formbook | b45ff8555c636c41fcf21d1c755229682de05208da77ba4a6c3cc321fd342af8

General

Target

jay.exe
Size

264KB
MD5

38f7e0b6fe905626e34446af373a7a14
SHA1

0fb7d32aa3da0ce81bd47acf3f85571ad78a2821
SHA256

b45ff8555c636c41fcf21d1c755229682de05208da77ba4a6c3cc321fd342af8
SHA512

eb3de471218197032eadcf7c2f2cab3b785fe93eb881378a876536e393e1e93d2ee8aadac4168bfc606cbda0bc47880543c4905a186aad46f6111d924666a310

Score

10^/10

formbook jy0b rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

jy0b

Decoy

lamejorimagen.com

mykabukibrush.com

modgon.com

barefoottherapeutics.com

shimpeg.net

trade-sniper.com

chiangkhancityhotel.com

joblessmoni.club

stespritsubways.com

chico-group.com

nni8.xyz

searchtypically.online

jobsyork.com

bestsales-crypto.com

iqmarketing.info

bullcityphotobooths.com

fwssc.icu

1oc87s.icu

usdiesel.xyz

secrets2optimumnutrition.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2532-126-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2532-131-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/1152-139-0x0000000000BC0000-0x0000000000BEF000-memory.dmp	formbook

Loads dropped DLL 1 IoCs

Processes:

jay.exe

pid process

4504 jay.exe

pid	process
4504	jay.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

jay.exejay.execscript.exe

description	pid	process	target process
PID 4504 set thread context of 2532	4504	jay.exe	jay.exe
PID 2532 set thread context of 500	2532	jay.exe	Explorer.EXE
PID 2532 set thread context of 500	2532	jay.exe	Explorer.EXE
PID 1152 set thread context of 500	1152	cscript.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

jay.execscript.exe

pid	process
2532	jay.exe
2532	jay.exe
2532	jay.exe
2532	jay.exe
2532	jay.exe
2532	jay.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe
1152	cscript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

500 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

jay.execscript.exe

pid process

2532 jay.exe
2532 jay.exe
2532 jay.exe
2532 jay.exe
1152 cscript.exe
1152 cscript.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

jay.execscript.exe

description pid process

Token: SeDebugPrivilege 2532 jay.exe
Token: SeDebugPrivilege 1152 cscript.exe

pid	process
500	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	2532	jay.exe
Token: SeDebugPrivilege	1152	cscript.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

jay.exeExplorer.EXEcscript.exe

description	pid	process	target process
PID 4504 wrote to memory of 2532	4504	jay.exe	jay.exe
PID 4504 wrote to memory of 2532	4504	jay.exe	jay.exe
PID 4504 wrote to memory of 2532	4504	jay.exe	jay.exe
PID 4504 wrote to memory of 2532	4504	jay.exe	jay.exe
PID 4504 wrote to memory of 2532	4504	jay.exe	jay.exe
PID 4504 wrote to memory of 2532	4504	jay.exe	jay.exe
PID 500 wrote to memory of 1152	500	Explorer.EXE	cscript.exe
PID 500 wrote to memory of 1152	500	Explorer.EXE	cscript.exe
PID 500 wrote to memory of 1152	500	Explorer.EXE	cscript.exe
PID 1152 wrote to memory of 5116	1152	cscript.exe	cmd.exe
PID 1152 wrote to memory of 5116	1152	cscript.exe	cmd.exe
PID 1152 wrote to memory of 5116	1152	cscript.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:500

C:\Users\Admin\AppData\Local\Temp\jay.exe
"C:\Users\Admin\AppData\Local\Temp\jay.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4504

C:\Users\Admin\AppData\Local\Temp\jay.exe
"C:\Users\Admin\AppData\Local\Temp\jay.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2532

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\jay.exe"
3⤵
PID:5116

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nshA7DE.tmp\wzlnr.dll
Filesize
43KB

MD5
234c2ab51d3099688f0a00151ae35651

SHA1
b6b29ea47b650b412c8e6b49695699db5aa24b9c

SHA256
30bece4f9e1dcfe6cf9cc063f4a53e229d272dc0be84e51ce3050844b1644a48

SHA512
12970f770ef2538929c2ea9e26a2ba8b2c4c0e73084828628f5a71a1d2d378f9f3aa3f93644053154b445211cbfce9eadf420edbe6601fb3a608564ea4cb932f

Download Submit
memory/500-135-0x0000000008580000-0x00000000086B5000-memory.dmp

Filesize
1.2MB

Download
memory/500-142-0x00000000087D0000-0x00000000088C1000-memory.dmp

Filesize
964KB

Download
memory/500-130-0x00000000073C0000-0x0000000007488000-memory.dmp

Filesize
800KB

Download
memory/1152-141-0x0000000002D50000-0x0000000002DE3000-memory.dmp

Filesize
588KB

Download
memory/1152-140-0x0000000002EE0000-0x000000000322A000-memory.dmp

Filesize
3.3MB

Download
memory/1152-139-0x0000000000BC0000-0x0000000000BEF000-memory.dmp

Filesize
188KB

Download
memory/1152-138-0x00000000005D0000-0x00000000005F7000-memory.dmp

Filesize
156KB

Download
memory/1152-136-0x0000000000000000-mapping.dmp

Download
memory/2532-129-0x0000000000B50000-0x0000000000E9A000-memory.dmp

Filesize
3.3MB

Download
memory/2532-134-0x0000000000A40000-0x0000000000A54000-memory.dmp

Filesize
80KB

Download
memory/2532-131-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2532-132-0x00000000009E0000-0x00000000009F4000-memory.dmp

Filesize
80KB

Download
memory/2532-126-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2532-125-0x0000000000000000-mapping.dmp

Download
memory/4504-127-0x0000000074C70000-0x0000000074C80000-memory.dmp

Filesize
64KB

Download
memory/5116-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads