formbook | 699fbd0e90c9d904ccde9fa7326ca0139c169b268a4d698dfa9b82e68950f7b2

General

Target

jestyyfre44321.exe
Size

1.1MB
MD5

c2d4e5290155193ed854fc6d27ec83a4
SHA1

de83fd85e5496b9ccc8f56bd162d27381835c1af
SHA256

e4c4e4111a17d0130da8cfb7694900d1d7f16bfb74ab45eff550e6319d88a602
SHA512

e873f5dc3e318be701bbcdc55f2a61060e72a54c58c17fc2b339b9faf5b9b52f764241d7c6f1c5758884fa76cb1257c605ea2cc1c9d085e99fd51fd457e65e73
SSDEEP

24576:UAOcZXcxP6P4C6oV5Ogn+pN6k77rvyOMF5:CH9C6qX+pN6kDbE5

Score

10^/10

formbook je14 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

je14

Decoy

innervisionbuildings.com

theenergysocialite.com

565548.com

panghr.com

onlyonesolutions.com

stjohnzone6.com

cnotes.rest

helfeb.online

xixi-s-inc.club

easilyentered.com

theshopx.store

mrclean-ac.com

miamibeachwateradventures.com

jpearce.co.uk

seseragi-bunkou.com

minimaddie.com

commbank-help-849c3.com

segohandelsonderneming.com

namthanhreal.com

fototerapi.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 10 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3128-138-0x0000000000000000-mapping.dmp	formbook
behavioral2/memory/3128-139-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3888-141-0x000000000041F120-mapping.dmp	formbook
behavioral2/memory/3888-140-0x0000000000400000-0x00000000008C9000-memory.dmp	formbook
behavioral2/memory/3128-151-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/216-153-0x0000000000950000-0x000000000097F000-memory.dmp	formbook
behavioral2/memory/3888-156-0x0000000000400000-0x00000000008C9000-memory.dmp	formbook
behavioral2/memory/2832-159-0x0000000000150000-0x000000000017F000-memory.dmp	formbook
behavioral2/memory/2832-160-0x0000000000150000-0x000000000017F000-memory.dmp	formbook
behavioral2/memory/216-162-0x0000000000950000-0x000000000097F000-memory.dmp	formbook

Blocklisted process makes network request 1 IoCs

Processes:

cmd.exe

flow pid process

45 216 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

isab.pif

pid process

4792 isab.pif

flow	pid	process
45	216	cmd.exe

pid	process
4792	isab.pif

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

jestyyfre44321.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	jestyyfre44321.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

isab.pifRegSvcs.exeRegSvcs.execmd.exe

description	pid	process	target process
PID 4792 set thread context of 3128	4792	isab.pif	RegSvcs.exe
PID 4792 set thread context of 3888	4792	isab.pif	RegSvcs.exe
PID 3128 set thread context of 776	3128	RegSvcs.exe	Explorer.EXE
PID 3888 set thread context of 776	3888	RegSvcs.exe	Explorer.EXE
PID 216 set thread context of 776	216	cmd.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

RegSvcs.exeRegSvcs.execmd.exesvchost.exe

pid	process
3128	RegSvcs.exe
3128	RegSvcs.exe
3888	RegSvcs.exe
3888	RegSvcs.exe
3128	RegSvcs.exe
3128	RegSvcs.exe
3888	RegSvcs.exe
3888	RegSvcs.exe
216	cmd.exe
216	cmd.exe
2832	svchost.exe
2832	svchost.exe
216	cmd.exe
216	cmd.exe
216	cmd.exe
216	cmd.exe
216	cmd.exe
216	cmd.exe
216	cmd.exe
216	cmd.exe
216	cmd.exe
216	cmd.exe
216	cmd.exe
216	cmd.exe
216	cmd.exe
216	cmd.exe
216	cmd.exe
216	cmd.exe
216	cmd.exe
216	cmd.exe
216	cmd.exe
216	cmd.exe
216	cmd.exe
216	cmd.exe
216	cmd.exe
216	cmd.exe
216	cmd.exe
216	cmd.exe
216	cmd.exe
216	cmd.exe
216	cmd.exe
216	cmd.exe
216	cmd.exe
216	cmd.exe
216	cmd.exe
216	cmd.exe
216	cmd.exe
216	cmd.exe
216	cmd.exe
216	cmd.exe
216	cmd.exe
216	cmd.exe
216	cmd.exe
216	cmd.exe
216	cmd.exe
216	cmd.exe
216	cmd.exe
216	cmd.exe
216	cmd.exe
216	cmd.exe
216	cmd.exe
216	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

776 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

RegSvcs.exeRegSvcs.execmd.exe

pid process

3128 RegSvcs.exe
3888 RegSvcs.exe
3128 RegSvcs.exe
3128 RegSvcs.exe
3888 RegSvcs.exe
3888 RegSvcs.exe
216 cmd.exe
216 cmd.exe

pid	process
776	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

RegSvcs.exeRegSvcs.exeExplorer.EXEcmd.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	3128	RegSvcs.exe
Token: SeDebugPrivilege	3888	RegSvcs.exe
Token: SeShutdownPrivilege	776	Explorer.EXE
Token: SeCreatePagefilePrivilege	776	Explorer.EXE
Token: SeShutdownPrivilege	776	Explorer.EXE
Token: SeCreatePagefilePrivilege	776	Explorer.EXE
Token: SeDebugPrivilege	216	cmd.exe
Token: SeDebugPrivilege	2832	svchost.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

jestyyfre44321.exeisab.pifExplorer.EXEcmd.exe

description	pid	process	target process
PID 1048 wrote to memory of 4792	1048	jestyyfre44321.exe	isab.pif
PID 1048 wrote to memory of 4792	1048	jestyyfre44321.exe	isab.pif
PID 1048 wrote to memory of 4792	1048	jestyyfre44321.exe	isab.pif
PID 4792 wrote to memory of 3888	4792	isab.pif	RegSvcs.exe
PID 4792 wrote to memory of 3888	4792	isab.pif	RegSvcs.exe
PID 4792 wrote to memory of 3888	4792	isab.pif	RegSvcs.exe
PID 4792 wrote to memory of 3128	4792	isab.pif	RegSvcs.exe
PID 4792 wrote to memory of 3128	4792	isab.pif	RegSvcs.exe
PID 4792 wrote to memory of 3128	4792	isab.pif	RegSvcs.exe
PID 4792 wrote to memory of 3128	4792	isab.pif	RegSvcs.exe
PID 4792 wrote to memory of 3128	4792	isab.pif	RegSvcs.exe
PID 4792 wrote to memory of 3128	4792	isab.pif	RegSvcs.exe
PID 4792 wrote to memory of 3888	4792	isab.pif	RegSvcs.exe
PID 4792 wrote to memory of 3888	4792	isab.pif	RegSvcs.exe
PID 776 wrote to memory of 216	776	Explorer.EXE	cmd.exe
PID 776 wrote to memory of 216	776	Explorer.EXE	cmd.exe
PID 776 wrote to memory of 216	776	Explorer.EXE	cmd.exe
PID 776 wrote to memory of 2832	776	Explorer.EXE	svchost.exe
PID 776 wrote to memory of 2832	776	Explorer.EXE	svchost.exe
PID 776 wrote to memory of 2832	776	Explorer.EXE	svchost.exe
PID 216 wrote to memory of 4008	216	cmd.exe	cmd.exe
PID 216 wrote to memory of 4008	216	cmd.exe	cmd.exe
PID 216 wrote to memory of 4008	216	cmd.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:776
- C:\Users\Admin\AppData\Local\Temp\jestyyfre44321.exe
  "C:\Users\Admin\AppData\Local\Temp\jestyyfre44321.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1048
- - C:\Users\Admin\9_53\isab.pif
    "C:\Users\Admin\9_53\isab.pif" telx.ogt
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4792
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:3888
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:3128
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\SysWOW64\cmd.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:216
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:4008
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\SysWOW64\svchost.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\9_53\aoss.xls

Filesize
40KB

MD5
c54a5a90e3803c572ed12150b510f97d

SHA1
8e2f02b84fd5f6e873cf51d343fb96a531a45e45

SHA256
87cd75d6b1a5607b39e5940d9021ca9281c3d47217e597e0601f6f6d02b06bf8

SHA512
d8f5395fde12d62e94e7969b7d298f03733c56adf3139de5a6167a59c497152c384631d6da12380136b00d10119a7fdec4a53208f5152c578a71b589b8f9e776

Download Submit
C:\Users\Admin\9_53\gcvbihuje.mro

Filesize
370KB

MD5
d40060faa63c30e509e8f6c5be0dcdc4

SHA1
4ec1022751784dc6b2a8819e6d4b860d6b38d82f

SHA256
15994b50140988529c4b8c18aebabcb60fedc34b45dfdac906569bda318f3414

SHA512
1761c72937b4476c666ffb93b96bb94427068dae217fe03c021082e5a988a09e3dacfd306b6440ca90de3ce48afa2aeb85829a1e76f3ff2fc2e636180f0eb1da

Download Submit
C:\Users\Admin\9_53\isab.pif

Filesize
820KB

MD5
0c996fa7285452f1302d8c781bd72972

SHA1
93b2a1bce155afec134804b3a2ef6b40ac0a4178

SHA256
470588c09deb416b91666b21a15cda3fd2e8807bdf83e27e5939415651bb006f

SHA512
e8d8c61f04707af05143e1c68ffcbf38a433766096a5c87c0f6b2b8cf54f0f2d4a60e39f4b0fb5a78dfbb97a2549d7c930887021bf513abf268a4677d9231c5e

Download Submit
C:\Users\Admin\9_53\isab.pif

Filesize
820KB

MD5
0c996fa7285452f1302d8c781bd72972

SHA1
93b2a1bce155afec134804b3a2ef6b40ac0a4178

SHA256
470588c09deb416b91666b21a15cda3fd2e8807bdf83e27e5939415651bb006f

SHA512
e8d8c61f04707af05143e1c68ffcbf38a433766096a5c87c0f6b2b8cf54f0f2d4a60e39f4b0fb5a78dfbb97a2549d7c930887021bf513abf268a4677d9231c5e

Download Submit
C:\Users\Admin\9_53\telx.ogt

Filesize
140.7MB

MD5
343cb3dddbe37534a60c685b58cdebec

SHA1
9e50469f0695487b6671557662483ff2515ef339

SHA256
2524fff1f4e7697b92525ffd96ac6c584bc84f281886daaf8526f65fac86a38f

SHA512
75a163a07ab55670ae81fb87a6cf29b6cac0f8ae370bef2889bf125bbffa3c78b5cb0c7f5dce5a770cbe24b883a5c385fd4a7842e1049256c3956d44c9d156a3

Download Submit
memory/216-162-0x0000000000950000-0x000000000097F000-memory.dmp

Filesize
188KB

Download
memory/216-163-0x0000000001370000-0x0000000001403000-memory.dmp

Filesize
588KB

Download
memory/216-157-0x0000000001530000-0x000000000187A000-memory.dmp

Filesize
3.3MB

Download
memory/216-153-0x0000000000950000-0x000000000097F000-memory.dmp

Filesize
188KB

Download
memory/216-152-0x0000000000410000-0x000000000046A000-memory.dmp

Filesize
360KB

Download
memory/216-150-0x0000000000000000-mapping.dmp

Download
memory/776-165-0x00000000083E0000-0x0000000008487000-memory.dmp

Filesize
668KB

Download
memory/776-164-0x00000000083E0000-0x0000000008487000-memory.dmp

Filesize
668KB

Download
memory/776-149-0x0000000003140000-0x00000000032A2000-memory.dmp

Filesize
1.4MB

Download
memory/776-147-0x0000000008230000-0x00000000083D5000-memory.dmp

Filesize
1.6MB

Download
memory/2832-158-0x0000000000D40000-0x0000000000D4E000-memory.dmp

Filesize
56KB

Download
memory/2832-159-0x0000000000150000-0x000000000017F000-memory.dmp

Filesize
188KB

Download
memory/2832-154-0x0000000000000000-mapping.dmp

Download
memory/2832-161-0x0000000000990000-0x0000000000CDA000-memory.dmp

Filesize
3.3MB

Download
memory/2832-160-0x0000000000150000-0x000000000017F000-memory.dmp

Filesize
188KB

Download
memory/3128-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3128-146-0x0000000000A80000-0x0000000000A94000-memory.dmp

Filesize
80KB

Download
memory/3128-138-0x0000000000000000-mapping.dmp

Download
memory/3128-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3128-142-0x0000000001000000-0x000000000134A000-memory.dmp

Filesize
3.3MB

Download
memory/3888-140-0x0000000000400000-0x00000000008C9000-memory.dmp

Filesize
4.8MB

Download
memory/3888-156-0x0000000000400000-0x00000000008C9000-memory.dmp

Filesize
4.8MB

Download
memory/3888-148-0x0000000001470000-0x0000000001484000-memory.dmp

Filesize
80KB

Download
memory/3888-141-0x000000000041F120-mapping.dmp

Download
memory/3888-145-0x0000000001770000-0x0000000001ABA000-memory.dmp

Filesize
3.3MB

Download
memory/4008-155-0x0000000000000000-mapping.dmp

Download
memory/4792-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads