.dmp

Filesize
3.0MB

Download
memory/1992-86-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/1992-84-0x0000000072480000-0x00000000724AF000-memory.dmp

Filesize
188KB

Download
memory/1992-73-0x0000000072480000-0x00000000724AF000-memory.dmp

Filesize
188KB

Download
memory/2028-90-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads