formbook | d2a40596de9ecbb325f4d6a7dced2a1bccec1cc8f83f786940835e83e1bc05dc

General

Target

d2a40596de9ecbb325f4d6a7dced2a1bccec1cc8f83f786940835e83e1bc05dc.exe
Size

1.1MB
MD5

c2744465d0bedc9aa98714338225a6f3
SHA1

3c50e3d5b630aa6a8015b349b4e18169b6c297da
SHA256

d2a40596de9ecbb325f4d6a7dced2a1bccec1cc8f83f786940835e83e1bc05dc
SHA512

2eacf21b0b560ef3e7652c4e543fea5aad247f35562f746c9cfb178822dba752c14f6dfacd8c699f69af2f2d0d18ccd1b5be1901a1f79fe5951db896c277be03
SSDEEP

24576:iAOcZXp07zxTM+FFyvJjjcepfSjE+vRPGQFV0aBTjWFqwA4:oXzJZFYvhjdqvtGQFV9jWx

Score

10^/10

formbook je14 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

je14

Decoy

innervisionbuildings.com

theenergysocialite.com

565548.com

panghr.com

onlyonesolutions.com

stjohnzone6.com

cnotes.rest

helfeb.online

xixi-s-inc.club

easilyentered.com

theshopx.store

mrclean-ac.com

miamibeachwateradventures.com

jpearce.co.uk

seseragi-bunkou.com

minimaddie.com

commbank-help-849c3.com

segohandelsonderneming.com

namthanhreal.com

fototerapi.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 10 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4384-139-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4384-138-0x0000000000000000-mapping.dmp	formbook
behavioral2/memory/3656-140-0x0000000000400000-0x0000000000A20000-memory.dmp	formbook
behavioral2/memory/3656-141-0x000000000041F120-mapping.dmp	formbook
behavioral2/memory/3656-144-0x0000000000400000-0x0000000000A20000-memory.dmp	formbook
behavioral2/memory/4384-153-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/744-156-0x0000000000B60000-0x0000000000B8F000-memory.dmp	formbook
behavioral2/memory/612-157-0x0000000000170000-0x000000000019F000-memory.dmp	formbook
behavioral2/memory/744-159-0x0000000000B60000-0x0000000000B8F000-memory.dmp	formbook
behavioral2/memory/612-162-0x0000000000170000-0x000000000019F000-memory.dmp	formbook

Executes dropped EXE 1 IoCs

Processes:

eqhxkjjkof.pif

pid process

3220 eqhxkjjkof.pif

pid	process
3220	eqhxkjjkof.pif

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d2a40596de9ecbb325f4d6a7dced2a1bccec1cc8f83f786940835e83e1bc05dc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	d2a40596de9ecbb325f4d6a7dced2a1bccec1cc8f83f786940835e83e1bc05dc.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

eqhxkjjkof.pifRegSvcs.exeRegSvcs.exewscript.exe

description	pid	process	target process
PID 3220 set thread context of 4384	3220	eqhxkjjkof.pif	RegSvcs.exe
PID 3220 set thread context of 3656	3220	eqhxkjjkof.pif	RegSvcs.exe
PID 3656 set thread context of 3036	3656	RegSvcs.exe	Explorer.EXE
PID 4384 set thread context of 3036	4384	RegSvcs.exe	Explorer.EXE
PID 612 set thread context of 3036	612	wscript.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

RegSvcs.exeRegSvcs.exewscript.execmd.exe

pid	process
4384	RegSvcs.exe
4384	RegSvcs.exe
3656	RegSvcs.exe
3656	RegSvcs.exe
3656	RegSvcs.exe
3656	RegSvcs.exe
4384	RegSvcs.exe
4384	RegSvcs.exe
612	wscript.exe
612	wscript.exe
744	cmd.exe
744	cmd.exe
612	wscript.exe
612	wscript.exe
612	wscript.exe
612	wscript.exe
612	wscript.exe
612	wscript.exe
612	wscript.exe
612	wscript.exe
612	wscript.exe
612	wscript.exe
612	wscript.exe
612	wscript.exe
612	wscript.exe
612	wscript.exe
612	wscript.exe
612	wscript.exe
612	wscript.exe
612	wscript.exe
612	wscript.exe
612	wscript.exe
612	wscript.exe
612	wscript.exe
612	wscript.exe
612	wscript.exe
612	wscript.exe
612	wscript.exe
612	wscript.exe
612	wscript.exe
612	wscript.exe
612	wscript.exe
612	wscript.exe
612	wscript.exe
612	wscript.exe
612	wscript.exe
612	wscript.exe
612	wscript.exe
612	wscript.exe
612	wscript.exe
612	wscript.exe
612	wscript.exe
612	wscript.exe
612	wscript.exe
612	wscript.exe
612	wscript.exe
612	wscript.exe
612	wscript.exe
612	wscript.exe
612	wscript.exe
612	wscript.exe
612	wscript.exe
612	wscript.exe
612	wscript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3036 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

RegSvcs.exeRegSvcs.exewscript.exe

pid process

3656 RegSvcs.exe
4384 RegSvcs.exe
3656 RegSvcs.exe
3656 RegSvcs.exe
4384 RegSvcs.exe
4384 RegSvcs.exe
612 wscript.exe
612 wscript.exe

pid	process
3036	Explorer.EXE

pid	process
3656	RegSvcs.exe
4384	RegSvcs.exe
3656	RegSvcs.exe
3656	RegSvcs.exe
4384	RegSvcs.exe
4384	RegSvcs.exe
612	wscript.exe
612	wscript.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

RegSvcs.exeRegSvcs.exeExplorer.EXEwscript.execmd.exe

description	pid	process
Token: SeDebugPrivilege	4384	RegSvcs.exe
Token: SeDebugPrivilege	3656	RegSvcs.exe
Token: SeShutdownPrivilege	3036	Explorer.EXE
Token: SeCreatePagefilePrivilege	3036	Explorer.EXE
Token: SeShutdownPrivilege	3036	Explorer.EXE
Token: SeCreatePagefilePrivilege	3036	Explorer.EXE
Token: SeDebugPrivilege	612	wscript.exe
Token: SeDebugPrivilege	744	cmd.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

d2a40596de9ecbb325f4d6a7dced2a1bccec1cc8f83f786940835e83e1bc05dc.exeeqhxkjjkof.pifExplorer.EXEwscript.exe

description	pid	process	target process
PID 3204 wrote to memory of 3220	3204	d2a40596de9ecbb325f4d6a7dced2a1bccec1cc8f83f786940835e83e1bc05dc.exe	eqhxkjjkof.pif
PID 3204 wrote to memory of 3220	3204	d2a40596de9ecbb325f4d6a7dced2a1bccec1cc8f83f786940835e83e1bc05dc.exe	eqhxkjjkof.pif
PID 3204 wrote to memory of 3220	3204	d2a40596de9ecbb325f4d6a7dced2a1bccec1cc8f83f786940835e83e1bc05dc.exe	eqhxkjjkof.pif
PID 3220 wrote to memory of 3656	3220	eqhxkjjkof.pif	RegSvcs.exe
PID 3220 wrote to memory of 3656	3220	eqhxkjjkof.pif	RegSvcs.exe
PID 3220 wrote to memory of 3656	3220	eqhxkjjkof.pif	RegSvcs.exe
PID 3220 wrote to memory of 4384	3220	eqhxkjjkof.pif	RegSvcs.exe
PID 3220 wrote to memory of 4384	3220	eqhxkjjkof.pif	RegSvcs.exe
PID 3220 wrote to memory of 4384	3220	eqhxkjjkof.pif	RegSvcs.exe
PID 3220 wrote to memory of 4384	3220	eqhxkjjkof.pif	RegSvcs.exe
PID 3220 wrote to memory of 4384	3220	eqhxkjjkof.pif	RegSvcs.exe
PID 3220 wrote to memory of 4384	3220	eqhxkjjkof.pif	RegSvcs.exe
PID 3220 wrote to memory of 3656	3220	eqhxkjjkof.pif	RegSvcs.exe
PID 3220 wrote to memory of 3656	3220	eqhxkjjkof.pif	RegSvcs.exe
PID 3036 wrote to memory of 744	3036	Explorer.EXE	cmd.exe
PID 3036 wrote to memory of 744	3036	Explorer.EXE	cmd.exe
PID 3036 wrote to memory of 744	3036	Explorer.EXE	cmd.exe
PID 3036 wrote to memory of 612	3036	Explorer.EXE	wscript.exe
PID 3036 wrote to memory of 612	3036	Explorer.EXE	wscript.exe
PID 3036 wrote to memory of 612	3036	Explorer.EXE	wscript.exe
PID 612 wrote to memory of 184	612	wscript.exe	cmd.exe
PID 612 wrote to memory of 184	612	wscript.exe	cmd.exe
PID 612 wrote to memory of 184	612	wscript.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3036

C:\Users\Admin\AppData\Local\Temp\d2a40596de9ecbb325f4d6a7dced2a1bccec1cc8f83f786940835e83e1bc05dc.exe
"C:\Users\Admin\AppData\Local\Temp\d2a40596de9ecbb325f4d6a7dced2a1bccec1cc8f83f786940835e83e1bc05dc.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3204

C:\Users\Admin\AppData\Roaming\9_69\eqhxkjjkof.pif
"C:\Users\Admin\AppData\Roaming\9_69\eqhxkjjkof.pif" pjubdliuxm.vxl
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4384

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:744

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:612

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:184

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\9_69\eqhxkjjkof.pif
Filesize
906KB

MD5
f28aa08788132e64db4b8918ee2430b1

SHA1
ef32b1023a89dc36d7c5e98e22845fe87c5efef2

SHA256
f99b9fc041c177f0bee2c82d09f451ef0833696111b1b37cbfff8c975232ece2

SHA512
689cf6118061aa9e7d4b78118db99338aa767433df511610d471a989825a84a53119310248ed3870b10e48e77b47c429ef5a276dbc9c4ec53a7588e16093b50f

Download Submit
C:\Users\Admin\AppData\Roaming\9_69\eqhxkjjkof.pif
Filesize
906KB

MD5
f28aa08788132e64db4b8918ee2430b1

SHA1
ef32b1023a89dc36d7c5e98e22845fe87c5efef2

SHA256
f99b9fc041c177f0bee2c82d09f451ef0833696111b1b37cbfff8c975232ece2

SHA512
689cf6118061aa9e7d4b78118db99338aa767433df511610d471a989825a84a53119310248ed3870b10e48e77b47c429ef5a276dbc9c4ec53a7588e16093b50f

Download Submit
C:\Users\Admin\AppData\Roaming\9_69\hdhvijr.aqo
Filesize
370KB

MD5
7cd5048c8d058a9b417310b6a0a6677e

SHA1
11963e0819174eca2f320b028c484ece23abc834

SHA256
9fd373d752d24341de34a5fc995ba1b32041312a416ca69ccbedd96c0e50ed17

SHA512
b20455dc4a8bc09b009fb7ea6e649ed5d163e88baaaedfb5851da6aedb90523953f580e1eb9244f147782ad036384170ba2f68943be7694cbbb4e794d3ea012c

Download Submit
C:\Users\Admin\AppData\Roaming\9_69\keapunbfxl.xls
Filesize
44KB

MD5
2de51c2b93f68802b282f586c0be4489

SHA1
37733634e559bacd1273f078f8e39b0ba545a09f

SHA256
594dc478a8511e6ead7105bf87a93a746729f64b8eea0f4ce8d489981af4791f

SHA512
7fc91159c5b3c2f1c9e4af18a4e8705b3909035198e05a32f9930592b47dcfac71857c1bc2af62fe0312dda9deb2d87de9639f1727f53daa25f1f675720090de

Download Submit
C:\Users\Admin\AppData\Roaming\9_69\pjubdliuxm.vxl
Filesize
140.7MB

MD5
85de3305ce7b6461a266166d318c6296

SHA1
40d6336acbd0ab4152779d0dd78988ec245f78b0

SHA256
7336e8c7f812f6d657785f5ad22c04f712fbbcb27dc1c4c216b5d1035aa6f86c

SHA512
26c7689c5b3bf5cb9bb19776d2b70ae3d2151bc471e42d6c48e255a4880005bba4d288697e8357480108fa7b289b1973f41ac0151c8073191ae7b4fc07c0d456

Download Submit
memory/184-158-0x0000000000000000-mapping.dmp

Download
memory/612-161-0x0000000002630000-0x000000000297A000-memory.dmp

Filesize
3.3MB

Download
memory/612-162-0x0000000000170000-0x000000000019F000-memory.dmp

Filesize
188KB

Download
memory/612-151-0x0000000000000000-mapping.dmp

Download
memory/612-163-0x00000000023C0000-0x0000000002453000-memory.dmp

Filesize
588KB

Download
memory/612-157-0x0000000000170000-0x000000000019F000-memory.dmp

Filesize
188KB

Download
memory/612-154-0x0000000000AC0000-0x0000000000AE7000-memory.dmp

Filesize
156KB

Download
memory/744-160-0x00000000013E0000-0x000000000172A000-memory.dmp

Filesize
3.3MB

Download
memory/744-159-0x0000000000B60000-0x0000000000B8F000-memory.dmp

Filesize
188KB

Download
memory/744-156-0x0000000000B60000-0x0000000000B8F000-memory.dmp

Filesize
188KB

Download
memory/744-155-0x0000000000160000-0x00000000001BA000-memory.dmp

Filesize
360KB

Download
memory/744-152-0x0000000000000000-mapping.dmp

Download
memory/3036-150-0x0000000008730000-0x00000000088AC000-memory.dmp

Filesize
1.5MB

Download
memory/3036-165-0x00000000088B0000-0x00000000089B4000-memory.dmp

Filesize
1.0MB

Download
memory/3036-149-0x0000000008AD0000-0x0000000008C4C000-memory.dmp

Filesize
1.5MB

Download
memory/3036-164-0x00000000088B0000-0x00000000089B4000-memory.dmp

Filesize
1.0MB

Download
memory/3220-132-0x0000000000000000-mapping.dmp

Download
memory/3656-140-0x0000000000400000-0x0000000000A20000-memory.dmp

Filesize
6.1MB

Download
memory/3656-146-0x00000000015F0000-0x000000000193A000-memory.dmp

Filesize
3.3MB

Download
memory/3656-144-0x0000000000400000-0x0000000000A20000-memory.dmp

Filesize
6.1MB

Download
memory/3656-141-0x000000000041F120-mapping.dmp

Download
memory/3656-147-0x0000000001040000-0x0000000001054000-memory.dmp

Filesize
80KB

Download
memory/4384-145-0x0000000001970000-0x0000000001CBA000-memory.dmp

Filesize
3.3MB

Download
memory/4384-148-0x0000000001930000-0x0000000001944000-memory.dmp

Filesize
80KB

Download
memory/4384-138-0x0000000000000000-mapping.dmp

Download
memory/4384-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4384-153-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads