formbook | b4894e0512db4aba5a1fd05d2415b5ad5f73474d456c9c9ddba8753e5ba37597

General

Target

SecuriteInfo.com.Trojan.Garf.Gen.7.4898.19865.exe
Size

214KB
MD5

6b3d29a22eeea61a865cd1deaef52404
SHA1

2dece08d70ac3a0d45c48d452a0c30a1e53b72e9
SHA256

b4894e0512db4aba5a1fd05d2415b5ad5f73474d456c9c9ddba8753e5ba37597
SHA512

bb16350dc81183e1f95c5d5a320bbfbc7a601f59430aa0436584b8f01e2d014229f60f0eddcf9186edbc01af71b2a4a79b01320e09867b0749a718f6ba0752d6
SSDEEP

6144:qweEpIIIg4H0ppuob6GzeFAQeKjGiaRhIsmN5cxPqO3r:btIdH0Z6GSOQeKqiAhIGCg

Score

10^/10

formbook je14 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

je14

Decoy

innervisionbuildings.com

theenergysocialite.com

565548.com

panghr.com

onlyonesolutions.com

stjohnzone6.com

cnotes.rest

helfeb.online

xixi-s-inc.club

easilyentered.com

theshopx.store

mrclean-ac.com

miamibeachwateradventures.com

jpearce.co.uk

seseragi-bunkou.com

minimaddie.com

commbank-help-849c3.com

segohandelsonderneming.com

namthanhreal.com

fototerapi.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/960-64-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1244-71-0x00000000000D0000-0x00000000000FF000-memory.dmp	formbook
behavioral1/memory/1244-76-0x00000000000D0000-0x00000000000FF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

bhltrjq.exebhltrjq.exe

pid process

1752 bhltrjq.exe
960 bhltrjq.exe
Loads dropped DLL 2 IoCs

Processes:

SecuriteInfo.com.Trojan.Garf.Gen.7.4898.19865.exebhltrjq.exe

pid process

1448 SecuriteInfo.com.Trojan.Garf.Gen.7.4898.19865.exe
1752 bhltrjq.exe

pid	process
1752	bhltrjq.exe
960	bhltrjq.exe

pid	process
1448	SecuriteInfo.com.Trojan.Garf.Gen.7.4898.19865.exe
1752	bhltrjq.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

bhltrjq.exebhltrjq.execmstp.exe

description	pid	process	target process
PID 1752 set thread context of 960	1752	bhltrjq.exe	bhltrjq.exe
PID 960 set thread context of 1392	960	bhltrjq.exe	Explorer.EXE
PID 1244 set thread context of 1392	1244	cmstp.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

bhltrjq.execmstp.exe

pid	process
960	bhltrjq.exe
960	bhltrjq.exe
1244	cmstp.exe
1244	cmstp.exe
1244	cmstp.exe
1244	cmstp.exe
1244	cmstp.exe
1244	cmstp.exe
1244	cmstp.exe
1244	cmstp.exe
1244	cmstp.exe
1244	cmstp.exe
1244	cmstp.exe
1244	cmstp.exe
1244	cmstp.exe
1244	cmstp.exe
1244	cmstp.exe
1244	cmstp.exe
1244	cmstp.exe
1244	cmstp.exe
1244	cmstp.exe
1244	cmstp.exe
1244	cmstp.exe
1244	cmstp.exe
1244	cmstp.exe
1244	cmstp.exe
1244	cmstp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1392 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

bhltrjq.exebhltrjq.execmstp.exe

pid process

1752 bhltrjq.exe
960 bhltrjq.exe
960 bhltrjq.exe
960 bhltrjq.exe
1244 cmstp.exe
1244 cmstp.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

bhltrjq.execmstp.exe

description pid process

Token: SeDebugPrivilege 960 bhltrjq.exe
Token: SeDebugPrivilege 1244 cmstp.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1392 Explorer.EXE
1392 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1392 Explorer.EXE
1392 Explorer.EXE

pid	process
1392	Explorer.EXE

pid	process
1752	bhltrjq.exe
960	bhltrjq.exe
960	bhltrjq.exe
960	bhltrjq.exe
1244	cmstp.exe
1244	cmstp.exe

description	pid	process
Token: SeDebugPrivilege	960	bhltrjq.exe
Token: SeDebugPrivilege	1244	cmstp.exe

pid	process
1392	Explorer.EXE
1392	Explorer.EXE

pid	process
1392	Explorer.EXE
1392	Explorer.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

SecuriteInfo.com.Trojan.Garf.Gen.7.4898.19865.exebhltrjq.exeExplorer.EXEcmstp.exe

description	pid	process	target process
PID 1448 wrote to memory of 1752	1448	SecuriteInfo.com.Trojan.Garf.Gen.7.4898.19865.exe	bhltrjq.exe
PID 1448 wrote to memory of 1752	1448	SecuriteInfo.com.Trojan.Garf.Gen.7.4898.19865.exe	bhltrjq.exe
PID 1448 wrote to memory of 1752	1448	SecuriteInfo.com.Trojan.Garf.Gen.7.4898.19865.exe	bhltrjq.exe
PID 1448 wrote to memory of 1752	1448	SecuriteInfo.com.Trojan.Garf.Gen.7.4898.19865.exe	bhltrjq.exe
PID 1752 wrote to memory of 960	1752	bhltrjq.exe	bhltrjq.exe
PID 1752 wrote to memory of 960	1752	bhltrjq.exe	bhltrjq.exe
PID 1752 wrote to memory of 960	1752	bhltrjq.exe	bhltrjq.exe
PID 1752 wrote to memory of 960	1752	bhltrjq.exe	bhltrjq.exe
PID 1752 wrote to memory of 960	1752	bhltrjq.exe	bhltrjq.exe
PID 1392 wrote to memory of 1244	1392	Explorer.EXE	cmstp.exe
PID 1392 wrote to memory of 1244	1392	Explorer.EXE	cmstp.exe
PID 1392 wrote to memory of 1244	1392	Explorer.EXE	cmstp.exe
PID 1392 wrote to memory of 1244	1392	Explorer.EXE	cmstp.exe
PID 1392 wrote to memory of 1244	1392	Explorer.EXE	cmstp.exe
PID 1392 wrote to memory of 1244	1392	Explorer.EXE	cmstp.exe
PID 1392 wrote to memory of 1244	1392	Explorer.EXE	cmstp.exe
PID 1244 wrote to memory of 1152	1244	cmstp.exe	cmd.exe
PID 1244 wrote to memory of 1152	1244	cmstp.exe	cmd.exe
PID 1244 wrote to memory of 1152	1244	cmstp.exe	cmd.exe
PID 1244 wrote to memory of 1152	1244	cmstp.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1392

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Garf.Gen.7.4898.19865.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Garf.Gen.7.4898.19865.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1448

C:\Users\Admin\AppData\Local\Temp\bhltrjq.exe
"C:\Users\Admin\AppData\Local\Temp\bhltrjq.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1752

C:\Users\Admin\AppData\Local\Temp\bhltrjq.exe
"C:\Users\Admin\AppData\Local\Temp\bhltrjq.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:960

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1244

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\bhltrjq.exe"
3⤵
PID:1152

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bhltrjq.exe
Filesize
7KB

MD5
9d861b82ea38bfc26ec676c80bb32987

SHA1
9c8460764141b51b2bd84ab8f935c455574daf08

SHA256
68442590d49dde3a3834a3841f367405d8098ed8cd1bb8fcdbe191b6e7f4545f

SHA512
eded9b3bdc31fc7b993fc716452f6df09695340d1374cd9100f325eed4c768b3f1765383a4eed556730bfcc0999b8430b79acce3fd53125a11e011bc6f6e8c10

Download Submit
C:\Users\Admin\AppData\Local\Temp\bhltrjq.exe
Filesize
7KB

MD5
9d861b82ea38bfc26ec676c80bb32987

SHA1
9c8460764141b51b2bd84ab8f935c455574daf08

SHA256
68442590d49dde3a3834a3841f367405d8098ed8cd1bb8fcdbe191b6e7f4545f

SHA512
eded9b3bdc31fc7b993fc716452f6df09695340d1374cd9100f325eed4c768b3f1765383a4eed556730bfcc0999b8430b79acce3fd53125a11e011bc6f6e8c10

Download Submit
C:\Users\Admin\AppData\Local\Temp\bhltrjq.exe
Filesize
7KB

MD5
9d861b82ea38bfc26ec676c80bb32987

SHA1
9c8460764141b51b2bd84ab8f935c455574daf08

SHA256
68442590d49dde3a3834a3841f367405d8098ed8cd1bb8fcdbe191b6e7f4545f

SHA512
eded9b3bdc31fc7b993fc716452f6df09695340d1374cd9100f325eed4c768b3f1765383a4eed556730bfcc0999b8430b79acce3fd53125a11e011bc6f6e8c10

Download Submit
C:\Users\Admin\AppData\Local\Temp\zjkxypvsinp.fa
Filesize
185KB

MD5
b79e7182bcc2361b01094fea856666d9

SHA1
954aad476f20d570a00fd45fc69141d4153cc9c1

SHA256
196aadf971787f7d8f40d12d82b65e62a7845fb6c9c9eb54076179a54d83cb6d

SHA512
30c0446f3113bcd69d1d74e6a9e9ee8b121b08ce2403e4076a74bf8bdf34d7fa67ea37e2291482a025193f4d515984b7124b109e82a8f0895be65b86b30277a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zltqwutxiat.ow
Filesize
5KB

MD5
8c5aa4d7bfde90f90bcadd4bd8cd0436

SHA1
bd996fa856445aba197c2b2e098cdb765034b8ec

SHA256
e3f2f6799c943952de4a4b38a29febccc171d6caabae3d84183bf009b3b428bb

SHA512
98194b83d8164b70bf1458135b8a495a1c99a89be069e1b2d6a4dbc843b31dd2dc0254b50800bbe6dc974bc2c9867ca2018ff060bb40bd7f3dd475fd9fc047df

Download Submit
\Users\Admin\AppData\Local\Temp\bhltrjq.exe
Filesize
7KB

MD5
9d861b82ea38bfc26ec676c80bb32987

SHA1
9c8460764141b51b2bd84ab8f935c455574daf08

SHA256
68442590d49dde3a3834a3841f367405d8098ed8cd1bb8fcdbe191b6e7f4545f

SHA512
eded9b3bdc31fc7b993fc716452f6df09695340d1374cd9100f325eed4c768b3f1765383a4eed556730bfcc0999b8430b79acce3fd53125a11e011bc6f6e8c10

Download Submit
\Users\Admin\AppData\Local\Temp\bhltrjq.exe
Filesize
7KB

MD5
9d861b82ea38bfc26ec676c80bb32987

SHA1
9c8460764141b51b2bd84ab8f935c455574daf08

SHA256
68442590d49dde3a3834a3841f367405d8098ed8cd1bb8fcdbe191b6e7f4545f

SHA512
eded9b3bdc31fc7b993fc716452f6df09695340d1374cd9100f325eed4c768b3f1765383a4eed556730bfcc0999b8430b79acce3fd53125a11e011bc6f6e8c10

Download Submit
memory/960-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/960-65-0x0000000000910000-0x0000000000C13000-memory.dmp

Filesize
3.0MB

Download
memory/960-62-0x000000000041F120-mapping.dmp

Download
memory/960-66-0x0000000000350000-0x0000000000364000-memory.dmp

Filesize
80KB

Download
memory/1152-72-0x0000000000000000-mapping.dmp

Download
memory/1244-68-0x0000000000000000-mapping.dmp

Download
memory/1244-70-0x0000000000DC0000-0x0000000000DD8000-memory.dmp

Filesize
96KB

Download
memory/1244-71-0x00000000000D0000-0x00000000000FF000-memory.dmp

Filesize
188KB

Download
memory/1244-73-0x00000000021E0000-0x00000000024E3000-memory.dmp

Filesize
3.0MB

Download
memory/1244-74-0x00000000009D0000-0x0000000000A63000-memory.dmp

Filesize
588KB

Download
memory/1244-76-0x00000000000D0000-0x00000000000FF000-memory.dmp

Filesize
188KB

Download
memory/1392-67-0x0000000004E20000-0x0000000004F36000-memory.dmp

Filesize
1.1MB

Download
memory/1392-75-0x00000000049A0000-0x0000000004A58000-memory.dmp

Filesize
736KB

Download
memory/1392-77-0x00000000049A0000-0x0000000004A58000-memory.dmp

Filesize
736KB

Download
memory/1448-54-0x00000000758B1000-0x00000000758B3000-memory.dmp

Filesize
8KB

Download
memory/1752-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads