formbook | 788b816869fe860194e7288e7138e1efa96daea36480deb5fbb4ec5b894289b4

General

Target

ugojests09987.exe
Size

224KB
MD5

45bfc44bb1648f19fd5db3a19be64af5
SHA1

3c6c37db8fbf189adb1fccebc8a52e70358a9b25
SHA256

788b816869fe860194e7288e7138e1efa96daea36480deb5fbb4ec5b894289b4
SHA512

e8e960765925f04a03ca402982ce4dff8f63d1fb34b9314c3b2ff715dfe7251f18a6ffb5bf4b97bdbfa52d8acfe5a74e4a498f4b068e6f0496f3ad6cddf16292
SSDEEP

3072:WfJSq+ytGIon9KcSMGBQEke0FxjRSc6qZbm91qoS7D98oyTiFccgSXvGWTbKWDOZ:MEa0NZr99K/URhyTEcLSXnb307XtGyNJ

Score

10^/10

formbook je14 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

je14

Decoy

innervisionbuildings.com

theenergysocialite.com

565548.com

panghr.com

onlyonesolutions.com

stjohnzone6.com

cnotes.rest

helfeb.online

xixi-s-inc.club

easilyentered.com

theshopx.store

mrclean-ac.com

miamibeachwateradventures.com

jpearce.co.uk

seseragi-bunkou.com

minimaddie.com

commbank-help-849c3.com

segohandelsonderneming.com

namthanhreal.com

fototerapi.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1800-64-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1788-71-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

nmcpchku.exenmcpchku.exe

pid process

1964 nmcpchku.exe
1800 nmcpchku.exe
Loads dropped DLL 2 IoCs

Processes:

ugojests09987.exenmcpchku.exe

pid process

2044 ugojests09987.exe
1964 nmcpchku.exe

pid	process
1964	nmcpchku.exe
1800	nmcpchku.exe

pid	process
2044	ugojests09987.exe
1964	nmcpchku.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

nmcpchku.exenmcpchku.exeNAPSTAT.EXE

description	pid	process	target process
PID 1964 set thread context of 1800	1964	nmcpchku.exe	nmcpchku.exe
PID 1800 set thread context of 1340	1800	nmcpchku.exe	Explorer.EXE
PID 1788 set thread context of 1340	1788	NAPSTAT.EXE	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

nmcpchku.exeNAPSTAT.EXE

pid	process
1800	nmcpchku.exe
1800	nmcpchku.exe
1788	NAPSTAT.EXE
1788	NAPSTAT.EXE
1788	NAPSTAT.EXE
1788	NAPSTAT.EXE
1788	NAPSTAT.EXE
1788	NAPSTAT.EXE
1788	NAPSTAT.EXE
1788	NAPSTAT.EXE
1788	NAPSTAT.EXE
1788	NAPSTAT.EXE
1788	NAPSTAT.EXE
1788	NAPSTAT.EXE
1788	NAPSTAT.EXE
1788	NAPSTAT.EXE
1788	NAPSTAT.EXE
1788	NAPSTAT.EXE
1788	NAPSTAT.EXE
1788	NAPSTAT.EXE
1788	NAPSTAT.EXE
1788	NAPSTAT.EXE
1788	NAPSTAT.EXE
1788	NAPSTAT.EXE
1788	NAPSTAT.EXE
1788	NAPSTAT.EXE
1788	NAPSTAT.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

nmcpchku.exenmcpchku.exeNAPSTAT.EXE

pid process

1964 nmcpchku.exe
1800 nmcpchku.exe
1800 nmcpchku.exe
1800 nmcpchku.exe
1788 NAPSTAT.EXE
1788 NAPSTAT.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

nmcpchku.exeNAPSTAT.EXE

description pid process

Token: SeDebugPrivilege 1800 nmcpchku.exe
Token: SeDebugPrivilege 1788 NAPSTAT.EXE

pid	process
1964	nmcpchku.exe
1800	nmcpchku.exe
1800	nmcpchku.exe
1800	nmcpchku.exe
1788	NAPSTAT.EXE
1788	NAPSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	1800	nmcpchku.exe
Token: SeDebugPrivilege	1788	NAPSTAT.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

ugojests09987.exenmcpchku.exeExplorer.EXENAPSTAT.EXE

description	pid	process	target process
PID 2044 wrote to memory of 1964	2044	ugojests09987.exe	nmcpchku.exe
PID 2044 wrote to memory of 1964	2044	ugojests09987.exe	nmcpchku.exe
PID 2044 wrote to memory of 1964	2044	ugojests09987.exe	nmcpchku.exe
PID 2044 wrote to memory of 1964	2044	ugojests09987.exe	nmcpchku.exe
PID 1964 wrote to memory of 1800	1964	nmcpchku.exe	nmcpchku.exe
PID 1964 wrote to memory of 1800	1964	nmcpchku.exe	nmcpchku.exe
PID 1964 wrote to memory of 1800	1964	nmcpchku.exe	nmcpchku.exe
PID 1964 wrote to memory of 1800	1964	nmcpchku.exe	nmcpchku.exe
PID 1964 wrote to memory of 1800	1964	nmcpchku.exe	nmcpchku.exe
PID 1340 wrote to memory of 1788	1340	Explorer.EXE	NAPSTAT.EXE
PID 1340 wrote to memory of 1788	1340	Explorer.EXE	NAPSTAT.EXE
PID 1340 wrote to memory of 1788	1340	Explorer.EXE	NAPSTAT.EXE
PID 1340 wrote to memory of 1788	1340	Explorer.EXE	NAPSTAT.EXE
PID 1788 wrote to memory of 2020	1788	NAPSTAT.EXE	cmd.exe
PID 1788 wrote to memory of 2020	1788	NAPSTAT.EXE	cmd.exe
PID 1788 wrote to memory of 2020	1788	NAPSTAT.EXE	cmd.exe
PID 1788 wrote to memory of 2020	1788	NAPSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1340

C:\Users\Admin\AppData\Local\Temp\ugojests09987.exe
"C:\Users\Admin\AppData\Local\Temp\ugojests09987.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2044

C:\Users\Admin\AppData\Local\Temp\nmcpchku.exe
"C:\Users\Admin\AppData\Local\Temp\nmcpchku.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1964

C:\Users\Admin\AppData\Local\Temp\nmcpchku.exe
"C:\Users\Admin\AppData\Local\Temp\nmcpchku.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1800

C:\Windows\SysWOW64\NAPSTAT.EXE
"C:\Windows\SysWOW64\NAPSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\nmcpchku.exe"
3⤵
PID:2020

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gqnmmylxww.r
Filesize
185KB

MD5
4bfea0681b9d8ebd78da74dba78bf3dc

SHA1
3a6a3e7764d2d236c67e433dd77598412f28ce87

SHA256
d421253a6f7962b012557e9dcdd261bdedaaae25a4bed93d953e8645da0d8cfe

SHA512
5a30c0d049f1adfecc6c7e86741e33df4423485e1eedda895892b9e2fd00666c468dc9ef57228a41a9822fd4b19ff24317adce5bfa16142bac26adf39d085280

Download Submit
C:\Users\Admin\AppData\Local\Temp\nmcpchku.exe
Filesize
9KB

MD5
6ef159a366736560c939866256db9fe1

SHA1
1a6f2cc3effcd65771241c320bcaf6649f84e8f0

SHA256
d24439b545f7b6f855f54e13c75a22ce836a51a7427a21723cda7788e23b6cc0

SHA512
2f6ab16d8eabb2ad723188ee6fd4b85c27d2f98abdcb98c2cb1e278067835e1a392d38ad6273c78adb3e6e167b4d2bb287ba534525a838a0c4acb4bb7d253cbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nmcpchku.exe
Filesize
9KB

MD5
6ef159a366736560c939866256db9fe1

SHA1
1a6f2cc3effcd65771241c320bcaf6649f84e8f0

SHA256
d24439b545f7b6f855f54e13c75a22ce836a51a7427a21723cda7788e23b6cc0

SHA512
2f6ab16d8eabb2ad723188ee6fd4b85c27d2f98abdcb98c2cb1e278067835e1a392d38ad6273c78adb3e6e167b4d2bb287ba534525a838a0c4acb4bb7d253cbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nmcpchku.exe
Filesize
9KB

MD5
6ef159a366736560c939866256db9fe1

SHA1
1a6f2cc3effcd65771241c320bcaf6649f84e8f0

SHA256
d24439b545f7b6f855f54e13c75a22ce836a51a7427a21723cda7788e23b6cc0

SHA512
2f6ab16d8eabb2ad723188ee6fd4b85c27d2f98abdcb98c2cb1e278067835e1a392d38ad6273c78adb3e6e167b4d2bb287ba534525a838a0c4acb4bb7d253cbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\sjvmfqjrtz.pc
Filesize
5KB

MD5
f016518342c8dad92104717893029d3b

SHA1
031c340b7f0891aae3c89269dd2b283374454129

SHA256
356f5697126ce7585c34d7eb95555f9da9ad22b985e0fd4bd396b6e9347f0e95

SHA512
b50ad539e5dfca66d3256285d2bd8ed59405017cdef96d17b23b7c62f9c6a0e32f5d0d4e50db77ba513f10ba20c77995138b847a003893c9f8edb10ee9ff9ce2

Download Submit
\Users\Admin\AppData\Local\Temp\nmcpchku.exe
Filesize
9KB

MD5
6ef159a366736560c939866256db9fe1

SHA1
1a6f2cc3effcd65771241c320bcaf6649f84e8f0

SHA256
d24439b545f7b6f855f54e13c75a22ce836a51a7427a21723cda7788e23b6cc0

SHA512
2f6ab16d8eabb2ad723188ee6fd4b85c27d2f98abdcb98c2cb1e278067835e1a392d38ad6273c78adb3e6e167b4d2bb287ba534525a838a0c4acb4bb7d253cbe

Download Submit
\Users\Admin\AppData\Local\Temp\nmcpchku.exe
Filesize
9KB

MD5
6ef159a366736560c939866256db9fe1

SHA1
1a6f2cc3effcd65771241c320bcaf6649f84e8f0

SHA256
d24439b545f7b6f855f54e13c75a22ce836a51a7427a21723cda7788e23b6cc0

SHA512
2f6ab16d8eabb2ad723188ee6fd4b85c27d2f98abdcb98c2cb1e278067835e1a392d38ad6273c78adb3e6e167b4d2bb287ba534525a838a0c4acb4bb7d253cbe

Download Submit
memory/1340-75-0x00000000072F0000-0x0000000007443000-memory.dmp

Filesize
1.3MB

Download
memory/1340-74-0x00000000072F0000-0x0000000007443000-memory.dmp

Filesize
1.3MB

Download
memory/1340-67-0x00000000066E0000-0x0000000006810000-memory.dmp

Filesize
1.2MB

Download
memory/1788-70-0x00000000002B0000-0x00000000002F6000-memory.dmp

Filesize
280KB

Download
memory/1788-73-0x0000000001C90000-0x0000000001D23000-memory.dmp

Filesize
588KB

Download
memory/1788-72-0x0000000001E70000-0x0000000002173000-memory.dmp

Filesize
3.0MB

Download
memory/1788-71-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1788-68-0x0000000000000000-mapping.dmp

Download
memory/1800-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1800-66-0x0000000000110000-0x0000000000124000-memory.dmp

Filesize
80KB

Download
memory/1800-65-0x0000000000970000-0x0000000000C73000-memory.dmp

Filesize
3.0MB

Download
memory/1800-62-0x000000000041F120-mapping.dmp

Download
memory/1964-56-0x0000000000000000-mapping.dmp

Download
memory/2020-69-0x0000000000000000-mapping.dmp

Download
memory/2044-54-0x0000000075F81000-0x0000000075F83000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads