formbook | 5a1f5c9afd9762d7813453e8fd7017ed1cc61e991cb850b9a0d1d689e554f553

General

Target

jetsoff887453.exe
Size

226KB
MD5

1eea2dfdae7eb894956ca1c1640f68c5
SHA1

d84785baefe3f1fce5bbd9cf93c03bb09d8a20e8
SHA256

45b23c325946154b6990adf193926f99019ccc14f815a9768c208494197d3208
SHA512

64efce3783fd512b03cff3e3c3b93bda7ddf793f199e64809a13c64b948e91deb68dddb1394e5a24353ab42012df88e4a7f0a213b29e9ae3f006bff19755572d
SSDEEP

6144:MEa0NOhe6ib7DKeu/cIJyJJnJCDTRn5lAAfh:XONibPeOJnJY9Dh

Score

10^/10

formbook je14 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

je14

Decoy

innervisionbuildings.com

theenergysocialite.com

565548.com

panghr.com

onlyonesolutions.com

stjohnzone6.com

cnotes.rest

helfeb.online

xixi-s-inc.club

easilyentered.com

theshopx.store

mrclean-ac.com

miamibeachwateradventures.com

jpearce.co.uk

seseragi-bunkou.com

minimaddie.com

commbank-help-849c3.com

segohandelsonderneming.com

namthanhreal.com

fototerapi.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4036-139-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4312-145-0x00000000009A0000-0x00000000009CF000-memory.dmp	formbook
behavioral2/memory/4312-149-0x00000000009A0000-0x00000000009CF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

krwcwm.exekrwcwm.exe

pid process

1768 krwcwm.exe
4036 krwcwm.exe

pid	process
1768	krwcwm.exe
4036	krwcwm.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

krwcwm.exekrwcwm.exeraserver.exe

description	pid	process	target process
PID 1768 set thread context of 4036	1768	krwcwm.exe	krwcwm.exe
PID 4036 set thread context of 2832	4036	krwcwm.exe	Explorer.EXE
PID 4312 set thread context of 2832	4312	raserver.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

krwcwm.exeraserver.exe

pid	process
4036	krwcwm.exe
4036	krwcwm.exe
4036	krwcwm.exe
4036	krwcwm.exe
4312	raserver.exe
4312	raserver.exe
4312	raserver.exe
4312	raserver.exe
4312	raserver.exe
4312	raserver.exe
4312	raserver.exe
4312	raserver.exe
4312	raserver.exe
4312	raserver.exe
4312	raserver.exe
4312	raserver.exe
4312	raserver.exe
4312	raserver.exe
4312	raserver.exe
4312	raserver.exe
4312	raserver.exe
4312	raserver.exe
4312	raserver.exe
4312	raserver.exe
4312	raserver.exe
4312	raserver.exe
4312	raserver.exe
4312	raserver.exe
4312	raserver.exe
4312	raserver.exe
4312	raserver.exe
4312	raserver.exe
4312	raserver.exe
4312	raserver.exe
4312	raserver.exe
4312	raserver.exe
4312	raserver.exe
4312	raserver.exe
4312	raserver.exe
4312	raserver.exe
4312	raserver.exe
4312	raserver.exe
4312	raserver.exe
4312	raserver.exe
4312	raserver.exe
4312	raserver.exe
4312	raserver.exe
4312	raserver.exe
4312	raserver.exe
4312	raserver.exe
4312	raserver.exe
4312	raserver.exe
4312	raserver.exe
4312	raserver.exe
4312	raserver.exe
4312	raserver.exe
4312	raserver.exe
4312	raserver.exe
4312	raserver.exe
4312	raserver.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2832 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

krwcwm.exekrwcwm.exeraserver.exe

pid process

1768 krwcwm.exe
4036 krwcwm.exe
4036 krwcwm.exe
4036 krwcwm.exe
4312 raserver.exe
4312 raserver.exe

pid	process
2832	Explorer.EXE

pid	process
1768	krwcwm.exe
4036	krwcwm.exe
4036	krwcwm.exe
4036	krwcwm.exe
4312	raserver.exe
4312	raserver.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

krwcwm.exeraserver.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	4036	krwcwm.exe
Token: SeDebugPrivilege	4312	raserver.exe
Token: SeShutdownPrivilege	2832	Explorer.EXE
Token: SeCreatePagefilePrivilege	2832	Explorer.EXE
Token: SeShutdownPrivilege	2832	Explorer.EXE
Token: SeCreatePagefilePrivilege	2832	Explorer.EXE
Token: SeShutdownPrivilege	2832	Explorer.EXE
Token: SeCreatePagefilePrivilege	2832	Explorer.EXE
Token: SeShutdownPrivilege	2832	Explorer.EXE
Token: SeCreatePagefilePrivilege	2832	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

jetsoff887453.exekrwcwm.exeExplorer.EXEraserver.exe

description	pid	process	target process
PID 2180 wrote to memory of 1768	2180	jetsoff887453.exe	krwcwm.exe
PID 2180 wrote to memory of 1768	2180	jetsoff887453.exe	krwcwm.exe
PID 2180 wrote to memory of 1768	2180	jetsoff887453.exe	krwcwm.exe
PID 1768 wrote to memory of 4036	1768	krwcwm.exe	krwcwm.exe
PID 1768 wrote to memory of 4036	1768	krwcwm.exe	krwcwm.exe
PID 1768 wrote to memory of 4036	1768	krwcwm.exe	krwcwm.exe
PID 1768 wrote to memory of 4036	1768	krwcwm.exe	krwcwm.exe
PID 2832 wrote to memory of 4312	2832	Explorer.EXE	raserver.exe
PID 2832 wrote to memory of 4312	2832	Explorer.EXE	raserver.exe
PID 2832 wrote to memory of 4312	2832	Explorer.EXE	raserver.exe
PID 4312 wrote to memory of 1496	4312	raserver.exe	cmd.exe
PID 4312 wrote to memory of 1496	4312	raserver.exe	cmd.exe
PID 4312 wrote to memory of 1496	4312	raserver.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2832

C:\Users\Admin\AppData\Local\Temp\jetsoff887453.exe
"C:\Users\Admin\AppData\Local\Temp\jetsoff887453.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2180

C:\Users\Admin\AppData\Local\Temp\krwcwm.exe
"C:\Users\Admin\AppData\Local\Temp\krwcwm.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1768

C:\Users\Admin\AppData\Local\Temp\krwcwm.exe
"C:\Users\Admin\AppData\Local\Temp\krwcwm.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4036

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2488

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2232

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2032

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2784

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1420

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:4296

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4312

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\krwcwm.exe"
3⤵
PID:1496

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cmxapzchjh.mfg
Filesize
185KB

MD5
e0393404e1db74cc34660a5a4cdf44b9

SHA1
88c7398ff382baee47b03705c8fe9cae33b5c66d

SHA256
da3381d0f783bf287a0a7e4cf558732b4f3f6b952599463eb91e05a0993b78ad

SHA512
bb74b2ccfaf07ca73325b324af0beb344ac2244d2d09f3e4673efc9e7becc5b219ead7870be10332f82061d2e1c5bb793660837b9f8a9aedd1c1d34724377936

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwwsjbg.e
Filesize
5KB

MD5
fd5f4d91c7778d694137a815bbb14292

SHA1
6b3f4a6b14ccd69b3ff959376106876aaa5141df

SHA256
c6633251a0126effcad26a968b952b49d041105192fb212506162d95ec114722

SHA512
98d2ad43b1857894103702c8379dd672221d898c660bd4659cc46aaa5a8a3da321c85123464ab0cf626754973bc0b9e5f3a1941f80266bff91fe40aae9fb87d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\krwcwm.exe
Filesize
13KB

MD5
89cb047bc134ce369ad1005598404480

SHA1
e662924b6095d90662fb01c22fc0546c72630feb

SHA256
ee792f2d3d5c85a9474eaf46db3f087594d427e2bd30bdfb0f6ff97d6ee734cd

SHA512
03648b80279202d5a6ba83244758e9be7e16b581c2eb0fc43bec886e59570d4db8cdbc942273b02c21184dd37a6b7c04636d459a3a8515b49e707c6530586f23

Download Submit
C:\Users\Admin\AppData\Local\Temp\krwcwm.exe
Filesize
13KB

MD5
89cb047bc134ce369ad1005598404480

SHA1
e662924b6095d90662fb01c22fc0546c72630feb

SHA256
ee792f2d3d5c85a9474eaf46db3f087594d427e2bd30bdfb0f6ff97d6ee734cd

SHA512
03648b80279202d5a6ba83244758e9be7e16b581c2eb0fc43bec886e59570d4db8cdbc942273b02c21184dd37a6b7c04636d459a3a8515b49e707c6530586f23

Download Submit
C:\Users\Admin\AppData\Local\Temp\krwcwm.exe
Filesize
13KB

MD5
89cb047bc134ce369ad1005598404480

SHA1
e662924b6095d90662fb01c22fc0546c72630feb

SHA256
ee792f2d3d5c85a9474eaf46db3f087594d427e2bd30bdfb0f6ff97d6ee734cd

SHA512
03648b80279202d5a6ba83244758e9be7e16b581c2eb0fc43bec886e59570d4db8cdbc942273b02c21184dd37a6b7c04636d459a3a8515b49e707c6530586f23

Download Submit
memory/1496-146-0x0000000000000000-mapping.dmp

Download
memory/1768-132-0x0000000000000000-mapping.dmp

Download
memory/2832-183-0x0000000002430000-0x0000000002440000-memory.dmp

Filesize
64KB

Download
memory/2832-185-0x0000000002430000-0x0000000002440000-memory.dmp

Filesize
64KB

Download
memory/2832-169-0x0000000002430000-0x0000000002440000-memory.dmp

Filesize
64KB

Download
memory/2832-142-0x00000000028C0000-0x0000000002990000-memory.dmp

Filesize
832KB

Download
memory/2832-171-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2832-200-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2832-199-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2832-198-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2832-197-0x0000000002AE0000-0x0000000002AF0000-memory.dmp

Filesize
64KB

Download
memory/2832-148-0x00000000028C0000-0x0000000002990000-memory.dmp

Filesize
832KB

Download
memory/2832-170-0x0000000002450000-0x0000000002460000-memory.dmp

Filesize
64KB

Download
memory/2832-195-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2832-151-0x0000000002990000-0x0000000002A5D000-memory.dmp

Filesize
820KB

Download
memory/2832-152-0x0000000002990000-0x0000000002A5D000-memory.dmp

Filesize
820KB

Download
memory/2832-153-0x0000000002430000-0x0000000002440000-memory.dmp

Filesize
64KB

Download
memory/2832-154-0x0000000002430000-0x0000000002440000-memory.dmp

Filesize
64KB

Download
memory/2832-155-0x0000000002430000-0x0000000002440000-memory.dmp

Filesize
64KB

Download
memory/2832-156-0x0000000002430000-0x0000000002440000-memory.dmp

Filesize
64KB

Download
memory/2832-157-0x0000000002430000-0x0000000002440000-memory.dmp

Filesize
64KB

Download
memory/2832-158-0x0000000002430000-0x0000000002440000-memory.dmp

Filesize
64KB

Download
memory/2832-159-0x0000000002430000-0x0000000002440000-memory.dmp

Filesize
64KB

Download
memory/2832-160-0x0000000002430000-0x0000000002440000-memory.dmp

Filesize
64KB

Download
memory/2832-162-0x0000000002430000-0x0000000002440000-memory.dmp

Filesize
64KB

Download
memory/2832-161-0x0000000002430000-0x0000000002440000-memory.dmp

Filesize
64KB

Download
memory/2832-163-0x0000000002430000-0x0000000002440000-memory.dmp

Filesize
64KB

Download
memory/2832-164-0x0000000002430000-0x0000000002440000-memory.dmp

Filesize
64KB

Download
memory/2832-165-0x0000000002430000-0x0000000002440000-memory.dmp

Filesize
64KB

Download
memory/2832-166-0x0000000002430000-0x0000000002440000-memory.dmp

Filesize
64KB

Download
memory/2832-167-0x0000000002430000-0x0000000002440000-memory.dmp

Filesize
64KB

Download
memory/2832-168-0x0000000002430000-0x0000000002440000-memory.dmp

Filesize
64KB

Download
memory/2832-194-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2832-196-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2832-193-0x0000000002AE0000-0x0000000002AF0000-memory.dmp

Filesize
64KB

Download
memory/2832-172-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2832-173-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2832-174-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2832-175-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2832-176-0x0000000002430000-0x0000000002440000-memory.dmp

Filesize
64KB

Download
memory/2832-177-0x0000000002430000-0x0000000002440000-memory.dmp

Filesize
64KB

Download
memory/2832-178-0x0000000002430000-0x0000000002440000-memory.dmp

Filesize
64KB

Download
memory/2832-179-0x0000000002430000-0x0000000002440000-memory.dmp

Filesize
64KB

Download
memory/2832-180-0x0000000002430000-0x0000000002440000-memory.dmp

Filesize
64KB

Download
memory/2832-181-0x0000000002430000-0x0000000002440000-memory.dmp

Filesize
64KB

Download
memory/2832-182-0x0000000002430000-0x0000000002440000-memory.dmp

Filesize
64KB

Download
memory/2832-192-0x0000000002430000-0x0000000002440000-memory.dmp

Filesize
64KB

Download
memory/2832-184-0x0000000002430000-0x0000000002440000-memory.dmp

Filesize
64KB

Download
memory/2832-191-0x0000000002430000-0x0000000002440000-memory.dmp

Filesize
64KB

Download
memory/2832-186-0x0000000002430000-0x0000000002440000-memory.dmp

Filesize
64KB

Download
memory/2832-187-0x0000000002430000-0x0000000002440000-memory.dmp

Filesize
64KB

Download
memory/2832-188-0x0000000002430000-0x0000000002440000-memory.dmp

Filesize
64KB

Download
memory/2832-189-0x0000000002430000-0x0000000002440000-memory.dmp

Filesize
64KB

Download
memory/2832-190-0x0000000002430000-0x0000000002440000-memory.dmp

Filesize
64KB

Download
memory/4036-140-0x00000000011C0000-0x000000000150A000-memory.dmp

Filesize
3.3MB

Download
memory/4036-137-0x0000000000000000-mapping.dmp

Download
memory/4036-141-0x0000000001100000-0x0000000001114000-memory.dmp

Filesize
80KB

Download
memory/4036-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4312-143-0x0000000000000000-mapping.dmp

Download
memory/4312-149-0x00000000009A0000-0x00000000009CF000-memory.dmp

Filesize
188KB

Download
memory/4312-150-0x0000000002950000-0x00000000029E3000-memory.dmp

Filesize
588KB

Download
memory/4312-147-0x0000000002CB0000-0x0000000002FFA000-memory.dmp

Filesize
3.3MB

Download
memory/4312-145-0x00000000009A0000-0x00000000009CF000-memory.dmp

Filesize
188KB

Download
memory/4312-144-0x0000000000A50000-0x0000000000A6F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads