formbook | f448dfefcbd40ad805030d90957598cf16c67ace42cf1107fa95f041f78883f2

General

Target

jetss432167.exe
Size

419KB
MD5

078a77dbb799897552d8d6a106ce2fd3
SHA1

6a1c8b38e0f06377a870f75512d64227ed9224bf
SHA256

f448dfefcbd40ad805030d90957598cf16c67ace42cf1107fa95f041f78883f2
SHA512

ac49736ec267a809bf0ab95f0e4c8d2fc090b120935136ddfdbc8d8d6cec85e1179a678798d34d3d492414f86da6f66b2980dd9a0f7e5c0c6be40069b2896568
SSDEEP

6144:YbE/HUcl0KEU8KD5R9bq9eiewho5hWlShE/g4hEFmouobVW:Ybc0bC/wmhWl0EvmQXobVW

Score

10^/10

formbook je14 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

je14

Decoy

innervisionbuildings.com

theenergysocialite.com

565548.com

panghr.com

onlyonesolutions.com

stjohnzone6.com

cnotes.rest

helfeb.online

xixi-s-inc.club

easilyentered.com

theshopx.store

mrclean-ac.com

miamibeachwateradventures.com

jpearce.co.uk

seseragi-bunkou.com

minimaddie.com

commbank-help-849c3.com

segohandelsonderneming.com

namthanhreal.com

fototerapi.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/940-71-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/940-75-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Executes dropped EXE 1 IoCs

Processes:

uigtaob.exe

pid process

1948 uigtaob.exe
Loads dropped DLL 3 IoCs

Processes:

jetss432167.exeuigtaob.exeuigtaob.exe

pid process

1752 jetss432167.exe
1948 uigtaob.exe
908 uigtaob.exe

pid	process
1948	uigtaob.exe

pid	process
1752	jetss432167.exe
1948	uigtaob.exe
908	uigtaob.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

uigtaob.exeuigtaob.exechkdsk.exe

description	pid	process	target process
PID 1948 set thread context of 908	1948	uigtaob.exe	uigtaob.exe
PID 908 set thread context of 1356	908	uigtaob.exe	Explorer.EXE
PID 940 set thread context of 1356	940	chkdsk.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

chkdsk.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier chkdsk.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

uigtaob.exechkdsk.exe

pid	process
908	uigtaob.exe
908	uigtaob.exe
940	chkdsk.exe
940	chkdsk.exe
940	chkdsk.exe
940	chkdsk.exe
940	chkdsk.exe
940	chkdsk.exe
940	chkdsk.exe
940	chkdsk.exe
940	chkdsk.exe
940	chkdsk.exe
940	chkdsk.exe
940	chkdsk.exe
940	chkdsk.exe
940	chkdsk.exe
940	chkdsk.exe
940	chkdsk.exe
940	chkdsk.exe
940	chkdsk.exe
940	chkdsk.exe
940	chkdsk.exe
940	chkdsk.exe
940	chkdsk.exe
940	chkdsk.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

uigtaob.exechkdsk.exe

pid process

908 uigtaob.exe
908 uigtaob.exe
908 uigtaob.exe
940 chkdsk.exe
940 chkdsk.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

uigtaob.exechkdsk.exe

description pid process

Token: SeDebugPrivilege 908 uigtaob.exe
Token: SeDebugPrivilege 940 chkdsk.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1356 Explorer.EXE
1356 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1356 Explorer.EXE
1356 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	908	uigtaob.exe
Token: SeDebugPrivilege	940	chkdsk.exe

pid	process
1356	Explorer.EXE
1356	Explorer.EXE

pid	process
1356	Explorer.EXE
1356	Explorer.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

jetss432167.exeuigtaob.exeExplorer.EXEchkdsk.exe

description	pid	process	target process
PID 1752 wrote to memory of 1948	1752	jetss432167.exe	uigtaob.exe
PID 1752 wrote to memory of 1948	1752	jetss432167.exe	uigtaob.exe
PID 1752 wrote to memory of 1948	1752	jetss432167.exe	uigtaob.exe
PID 1752 wrote to memory of 1948	1752	jetss432167.exe	uigtaob.exe
PID 1948 wrote to memory of 908	1948	uigtaob.exe	uigtaob.exe
PID 1948 wrote to memory of 908	1948	uigtaob.exe	uigtaob.exe
PID 1948 wrote to memory of 908	1948	uigtaob.exe	uigtaob.exe
PID 1948 wrote to memory of 908	1948	uigtaob.exe	uigtaob.exe
PID 1948 wrote to memory of 908	1948	uigtaob.exe	uigtaob.exe
PID 1356 wrote to memory of 940	1356	Explorer.EXE	chkdsk.exe
PID 1356 wrote to memory of 940	1356	Explorer.EXE	chkdsk.exe
PID 1356 wrote to memory of 940	1356	Explorer.EXE	chkdsk.exe
PID 1356 wrote to memory of 940	1356	Explorer.EXE	chkdsk.exe
PID 940 wrote to memory of 1448	940	chkdsk.exe	cmd.exe
PID 940 wrote to memory of 1448	940	chkdsk.exe	cmd.exe
PID 940 wrote to memory of 1448	940	chkdsk.exe	cmd.exe
PID 940 wrote to memory of 1448	940	chkdsk.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1356

C:\Users\Admin\AppData\Local\Temp\jetss432167.exe
"C:\Users\Admin\AppData\Local\Temp\jetss432167.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1752

C:\Users\Admin\AppData\Local\Temp\uigtaob.exe
"C:\Users\Admin\AppData\Local\Temp\uigtaob.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1948

C:\Users\Admin\AppData\Local\Temp\uigtaob.exe
"C:\Users\Admin\AppData\Local\Temp\uigtaob.exe"
4⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:940

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\uigtaob.exe"
3⤵
PID:1448

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\qwpglg.qt
Filesize
185KB

MD5
257392ed9de5a35bcd1ebddb6e138f1a

SHA1
0a5f5c808e090851d0af4fabb0831562b9477d3d

SHA256
e69492f1d8968b1a0835b7e9cb2e465bf614de777f3e27939fb49e42255db307

SHA512
24c5c983d4501a2e89c94a4951eaf8261ed27c5d6e7b53a131793d8402ef01a0f97c19553e82a790a7b14b5d398e83b25eb40e48db8965b0766c82d6711aee27

Download Submit
C:\Users\Admin\AppData\Local\Temp\uigtaob.exe
Filesize
74KB

MD5
d1ea42b09eb3475b915f99140aef0d72

SHA1
260a5d0fb9db5f738a76cac42e279b54132372b8

SHA256
8245a406d7b6e1a3d1a247384decfb2c1c852fedcd2412395fe508392fcc0c4d

SHA512
d3af3ff2297df39c3cf3ab67d0ac3775f00bf5a3bd39d2b0615bd6371e97944b1f98210dd6bc65aa5afbda94937bdcdf26326c101230737e4d4023e482837ed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\uigtaob.exe
Filesize
74KB

MD5
d1ea42b09eb3475b915f99140aef0d72

SHA1
260a5d0fb9db5f738a76cac42e279b54132372b8

SHA256
8245a406d7b6e1a3d1a247384decfb2c1c852fedcd2412395fe508392fcc0c4d

SHA512
d3af3ff2297df39c3cf3ab67d0ac3775f00bf5a3bd39d2b0615bd6371e97944b1f98210dd6bc65aa5afbda94937bdcdf26326c101230737e4d4023e482837ed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\uigtaob.exe
Filesize
74KB

MD5
d1ea42b09eb3475b915f99140aef0d72

SHA1
260a5d0fb9db5f738a76cac42e279b54132372b8

SHA256
8245a406d7b6e1a3d1a247384decfb2c1c852fedcd2412395fe508392fcc0c4d

SHA512
d3af3ff2297df39c3cf3ab67d0ac3775f00bf5a3bd39d2b0615bd6371e97944b1f98210dd6bc65aa5afbda94937bdcdf26326c101230737e4d4023e482837ed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\yznqspcrv.cl
Filesize
4KB

MD5
827acb35cfbccb4ec97484704a2cf6f5

SHA1
825e7c1768158818ed497c3bbbebca10c055b305

SHA256
8c94aa5a39e47c29a9b989ed69dfe3d34e27671fe312a1e3f1d3dacbfcd1f067

SHA512
1b6ca9a6f1bdaa4cd2ee9b6a6f2cba4f96cbfa2c3eec39bb510805d98fd5bdf4b0d3d733dccedb982be0bede7c91425dd8cb1a533a7001ddaefa10c5fcc5b2f2

Download Submit
\Users\Admin\AppData\Local\Temp\uigtaob.exe
Filesize
74KB

MD5
d1ea42b09eb3475b915f99140aef0d72

SHA1
260a5d0fb9db5f738a76cac42e279b54132372b8

SHA256
8245a406d7b6e1a3d1a247384decfb2c1c852fedcd2412395fe508392fcc0c4d

SHA512
d3af3ff2297df39c3cf3ab67d0ac3775f00bf5a3bd39d2b0615bd6371e97944b1f98210dd6bc65aa5afbda94937bdcdf26326c101230737e4d4023e482837ed9

Download Submit
\Users\Admin\AppData\Local\Temp\uigtaob.exe
Filesize
74KB

MD5
d1ea42b09eb3475b915f99140aef0d72

SHA1
260a5d0fb9db5f738a76cac42e279b54132372b8

SHA256
8245a406d7b6e1a3d1a247384decfb2c1c852fedcd2412395fe508392fcc0c4d

SHA512
d3af3ff2297df39c3cf3ab67d0ac3775f00bf5a3bd39d2b0615bd6371e97944b1f98210dd6bc65aa5afbda94937bdcdf26326c101230737e4d4023e482837ed9

Download Submit
memory/908-65-0x0000000000910000-0x0000000000C13000-memory.dmp

Filesize
3.0MB

Download
memory/908-66-0x00000000002B0000-0x00000000002C4000-memory.dmp

Filesize
80KB

Download
memory/908-63-0x000000000041F120-mapping.dmp

Download
memory/940-72-0x0000000002050000-0x0000000002353000-memory.dmp

Filesize
3.0MB

Download
memory/940-68-0x0000000000000000-mapping.dmp

Download
memory/940-70-0x0000000000C40000-0x0000000000C47000-memory.dmp

Filesize
28KB

Download
memory/940-71-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/940-73-0x0000000000930000-0x00000000009C3000-memory.dmp

Filesize
588KB

Download
memory/940-75-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1356-67-0x0000000003E80000-0x0000000003F3F000-memory.dmp

Filesize
764KB

Download
memory/1356-74-0x00000000048C0000-0x000000000499A000-memory.dmp

Filesize
872KB

Download
memory/1356-76-0x00000000048C0000-0x000000000499A000-memory.dmp

Filesize
872KB

Download
memory/1448-69-0x0000000000000000-mapping.dmp

Download
memory/1752-54-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/1948-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads