formbook | d2a40596de9ecbb325f4d6a7dced2a1bccec1cc8f83f786940835e83e1bc05dc

General

Target

d2a40596de9ecbb325f4d6a7dced2a1bccec1cc8f83f786940835e83e1bc05dc.exe
Size

1.1MB
MD5

c2744465d0bedc9aa98714338225a6f3
SHA1

3c50e3d5b630aa6a8015b349b4e18169b6c297da
SHA256

d2a40596de9ecbb325f4d6a7dced2a1bccec1cc8f83f786940835e83e1bc05dc
SHA512

2eacf21b0b560ef3e7652c4e543fea5aad247f35562f746c9cfb178822dba752c14f6dfacd8c699f69af2f2d0d18ccd1b5be1901a1f79fe5951db896c277be03
SSDEEP

24576:iAOcZXp07zxTM+FFyvJjjcepfSjE+vRPGQFV0aBTjWFqwA4:oXzJZFYvhjdqvtGQFV9jWx

Score

10^/10

formbook je14 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

je14

Decoy

innervisionbuildings.com

theenergysocialite.com

565548.com

panghr.com

onlyonesolutions.com

stjohnzone6.com

cnotes.rest

helfeb.online

xixi-s-inc.club

easilyentered.com

theshopx.store

mrclean-ac.com

miamibeachwateradventures.com

jpearce.co.uk

seseragi-bunkou.com

minimaddie.com

commbank-help-849c3.com

segohandelsonderneming.com

namthanhreal.com

fototerapi.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 9 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1784-68-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1784-69-0x000000000041F120-mapping.dmp	formbook
behavioral1/memory/940-72-0x0000000000400000-0x0000000000ADC000-memory.dmp	formbook
behavioral1/memory/940-73-0x000000000041F120-mapping.dmp	formbook
behavioral1/memory/940-76-0x0000000000400000-0x0000000000ADC000-memory.dmp	formbook
behavioral1/memory/2016-86-0x00000000000C0000-0x00000000000EF000-memory.dmp	formbook
behavioral1/memory/1784-88-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1044-91-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/2016-96-0x00000000000C0000-0x00000000000EF000-memory.dmp	formbook

Executes dropped EXE 1 IoCs

Processes:

eqhxkjjkof.pif

pid process

1736 eqhxkjjkof.pif

pid	process
1736	eqhxkjjkof.pif

Loads dropped DLL 4 IoCs

Processes:

d2a40596de9ecbb325f4d6a7dced2a1bccec1cc8f83f786940835e83e1bc05dc.exe

pid	process
1608	d2a40596de9ecbb325f4d6a7dced2a1bccec1cc8f83f786940835e83e1bc05dc.exe
1608	d2a40596de9ecbb325f4d6a7dced2a1bccec1cc8f83f786940835e83e1bc05dc.exe
1608	d2a40596de9ecbb325f4d6a7dced2a1bccec1cc8f83f786940835e83e1bc05dc.exe
1608	d2a40596de9ecbb325f4d6a7dced2a1bccec1cc8f83f786940835e83e1bc05dc.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

eqhxkjjkof.pifRegSvcs.exeRegSvcs.exeipconfig.exe

description	pid	process	target process
PID 1736 set thread context of 1784	1736	eqhxkjjkof.pif	RegSvcs.exe
PID 1736 set thread context of 940	1736	eqhxkjjkof.pif	RegSvcs.exe
PID 940 set thread context of 1352	940	RegSvcs.exe	Explorer.EXE
PID 1784 set thread context of 1352	1784	RegSvcs.exe	Explorer.EXE
PID 2016 set thread context of 1352	2016	ipconfig.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

2016 ipconfig.exe

pid	process
2016	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

RegSvcs.exeRegSvcs.exeipconfig.exeNAPSTAT.EXE

pid	process
1784	RegSvcs.exe
940	RegSvcs.exe
1784	RegSvcs.exe
940	RegSvcs.exe
2016	ipconfig.exe
1044	NAPSTAT.EXE
2016	ipconfig.exe
2016	ipconfig.exe
2016	ipconfig.exe
2016	ipconfig.exe
2016	ipconfig.exe
2016	ipconfig.exe
2016	ipconfig.exe
2016	ipconfig.exe
2016	ipconfig.exe
2016	ipconfig.exe
2016	ipconfig.exe
2016	ipconfig.exe
2016	ipconfig.exe
2016	ipconfig.exe
2016	ipconfig.exe
2016	ipconfig.exe
2016	ipconfig.exe
2016	ipconfig.exe
2016	ipconfig.exe
2016	ipconfig.exe
2016	ipconfig.exe
2016	ipconfig.exe
2016	ipconfig.exe

Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

RegSvcs.exeRegSvcs.exeipconfig.exe

pid process

940 RegSvcs.exe
1784 RegSvcs.exe
940 RegSvcs.exe
940 RegSvcs.exe
1784 RegSvcs.exe
1784 RegSvcs.exe
2016 ipconfig.exe
2016 ipconfig.exe

pid	process
940	RegSvcs.exe
1784	RegSvcs.exe
940	RegSvcs.exe
940	RegSvcs.exe
1784	RegSvcs.exe
1784	RegSvcs.exe
2016	ipconfig.exe
2016	ipconfig.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

RegSvcs.exeRegSvcs.exeipconfig.exeNAPSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	1784	RegSvcs.exe
Token: SeDebugPrivilege	940	RegSvcs.exe
Token: SeDebugPrivilege	2016	ipconfig.exe
Token: SeDebugPrivilege	1044	NAPSTAT.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1352 Explorer.EXE
1352 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1352 Explorer.EXE
1352 Explorer.EXE

pid	process
1352	Explorer.EXE
1352	Explorer.EXE

pid	process
1352	Explorer.EXE
1352	Explorer.EXE

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

d2a40596de9ecbb325f4d6a7dced2a1bccec1cc8f83f786940835e83e1bc05dc.exeeqhxkjjkof.pifExplorer.EXEipconfig.exe

description	pid	process	target process
PID 1608 wrote to memory of 1736	1608	d2a40596de9ecbb325f4d6a7dced2a1bccec1cc8f83f786940835e83e1bc05dc.exe	eqhxkjjkof.pif
PID 1608 wrote to memory of 1736	1608	d2a40596de9ecbb325f4d6a7dced2a1bccec1cc8f83f786940835e83e1bc05dc.exe	eqhxkjjkof.pif
PID 1608 wrote to memory of 1736	1608	d2a40596de9ecbb325f4d6a7dced2a1bccec1cc8f83f786940835e83e1bc05dc.exe	eqhxkjjkof.pif
PID 1608 wrote to memory of 1736	1608	d2a40596de9ecbb325f4d6a7dced2a1bccec1cc8f83f786940835e83e1bc05dc.exe	eqhxkjjkof.pif
PID 1608 wrote to memory of 1736	1608	d2a40596de9ecbb325f4d6a7dced2a1bccec1cc8f83f786940835e83e1bc05dc.exe	eqhxkjjkof.pif
PID 1608 wrote to memory of 1736	1608	d2a40596de9ecbb325f4d6a7dced2a1bccec1cc8f83f786940835e83e1bc05dc.exe	eqhxkjjkof.pif
PID 1608 wrote to memory of 1736	1608	d2a40596de9ecbb325f4d6a7dced2a1bccec1cc8f83f786940835e83e1bc05dc.exe	eqhxkjjkof.pif
PID 1736 wrote to memory of 940	1736	eqhxkjjkof.pif	RegSvcs.exe
PID 1736 wrote to memory of 940	1736	eqhxkjjkof.pif	RegSvcs.exe
PID 1736 wrote to memory of 940	1736	eqhxkjjkof.pif	RegSvcs.exe
PID 1736 wrote to memory of 940	1736	eqhxkjjkof.pif	RegSvcs.exe
PID 1736 wrote to memory of 940	1736	eqhxkjjkof.pif	RegSvcs.exe
PID 1736 wrote to memory of 940	1736	eqhxkjjkof.pif	RegSvcs.exe
PID 1736 wrote to memory of 940	1736	eqhxkjjkof.pif	RegSvcs.exe
PID 1736 wrote to memory of 1784	1736	eqhxkjjkof.pif	RegSvcs.exe
PID 1736 wrote to memory of 1784	1736	eqhxkjjkof.pif	RegSvcs.exe
PID 1736 wrote to memory of 1784	1736	eqhxkjjkof.pif	RegSvcs.exe
PID 1736 wrote to memory of 1784	1736	eqhxkjjkof.pif	RegSvcs.exe
PID 1736 wrote to memory of 1784	1736	eqhxkjjkof.pif	RegSvcs.exe
PID 1736 wrote to memory of 1784	1736	eqhxkjjkof.pif	RegSvcs.exe
PID 1736 wrote to memory of 1784	1736	eqhxkjjkof.pif	RegSvcs.exe
PID 1736 wrote to memory of 1784	1736	eqhxkjjkof.pif	RegSvcs.exe
PID 1736 wrote to memory of 1784	1736	eqhxkjjkof.pif	RegSvcs.exe
PID 1736 wrote to memory of 1784	1736	eqhxkjjkof.pif	RegSvcs.exe
PID 1736 wrote to memory of 940	1736	eqhxkjjkof.pif	RegSvcs.exe
PID 1736 wrote to memory of 940	1736	eqhxkjjkof.pif	RegSvcs.exe
PID 1352 wrote to memory of 1044	1352	Explorer.EXE	NAPSTAT.EXE
PID 1352 wrote to memory of 1044	1352	Explorer.EXE	NAPSTAT.EXE
PID 1352 wrote to memory of 1044	1352	Explorer.EXE	NAPSTAT.EXE
PID 1352 wrote to memory of 1044	1352	Explorer.EXE	NAPSTAT.EXE
PID 1352 wrote to memory of 2016	1352	Explorer.EXE	ipconfig.exe
PID 1352 wrote to memory of 2016	1352	Explorer.EXE	ipconfig.exe
PID 1352 wrote to memory of 2016	1352	Explorer.EXE	ipconfig.exe
PID 1352 wrote to memory of 2016	1352	Explorer.EXE	ipconfig.exe
PID 2016 wrote to memory of 1420	2016	ipconfig.exe	cmd.exe
PID 2016 wrote to memory of 1420	2016	ipconfig.exe	cmd.exe
PID 2016 wrote to memory of 1420	2016	ipconfig.exe	cmd.exe
PID 2016 wrote to memory of 1420	2016	ipconfig.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1352

C:\Users\Admin\AppData\Local\Temp\d2a40596de9ecbb325f4d6a7dced2a1bccec1cc8f83f786940835e83e1bc05dc.exe
"C:\Users\Admin\AppData\Local\Temp\d2a40596de9ecbb325f4d6a7dced2a1bccec1cc8f83f786940835e83e1bc05dc.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1608

C:\Users\Admin\AppData\Roaming\9_69\eqhxkjjkof.pif
"C:\Users\Admin\AppData\Roaming\9_69\eqhxkjjkof.pif" pjubdliuxm.vxl
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:1420

C:\Windows\SysWOW64\NAPSTAT.EXE
"C:\Windows\SysWOW64\NAPSTAT.EXE"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\9_69\eqhxkjjkof.pif
Filesize
906KB

MD5
f28aa08788132e64db4b8918ee2430b1

SHA1
ef32b1023a89dc36d7c5e98e22845fe87c5efef2

SHA256
f99b9fc041c177f0bee2c82d09f451ef0833696111b1b37cbfff8c975232ece2

SHA512
689cf6118061aa9e7d4b78118db99338aa767433df511610d471a989825a84a53119310248ed3870b10e48e77b47c429ef5a276dbc9c4ec53a7588e16093b50f

Download Submit
C:\Users\Admin\AppData\Roaming\9_69\hdhvijr.aqo
Filesize
370KB

MD5
7cd5048c8d058a9b417310b6a0a6677e

SHA1
11963e0819174eca2f320b028c484ece23abc834

SHA256
9fd373d752d24341de34a5fc995ba1b32041312a416ca69ccbedd96c0e50ed17

SHA512
b20455dc4a8bc09b009fb7ea6e649ed5d163e88baaaedfb5851da6aedb90523953f580e1eb9244f147782ad036384170ba2f68943be7694cbbb4e794d3ea012c

Download Submit
C:\Users\Admin\AppData\Roaming\9_69\keapunbfxl.xls
Filesize
44KB

MD5
2de51c2b93f68802b282f586c0be4489

SHA1
37733634e559bacd1273f078f8e39b0ba545a09f

SHA256
594dc478a8511e6ead7105bf87a93a746729f64b8eea0f4ce8d489981af4791f

SHA512
7fc91159c5b3c2f1c9e4af18a4e8705b3909035198e05a32f9930592b47dcfac71857c1bc2af62fe0312dda9deb2d87de9639f1727f53daa25f1f675720090de

Download Submit
C:\Users\Admin\AppData\Roaming\9_69\pjubdliuxm.vxl
Filesize
140.7MB

MD5
85de3305ce7b6461a266166d318c6296

SHA1
40d6336acbd0ab4152779d0dd78988ec245f78b0

SHA256
7336e8c7f812f6d657785f5ad22c04f712fbbcb27dc1c4c216b5d1035aa6f86c

SHA512
26c7689c5b3bf5cb9bb19776d2b70ae3d2151bc471e42d6c48e255a4880005bba4d288697e8357480108fa7b289b1973f41ac0151c8073191ae7b4fc07c0d456

Download Submit
\Users\Admin\AppData\Roaming\9_69\eqhxkjjkof.pif
Filesize
906KB

MD5
f28aa08788132e64db4b8918ee2430b1

SHA1
ef32b1023a89dc36d7c5e98e22845fe87c5efef2

SHA256
f99b9fc041c177f0bee2c82d09f451ef0833696111b1b37cbfff8c975232ece2

SHA512
689cf6118061aa9e7d4b78118db99338aa767433df511610d471a989825a84a53119310248ed3870b10e48e77b47c429ef5a276dbc9c4ec53a7588e16093b50f

Download Submit
\Users\Admin\AppData\Roaming\9_69\eqhxkjjkof.pif
Filesize
906KB

MD5
f28aa08788132e64db4b8918ee2430b1

SHA1
ef32b1023a89dc36d7c5e98e22845fe87c5efef2

SHA256
f99b9fc041c177f0bee2c82d09f451ef0833696111b1b37cbfff8c975232ece2

SHA512
689cf6118061aa9e7d4b78118db99338aa767433df511610d471a989825a84a53119310248ed3870b10e48e77b47c429ef5a276dbc9c4ec53a7588e16093b50f

Download Submit
\Users\Admin\AppData\Roaming\9_69\eqhxkjjkof.pif
Filesize
906KB

MD5
f28aa08788132e64db4b8918ee2430b1

SHA1
ef32b1023a89dc36d7c5e98e22845fe87c5efef2

SHA256
f99b9fc041c177f0bee2c82d09f451ef0833696111b1b37cbfff8c975232ece2

SHA512
689cf6118061aa9e7d4b78118db99338aa767433df511610d471a989825a84a53119310248ed3870b10e48e77b47c429ef5a276dbc9c4ec53a7588e16093b50f

Download Submit
\Users\Admin\AppData\Roaming\9_69\eqhxkjjkof.pif
Filesize
906KB

MD5
f28aa08788132e64db4b8918ee2430b1

SHA1
ef32b1023a89dc36d7c5e98e22845fe87c5efef2

SHA256
f99b9fc041c177f0bee2c82d09f451ef0833696111b1b37cbfff8c975232ece2

SHA512
689cf6118061aa9e7d4b78118db99338aa767433df511610d471a989825a84a53119310248ed3870b10e48e77b47c429ef5a276dbc9c4ec53a7588e16093b50f

Download Submit
memory/940-79-0x00000000001A0000-0x00000000001B4000-memory.dmp

Filesize
80KB

Download
memory/940-70-0x0000000000400000-0x0000000000ADC000-memory.dmp

Filesize
6.9MB

Download
memory/940-78-0x0000000000FC0000-0x00000000012C3000-memory.dmp

Filesize
3.0MB

Download
memory/940-76-0x0000000000400000-0x0000000000ADC000-memory.dmp

Filesize
6.9MB

Download
memory/940-73-0x000000000041F120-mapping.dmp

Download
memory/940-72-0x0000000000400000-0x0000000000ADC000-memory.dmp

Filesize
6.9MB

Download
memory/1044-89-0x0000000000540000-0x0000000000586000-memory.dmp

Filesize
280KB

Download
memory/1044-91-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1044-87-0x0000000000000000-mapping.dmp

Download
memory/1044-90-0x0000000001F90000-0x0000000002293000-memory.dmp

Filesize
3.0MB

Download
memory/1352-95-0x0000000004D90000-0x0000000004EEF000-memory.dmp

Filesize
1.4MB

Download
memory/1352-82-0x0000000003F80000-0x0000000004047000-memory.dmp

Filesize
796KB

Download
memory/1352-97-0x0000000004D90000-0x0000000004EEF000-memory.dmp

Filesize
1.4MB

Download
memory/1352-81-0x0000000004C10000-0x0000000004D89000-memory.dmp

Filesize
1.5MB

Download
memory/1420-92-0x0000000000000000-mapping.dmp

Download
memory/1608-54-0x0000000075A91000-0x0000000075A93000-memory.dmp

Filesize
8KB

Download
memory/1736-59-0x0000000000000000-mapping.dmp

Download
memory/1784-77-0x0000000000AE0000-0x0000000000DE3000-memory.dmp

Filesize
3.0MB

Download
memory/1784-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1784-80-0x00000000001A0000-0x00000000001B4000-memory.dmp

Filesize
80KB

Download
memory/1784-69-0x000000000041F120-mapping.dmp

Download
memory/1784-68-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1784-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1784-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2016-86-0x00000000000C0000-0x00000000000EF000-memory.dmp

Filesize
188KB

Download
memory/2016-85-0x0000000000D70000-0x0000000000D7A000-memory.dmp

Filesize
40KB

Download
memory/2016-83-0x0000000000000000-mapping.dmp

Download
memory/2016-93-0x0000000002180000-0x0000000002483000-memory.dmp

Filesize
3.0MB

Download
memory/2016-94-0x00000000009C0000-0x0000000000A53000-memory.dmp

Filesize
588KB

Download
memory/2016-96-0x00000000000C0000-0x00000000000EF000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads