formbook | 02bdbd4777fc54081f239ce8936bb56d899ec58fe61437875f09227a55a74920

General

Target

jetsoff8906.exe
Size

1.1MB
MD5

69eddb992ebe64f55d5da7a653c1e1d7
SHA1

91429f21a3a7e97b77421b615233be645d096987
SHA256

02bdbd4777fc54081f239ce8936bb56d899ec58fe61437875f09227a55a74920
SHA512

d68e0280c175e08c0c64701fc32cd44eb8cc9584a1c5adbf379ea10139361844608465b9685398dea604fc1bcd0ec040e7d886bc94c0a888f6e0f81e7c57a657
SSDEEP

24576:UAOcZXcxP6BS0sRWuogs+VocwuP3h3jKaGAuvZG31RMaas/x4p:CHasRWuogTVocwuPhNQA3XM91

Score

10^/10

formbook je14 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

je14

Decoy

innervisionbuildings.com

theenergysocialite.com

565548.com

panghr.com

onlyonesolutions.com

stjohnzone6.com

cnotes.rest

helfeb.online

xixi-s-inc.club

easilyentered.com

theshopx.store

mrclean-ac.com

miamibeachwateradventures.com

jpearce.co.uk

seseragi-bunkou.com

minimaddie.com

commbank-help-849c3.com

segohandelsonderneming.com

namthanhreal.com

fototerapi.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 9 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2016-138-0x0000000000000000-mapping.dmp	formbook
behavioral2/memory/2016-139-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/824-140-0x0000000000400000-0x00000000008BC000-memory.dmp	formbook
behavioral2/memory/824-141-0x000000000041F120-mapping.dmp	formbook
behavioral2/memory/824-152-0x0000000000400000-0x00000000008BC000-memory.dmp	formbook
behavioral2/memory/2016-153-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2188-156-0x0000000000BD0000-0x0000000000BFF000-memory.dmp	formbook
behavioral2/memory/2252-160-0x0000000001050000-0x000000000107F000-memory.dmp	formbook
behavioral2/memory/2252-163-0x0000000001050000-0x000000000107F000-memory.dmp	formbook

Executes dropped EXE 1 IoCs

Processes:

msvbrvkxv.pif

pid process

4192 msvbrvkxv.pif

pid	process
4192	msvbrvkxv.pif

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

jetsoff8906.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	jetsoff8906.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

msvbrvkxv.pifRegSvcs.exeRegSvcs.exeNETSTAT.EXE

description	pid	process	target process
PID 4192 set thread context of 2016	4192	msvbrvkxv.pif	RegSvcs.exe
PID 4192 set thread context of 824	4192	msvbrvkxv.pif	RegSvcs.exe
PID 824 set thread context of 3092	824	RegSvcs.exe	Explorer.EXE
PID 2016 set thread context of 3092	2016	RegSvcs.exe	Explorer.EXE
PID 2252 set thread context of 3092	2252	NETSTAT.EXE	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

2252 NETSTAT.EXE

pid	process
2252	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

RegSvcs.exeRegSvcs.exeNETSTAT.EXEcmmon32.exe

pid	process
824	RegSvcs.exe
824	RegSvcs.exe
2016	RegSvcs.exe
2016	RegSvcs.exe
824	RegSvcs.exe
824	RegSvcs.exe
2016	RegSvcs.exe
2016	RegSvcs.exe
2252	NETSTAT.EXE
2252	NETSTAT.EXE
2188	cmmon32.exe
2188	cmmon32.exe
2252	NETSTAT.EXE
2252	NETSTAT.EXE
2252	NETSTAT.EXE
2252	NETSTAT.EXE
2252	NETSTAT.EXE
2252	NETSTAT.EXE
2252	NETSTAT.EXE
2252	NETSTAT.EXE
2252	NETSTAT.EXE
2252	NETSTAT.EXE
2252	NETSTAT.EXE
2252	NETSTAT.EXE
2252	NETSTAT.EXE
2252	NETSTAT.EXE
2252	NETSTAT.EXE
2252	NETSTAT.EXE
2252	NETSTAT.EXE
2252	NETSTAT.EXE
2252	NETSTAT.EXE
2252	NETSTAT.EXE
2252	NETSTAT.EXE
2252	NETSTAT.EXE
2252	NETSTAT.EXE
2252	NETSTAT.EXE
2252	NETSTAT.EXE
2252	NETSTAT.EXE
2252	NETSTAT.EXE
2252	NETSTAT.EXE
2252	NETSTAT.EXE
2252	NETSTAT.EXE
2252	NETSTAT.EXE
2252	NETSTAT.EXE
2252	NETSTAT.EXE
2252	NETSTAT.EXE
2252	NETSTAT.EXE
2252	NETSTAT.EXE
2252	NETSTAT.EXE
2252	NETSTAT.EXE
2252	NETSTAT.EXE
2252	NETSTAT.EXE
2252	NETSTAT.EXE
2252	NETSTAT.EXE
2252	NETSTAT.EXE
2252	NETSTAT.EXE
2252	NETSTAT.EXE
2252	NETSTAT.EXE
2252	NETSTAT.EXE
2252	NETSTAT.EXE
2252	NETSTAT.EXE
2252	NETSTAT.EXE
2252	NETSTAT.EXE
2252	NETSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3092 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

RegSvcs.exeRegSvcs.exeNETSTAT.EXE

pid process

824 RegSvcs.exe
2016 RegSvcs.exe
824 RegSvcs.exe
824 RegSvcs.exe
2016 RegSvcs.exe
2016 RegSvcs.exe
2252 NETSTAT.EXE
2252 NETSTAT.EXE

pid	process
3092	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

RegSvcs.exeRegSvcs.exeExplorer.EXENETSTAT.EXEcmmon32.exe

description	pid	process
Token: SeDebugPrivilege	824	RegSvcs.exe
Token: SeDebugPrivilege	2016	RegSvcs.exe
Token: SeShutdownPrivilege	3092	Explorer.EXE
Token: SeCreatePagefilePrivilege	3092	Explorer.EXE
Token: SeShutdownPrivilege	3092	Explorer.EXE
Token: SeCreatePagefilePrivilege	3092	Explorer.EXE
Token: SeDebugPrivilege	2252	NETSTAT.EXE
Token: SeDebugPrivilege	2188	cmmon32.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

jetsoff8906.exemsvbrvkxv.pifExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 1560 wrote to memory of 4192	1560	jetsoff8906.exe	msvbrvkxv.pif
PID 1560 wrote to memory of 4192	1560	jetsoff8906.exe	msvbrvkxv.pif
PID 1560 wrote to memory of 4192	1560	jetsoff8906.exe	msvbrvkxv.pif
PID 4192 wrote to memory of 824	4192	msvbrvkxv.pif	RegSvcs.exe
PID 4192 wrote to memory of 824	4192	msvbrvkxv.pif	RegSvcs.exe
PID 4192 wrote to memory of 824	4192	msvbrvkxv.pif	RegSvcs.exe
PID 4192 wrote to memory of 2016	4192	msvbrvkxv.pif	RegSvcs.exe
PID 4192 wrote to memory of 2016	4192	msvbrvkxv.pif	RegSvcs.exe
PID 4192 wrote to memory of 2016	4192	msvbrvkxv.pif	RegSvcs.exe
PID 4192 wrote to memory of 2016	4192	msvbrvkxv.pif	RegSvcs.exe
PID 4192 wrote to memory of 2016	4192	msvbrvkxv.pif	RegSvcs.exe
PID 4192 wrote to memory of 2016	4192	msvbrvkxv.pif	RegSvcs.exe
PID 4192 wrote to memory of 824	4192	msvbrvkxv.pif	RegSvcs.exe
PID 4192 wrote to memory of 824	4192	msvbrvkxv.pif	RegSvcs.exe
PID 3092 wrote to memory of 2252	3092	Explorer.EXE	NETSTAT.EXE
PID 3092 wrote to memory of 2252	3092	Explorer.EXE	NETSTAT.EXE
PID 3092 wrote to memory of 2252	3092	Explorer.EXE	NETSTAT.EXE
PID 3092 wrote to memory of 2188	3092	Explorer.EXE	cmmon32.exe
PID 3092 wrote to memory of 2188	3092	Explorer.EXE	cmmon32.exe
PID 3092 wrote to memory of 2188	3092	Explorer.EXE	cmmon32.exe
PID 2252 wrote to memory of 544	2252	NETSTAT.EXE	cmd.exe
PID 2252 wrote to memory of 544	2252	NETSTAT.EXE	cmd.exe
PID 2252 wrote to memory of 544	2252	NETSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3092

C:\Users\Admin\AppData\Local\Temp\jetsoff8906.exe
"C:\Users\Admin\AppData\Local\Temp\jetsoff8906.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1560

C:\Users\Admin\AppData\Roaming\10_95\msvbrvkxv.pif
"C:\Users\Admin\AppData\Roaming\10_95\msvbrvkxv.pif" idrqqwdp.dre
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4192

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:824

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2252

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:544

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2188

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\10_95\dvcpwg.bhv
Filesize
370KB

MD5
6ab5bf0e5c0cf24e9d123e98d81702c8

SHA1
8171fb5ca8d9de2fdab72bc17404a8435dc643a5

SHA256
d7c849c15e086045d3a96c88543fe04eef789383edccbf4ff3f93945a9207743

SHA512
5ed0e2b38aec216156f5c360ccd15b64ddad127f321103b8be295ca6fe98853fba4045e20a45257a9d9086258e57b16fffc94275e9d2febd3dd34324f07aab46

Download Submit
C:\Users\Admin\AppData\Roaming\10_95\idrqqwdp.dre
Filesize
156.6MB

MD5
7a3a773624b241dbe5dc747806325e03

SHA1
dce22ee8dd9f7a9204e59a2aa6a83f92260fbb2e

SHA256
bbab596f83345b949c93f7e19902e96ace4e8499ff5fc23162849b46d8af95db

SHA512
070dfcce3ebc76ead33ea928778e0bf487d6dccb83a31c7474d166799c13ecb264fc0bc28b610a06d96e9cdb7409bb962748a948605f063c417adb0d248b22b5

Download Submit
C:\Users\Admin\AppData\Roaming\10_95\msvbrvkxv.pif
Filesize
794KB

MD5
18e404787e9c044105f5c4bec4600bd8

SHA1
9f1015bd7f33a6f3c1cc12c0971f51b1adee1939

SHA256
e15984dc8ea9627d370c40178676490129427e2dc23499f68c9c65c4386fea12

SHA512
c6a1faae524968351b4841665bfe1c5255f7e6c115b7a81a4b6c65626f23f7f15e4bb856914fce15225c33a2e2b6166b3f1f87698895fe0ce4cb084b630c2a5f

Download Submit
C:\Users\Admin\AppData\Roaming\10_95\msvbrvkxv.pif
Filesize
794KB

MD5
18e404787e9c044105f5c4bec4600bd8

SHA1
9f1015bd7f33a6f3c1cc12c0971f51b1adee1939

SHA256
e15984dc8ea9627d370c40178676490129427e2dc23499f68c9c65c4386fea12

SHA512
c6a1faae524968351b4841665bfe1c5255f7e6c115b7a81a4b6c65626f23f7f15e4bb856914fce15225c33a2e2b6166b3f1f87698895fe0ce4cb084b630c2a5f

Download Submit
C:\Users\Admin\AppData\Roaming\10_95\xbrual.exe
Filesize
35KB

MD5
03416254f04f806585a48a75788ad7ba

SHA1
c869d64aac8abaf8e7e86550cf5c013e838dd2d3

SHA256
08736c3265e3dd2fc11e0c263fdd89072df720b742f145e273f3eb734d41fcfb

SHA512
56ffbc0262925332f195e88102138b8e5b3fa5df943fe61b1ef7a2d0cbc51bf3ea500d89b30f9f1daaf3dc850d547dada81013f4b311a9269511f2b33fd4e645

Download Submit
memory/544-154-0x0000000000000000-mapping.dmp

Download
memory/824-146-0x0000000001230000-0x0000000001244000-memory.dmp

Filesize
80KB

Download
memory/824-152-0x0000000000400000-0x00000000008BC000-memory.dmp

Filesize
4.7MB

Download
memory/824-140-0x0000000000400000-0x00000000008BC000-memory.dmp

Filesize
4.7MB

Download
memory/824-141-0x000000000041F120-mapping.dmp

Download
memory/824-144-0x00000000012A0000-0x00000000015EA000-memory.dmp

Filesize
3.3MB

Download
memory/2016-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2016-138-0x0000000000000000-mapping.dmp

Download
memory/2016-147-0x0000000000F70000-0x0000000000F84000-memory.dmp

Filesize
80KB

Download
memory/2016-145-0x00000000014E0000-0x000000000182A000-memory.dmp

Filesize
3.3MB

Download
memory/2016-153-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2188-157-0x0000000002D90000-0x00000000030DA000-memory.dmp

Filesize
3.3MB

Download
memory/2188-156-0x0000000000BD0000-0x0000000000BFF000-memory.dmp

Filesize
188KB

Download
memory/2188-155-0x0000000000700000-0x000000000070C000-memory.dmp

Filesize
48KB

Download
memory/2188-151-0x0000000000000000-mapping.dmp

Download
memory/2252-150-0x0000000000000000-mapping.dmp

Download
memory/2252-158-0x0000000000BB0000-0x0000000000BBB000-memory.dmp

Filesize
44KB

Download
memory/2252-159-0x0000000001770000-0x0000000001ABA000-memory.dmp

Filesize
3.3MB

Download
memory/2252-160-0x0000000001050000-0x000000000107F000-memory.dmp

Filesize
188KB

Download
memory/2252-161-0x00000000015A0000-0x0000000001633000-memory.dmp

Filesize
588KB

Download
memory/2252-163-0x0000000001050000-0x000000000107F000-memory.dmp

Filesize
188KB

Download
memory/3092-148-0x0000000007CD0000-0x0000000007D88000-memory.dmp

Filesize
736KB

Download
memory/3092-149-0x0000000008620000-0x0000000008762000-memory.dmp

Filesize
1.3MB

Download
memory/3092-162-0x0000000008800000-0x00000000088D2000-memory.dmp

Filesize
840KB

Download
memory/3092-164-0x0000000008800000-0x00000000088D2000-memory.dmp

Filesize
840KB

Download
memory/4192-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads