formbook | f448dfefcbd40ad805030d90957598cf16c67ace42cf1107fa95f041f78883f2

General

Target

jetss432167.exe
Size

419KB
MD5

078a77dbb799897552d8d6a106ce2fd3
SHA1

6a1c8b38e0f06377a870f75512d64227ed9224bf
SHA256

f448dfefcbd40ad805030d90957598cf16c67ace42cf1107fa95f041f78883f2
SHA512

ac49736ec267a809bf0ab95f0e4c8d2fc090b120935136ddfdbc8d8d6cec85e1179a678798d34d3d492414f86da6f66b2980dd9a0f7e5c0c6be40069b2896568
SSDEEP

6144:YbE/HUcl0KEU8KD5R9bq9eiewho5hWlShE/g4hEFmouobVW:Ybc0bC/wmhWl0EvmQXobVW

Score

10^/10

formbook je14 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

je14

Decoy

innervisionbuildings.com

theenergysocialite.com

565548.com

panghr.com

onlyonesolutions.com

stjohnzone6.com

cnotes.rest

helfeb.online

xixi-s-inc.club

easilyentered.com

theshopx.store

mrclean-ac.com

miamibeachwateradventures.com

jpearce.co.uk

seseragi-bunkou.com

minimaddie.com

commbank-help-849c3.com

segohandelsonderneming.com

namthanhreal.com

fototerapi.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3328-144-0x0000000000530000-0x000000000055F000-memory.dmp	formbook
behavioral2/memory/3328-150-0x0000000000530000-0x000000000055F000-memory.dmp	formbook

Executes dropped EXE 1 IoCs

Processes:

uigtaob.exe

pid process

2068 uigtaob.exe
Loads dropped DLL 1 IoCs

Processes:

uigtaob.exe

pid process

4528 uigtaob.exe

pid	process
2068	uigtaob.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

uigtaob.exeuigtaob.exesvchost.exe

description	pid	process	target process
PID 2068 set thread context of 4528	2068	uigtaob.exe	uigtaob.exe
PID 4528 set thread context of 2864	4528	uigtaob.exe	Explorer.EXE
PID 3328 set thread context of 2864	3328	svchost.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

uigtaob.exesvchost.exe

pid	process
4528	uigtaob.exe
4528	uigtaob.exe
4528	uigtaob.exe
4528	uigtaob.exe
3328	svchost.exe
3328	svchost.exe
3328	svchost.exe
3328	svchost.exe
3328	svchost.exe
3328	svchost.exe
3328	svchost.exe
3328	svchost.exe
3328	svchost.exe
3328	svchost.exe
3328	svchost.exe
3328	svchost.exe
3328	svchost.exe
3328	svchost.exe
3328	svchost.exe
3328	svchost.exe
3328	svchost.exe
3328	svchost.exe
3328	svchost.exe
3328	svchost.exe
3328	svchost.exe
3328	svchost.exe
3328	svchost.exe
3328	svchost.exe
3328	svchost.exe
3328	svchost.exe
3328	svchost.exe
3328	svchost.exe
3328	svchost.exe
3328	svchost.exe
3328	svchost.exe
3328	svchost.exe
3328	svchost.exe
3328	svchost.exe
3328	svchost.exe
3328	svchost.exe
3328	svchost.exe
3328	svchost.exe
3328	svchost.exe
3328	svchost.exe
3328	svchost.exe
3328	svchost.exe
3328	svchost.exe
3328	svchost.exe
3328	svchost.exe
3328	svchost.exe
3328	svchost.exe
3328	svchost.exe
3328	svchost.exe
3328	svchost.exe
3328	svchost.exe
3328	svchost.exe
3328	svchost.exe
3328	svchost.exe
3328	svchost.exe
3328	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2864 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

uigtaob.exesvchost.exe

pid process

4528 uigtaob.exe
4528 uigtaob.exe
4528 uigtaob.exe
3328 svchost.exe
3328 svchost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

uigtaob.exesvchost.exe

description pid process

Token: SeDebugPrivilege 4528 uigtaob.exe
Token: SeDebugPrivilege 3328 svchost.exe

pid	process
2864	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	4528	uigtaob.exe
Token: SeDebugPrivilege	3328	svchost.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

jetss432167.exeuigtaob.exeExplorer.EXEsvchost.exe

description	pid	process	target process
PID 4936 wrote to memory of 2068	4936	jetss432167.exe	uigtaob.exe
PID 4936 wrote to memory of 2068	4936	jetss432167.exe	uigtaob.exe
PID 4936 wrote to memory of 2068	4936	jetss432167.exe	uigtaob.exe
PID 2068 wrote to memory of 4528	2068	uigtaob.exe	uigtaob.exe
PID 2068 wrote to memory of 4528	2068	uigtaob.exe	uigtaob.exe
PID 2068 wrote to memory of 4528	2068	uigtaob.exe	uigtaob.exe
PID 2068 wrote to memory of 4528	2068	uigtaob.exe	uigtaob.exe
PID 2864 wrote to memory of 3328	2864	Explorer.EXE	svchost.exe
PID 2864 wrote to memory of 3328	2864	Explorer.EXE	svchost.exe
PID 2864 wrote to memory of 3328	2864	Explorer.EXE	svchost.exe
PID 3328 wrote to memory of 2092	3328	svchost.exe	cmd.exe
PID 3328 wrote to memory of 2092	3328	svchost.exe	cmd.exe
PID 3328 wrote to memory of 2092	3328	svchost.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2864

C:\Users\Admin\AppData\Local\Temp\jetss432167.exe
"C:\Users\Admin\AppData\Local\Temp\jetss432167.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4936

C:\Users\Admin\AppData\Local\Temp\uigtaob.exe
"C:\Users\Admin\AppData\Local\Temp\uigtaob.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2068

C:\Users\Admin\AppData\Local\Temp\uigtaob.exe
"C:\Users\Admin\AppData\Local\Temp\uigtaob.exe"
4⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4528

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3328

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\uigtaob.exe"
3⤵
PID:2092

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\qwpglg.qt
Filesize
185KB

MD5
257392ed9de5a35bcd1ebddb6e138f1a

SHA1
0a5f5c808e090851d0af4fabb0831562b9477d3d

SHA256
e69492f1d8968b1a0835b7e9cb2e465bf614de777f3e27939fb49e42255db307

SHA512
24c5c983d4501a2e89c94a4951eaf8261ed27c5d6e7b53a131793d8402ef01a0f97c19553e82a790a7b14b5d398e83b25eb40e48db8965b0766c82d6711aee27

Download Submit
C:\Users\Admin\AppData\Local\Temp\uigtaob.exe
Filesize
74KB

MD5
d1ea42b09eb3475b915f99140aef0d72

SHA1
260a5d0fb9db5f738a76cac42e279b54132372b8

SHA256
8245a406d7b6e1a3d1a247384decfb2c1c852fedcd2412395fe508392fcc0c4d

SHA512
d3af3ff2297df39c3cf3ab67d0ac3775f00bf5a3bd39d2b0615bd6371e97944b1f98210dd6bc65aa5afbda94937bdcdf26326c101230737e4d4023e482837ed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\uigtaob.exe
Filesize
74KB

MD5
d1ea42b09eb3475b915f99140aef0d72

SHA1
260a5d0fb9db5f738a76cac42e279b54132372b8

SHA256
8245a406d7b6e1a3d1a247384decfb2c1c852fedcd2412395fe508392fcc0c4d

SHA512
d3af3ff2297df39c3cf3ab67d0ac3775f00bf5a3bd39d2b0615bd6371e97944b1f98210dd6bc65aa5afbda94937bdcdf26326c101230737e4d4023e482837ed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\uigtaob.exe
Filesize
74KB

MD5
d1ea42b09eb3475b915f99140aef0d72

SHA1
260a5d0fb9db5f738a76cac42e279b54132372b8

SHA256
8245a406d7b6e1a3d1a247384decfb2c1c852fedcd2412395fe508392fcc0c4d

SHA512
d3af3ff2297df39c3cf3ab67d0ac3775f00bf5a3bd39d2b0615bd6371e97944b1f98210dd6bc65aa5afbda94937bdcdf26326c101230737e4d4023e482837ed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\yznqspcrv.cl
Filesize
4KB

MD5
827acb35cfbccb4ec97484704a2cf6f5

SHA1
825e7c1768158818ed497c3bbbebca10c055b305

SHA256
8c94aa5a39e47c29a9b989ed69dfe3d34e27671fe312a1e3f1d3dacbfcd1f067

SHA512
1b6ca9a6f1bdaa4cd2ee9b6a6f2cba4f96cbfa2c3eec39bb510805d98fd5bdf4b0d3d733dccedb982be0bede7c91425dd8cb1a533a7001ddaefa10c5fcc5b2f2

Download Submit
memory/2068-132-0x0000000000000000-mapping.dmp

Download
memory/2092-145-0x0000000000000000-mapping.dmp

Download
memory/2864-151-0x00000000025A0000-0x000000000267E000-memory.dmp

Filesize
888KB

Download
memory/2864-149-0x00000000025A0000-0x000000000267E000-memory.dmp

Filesize
888KB

Download
memory/2864-147-0x0000000007F20000-0x0000000008086000-memory.dmp

Filesize
1.4MB

Download
memory/2864-141-0x0000000007F20000-0x0000000008086000-memory.dmp

Filesize
1.4MB

Download
memory/3328-142-0x0000000000000000-mapping.dmp

Download
memory/3328-144-0x0000000000530000-0x000000000055F000-memory.dmp

Filesize
188KB

Download
memory/3328-143-0x0000000000670000-0x000000000067E000-memory.dmp

Filesize
56KB

Download
memory/3328-146-0x0000000001200000-0x000000000154A000-memory.dmp

Filesize
3.3MB

Download
memory/3328-148-0x00000000010A0000-0x0000000001133000-memory.dmp

Filesize
588KB

Download
memory/3328-150-0x0000000000530000-0x000000000055F000-memory.dmp

Filesize
188KB

Download
memory/4528-140-0x0000000000E70000-0x0000000000E84000-memory.dmp

Filesize
80KB

Download
memory/4528-139-0x00000000013E0000-0x000000000172A000-memory.dmp

Filesize
3.3MB

Download
memory/4528-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads