formbook | da5141ac63120c792dcd641d11962804126ad650211651c27d264f18354cd2a8

General

Target

SecuriteInfo.com.Gen.Variant.Nemesis.2757.17275.19129.exe
Size

261KB
MD5

776a8a04a8b1138f49dd918ed437cc83
SHA1

e0f781ae75f7289946349579a3f48d155a5f372f
SHA256

da5141ac63120c792dcd641d11962804126ad650211651c27d264f18354cd2a8
SHA512

3c88a85093a4fc95bd2a2e9c894933e407ab3b822e69657e5f6cc4bc87838c8aec353131d06e614cb2b9c5e743f580ed9379169a765ed368cae9e5c24e342282
SSDEEP

6144:MEa0NflUKT9Imaq6e9KfScqCR0L943FrLhMtuwL4EbzoalbkgYG:XbT9ImnmacqCK43FLqCEbkalbV

Score

10^/10

formbook je14 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

je14

Decoy

innervisionbuildings.com

theenergysocialite.com

565548.com

panghr.com

onlyonesolutions.com

stjohnzone6.com

cnotes.rest

helfeb.online

xixi-s-inc.club

easilyentered.com

theshopx.store

mrclean-ac.com

miamibeachwateradventures.com

jpearce.co.uk

seseragi-bunkou.com

minimaddie.com

commbank-help-849c3.com

segohandelsonderneming.com

namthanhreal.com

fototerapi.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3448-139-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4968-146-0x0000000000920000-0x000000000094F000-memory.dmp	formbook
behavioral2/memory/4968-149-0x0000000000920000-0x000000000094F000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

mswteajr.exemswteajr.exe

pid process

3496 mswteajr.exe
3448 mswteajr.exe

pid	process
3496	mswteajr.exe
3448	mswteajr.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

mswteajr.exemswteajr.exemsiexec.exe

description	pid	process	target process
PID 3496 set thread context of 3448	3496	mswteajr.exe	mswteajr.exe
PID 3448 set thread context of 2684	3448	mswteajr.exe	Explorer.EXE
PID 4968 set thread context of 2684	4968	msiexec.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

mswteajr.exemsiexec.exe

pid	process
3448	mswteajr.exe
3448	mswteajr.exe
3448	mswteajr.exe
3448	mswteajr.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2684 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

mswteajr.exemswteajr.exemsiexec.exe

pid process

3496 mswteajr.exe
3448 mswteajr.exe
3448 mswteajr.exe
3448 mswteajr.exe
4968 msiexec.exe
4968 msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

mswteajr.exemsiexec.exe

description pid process

Token: SeDebugPrivilege 3448 mswteajr.exe
Token: SeDebugPrivilege 4968 msiexec.exe

pid	process
2684	Explorer.EXE

pid	process
3496	mswteajr.exe
3448	mswteajr.exe
3448	mswteajr.exe
3448	mswteajr.exe
4968	msiexec.exe
4968	msiexec.exe

description	pid	process
Token: SeDebugPrivilege	3448	mswteajr.exe
Token: SeDebugPrivilege	4968	msiexec.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

SecuriteInfo.com.Gen.Variant.Nemesis.2757.17275.19129.exemswteajr.exeExplorer.EXEmsiexec.exe

description	pid	process	target process
PID 3348 wrote to memory of 3496	3348	SecuriteInfo.com.Gen.Variant.Nemesis.2757.17275.19129.exe	mswteajr.exe
PID 3348 wrote to memory of 3496	3348	SecuriteInfo.com.Gen.Variant.Nemesis.2757.17275.19129.exe	mswteajr.exe
PID 3348 wrote to memory of 3496	3348	SecuriteInfo.com.Gen.Variant.Nemesis.2757.17275.19129.exe	mswteajr.exe
PID 3496 wrote to memory of 3448	3496	mswteajr.exe	mswteajr.exe
PID 3496 wrote to memory of 3448	3496	mswteajr.exe	mswteajr.exe
PID 3496 wrote to memory of 3448	3496	mswteajr.exe	mswteajr.exe
PID 3496 wrote to memory of 3448	3496	mswteajr.exe	mswteajr.exe
PID 2684 wrote to memory of 4968	2684	Explorer.EXE	msiexec.exe
PID 2684 wrote to memory of 4968	2684	Explorer.EXE	msiexec.exe
PID 2684 wrote to memory of 4968	2684	Explorer.EXE	msiexec.exe
PID 4968 wrote to memory of 1300	4968	msiexec.exe	cmd.exe
PID 4968 wrote to memory of 1300	4968	msiexec.exe	cmd.exe
PID 4968 wrote to memory of 1300	4968	msiexec.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2684

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Variant.Nemesis.2757.17275.19129.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Variant.Nemesis.2757.17275.19129.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3348

C:\Users\Admin\AppData\Local\Temp\mswteajr.exe
"C:\Users\Admin\AppData\Local\Temp\mswteajr.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3496

C:\Users\Admin\AppData\Local\Temp\mswteajr.exe
"C:\Users\Admin\AppData\Local\Temp\mswteajr.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3448

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4968

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\mswteajr.exe"
3⤵
PID:1300

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mswteajr.exe
Filesize
72KB

MD5
075a7da95f2a03eb3b6e47ed076c3ca0

SHA1
1e27e909c51bbd3dd7e36ad2a277c55a8e0e9720

SHA256
48ad1ef9c53284c357cce078a9fbde27642a9c49dd2b7bc1163c06c98d0d82c5

SHA512
aed0afd7379769e031f291761d5ebd974730258a38f16588b8e65bd6f4606e307f77930674ee58c18081fee454f17614d75bba29ed5e48f1c4543aa7bc274f9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mswteajr.exe
Filesize
72KB

MD5
075a7da95f2a03eb3b6e47ed076c3ca0

SHA1
1e27e909c51bbd3dd7e36ad2a277c55a8e0e9720

SHA256
48ad1ef9c53284c357cce078a9fbde27642a9c49dd2b7bc1163c06c98d0d82c5

SHA512
aed0afd7379769e031f291761d5ebd974730258a38f16588b8e65bd6f4606e307f77930674ee58c18081fee454f17614d75bba29ed5e48f1c4543aa7bc274f9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mswteajr.exe
Filesize
72KB

MD5
075a7da95f2a03eb3b6e47ed076c3ca0

SHA1
1e27e909c51bbd3dd7e36ad2a277c55a8e0e9720

SHA256
48ad1ef9c53284c357cce078a9fbde27642a9c49dd2b7bc1163c06c98d0d82c5

SHA512
aed0afd7379769e031f291761d5ebd974730258a38f16588b8e65bd6f4606e307f77930674ee58c18081fee454f17614d75bba29ed5e48f1c4543aa7bc274f9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vdotqyrlt.gb
Filesize
185KB

MD5
25682a4159819c4c0702c797897ccddb

SHA1
5cf8a2d77b7ecd2e1d7caa708d67285985485adc

SHA256
d68a7b5abcbf7b81772c7ed9d606f568cfa4f85beba98be01a8e63cd9629fca8

SHA512
d392e357629dff638a1119f41e14d10664597805112698ff62cb560ba2ab4ebf266cc0073eeaabe9254dcebe9e4ea54d3cdb625650407b09b506860f4f860911

Download Submit
C:\Users\Admin\AppData\Local\Temp\zqgzc.xug
Filesize
5KB

MD5
1e975cc580e4b281f9e1cdad0c03fa60

SHA1
88add23dd2ba2e0711d27ba90c15abbd6ffb381c

SHA256
ed9443599ce57c069f481b8ea450c473d1532e5a0da3cc7d3b3bc0fe8ee09671

SHA512
1e398499c67196e734f1cccf89951f24d304a2ae5aa848cfa38dfe5cc6c07600194a95646691110a55927eaaba32dfcb7dffb5c1afcd41645db253cecc31110a

Download Submit
memory/1300-144-0x0000000000000000-mapping.dmp

Download
memory/2684-142-0x0000000002510000-0x0000000002671000-memory.dmp

Filesize
1.4MB

Download
memory/2684-151-0x00000000077C0000-0x0000000007947000-memory.dmp

Filesize
1.5MB

Download
memory/2684-150-0x00000000077C0000-0x0000000007947000-memory.dmp

Filesize
1.5MB

Download
memory/3448-137-0x0000000000000000-mapping.dmp

Download
memory/3448-141-0x00000000013A0000-0x00000000013B4000-memory.dmp

Filesize
80KB

Download
memory/3448-140-0x0000000000EE0000-0x000000000122A000-memory.dmp

Filesize
3.3MB

Download
memory/3448-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3496-132-0x0000000000000000-mapping.dmp

Download
memory/4968-143-0x0000000000000000-mapping.dmp

Download
memory/4968-145-0x00000000003F0000-0x0000000000402000-memory.dmp

Filesize
72KB

Download
memory/4968-146-0x0000000000920000-0x000000000094F000-memory.dmp

Filesize
188KB

Download
memory/4968-147-0x0000000002A10000-0x0000000002D5A000-memory.dmp

Filesize
3.3MB

Download
memory/4968-148-0x0000000002880000-0x0000000002913000-memory.dmp

Filesize
588KB

Download
memory/4968-149-0x0000000000920000-0x000000000094F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads