formbook | da5141ac63120c792dcd641d11962804126ad650211651c27d264f18354cd2a8

General

Target

SecuriteInfo.com.Gen.Variant.Nemesis.2757.17275.19129.exe
Size

261KB
MD5

776a8a04a8b1138f49dd918ed437cc83
SHA1

e0f781ae75f7289946349579a3f48d155a5f372f
SHA256

da5141ac63120c792dcd641d11962804126ad650211651c27d264f18354cd2a8
SHA512

3c88a85093a4fc95bd2a2e9c894933e407ab3b822e69657e5f6cc4bc87838c8aec353131d06e614cb2b9c5e743f580ed9379169a765ed368cae9e5c24e342282
SSDEEP

6144:MEa0NflUKT9Imaq6e9KfScqCR0L943FrLhMtuwL4EbzoalbkgYG:XbT9ImnmacqCK43FLqCEbkalbV

Score

10^/10

formbook je14 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

je14

Decoy

innervisionbuildings.com

theenergysocialite.com

565548.com

panghr.com

onlyonesolutions.com

stjohnzone6.com

cnotes.rest

helfeb.online

xixi-s-inc.club

easilyentered.com

theshopx.store

mrclean-ac.com

miamibeachwateradventures.com

jpearce.co.uk

seseragi-bunkou.com

minimaddie.com

commbank-help-849c3.com

segohandelsonderneming.com

namthanhreal.com

fototerapi.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1712-64-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1572-71-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/1572-76-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

mswteajr.exemswteajr.exe

pid process

1160 mswteajr.exe
1712 mswteajr.exe
Loads dropped DLL 2 IoCs

Processes:

SecuriteInfo.com.Gen.Variant.Nemesis.2757.17275.19129.exemswteajr.exe

pid process

1576 SecuriteInfo.com.Gen.Variant.Nemesis.2757.17275.19129.exe
1160 mswteajr.exe

pid	process
1160	mswteajr.exe
1712	mswteajr.exe

pid	process
1576	SecuriteInfo.com.Gen.Variant.Nemesis.2757.17275.19129.exe
1160	mswteajr.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

mswteajr.exemswteajr.exeraserver.exe

description	pid	process	target process
PID 1160 set thread context of 1712	1160	mswteajr.exe	mswteajr.exe
PID 1712 set thread context of 1276	1712	mswteajr.exe	Explorer.EXE
PID 1572 set thread context of 1276	1572	raserver.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

mswteajr.exeraserver.exe

pid	process
1712	mswteajr.exe
1712	mswteajr.exe
1572	raserver.exe
1572	raserver.exe
1572	raserver.exe
1572	raserver.exe
1572	raserver.exe
1572	raserver.exe
1572	raserver.exe
1572	raserver.exe
1572	raserver.exe
1572	raserver.exe
1572	raserver.exe
1572	raserver.exe
1572	raserver.exe
1572	raserver.exe
1572	raserver.exe
1572	raserver.exe
1572	raserver.exe
1572	raserver.exe
1572	raserver.exe
1572	raserver.exe
1572	raserver.exe
1572	raserver.exe
1572	raserver.exe
1572	raserver.exe
1572	raserver.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

mswteajr.exemswteajr.exeraserver.exe

pid process

1160 mswteajr.exe
1712 mswteajr.exe
1712 mswteajr.exe
1712 mswteajr.exe
1572 raserver.exe
1572 raserver.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

mswteajr.exeraserver.exe

description pid process

Token: SeDebugPrivilege 1712 mswteajr.exe
Token: SeDebugPrivilege 1572 raserver.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1276 Explorer.EXE
1276 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1276 Explorer.EXE
1276 Explorer.EXE

pid	process
1160	mswteajr.exe
1712	mswteajr.exe
1712	mswteajr.exe
1712	mswteajr.exe
1572	raserver.exe
1572	raserver.exe

description	pid	process
Token: SeDebugPrivilege	1712	mswteajr.exe
Token: SeDebugPrivilege	1572	raserver.exe

pid	process
1276	Explorer.EXE
1276	Explorer.EXE

pid	process
1276	Explorer.EXE
1276	Explorer.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

SecuriteInfo.com.Gen.Variant.Nemesis.2757.17275.19129.exemswteajr.exeExplorer.EXEraserver.exe

description	pid	process	target process
PID 1576 wrote to memory of 1160	1576	SecuriteInfo.com.Gen.Variant.Nemesis.2757.17275.19129.exe	mswteajr.exe
PID 1576 wrote to memory of 1160	1576	SecuriteInfo.com.Gen.Variant.Nemesis.2757.17275.19129.exe	mswteajr.exe
PID 1576 wrote to memory of 1160	1576	SecuriteInfo.com.Gen.Variant.Nemesis.2757.17275.19129.exe	mswteajr.exe
PID 1576 wrote to memory of 1160	1576	SecuriteInfo.com.Gen.Variant.Nemesis.2757.17275.19129.exe	mswteajr.exe
PID 1160 wrote to memory of 1712	1160	mswteajr.exe	mswteajr.exe
PID 1160 wrote to memory of 1712	1160	mswteajr.exe	mswteajr.exe
PID 1160 wrote to memory of 1712	1160	mswteajr.exe	mswteajr.exe
PID 1160 wrote to memory of 1712	1160	mswteajr.exe	mswteajr.exe
PID 1160 wrote to memory of 1712	1160	mswteajr.exe	mswteajr.exe
PID 1276 wrote to memory of 1572	1276	Explorer.EXE	raserver.exe
PID 1276 wrote to memory of 1572	1276	Explorer.EXE	raserver.exe
PID 1276 wrote to memory of 1572	1276	Explorer.EXE	raserver.exe
PID 1276 wrote to memory of 1572	1276	Explorer.EXE	raserver.exe
PID 1572 wrote to memory of 1432	1572	raserver.exe	cmd.exe
PID 1572 wrote to memory of 1432	1572	raserver.exe	cmd.exe
PID 1572 wrote to memory of 1432	1572	raserver.exe	cmd.exe
PID 1572 wrote to memory of 1432	1572	raserver.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1276

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Variant.Nemesis.2757.17275.19129.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Variant.Nemesis.2757.17275.19129.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1576

C:\Users\Admin\AppData\Local\Temp\mswteajr.exe
"C:\Users\Admin\AppData\Local\Temp\mswteajr.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1160

C:\Users\Admin\AppData\Local\Temp\mswteajr.exe
"C:\Users\Admin\AppData\Local\Temp\mswteajr.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\mswteajr.exe"
3⤵
PID:1432

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mswteajr.exe
Filesize
72KB

MD5
075a7da95f2a03eb3b6e47ed076c3ca0

SHA1
1e27e909c51bbd3dd7e36ad2a277c55a8e0e9720

SHA256
48ad1ef9c53284c357cce078a9fbde27642a9c49dd2b7bc1163c06c98d0d82c5

SHA512
aed0afd7379769e031f291761d5ebd974730258a38f16588b8e65bd6f4606e307f77930674ee58c18081fee454f17614d75bba29ed5e48f1c4543aa7bc274f9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mswteajr.exe
Filesize
72KB

MD5
075a7da95f2a03eb3b6e47ed076c3ca0

SHA1
1e27e909c51bbd3dd7e36ad2a277c55a8e0e9720

SHA256
48ad1ef9c53284c357cce078a9fbde27642a9c49dd2b7bc1163c06c98d0d82c5

SHA512
aed0afd7379769e031f291761d5ebd974730258a38f16588b8e65bd6f4606e307f77930674ee58c18081fee454f17614d75bba29ed5e48f1c4543aa7bc274f9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mswteajr.exe
Filesize
72KB

MD5
075a7da95f2a03eb3b6e47ed076c3ca0

SHA1
1e27e909c51bbd3dd7e36ad2a277c55a8e0e9720

SHA256
48ad1ef9c53284c357cce078a9fbde27642a9c49dd2b7bc1163c06c98d0d82c5

SHA512
aed0afd7379769e031f291761d5ebd974730258a38f16588b8e65bd6f4606e307f77930674ee58c18081fee454f17614d75bba29ed5e48f1c4543aa7bc274f9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vdotqyrlt.gb
Filesize
185KB

MD5
25682a4159819c4c0702c797897ccddb

SHA1
5cf8a2d77b7ecd2e1d7caa708d67285985485adc

SHA256
d68a7b5abcbf7b81772c7ed9d606f568cfa4f85beba98be01a8e63cd9629fca8

SHA512
d392e357629dff638a1119f41e14d10664597805112698ff62cb560ba2ab4ebf266cc0073eeaabe9254dcebe9e4ea54d3cdb625650407b09b506860f4f860911

Download Submit
C:\Users\Admin\AppData\Local\Temp\zqgzc.xug
Filesize
5KB

MD5
1e975cc580e4b281f9e1cdad0c03fa60

SHA1
88add23dd2ba2e0711d27ba90c15abbd6ffb381c

SHA256
ed9443599ce57c069f481b8ea450c473d1532e5a0da3cc7d3b3bc0fe8ee09671

SHA512
1e398499c67196e734f1cccf89951f24d304a2ae5aa848cfa38dfe5cc6c07600194a95646691110a55927eaaba32dfcb7dffb5c1afcd41645db253cecc31110a

Download Submit
\Users\Admin\AppData\Local\Temp\mswteajr.exe
Filesize
72KB

MD5
075a7da95f2a03eb3b6e47ed076c3ca0

SHA1
1e27e909c51bbd3dd7e36ad2a277c55a8e0e9720

SHA256
48ad1ef9c53284c357cce078a9fbde27642a9c49dd2b7bc1163c06c98d0d82c5

SHA512
aed0afd7379769e031f291761d5ebd974730258a38f16588b8e65bd6f4606e307f77930674ee58c18081fee454f17614d75bba29ed5e48f1c4543aa7bc274f9c

Download Submit
\Users\Admin\AppData\Local\Temp\mswteajr.exe
Filesize
72KB

MD5
075a7da95f2a03eb3b6e47ed076c3ca0

SHA1
1e27e909c51bbd3dd7e36ad2a277c55a8e0e9720

SHA256
48ad1ef9c53284c357cce078a9fbde27642a9c49dd2b7bc1163c06c98d0d82c5

SHA512
aed0afd7379769e031f291761d5ebd974730258a38f16588b8e65bd6f4606e307f77930674ee58c18081fee454f17614d75bba29ed5e48f1c4543aa7bc274f9c

Download Submit
memory/1160-56-0x0000000000000000-mapping.dmp

Download
memory/1276-67-0x00000000041D0000-0x00000000042AC000-memory.dmp

Filesize
880KB

Download
memory/1276-77-0x0000000006AD0000-0x0000000006C45000-memory.dmp

Filesize
1.5MB

Download
memory/1276-75-0x0000000006AD0000-0x0000000006C45000-memory.dmp

Filesize
1.5MB

Download
memory/1432-72-0x0000000000000000-mapping.dmp

Download
memory/1572-70-0x0000000000B80000-0x0000000000B9C000-memory.dmp

Filesize
112KB

Download
memory/1572-68-0x0000000000000000-mapping.dmp

Download
memory/1572-71-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1572-73-0x0000000001FA0000-0x00000000022A3000-memory.dmp

Filesize
3.0MB

Download
memory/1572-74-0x0000000000900000-0x0000000000993000-memory.dmp

Filesize
588KB

Download
memory/1572-76-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1576-54-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download
memory/1712-66-0x00000000002B0000-0x00000000002C4000-memory.dmp

Filesize
80KB

Download
memory/1712-65-0x0000000000AE0000-0x0000000000DE3000-memory.dmp

Filesize
3.0MB

Download
memory/1712-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1712-62-0x000000000041F120-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads