formbook | 9b0bfd03394e34336bb2dc5bc9001243a95c553ca2cdaf3d79820787a4e39226

General

Target

jetsjets6654.exe
Size

1.2MB
MD5

957242e6d5769a32406189f7f05f50af
SHA1

42297b45d76f9c475842fe6cbc60426aea470d8c
SHA256

3eeec1884c0a7d2c7c49991d08bcf731f563fd55faff77cf02b5c6f73f34b5f1
SHA512

e812a0d87b4c3af2bc2f7c25cb11256414a1b9577e405f8e0cfa86384bbdb998da21fdd015c17c57188db4e107b746acc0d579504b81050c6e1af05b101c305a
SSDEEP

24576:iAOcZXp00Sjm2GbobhjkmK3cLSzv7w84UopeOH+2UNUquptQZCU:oDl44U3hvUUbJZupXU

Score

10^/10

formbook je14 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

je14

Decoy

innervisionbuildings.com

theenergysocialite.com

565548.com

panghr.com

onlyonesolutions.com

stjohnzone6.com

cnotes.rest

helfeb.online

xixi-s-inc.club

easilyentered.com

theshopx.store

mrclean-ac.com

miamibeachwateradventures.com

jpearce.co.uk

seseragi-bunkou.com

minimaddie.com

commbank-help-849c3.com

segohandelsonderneming.com

namthanhreal.com

fototerapi.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 9 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4368-138-0x0000000000000000-mapping.dmp	formbook
behavioral2/memory/4368-139-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4480-140-0x0000000000400000-0x0000000000B55000-memory.dmp	formbook
behavioral2/memory/4480-141-0x000000000041F120-mapping.dmp	formbook
behavioral2/memory/4368-143-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4480-153-0x0000000000400000-0x0000000000B55000-memory.dmp	formbook
behavioral2/memory/4372-156-0x0000000000D00000-0x0000000000D2F000-memory.dmp	formbook
behavioral2/memory/860-159-0x0000000000E40000-0x0000000000E6F000-memory.dmp	formbook
behavioral2/memory/860-163-0x0000000000E40000-0x0000000000E6F000-memory.dmp	formbook

Executes dropped EXE 1 IoCs

Processes:

kgxqxqi.pif

pid process

3004 kgxqxqi.pif

pid	process
3004	kgxqxqi.pif

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

jetsjets6654.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	jetsjets6654.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

kgxqxqi.pifRegSvcs.exeRegSvcs.exerundll32.exe

description	pid	process	target process
PID 3004 set thread context of 4368	3004	kgxqxqi.pif	RegSvcs.exe
PID 3004 set thread context of 4480	3004	kgxqxqi.pif	RegSvcs.exe
PID 4368 set thread context of 1396	4368	RegSvcs.exe	Explorer.EXE
PID 4480 set thread context of 1396	4480	RegSvcs.exe	Explorer.EXE
PID 860 set thread context of 1396	860	rundll32.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

RegSvcs.exeRegSvcs.exerundll32.exemstsc.exe

pid	process
4368	RegSvcs.exe
4368	RegSvcs.exe
4368	RegSvcs.exe
4368	RegSvcs.exe
4480	RegSvcs.exe
4480	RegSvcs.exe
4480	RegSvcs.exe
4480	RegSvcs.exe
860	rundll32.exe
860	rundll32.exe
4372	mstsc.exe
4372	mstsc.exe
860	rundll32.exe
860	rundll32.exe
860	rundll32.exe
860	rundll32.exe
860	rundll32.exe
860	rundll32.exe
860	rundll32.exe
860	rundll32.exe
860	rundll32.exe
860	rundll32.exe
860	rundll32.exe
860	rundll32.exe
860	rundll32.exe
860	rundll32.exe
860	rundll32.exe
860	rundll32.exe
860	rundll32.exe
860	rundll32.exe
860	rundll32.exe
860	rundll32.exe
860	rundll32.exe
860	rundll32.exe
860	rundll32.exe
860	rundll32.exe
860	rundll32.exe
860	rundll32.exe
860	rundll32.exe
860	rundll32.exe
860	rundll32.exe
860	rundll32.exe
860	rundll32.exe
860	rundll32.exe
860	rundll32.exe
860	rundll32.exe
860	rundll32.exe
860	rundll32.exe
860	rundll32.exe
860	rundll32.exe
860	rundll32.exe
860	rundll32.exe
860	rundll32.exe
860	rundll32.exe
860	rundll32.exe
860	rundll32.exe
860	rundll32.exe
860	rundll32.exe
860	rundll32.exe
860	rundll32.exe
860	rundll32.exe
860	rundll32.exe
860	rundll32.exe
860	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1396 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

RegSvcs.exeRegSvcs.exerundll32.exe

pid process

4368 RegSvcs.exe
4480 RegSvcs.exe
4368 RegSvcs.exe
4368 RegSvcs.exe
4480 RegSvcs.exe
4480 RegSvcs.exe
860 rundll32.exe
860 rundll32.exe

pid	process
1396	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

RegSvcs.exeRegSvcs.exeExplorer.EXErundll32.exemstsc.exe

description	pid	process
Token: SeDebugPrivilege	4368	RegSvcs.exe
Token: SeDebugPrivilege	4480	RegSvcs.exe
Token: SeShutdownPrivilege	1396	Explorer.EXE
Token: SeCreatePagefilePrivilege	1396	Explorer.EXE
Token: SeShutdownPrivilege	1396	Explorer.EXE
Token: SeCreatePagefilePrivilege	1396	Explorer.EXE
Token: SeDebugPrivilege	860	rundll32.exe
Token: SeDebugPrivilege	4372	mstsc.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

jetsjets6654.exekgxqxqi.pifExplorer.EXErundll32.exe

description	pid	process	target process
PID 4980 wrote to memory of 3004	4980	jetsjets6654.exe	kgxqxqi.pif
PID 4980 wrote to memory of 3004	4980	jetsjets6654.exe	kgxqxqi.pif
PID 4980 wrote to memory of 3004	4980	jetsjets6654.exe	kgxqxqi.pif
PID 3004 wrote to memory of 4480	3004	kgxqxqi.pif	RegSvcs.exe
PID 3004 wrote to memory of 4480	3004	kgxqxqi.pif	RegSvcs.exe
PID 3004 wrote to memory of 4480	3004	kgxqxqi.pif	RegSvcs.exe
PID 3004 wrote to memory of 4368	3004	kgxqxqi.pif	RegSvcs.exe
PID 3004 wrote to memory of 4368	3004	kgxqxqi.pif	RegSvcs.exe
PID 3004 wrote to memory of 4368	3004	kgxqxqi.pif	RegSvcs.exe
PID 3004 wrote to memory of 4368	3004	kgxqxqi.pif	RegSvcs.exe
PID 3004 wrote to memory of 4368	3004	kgxqxqi.pif	RegSvcs.exe
PID 3004 wrote to memory of 4368	3004	kgxqxqi.pif	RegSvcs.exe
PID 3004 wrote to memory of 4480	3004	kgxqxqi.pif	RegSvcs.exe
PID 3004 wrote to memory of 4480	3004	kgxqxqi.pif	RegSvcs.exe
PID 1396 wrote to memory of 860	1396	Explorer.EXE	rundll32.exe
PID 1396 wrote to memory of 860	1396	Explorer.EXE	rundll32.exe
PID 1396 wrote to memory of 860	1396	Explorer.EXE	rundll32.exe
PID 1396 wrote to memory of 4372	1396	Explorer.EXE	mstsc.exe
PID 1396 wrote to memory of 4372	1396	Explorer.EXE	mstsc.exe
PID 1396 wrote to memory of 4372	1396	Explorer.EXE	mstsc.exe
PID 860 wrote to memory of 2764	860	rundll32.exe	cmd.exe
PID 860 wrote to memory of 2764	860	rundll32.exe	cmd.exe
PID 860 wrote to memory of 2764	860	rundll32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1396

C:\Users\Admin\AppData\Local\Temp\jetsjets6654.exe
"C:\Users\Admin\AppData\Local\Temp\jetsjets6654.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4980

C:\2_44\kgxqxqi.pif
"C:\2_44\kgxqxqi.pif" bslxdvw.ewe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4368

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:860

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:2764

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4372

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\2_44\ahlaua.wee
Filesize
370KB

MD5
1f7784b35717cf5181ee1c018937792c

SHA1
66d56f668f55e4258f850213229e719b2b01de50

SHA256
a21e8ca9bbb50777a3835572ed47b631721845992ad1023bd71e11850c5f7306

SHA512
1cbc109083f22de2ee7eb43ad1ff601120a3b8e558ad032e58779e91f81b82f38480c2b76eb7ce201102fb8392d3043309e16b6877d4ba4f40e2204822ecf647

Download Submit
C:\2_44\bslxdvw.ewe
Filesize
209.8MB

MD5
9cb368a913059188e9b574baf7a8d635

SHA1
50b0670ef6f2d549c7df40703c25d0c49978224a

SHA256
8370925435336bbe0e555746e495ece28caf01f5af58091233b02c64d607c4a8

SHA512
9fea90d4432992321a92e81778a71d4ce450330709786060caba9ab63c1f7940f0de1d676b4be6a23727f4096c63eb16af426d8ce02808ca75085b8d2e97c83c

Download Submit
C:\2_44\dqpro.mp3
Filesize
37KB

MD5
39dd82a2f9cbca0b7cc3175df545834f

SHA1
e7abbd2ddb91092e5a9eaa8360da0cdc23485781

SHA256
3ee3bb319091cc00f0e950a54f65642878059fb600bc321a2ad8a91aed28375d

SHA512
7e3e43472a184ece773555b9ae3aba6d86fe1466e30d3031dfaa4da3b070fd3e02834faec2523698773a96fd13ef586ab3ba6fe64197abdce307d70da8dc0eb6

Download Submit
C:\2_44\kgxqxqi.pif
Filesize
1.3MB

MD5
92b9ea22338dcd34bc1d8bef60a635a4

SHA1
b7da7f7f1533e073463ba02f986e5c17e15d39c3

SHA256
21dd8e3960c9e3f987a40d30fdb7ebbe9139dfa9b5e5700e36cbd209f36269d0

SHA512
ff8922aab4ef89f6c67921274a35c558f88e419e43312252a744123e25981f2f297c6bc00ac57d462f66cf99ce24cc642a2fbf84861c0875d30486271fb712f5

Download Submit
C:\2_44\kgxqxqi.pif
Filesize
1.3MB

MD5
92b9ea22338dcd34bc1d8bef60a635a4

SHA1
b7da7f7f1533e073463ba02f986e5c17e15d39c3

SHA256
21dd8e3960c9e3f987a40d30fdb7ebbe9139dfa9b5e5700e36cbd209f36269d0

SHA512
ff8922aab4ef89f6c67921274a35c558f88e419e43312252a744123e25981f2f297c6bc00ac57d462f66cf99ce24cc642a2fbf84861c0875d30486271fb712f5

Download Submit
memory/860-163-0x0000000000E40000-0x0000000000E6F000-memory.dmp

Filesize
188KB

Download
memory/860-151-0x0000000000000000-mapping.dmp

Download
memory/860-161-0x0000000002AF0000-0x0000000002B83000-memory.dmp

Filesize
588KB

Download
memory/860-160-0x0000000002DB0000-0x00000000030FA000-memory.dmp

Filesize
3.3MB

Download
memory/860-159-0x0000000000E40000-0x0000000000E6F000-memory.dmp

Filesize
188KB

Download
memory/860-158-0x0000000000710000-0x0000000000724000-memory.dmp

Filesize
80KB

Download
memory/1396-164-0x00000000071F0000-0x00000000072AA000-memory.dmp

Filesize
744KB

Download
memory/1396-162-0x00000000071F0000-0x00000000072AA000-memory.dmp

Filesize
744KB

Download
memory/1396-148-0x0000000008280000-0x00000000083E8000-memory.dmp

Filesize
1.4MB

Download
memory/1396-150-0x0000000008960000-0x0000000008B00000-memory.dmp

Filesize
1.6MB

Download
memory/2764-154-0x0000000000000000-mapping.dmp

Download
memory/3004-132-0x0000000000000000-mapping.dmp

Download
memory/4368-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4368-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4368-138-0x0000000000000000-mapping.dmp

Download
memory/4368-145-0x0000000000A30000-0x0000000000D7A000-memory.dmp

Filesize
3.3MB

Download
memory/4368-147-0x00000000009F0000-0x0000000000A04000-memory.dmp

Filesize
80KB

Download
memory/4372-157-0x0000000002BA0000-0x0000000002EEA000-memory.dmp

Filesize
3.3MB

Download
memory/4372-156-0x0000000000D00000-0x0000000000D2F000-memory.dmp

Filesize
188KB

Download
memory/4372-155-0x0000000000600000-0x000000000073A000-memory.dmp

Filesize
1.2MB

Download
memory/4372-152-0x0000000000000000-mapping.dmp

Download
memory/4480-149-0x0000000001440000-0x0000000001454000-memory.dmp

Filesize
80KB

Download
memory/4480-146-0x0000000001910000-0x0000000001C5A000-memory.dmp

Filesize
3.3MB

Download
memory/4480-141-0x000000000041F120-mapping.dmp

Download
memory/4480-140-0x0000000000400000-0x0000000000B55000-memory.dmp

Filesize
7.3MB

Download
memory/4480-153-0x0000000000400000-0x0000000000B55000-memory.dmp

Filesize
7.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads