formbook | 02bdbd4777fc54081f239ce8936bb56d899ec58fe61437875f09227a55a74920

General

Target

jetsoff8906.exe
Size

1.1MB
MD5

69eddb992ebe64f55d5da7a653c1e1d7
SHA1

91429f21a3a7e97b77421b615233be645d096987
SHA256

02bdbd4777fc54081f239ce8936bb56d899ec58fe61437875f09227a55a74920
SHA512

d68e0280c175e08c0c64701fc32cd44eb8cc9584a1c5adbf379ea10139361844608465b9685398dea604fc1bcd0ec040e7d886bc94c0a888f6e0f81e7c57a657
SSDEEP

24576:UAOcZXcxP6BS0sRWuogs+VocwuP3h3jKaGAuvZG31RMaas/x4p:CHasRWuogTVocwuPhNQA3XM91

Score

10^/10

formbook je14 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

je14

Decoy

innervisionbuildings.com

theenergysocialite.com

565548.com

panghr.com

onlyonesolutions.com

stjohnzone6.com

cnotes.rest

helfeb.online

xixi-s-inc.club

easilyentered.com

theshopx.store

mrclean-ac.com

miamibeachwateradventures.com

jpearce.co.uk

seseragi-bunkou.com

minimaddie.com

commbank-help-849c3.com

segohandelsonderneming.com

namthanhreal.com

fototerapi.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 9 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1764-69-0x000000000041F120-mapping.dmp	formbook
behavioral1/memory/1764-68-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1464-72-0x0000000000400000-0x0000000000B2F000-memory.dmp	formbook
behavioral1/memory/1464-73-0x000000000041F120-mapping.dmp	formbook
behavioral1/memory/1464-76-0x0000000000400000-0x0000000000B2F000-memory.dmp	formbook
behavioral1/memory/1764-84-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1768-89-0x0000000000090000-0x00000000000BF000-memory.dmp	formbook
behavioral1/memory/1232-93-0x0000000000180000-0x00000000001AF000-memory.dmp	formbook
behavioral1/memory/1232-96-0x0000000000180000-0x00000000001AF000-memory.dmp	formbook

Executes dropped EXE 1 IoCs

Processes:

msvbrvkxv.pif

pid process

1440 msvbrvkxv.pif
Loads dropped DLL 4 IoCs

Processes:

jetsoff8906.exe

pid process

1340 jetsoff8906.exe
1340 jetsoff8906.exe
1340 jetsoff8906.exe
1340 jetsoff8906.exe

pid	process
1440	msvbrvkxv.pif

pid	process
1340	jetsoff8906.exe
1340	jetsoff8906.exe
1340	jetsoff8906.exe
1340	jetsoff8906.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

msvbrvkxv.pifRegSvcs.exeRegSvcs.exewscript.exe

description	pid	process	target process
PID 1440 set thread context of 1764	1440	msvbrvkxv.pif	RegSvcs.exe
PID 1440 set thread context of 1464	1440	msvbrvkxv.pif	RegSvcs.exe
PID 1764 set thread context of 1208	1764	RegSvcs.exe	Explorer.EXE
PID 1464 set thread context of 1208	1464	RegSvcs.exe	Explorer.EXE
PID 1232 set thread context of 1208	1232	wscript.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

RegSvcs.exeRegSvcs.exewscript.execmstp.exe

pid	process
1764	RegSvcs.exe
1764	RegSvcs.exe
1464	RegSvcs.exe
1464	RegSvcs.exe
1232	wscript.exe
1768	cmstp.exe
1232	wscript.exe
1232	wscript.exe
1232	wscript.exe
1232	wscript.exe
1232	wscript.exe
1232	wscript.exe
1232	wscript.exe
1232	wscript.exe
1232	wscript.exe
1232	wscript.exe
1232	wscript.exe
1232	wscript.exe
1232	wscript.exe
1232	wscript.exe
1232	wscript.exe
1232	wscript.exe
1232	wscript.exe
1232	wscript.exe
1232	wscript.exe
1232	wscript.exe
1232	wscript.exe
1232	wscript.exe
1232	wscript.exe

Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

RegSvcs.exeRegSvcs.exewscript.exe

pid process

1764 RegSvcs.exe
1464 RegSvcs.exe
1764 RegSvcs.exe
1764 RegSvcs.exe
1464 RegSvcs.exe
1464 RegSvcs.exe
1232 wscript.exe
1232 wscript.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

RegSvcs.exeRegSvcs.exewscript.execmstp.exe

description	pid	process
Token: SeDebugPrivilege	1764	RegSvcs.exe
Token: SeDebugPrivilege	1464	RegSvcs.exe
Token: SeDebugPrivilege	1232	wscript.exe
Token: SeDebugPrivilege	1768	cmstp.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1208 Explorer.EXE
1208 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1208 Explorer.EXE
1208 Explorer.EXE

pid	process
1208	Explorer.EXE
1208	Explorer.EXE

pid	process
1208	Explorer.EXE
1208	Explorer.EXE

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

jetsoff8906.exemsvbrvkxv.pifExplorer.EXEwscript.exe

description	pid	process	target process
PID 1340 wrote to memory of 1440	1340	jetsoff8906.exe	msvbrvkxv.pif
PID 1340 wrote to memory of 1440	1340	jetsoff8906.exe	msvbrvkxv.pif
PID 1340 wrote to memory of 1440	1340	jetsoff8906.exe	msvbrvkxv.pif
PID 1340 wrote to memory of 1440	1340	jetsoff8906.exe	msvbrvkxv.pif
PID 1340 wrote to memory of 1440	1340	jetsoff8906.exe	msvbrvkxv.pif
PID 1340 wrote to memory of 1440	1340	jetsoff8906.exe	msvbrvkxv.pif
PID 1340 wrote to memory of 1440	1340	jetsoff8906.exe	msvbrvkxv.pif
PID 1440 wrote to memory of 1464	1440	msvbrvkxv.pif	RegSvcs.exe
PID 1440 wrote to memory of 1464	1440	msvbrvkxv.pif	RegSvcs.exe
PID 1440 wrote to memory of 1464	1440	msvbrvkxv.pif	RegSvcs.exe
PID 1440 wrote to memory of 1464	1440	msvbrvkxv.pif	RegSvcs.exe
PID 1440 wrote to memory of 1464	1440	msvbrvkxv.pif	RegSvcs.exe
PID 1440 wrote to memory of 1464	1440	msvbrvkxv.pif	RegSvcs.exe
PID 1440 wrote to memory of 1464	1440	msvbrvkxv.pif	RegSvcs.exe
PID 1440 wrote to memory of 1764	1440	msvbrvkxv.pif	RegSvcs.exe
PID 1440 wrote to memory of 1764	1440	msvbrvkxv.pif	RegSvcs.exe
PID 1440 wrote to memory of 1764	1440	msvbrvkxv.pif	RegSvcs.exe
PID 1440 wrote to memory of 1764	1440	msvbrvkxv.pif	RegSvcs.exe
PID 1440 wrote to memory of 1764	1440	msvbrvkxv.pif	RegSvcs.exe
PID 1440 wrote to memory of 1764	1440	msvbrvkxv.pif	RegSvcs.exe
PID 1440 wrote to memory of 1764	1440	msvbrvkxv.pif	RegSvcs.exe
PID 1440 wrote to memory of 1764	1440	msvbrvkxv.pif	RegSvcs.exe
PID 1440 wrote to memory of 1764	1440	msvbrvkxv.pif	RegSvcs.exe
PID 1440 wrote to memory of 1764	1440	msvbrvkxv.pif	RegSvcs.exe
PID 1440 wrote to memory of 1464	1440	msvbrvkxv.pif	RegSvcs.exe
PID 1440 wrote to memory of 1464	1440	msvbrvkxv.pif	RegSvcs.exe
PID 1208 wrote to memory of 1232	1208	Explorer.EXE	wscript.exe
PID 1208 wrote to memory of 1232	1208	Explorer.EXE	wscript.exe
PID 1208 wrote to memory of 1232	1208	Explorer.EXE	wscript.exe
PID 1208 wrote to memory of 1232	1208	Explorer.EXE	wscript.exe
PID 1208 wrote to memory of 1768	1208	Explorer.EXE	cmstp.exe
PID 1208 wrote to memory of 1768	1208	Explorer.EXE	cmstp.exe
PID 1208 wrote to memory of 1768	1208	Explorer.EXE	cmstp.exe
PID 1208 wrote to memory of 1768	1208	Explorer.EXE	cmstp.exe
PID 1208 wrote to memory of 1768	1208	Explorer.EXE	cmstp.exe
PID 1208 wrote to memory of 1768	1208	Explorer.EXE	cmstp.exe
PID 1208 wrote to memory of 1768	1208	Explorer.EXE	cmstp.exe
PID 1232 wrote to memory of 1780	1232	wscript.exe	cmd.exe
PID 1232 wrote to memory of 1780	1232	wscript.exe	cmd.exe
PID 1232 wrote to memory of 1780	1232	wscript.exe	cmd.exe
PID 1232 wrote to memory of 1780	1232	wscript.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1208

C:\Users\Admin\AppData\Local\Temp\jetsoff8906.exe
"C:\Users\Admin\AppData\Local\Temp\jetsoff8906.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1340

C:\Users\Admin\AppData\Roaming\10_95\msvbrvkxv.pif
"C:\Users\Admin\AppData\Roaming\10_95\msvbrvkxv.pif" idrqqwdp.dre
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1232

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:1780

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1768

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\10_95\dvcpwg.bhv
Filesize
370KB

MD5
6ab5bf0e5c0cf24e9d123e98d81702c8

SHA1
8171fb5ca8d9de2fdab72bc17404a8435dc643a5

SHA256
d7c849c15e086045d3a96c88543fe04eef789383edccbf4ff3f93945a9207743

SHA512
5ed0e2b38aec216156f5c360ccd15b64ddad127f321103b8be295ca6fe98853fba4045e20a45257a9d9086258e57b16fffc94275e9d2febd3dd34324f07aab46

Download Submit
C:\Users\Admin\AppData\Roaming\10_95\idrqqwdp.dre
Filesize
156.6MB

MD5
7a3a773624b241dbe5dc747806325e03

SHA1
dce22ee8dd9f7a9204e59a2aa6a83f92260fbb2e

SHA256
bbab596f83345b949c93f7e19902e96ace4e8499ff5fc23162849b46d8af95db

SHA512
070dfcce3ebc76ead33ea928778e0bf487d6dccb83a31c7474d166799c13ecb264fc0bc28b610a06d96e9cdb7409bb962748a948605f063c417adb0d248b22b5

Download Submit
C:\Users\Admin\AppData\Roaming\10_95\msvbrvkxv.pif
Filesize
794KB

MD5
18e404787e9c044105f5c4bec4600bd8

SHA1
9f1015bd7f33a6f3c1cc12c0971f51b1adee1939

SHA256
e15984dc8ea9627d370c40178676490129427e2dc23499f68c9c65c4386fea12

SHA512
c6a1faae524968351b4841665bfe1c5255f7e6c115b7a81a4b6c65626f23f7f15e4bb856914fce15225c33a2e2b6166b3f1f87698895fe0ce4cb084b630c2a5f

Download Submit
C:\Users\Admin\AppData\Roaming\10_95\xbrual.exe
Filesize
35KB

MD5
03416254f04f806585a48a75788ad7ba

SHA1
c869d64aac8abaf8e7e86550cf5c013e838dd2d3

SHA256
08736c3265e3dd2fc11e0c263fdd89072df720b742f145e273f3eb734d41fcfb

SHA512
56ffbc0262925332f195e88102138b8e5b3fa5df943fe61b1ef7a2d0cbc51bf3ea500d89b30f9f1daaf3dc850d547dada81013f4b311a9269511f2b33fd4e645

Download Submit
\Users\Admin\AppData\Roaming\10_95\msvbrvkxv.pif
Filesize
794KB

MD5
18e404787e9c044105f5c4bec4600bd8

SHA1
9f1015bd7f33a6f3c1cc12c0971f51b1adee1939

SHA256
e15984dc8ea9627d370c40178676490129427e2dc23499f68c9c65c4386fea12

SHA512
c6a1faae524968351b4841665bfe1c5255f7e6c115b7a81a4b6c65626f23f7f15e4bb856914fce15225c33a2e2b6166b3f1f87698895fe0ce4cb084b630c2a5f

Download Submit
\Users\Admin\AppData\Roaming\10_95\msvbrvkxv.pif
Filesize
794KB

MD5
18e404787e9c044105f5c4bec4600bd8

SHA1
9f1015bd7f33a6f3c1cc12c0971f51b1adee1939

SHA256
e15984dc8ea9627d370c40178676490129427e2dc23499f68c9c65c4386fea12

SHA512
c6a1faae524968351b4841665bfe1c5255f7e6c115b7a81a4b6c65626f23f7f15e4bb856914fce15225c33a2e2b6166b3f1f87698895fe0ce4cb084b630c2a5f

Download Submit
\Users\Admin\AppData\Roaming\10_95\msvbrvkxv.pif
Filesize
794KB

MD5
18e404787e9c044105f5c4bec4600bd8

SHA1
9f1015bd7f33a6f3c1cc12c0971f51b1adee1939

SHA256
e15984dc8ea9627d370c40178676490129427e2dc23499f68c9c65c4386fea12

SHA512
c6a1faae524968351b4841665bfe1c5255f7e6c115b7a81a4b6c65626f23f7f15e4bb856914fce15225c33a2e2b6166b3f1f87698895fe0ce4cb084b630c2a5f

Download Submit
\Users\Admin\AppData\Roaming\10_95\msvbrvkxv.pif
Filesize
794KB

MD5
18e404787e9c044105f5c4bec4600bd8

SHA1
9f1015bd7f33a6f3c1cc12c0971f51b1adee1939

SHA256
e15984dc8ea9627d370c40178676490129427e2dc23499f68c9c65c4386fea12

SHA512
c6a1faae524968351b4841665bfe1c5255f7e6c115b7a81a4b6c65626f23f7f15e4bb856914fce15225c33a2e2b6166b3f1f87698895fe0ce4cb084b630c2a5f

Download Submit
memory/1208-95-0x0000000006050000-0x0000000006174000-memory.dmp

Filesize
1.1MB

Download
memory/1208-82-0x0000000005E70000-0x0000000005F76000-memory.dmp

Filesize
1.0MB

Download
memory/1208-97-0x0000000006050000-0x0000000006174000-memory.dmp

Filesize
1.1MB

Download
memory/1208-80-0x0000000003F30000-0x0000000004009000-memory.dmp

Filesize
868KB

Download
memory/1232-96-0x0000000000180000-0x00000000001AF000-memory.dmp

Filesize
188KB

Download
memory/1232-91-0x0000000001F10000-0x0000000002213000-memory.dmp

Filesize
3.0MB

Download
memory/1232-94-0x0000000000450000-0x00000000004E3000-memory.dmp

Filesize
588KB

Download
memory/1232-92-0x0000000000500000-0x0000000000526000-memory.dmp

Filesize
152KB

Download
memory/1232-83-0x0000000000000000-mapping.dmp

Download
memory/1232-93-0x0000000000180000-0x00000000001AF000-memory.dmp

Filesize
188KB

Download
memory/1340-54-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download
memory/1440-59-0x0000000000000000-mapping.dmp

Download
memory/1464-70-0x0000000000400000-0x0000000000B2F000-memory.dmp

Filesize
7.2MB

Download
memory/1464-78-0x0000000000F50000-0x0000000001253000-memory.dmp

Filesize
3.0MB

Download
memory/1464-81-0x0000000000120000-0x0000000000134000-memory.dmp

Filesize
80KB

Download
memory/1464-76-0x0000000000400000-0x0000000000B2F000-memory.dmp

Filesize
7.2MB

Download
memory/1464-73-0x000000000041F120-mapping.dmp

Download
memory/1464-72-0x0000000000400000-0x0000000000B2F000-memory.dmp

Filesize
7.2MB

Download
memory/1764-77-0x0000000000A60000-0x0000000000D63000-memory.dmp

Filesize
3.0MB

Download
memory/1764-84-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1764-79-0x00000000002B0000-0x00000000002C4000-memory.dmp

Filesize
80KB

Download
memory/1764-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1764-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1764-68-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1764-69-0x000000000041F120-mapping.dmp

Download
memory/1768-89-0x0000000000090000-0x00000000000BF000-memory.dmp

Filesize
188KB

Download
memory/1768-90-0x0000000002010000-0x0000000002313000-memory.dmp

Filesize
3.0MB

Download
memory/1768-88-0x0000000000A60000-0x0000000000A78000-memory.dmp

Filesize
96KB

Download
memory/1768-85-0x0000000000000000-mapping.dmp

Download
memory/1780-87-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads