formbook | 662c7dc1c6b6fbc7cb4622876c0b0b2a42dba7081adede8a65182aef085f7082

Analysis

max time kernel
163s
max time network
164s
platform
windows10_x64
resource
win10-en-20211208
submitted
27-01-2022 14:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Jpcobmxenkifocexvfhjaqibxbbcwurkhq.exe
Size

681KB
MD5

b153fee758de5ba2af6f6b2ca4ea5cd8
SHA1

fb7309a6c4d10704ae202865b090d784906db2ab
SHA256

662c7dc1c6b6fbc7cb4622876c0b0b2a42dba7081adede8a65182aef085f7082
SHA512

6481414688630169f0c83ad7a93eb461e279bdf0320abc197e17a28b1d94c0be2a7a434a1a4f9de7996fd9298dfdf05ac1e6424beb558f67d431bd1fa80924d7

Score

10^/10

formbook gmfe persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gmfe

Decoy

boldaerospace.com

oleeoe.com

aucreuxducoeur.one

fatbellytonic.com

newfrontiermining.net

iphone13promax.guide

meltingpotspot.com

zuinigerijder.com

sigmagrup.com

thehekadivine.com

once-only.online

variouselectricianservice.com

xn--oy2b9rj5qfzo85aro.com

wuzuiso.com

inoutinsurance.xyz

company-intel.net

apppromaguginybuo.com

st666.tech

k-reborn-okayama.com

realteenpattix.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2984-210-0x0000000072480000-0x00000000724AF000-memory.dmp	formbook
behavioral2/memory/2508-263-0x0000000000480000-0x00000000004AF000-memory.dmp	formbook

Executes dropped EXE 1 IoCs

Processes:

ComputerDefaults.exe

pid process

3720 ComputerDefaults.exe
Loads dropped DLL 1 IoCs

Processes:

ComputerDefaults.exe

pid process

3720 ComputerDefaults.exe

pid	process
3720	ComputerDefaults.exe

pid	process
3720	ComputerDefaults.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Jpcobmxenkifocexvfhjaqibxbbcwurkhq.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\Jpcobmxenk = "C:\\Users\\Admin\\Contacts\\knexmbocpJ.url"	Jpcobmxenkifocexvfhjaqibxbbcwurkhq.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

logagent.exewlanext.exe

description	pid	process	target process
PID 2984 set thread context of 3000	2984	logagent.exe	Explorer.EXE
PID 2508 set thread context of 3000	2508	wlanext.exe	Explorer.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2136 PING.EXE

pid	process
2136	PING.EXE

Suspicious behavior: EnumeratesProcesses 45 IoCs

Processes:

logagent.exepowershell.exewlanext.exe

pid	process
2984	logagent.exe
2984	logagent.exe
2556	powershell.exe
2556	powershell.exe
2556	powershell.exe
2984	logagent.exe
2984	logagent.exe
2508	wlanext.exe
2508	wlanext.exe
2508	wlanext.exe
2508	wlanext.exe
2508	wlanext.exe
2508	wlanext.exe
2508	wlanext.exe
2508	wlanext.exe
2508	wlanext.exe
2508	wlanext.exe
2508	wlanext.exe
2508	wlanext.exe
2508	wlanext.exe
2508	wlanext.exe
2508	wlanext.exe
2508	wlanext.exe
2508	wlanext.exe
2508	wlanext.exe
2508	wlanext.exe
2508	wlanext.exe
2508	wlanext.exe
2508	wlanext.exe
2508	wlanext.exe
2508	wlanext.exe
2508	wlanext.exe
2508	wlanext.exe
2508	wlanext.exe
2508	wlanext.exe
2508	wlanext.exe
2508	wlanext.exe
2508	wlanext.exe
2508	wlanext.exe
2508	wlanext.exe
2508	wlanext.exe
2508	wlanext.exe
2508	wlanext.exe
2508	wlanext.exe
2508	wlanext.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3000 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

logagent.exewlanext.exe

pid process

2984 logagent.exe
2984 logagent.exe
2984 logagent.exe
2508 wlanext.exe
2508 wlanext.exe

pid	process
3000	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 34 IoCs

Processes:

powershell.exelogagent.exeExplorer.EXEwlanext.exe

description	pid	process
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	2984	logagent.exe
Token: SeIncreaseQuotaPrivilege	2556	powershell.exe
Token: SeSecurityPrivilege	2556	powershell.exe
Token: SeTakeOwnershipPrivilege	2556	powershell.exe
Token: SeLoadDriverPrivilege	2556	powershell.exe
Token: SeSystemProfilePrivilege	2556	powershell.exe
Token: SeSystemtimePrivilege	2556	powershell.exe
Token: SeProfSingleProcessPrivilege	2556	powershell.exe
Token: SeIncBasePriorityPrivilege	2556	powershell.exe
Token: SeCreatePagefilePrivilege	2556	powershell.exe
Token: SeBackupPrivilege	2556	powershell.exe
Token: SeRestorePrivilege	2556	powershell.exe
Token: SeShutdownPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeSystemEnvironmentPrivilege	2556	powershell.exe
Token: SeRemoteShutdownPrivilege	2556	powershell.exe
Token: SeUndockPrivilege	2556	powershell.exe
Token: SeManageVolumePrivilege	2556	powershell.exe
Token: 33	2556	powershell.exe
Token: 34	2556	powershell.exe
Token: 35	2556	powershell.exe
Token: 36	2556	powershell.exe
Token: SeShutdownPrivilege	3000	Explorer.EXE
Token: SeCreatePagefilePrivilege	3000	Explorer.EXE
Token: SeDebugPrivilege	2508	wlanext.exe
Token: SeShutdownPrivilege	3000	Explorer.EXE
Token: SeCreatePagefilePrivilege	3000	Explorer.EXE
Token: SeShutdownPrivilege	3000	Explorer.EXE
Token: SeCreatePagefilePrivilege	3000	Explorer.EXE
Token: SeShutdownPrivilege	3000	Explorer.EXE
Token: SeCreatePagefilePrivilege	3000	Explorer.EXE
Token: SeShutdownPrivilege	3000	Explorer.EXE
Token: SeCreatePagefilePrivilege	3000	Explorer.EXE

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

Jpcobmxenkifocexvfhjaqibxbbcwurkhq.execmd.execmd.exeComputerDefaults.execmd.exeExplorer.EXEwlanext.exe

description	pid	process	target process
PID 2780 wrote to memory of 2984	2780	Jpcobmxenkifocexvfhjaqibxbbcwurkhq.exe	logagent.exe
PID 2780 wrote to memory of 2984	2780	Jpcobmxenkifocexvfhjaqibxbbcwurkhq.exe	logagent.exe
PID 2780 wrote to memory of 2984	2780	Jpcobmxenkifocexvfhjaqibxbbcwurkhq.exe	logagent.exe
PID 2780 wrote to memory of 2984	2780	Jpcobmxenkifocexvfhjaqibxbbcwurkhq.exe	logagent.exe
PID 2780 wrote to memory of 2984	2780	Jpcobmxenkifocexvfhjaqibxbbcwurkhq.exe	logagent.exe
PID 2780 wrote to memory of 2984	2780	Jpcobmxenkifocexvfhjaqibxbbcwurkhq.exe	logagent.exe
PID 2780 wrote to memory of 1304	2780	Jpcobmxenkifocexvfhjaqibxbbcwurkhq.exe	cmd.exe
PID 2780 wrote to memory of 1304	2780	Jpcobmxenkifocexvfhjaqibxbbcwurkhq.exe	cmd.exe
PID 2780 wrote to memory of 1304	2780	Jpcobmxenkifocexvfhjaqibxbbcwurkhq.exe	cmd.exe
PID 1304 wrote to memory of 2036	1304	cmd.exe	cmd.exe
PID 1304 wrote to memory of 2036	1304	cmd.exe	cmd.exe
PID 1304 wrote to memory of 2036	1304	cmd.exe	cmd.exe
PID 2036 wrote to memory of 3720	2036	cmd.exe	ComputerDefaults.exe
PID 2036 wrote to memory of 3720	2036	cmd.exe	ComputerDefaults.exe
PID 3720 wrote to memory of 3192	3720	ComputerDefaults.exe	cmd.exe
PID 3720 wrote to memory of 3192	3720	ComputerDefaults.exe	cmd.exe
PID 2036 wrote to memory of 2136	2036	cmd.exe	PING.EXE
PID 2036 wrote to memory of 2136	2036	cmd.exe	PING.EXE
PID 2036 wrote to memory of 2136	2036	cmd.exe	PING.EXE
PID 3192 wrote to memory of 2556	3192	cmd.exe	powershell.exe
PID 3192 wrote to memory of 2556	3192	cmd.exe	powershell.exe
PID 3000 wrote to memory of 2508	3000	Explorer.EXE	wlanext.exe
PID 3000 wrote to memory of 2508	3000	Explorer.EXE	wlanext.exe
PID 3000 wrote to memory of 2508	3000	Explorer.EXE	wlanext.exe
PID 2508 wrote to memory of 1372	2508	wlanext.exe	cmd.exe
PID 2508 wrote to memory of 1372	2508	wlanext.exe	cmd.exe
PID 2508 wrote to memory of 1372	2508	wlanext.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3000

C:\Users\Admin\AppData\Local\Temp\Jpcobmxenkifocexvfhjaqibxbbcwurkhq.exe
"C:\Users\Admin\AppData\Local\Temp\Jpcobmxenkifocexvfhjaqibxbbcwurkhq.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2780

C:\Windows\SysWOW64\logagent.exe
C:\Windows\System32\logagent.exe
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Contacts\Jpcobmxenkt.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\Contacts\JpcobmxenkO.bat
4⤵
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows \System32\ComputerDefaults.exe
"C:\Windows \System32\ComputerDefaults.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows \system32\KDECO.bat""
6⤵
- Suspicious use of WriteProcessMemory
PID:3192

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2556

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 6
5⤵
- Runs ping.exe
PID:2136

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:3764

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2508

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\logagent.exe"
3⤵
PID:1372

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Contacts\ComputerDefaults.exe
MD5
495f18535bbba007a18ec5ee708318fe

SHA1
991100111548b5cc7a09c65797543898dab34fd3

SHA256
64959878420834ffdf17823f1cc507261f1cef286ff476777c4f3da7d17afa24

SHA512
ab16974e135cc74c26a58d01820026dcbb57dd52c2da143ce96aa4f6bc4cddda3926a1b07e9429c430f653503c7a8a679bc0da4a6fb657057890d9fc4d752b4b

Download Submit
C:\Users\Admin\Contacts\JpcobmxenkO.bat
MD5
1ed9fbc4b43b9afb48d089e9cc5fe5fc

SHA1
005f37cbcb2c8fe85ff83ead0e4a3282130c2cf5

SHA256
be39b65cfbae921d0a42d2958f14a9dc783ace7a3880efeec0b0a5293f4dece4

SHA512
f99118c532ab00eccb608d2a385b5ff51bb4c461b51c51ee01eb9445b11ed98ee0b2975518d0e7e9570f80601d08344812d26278ffabcb9afc2ab0942f705fdf

Download Submit
C:\Users\Admin\Contacts\Jpcobmxenkt.bat
MD5
2c3ed647cb71e286c879e5fbf9ba2448

SHA1
0fb61b0368b340e2f7fe417dcce56fc78647bce8

SHA256
14afdff1cc4a2c742ca3bef0186b6b966b3907944d83be98d0e564f5feab225c

SHA512
6d7744000848c087998fe8c49b2872d5e679312989e50cded70b920080999e164d1633f723183ef92ec586fa78193e69b99cbfdb8fd2c08f7b2825d6aacf8f3c

Download Submit
C:\Users\Admin\Contacts\KDECO.bat
MD5
213c60adf1c9ef88dc3c9b2d579959d2

SHA1
e4d2ad7b22b1a8b5b1f7a702b303c7364b0ee021

SHA256
37c59c8398279916cfce45f8c5e3431058248f5e3bef4d9f5c0f44a7d564f82e

SHA512
fe897d9caa306b0e761b2fd61bb5dc32a53bfaad1ce767c6860af4e3ad59c8f3257228a6e1072dab0f990cb51c59c648084ba419ac6bc5c0a99bdffa569217b7

Download Submit
C:\Users\Admin\Contacts\propsys.dll
MD5
24436256806530d3a75f82d019c10666

SHA1
78d794ef9f7b9ff710a51175852342a095d74fe0

SHA256
8010cc9ea70156767432d0b7e719cf6338bf3f1fc675e2e560bd43b3f0c1fd0c

SHA512
354419e36e5fd422c21218a590af17cfe64355dd5b10fd16a98b815a06caa5490428ca095eddb5831d34976f7685a0859c8d9971d6ea4865bb1f116b74c1f500

Download Submit
C:\Windows \System32\ComputerDefaults.exe
MD5
495f18535bbba007a18ec5ee708318fe

SHA1
991100111548b5cc7a09c65797543898dab34fd3

SHA256
64959878420834ffdf17823f1cc507261f1cef286ff476777c4f3da7d17afa24

SHA512
ab16974e135cc74c26a58d01820026dcbb57dd52c2da143ce96aa4f6bc4cddda3926a1b07e9429c430f653503c7a8a679bc0da4a6fb657057890d9fc4d752b4b

Download Submit
C:\Windows \System32\PROPSYS.dll
MD5
24436256806530d3a75f82d019c10666

SHA1
78d794ef9f7b9ff710a51175852342a095d74fe0

SHA256
8010cc9ea70156767432d0b7e719cf6338bf3f1fc675e2e560bd43b3f0c1fd0c

SHA512
354419e36e5fd422c21218a590af17cfe64355dd5b10fd16a98b815a06caa5490428ca095eddb5831d34976f7685a0859c8d9971d6ea4865bb1f116b74c1f500

Download Submit
C:\windows \system32\KDECO.bat
MD5
213c60adf1c9ef88dc3c9b2d579959d2

SHA1
e4d2ad7b22b1a8b5b1f7a702b303c7364b0ee021

SHA256
37c59c8398279916cfce45f8c5e3431058248f5e3bef4d9f5c0f44a7d564f82e

SHA512
fe897d9caa306b0e761b2fd61bb5dc32a53bfaad1ce767c6860af4e3ad59c8f3257228a6e1072dab0f990cb51c59c648084ba419ac6bc5c0a99bdffa569217b7

Download Submit
\Windows \System32\propsys.dll
MD5
24436256806530d3a75f82d019c10666

SHA1
78d794ef9f7b9ff710a51175852342a095d74fe0

SHA256
8010cc9ea70156767432d0b7e719cf6338bf3f1fc675e2e560bd43b3f0c1fd0c

SHA512
354419e36e5fd422c21218a590af17cfe64355dd5b10fd16a98b815a06caa5490428ca095eddb5831d34976f7685a0859c8d9971d6ea4865bb1f116b74c1f500

Download Submit
memory/2508-264-0x0000000000B20000-0x0000000000E40000-memory.dmp

Filesize
3.1MB

Download
memory/2508-263-0x0000000000480000-0x00000000004AF000-memory.dmp

Filesize
188KB

Download
memory/2508-265-0x0000000000980000-0x0000000000B11000-memory.dmp

Filesize
1.6MB

Download
memory/2508-262-0x0000000001260000-0x0000000001277000-memory.dmp

Filesize
92KB

Download
memory/2556-224-0x000001953A190000-0x000001953A1B2000-memory.dmp

Filesize
136KB

Download
memory/2556-227-0x000001953A1F3000-0x000001953A1F5000-memory.dmp

Filesize
8KB

Download
memory/2556-230-0x000001953A5E0000-0x000001953A656000-memory.dmp

Filesize
472KB

Download
memory/2556-236-0x000001953A1F6000-0x000001953A1F8000-memory.dmp

Filesize
8KB

Download
memory/2556-225-0x000001953A1F0000-0x000001953A1F2000-memory.dmp

Filesize
8KB

Download
memory/2780-115-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/2984-226-0x0000000004580000-0x00000000048A0000-memory.dmp

Filesize
3.1MB

Download
memory/2984-237-0x0000000002A40000-0x0000000002A54000-memory.dmp

Filesize
80KB

Download
memory/2984-210-0x0000000072480000-0x00000000724AF000-memory.dmp

Filesize
188KB

Download
memory/2984-209-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/3000-238-0x0000000005880000-0x0000000005A21000-memory.dmp

Filesize
1.6MB

Download
memory/3000-266-0x0000000003420000-0x00000000034C9000-memory.dmp

Filesize
676KB

Download