formbook | d2a40596de9ecbb325f4d6a7dced2a1bccec1cc8f83f786940835e83e1bc05dc

General

Target

jestseewer.exe
Size

1.1MB
MD5

c2744465d0bedc9aa98714338225a6f3
SHA1

3c50e3d5b630aa6a8015b349b4e18169b6c297da
SHA256

d2a40596de9ecbb325f4d6a7dced2a1bccec1cc8f83f786940835e83e1bc05dc
SHA512

2eacf21b0b560ef3e7652c4e543fea5aad247f35562f746c9cfb178822dba752c14f6dfacd8c699f69af2f2d0d18ccd1b5be1901a1f79fe5951db896c277be03
SSDEEP

24576:iAOcZXp07zxTM+FFyvJjjcepfSjE+vRPGQFV0aBTjWFqwA4:oXzJZFYvhjdqvtGQFV9jWx

Score

10^/10

formbook je14 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

je14

Decoy

innervisionbuildings.com

theenergysocialite.com

565548.com

panghr.com

onlyonesolutions.com

stjohnzone6.com

cnotes.rest

helfeb.online

xixi-s-inc.club

easilyentered.com

theshopx.store

mrclean-ac.com

miamibeachwateradventures.com

jpearce.co.uk

seseragi-bunkou.com

minimaddie.com

commbank-help-849c3.com

segohandelsonderneming.com

namthanhreal.com

fototerapi.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 10 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1772-68-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1772-69-0x000000000041F120-mapping.dmp	formbook
behavioral1/memory/2040-72-0x0000000000400000-0x0000000000A1C000-memory.dmp	formbook
behavioral1/memory/2040-73-0x000000000041F120-mapping.dmp	formbook
behavioral1/memory/2040-83-0x0000000000400000-0x0000000000A1C000-memory.dmp	formbook
behavioral1/memory/912-87-0x00000000000C0000-0x00000000000EF000-memory.dmp	formbook
behavioral1/memory/1772-88-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1772-93-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/624-95-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/912-99-0x00000000000C0000-0x00000000000EF000-memory.dmp	formbook

Executes dropped EXE 1 IoCs

Processes:

eqhxkjjkof.pif

pid process

1396 eqhxkjjkof.pif
Loads dropped DLL 4 IoCs

Processes:

jestseewer.exe

pid process

864 jestseewer.exe
864 jestseewer.exe
864 jestseewer.exe
864 jestseewer.exe

pid	process
1396	eqhxkjjkof.pif

pid	process
864	jestseewer.exe
864	jestseewer.exe
864	jestseewer.exe
864	jestseewer.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

eqhxkjjkof.pifRegSvcs.exeRegSvcs.exesvchost.exe

description	pid	process	target process
PID 1396 set thread context of 1772	1396	eqhxkjjkof.pif	RegSvcs.exe
PID 1396 set thread context of 2040	1396	eqhxkjjkof.pif	RegSvcs.exe
PID 2040 set thread context of 1236	2040	RegSvcs.exe	Explorer.EXE
PID 1772 set thread context of 1236	1772	RegSvcs.exe	Explorer.EXE
PID 1772 set thread context of 1236	1772	RegSvcs.exe	Explorer.EXE
PID 912 set thread context of 1236	912	svchost.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

RegSvcs.exeRegSvcs.exesvchost.exemsdt.exe

pid	process
2040	RegSvcs.exe
2040	RegSvcs.exe
1772	RegSvcs.exe
1772	RegSvcs.exe
912	svchost.exe
912	svchost.exe
1772	RegSvcs.exe
624	msdt.exe
912	svchost.exe
912	svchost.exe
912	svchost.exe
912	svchost.exe
912	svchost.exe
912	svchost.exe
912	svchost.exe
912	svchost.exe
912	svchost.exe
912	svchost.exe
912	svchost.exe
912	svchost.exe
912	svchost.exe
912	svchost.exe
912	svchost.exe
912	svchost.exe
912	svchost.exe
912	svchost.exe
912	svchost.exe
912	svchost.exe
912	svchost.exe
912	svchost.exe

Suspicious behavior: MapViewOfSection 9 IoCs

Processes:

RegSvcs.exeRegSvcs.exesvchost.exe

pid process

2040 RegSvcs.exe
1772 RegSvcs.exe
2040 RegSvcs.exe
2040 RegSvcs.exe
912 svchost.exe
1772 RegSvcs.exe
1772 RegSvcs.exe
1772 RegSvcs.exe
912 svchost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

RegSvcs.exeRegSvcs.exesvchost.exemsdt.exe

description	pid	process
Token: SeDebugPrivilege	2040	RegSvcs.exe
Token: SeDebugPrivilege	1772	RegSvcs.exe
Token: SeDebugPrivilege	912	svchost.exe
Token: SeDebugPrivilege	624	msdt.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1236 Explorer.EXE
1236 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1236 Explorer.EXE
1236 Explorer.EXE

pid	process
1236	Explorer.EXE
1236	Explorer.EXE

pid	process
1236	Explorer.EXE
1236	Explorer.EXE

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

jestseewer.exeeqhxkjjkof.pifExplorer.EXEsvchost.exe

description	pid	process	target process
PID 864 wrote to memory of 1396	864	jestseewer.exe	eqhxkjjkof.pif
PID 864 wrote to memory of 1396	864	jestseewer.exe	eqhxkjjkof.pif
PID 864 wrote to memory of 1396	864	jestseewer.exe	eqhxkjjkof.pif
PID 864 wrote to memory of 1396	864	jestseewer.exe	eqhxkjjkof.pif
PID 864 wrote to memory of 1396	864	jestseewer.exe	eqhxkjjkof.pif
PID 864 wrote to memory of 1396	864	jestseewer.exe	eqhxkjjkof.pif
PID 864 wrote to memory of 1396	864	jestseewer.exe	eqhxkjjkof.pif
PID 1396 wrote to memory of 2040	1396	eqhxkjjkof.pif	RegSvcs.exe
PID 1396 wrote to memory of 2040	1396	eqhxkjjkof.pif	RegSvcs.exe
PID 1396 wrote to memory of 2040	1396	eqhxkjjkof.pif	RegSvcs.exe
PID 1396 wrote to memory of 2040	1396	eqhxkjjkof.pif	RegSvcs.exe
PID 1396 wrote to memory of 2040	1396	eqhxkjjkof.pif	RegSvcs.exe
PID 1396 wrote to memory of 2040	1396	eqhxkjjkof.pif	RegSvcs.exe
PID 1396 wrote to memory of 2040	1396	eqhxkjjkof.pif	RegSvcs.exe
PID 1396 wrote to memory of 1772	1396	eqhxkjjkof.pif	RegSvcs.exe
PID 1396 wrote to memory of 1772	1396	eqhxkjjkof.pif	RegSvcs.exe
PID 1396 wrote to memory of 1772	1396	eqhxkjjkof.pif	RegSvcs.exe
PID 1396 wrote to memory of 1772	1396	eqhxkjjkof.pif	RegSvcs.exe
PID 1396 wrote to memory of 1772	1396	eqhxkjjkof.pif	RegSvcs.exe
PID 1396 wrote to memory of 1772	1396	eqhxkjjkof.pif	RegSvcs.exe
PID 1396 wrote to memory of 1772	1396	eqhxkjjkof.pif	RegSvcs.exe
PID 1396 wrote to memory of 1772	1396	eqhxkjjkof.pif	RegSvcs.exe
PID 1396 wrote to memory of 1772	1396	eqhxkjjkof.pif	RegSvcs.exe
PID 1396 wrote to memory of 1772	1396	eqhxkjjkof.pif	RegSvcs.exe
PID 1396 wrote to memory of 2040	1396	eqhxkjjkof.pif	RegSvcs.exe
PID 1396 wrote to memory of 2040	1396	eqhxkjjkof.pif	RegSvcs.exe
PID 1236 wrote to memory of 912	1236	Explorer.EXE	svchost.exe
PID 1236 wrote to memory of 912	1236	Explorer.EXE	svchost.exe
PID 1236 wrote to memory of 912	1236	Explorer.EXE	svchost.exe
PID 1236 wrote to memory of 912	1236	Explorer.EXE	svchost.exe
PID 912 wrote to memory of 336	912	svchost.exe	cmd.exe
PID 912 wrote to memory of 336	912	svchost.exe	cmd.exe
PID 912 wrote to memory of 336	912	svchost.exe	cmd.exe
PID 912 wrote to memory of 336	912	svchost.exe	cmd.exe
PID 1236 wrote to memory of 624	1236	Explorer.EXE	msdt.exe
PID 1236 wrote to memory of 624	1236	Explorer.EXE	msdt.exe
PID 1236 wrote to memory of 624	1236	Explorer.EXE	msdt.exe
PID 1236 wrote to memory of 624	1236	Explorer.EXE	msdt.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1236

C:\Users\Admin\AppData\Local\Temp\jestseewer.exe
"C:\Users\Admin\AppData\Local\Temp\jestseewer.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:864

C:\Users\Admin\AppData\Roaming\9_69\eqhxkjjkof.pif
"C:\Users\Admin\AppData\Roaming\9_69\eqhxkjjkof.pif" pjubdliuxm.vxl
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:336

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:624

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\9_69\eqhxkjjkof.pif
Filesize
906KB

MD5
f28aa08788132e64db4b8918ee2430b1

SHA1
ef32b1023a89dc36d7c5e98e22845fe87c5efef2

SHA256
f99b9fc041c177f0bee2c82d09f451ef0833696111b1b37cbfff8c975232ece2

SHA512
689cf6118061aa9e7d4b78118db99338aa767433df511610d471a989825a84a53119310248ed3870b10e48e77b47c429ef5a276dbc9c4ec53a7588e16093b50f

Download Submit
C:\Users\Admin\AppData\Roaming\9_69\hdhvijr.aqo
Filesize
370KB

MD5
7cd5048c8d058a9b417310b6a0a6677e

SHA1
11963e0819174eca2f320b028c484ece23abc834

SHA256
9fd373d752d24341de34a5fc995ba1b32041312a416ca69ccbedd96c0e50ed17

SHA512
b20455dc4a8bc09b009fb7ea6e649ed5d163e88baaaedfb5851da6aedb90523953f580e1eb9244f147782ad036384170ba2f68943be7694cbbb4e794d3ea012c

Download Submit
C:\Users\Admin\AppData\Roaming\9_69\keapunbfxl.xls
Filesize
44KB

MD5
2de51c2b93f68802b282f586c0be4489

SHA1
37733634e559bacd1273f078f8e39b0ba545a09f

SHA256
594dc478a8511e6ead7105bf87a93a746729f64b8eea0f4ce8d489981af4791f

SHA512
7fc91159c5b3c2f1c9e4af18a4e8705b3909035198e05a32f9930592b47dcfac71857c1bc2af62fe0312dda9deb2d87de9639f1727f53daa25f1f675720090de

Download Submit
C:\Users\Admin\AppData\Roaming\9_69\pjubdliuxm.vxl
Filesize
140.7MB

MD5
85de3305ce7b6461a266166d318c6296

SHA1
40d6336acbd0ab4152779d0dd78988ec245f78b0

SHA256
7336e8c7f812f6d657785f5ad22c04f712fbbcb27dc1c4c216b5d1035aa6f86c

SHA512
26c7689c5b3bf5cb9bb19776d2b70ae3d2151bc471e42d6c48e255a4880005bba4d288697e8357480108fa7b289b1973f41ac0151c8073191ae7b4fc07c0d456

Download Submit
\Users\Admin\AppData\Roaming\9_69\eqhxkjjkof.pif
Filesize
906KB

MD5
f28aa08788132e64db4b8918ee2430b1

SHA1
ef32b1023a89dc36d7c5e98e22845fe87c5efef2

SHA256
f99b9fc041c177f0bee2c82d09f451ef0833696111b1b37cbfff8c975232ece2

SHA512
689cf6118061aa9e7d4b78118db99338aa767433df511610d471a989825a84a53119310248ed3870b10e48e77b47c429ef5a276dbc9c4ec53a7588e16093b50f

Download Submit
\Users\Admin\AppData\Roaming\9_69\eqhxkjjkof.pif
Filesize
906KB

MD5
f28aa08788132e64db4b8918ee2430b1

SHA1
ef32b1023a89dc36d7c5e98e22845fe87c5efef2

SHA256
f99b9fc041c177f0bee2c82d09f451ef0833696111b1b37cbfff8c975232ece2

SHA512
689cf6118061aa9e7d4b78118db99338aa767433df511610d471a989825a84a53119310248ed3870b10e48e77b47c429ef5a276dbc9c4ec53a7588e16093b50f

Download Submit
\Users\Admin\AppData\Roaming\9_69\eqhxkjjkof.pif
Filesize
906KB

MD5
f28aa08788132e64db4b8918ee2430b1

SHA1
ef32b1023a89dc36d7c5e98e22845fe87c5efef2

SHA256
f99b9fc041c177f0bee2c82d09f451ef0833696111b1b37cbfff8c975232ece2

SHA512
689cf6118061aa9e7d4b78118db99338aa767433df511610d471a989825a84a53119310248ed3870b10e48e77b47c429ef5a276dbc9c4ec53a7588e16093b50f

Download Submit
\Users\Admin\AppData\Roaming\9_69\eqhxkjjkof.pif
Filesize
906KB

MD5
f28aa08788132e64db4b8918ee2430b1

SHA1
ef32b1023a89dc36d7c5e98e22845fe87c5efef2

SHA256
f99b9fc041c177f0bee2c82d09f451ef0833696111b1b37cbfff8c975232ece2

SHA512
689cf6118061aa9e7d4b78118db99338aa767433df511610d471a989825a84a53119310248ed3870b10e48e77b47c429ef5a276dbc9c4ec53a7588e16093b50f

Download Submit
memory/336-84-0x0000000000000000-mapping.dmp

Download
memory/624-91-0x0000000000000000-mapping.dmp

Download
memory/624-95-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/624-94-0x00000000000B0000-0x00000000001A4000-memory.dmp

Filesize
976KB

Download
memory/624-96-0x00000000022C0000-0x00000000025C3000-memory.dmp

Filesize
3.0MB

Download
memory/864-54-0x0000000076321000-0x0000000076323000-memory.dmp

Filesize
8KB

Download
memory/912-85-0x0000000000740000-0x0000000000A43000-memory.dmp

Filesize
3.0MB

Download
memory/912-97-0x0000000000450000-0x00000000004E3000-memory.dmp

Filesize
588KB

Download
memory/912-99-0x00000000000C0000-0x00000000000EF000-memory.dmp

Filesize
188KB

Download
memory/912-87-0x00000000000C0000-0x00000000000EF000-memory.dmp

Filesize
188KB

Download
memory/912-82-0x0000000000000000-mapping.dmp

Download
memory/912-86-0x0000000000D10000-0x0000000000D18000-memory.dmp

Filesize
32KB

Download
memory/1236-98-0x0000000006DA0000-0x0000000006E93000-memory.dmp

Filesize
972KB

Download
memory/1236-100-0x0000000006DA0000-0x0000000006E93000-memory.dmp

Filesize
972KB

Download
memory/1236-90-0x00000000063B0000-0x000000000653D000-memory.dmp

Filesize
1.6MB

Download
memory/1236-79-0x00000000048D0000-0x00000000049E0000-memory.dmp

Filesize
1.1MB

Download
memory/1236-81-0x0000000006170000-0x00000000062D5000-memory.dmp

Filesize
1.4MB

Download
memory/1396-59-0x0000000000000000-mapping.dmp

Download
memory/1772-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1772-93-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1772-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1772-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1772-89-0x0000000000270000-0x0000000000284000-memory.dmp

Filesize
80KB

Download
memory/1772-80-0x00000000001E0000-0x00000000001F4000-memory.dmp

Filesize
80KB

Download
memory/1772-68-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1772-69-0x000000000041F120-mapping.dmp

Download
memory/1772-77-0x00000000008C0000-0x0000000000BC3000-memory.dmp

Filesize
3.0MB

Download
memory/2040-73-0x000000000041F120-mapping.dmp

Download
memory/2040-72-0x0000000000400000-0x0000000000A1C000-memory.dmp

Filesize
6.1MB

Download
memory/2040-70-0x0000000000400000-0x0000000000A1C000-memory.dmp

Filesize
6.1MB

Download
memory/2040-83-0x0000000000400000-0x0000000000A1C000-memory.dmp

Filesize
6.1MB

Download
memory/2040-76-0x0000000001010000-0x0000000001313000-memory.dmp

Filesize
3.0MB

Download
memory/2040-78-0x00000000001A0000-0x00000000001B4000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads