formbook | 788b816869fe860194e7288e7138e1efa96daea36480deb5fbb4ec5b894289b4

Analysis

max time kernel
150s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
17-11-2022 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ugojests09987.exe
Size

224KB
MD5

45bfc44bb1648f19fd5db3a19be64af5
SHA1

3c6c37db8fbf189adb1fccebc8a52e70358a9b25
SHA256

788b816869fe860194e7288e7138e1efa96daea36480deb5fbb4ec5b894289b4
SHA512

e8e960765925f04a03ca402982ce4dff8f63d1fb34b9314c3b2ff715dfe7251f18a6ffb5bf4b97bdbfa52d8acfe5a74e4a498f4b068e6f0496f3ad6cddf16292
SSDEEP

3072:WfJSq+ytGIon9KcSMGBQEke0FxjRSc6qZbm91qoS7D98oyTiFccgSXvGWTbKWDOZ:MEa0NZr99K/URhyTEcLSXnb307XtGyNJ

Score

10^/10

formbook je14 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

je14

Decoy

innervisionbuildings.com

theenergysocialite.com

565548.com

panghr.com

onlyonesolutions.com

stjohnzone6.com

cnotes.rest

helfeb.online

xixi-s-inc.club

easilyentered.com

theshopx.store

mrclean-ac.com

miamibeachwateradventures.com

jpearce.co.uk

seseragi-bunkou.com

minimaddie.com

commbank-help-849c3.com

segohandelsonderneming.com

namthanhreal.com

fototerapi.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2948-146-0x00000000001D0000-0x00000000001FF000-memory.dmp	formbook
behavioral2/memory/2948-149-0x00000000001D0000-0x00000000001FF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

nmcpchku.exenmcpchku.exe

pid process

4708 nmcpchku.exe
4768 nmcpchku.exe

pid	process
4708	nmcpchku.exe
4768	nmcpchku.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

nmcpchku.exenmcpchku.exehelp.exe

description	pid	process	target process
PID 4708 set thread context of 4768	4708	nmcpchku.exe	nmcpchku.exe
PID 4768 set thread context of 2056	4768	nmcpchku.exe	Explorer.EXE
PID 2948 set thread context of 2056	2948	help.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

nmcpchku.exehelp.exe

pid	process
4768	nmcpchku.exe
4768	nmcpchku.exe
4768	nmcpchku.exe
4768	nmcpchku.exe
2948	help.exe
2948	help.exe
2948	help.exe
2948	help.exe
2948	help.exe
2948	help.exe
2948	help.exe
2948	help.exe
2948	help.exe
2948	help.exe
2948	help.exe
2948	help.exe
2948	help.exe
2948	help.exe
2948	help.exe
2948	help.exe
2948	help.exe
2948	help.exe
2948	help.exe
2948	help.exe
2948	help.exe
2948	help.exe
2948	help.exe
2948	help.exe
2948	help.exe
2948	help.exe
2948	help.exe
2948	help.exe
2948	help.exe
2948	help.exe
2948	help.exe
2948	help.exe
2948	help.exe
2948	help.exe
2948	help.exe
2948	help.exe
2948	help.exe
2948	help.exe
2948	help.exe
2948	help.exe
2948	help.exe
2948	help.exe
2948	help.exe
2948	help.exe
2948	help.exe
2948	help.exe
2948	help.exe
2948	help.exe
2948	help.exe
2948	help.exe
2948	help.exe
2948	help.exe
2948	help.exe
2948	help.exe
2948	help.exe
2948	help.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2056 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

nmcpchku.exenmcpchku.exehelp.exe

pid process

4708 nmcpchku.exe
4708 nmcpchku.exe
4768 nmcpchku.exe
4768 nmcpchku.exe
4768 nmcpchku.exe
2948 help.exe
2948 help.exe

pid	process
2056	Explorer.EXE

pid	process
4708	nmcpchku.exe
4708	nmcpchku.exe
4768	nmcpchku.exe
4768	nmcpchku.exe
4768	nmcpchku.exe
2948	help.exe
2948	help.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

nmcpchku.exehelp.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	4768	nmcpchku.exe
Token: SeDebugPrivilege	2948	help.exe
Token: SeShutdownPrivilege	2056	Explorer.EXE
Token: SeCreatePagefilePrivilege	2056	Explorer.EXE
Token: SeShutdownPrivilege	2056	Explorer.EXE
Token: SeCreatePagefilePrivilege	2056	Explorer.EXE
Token: SeShutdownPrivilege	2056	Explorer.EXE
Token: SeCreatePagefilePrivilege	2056	Explorer.EXE
Token: SeShutdownPrivilege	2056	Explorer.EXE
Token: SeCreatePagefilePrivilege	2056	Explorer.EXE
Token: SeShutdownPrivilege	2056	Explorer.EXE
Token: SeCreatePagefilePrivilege	2056	Explorer.EXE
Token: SeShutdownPrivilege	2056	Explorer.EXE
Token: SeCreatePagefilePrivilege	2056	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

ugojests09987.exenmcpchku.exeExplorer.EXEhelp.exe

description	pid	process	target process
PID 1848 wrote to memory of 4708	1848	ugojests09987.exe	nmcpchku.exe
PID 1848 wrote to memory of 4708	1848	ugojests09987.exe	nmcpchku.exe
PID 1848 wrote to memory of 4708	1848	ugojests09987.exe	nmcpchku.exe
PID 4708 wrote to memory of 4768	4708	nmcpchku.exe	nmcpchku.exe
PID 4708 wrote to memory of 4768	4708	nmcpchku.exe	nmcpchku.exe
PID 4708 wrote to memory of 4768	4708	nmcpchku.exe	nmcpchku.exe
PID 4708 wrote to memory of 4768	4708	nmcpchku.exe	nmcpchku.exe
PID 2056 wrote to memory of 2948	2056	Explorer.EXE	help.exe
PID 2056 wrote to memory of 2948	2056	Explorer.EXE	help.exe
PID 2056 wrote to memory of 2948	2056	Explorer.EXE	help.exe
PID 2948 wrote to memory of 2344	2948	help.exe	cmd.exe
PID 2948 wrote to memory of 2344	2948	help.exe	cmd.exe
PID 2948 wrote to memory of 2344	2948	help.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2056

C:\Users\Admin\AppData\Local\Temp\ugojests09987.exe
"C:\Users\Admin\AppData\Local\Temp\ugojests09987.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1848

C:\Users\Admin\AppData\Local\Temp\nmcpchku.exe
"C:\Users\Admin\AppData\Local\Temp\nmcpchku.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4708

C:\Users\Admin\AppData\Local\Temp\nmcpchku.exe
"C:\Users\Admin\AppData\Local\Temp\nmcpchku.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4768

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2948

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\nmcpchku.exe"
3⤵
PID:2344

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gqnmmylxww.r
Filesize
185KB

MD5
4bfea0681b9d8ebd78da74dba78bf3dc

SHA1
3a6a3e7764d2d236c67e433dd77598412f28ce87

SHA256
d421253a6f7962b012557e9dcdd261bdedaaae25a4bed93d953e8645da0d8cfe

SHA512
5a30c0d049f1adfecc6c7e86741e33df4423485e1eedda895892b9e2fd00666c468dc9ef57228a41a9822fd4b19ff24317adce5bfa16142bac26adf39d085280

Download Submit
C:\Users\Admin\AppData\Local\Temp\nmcpchku.exe
Filesize
9KB

MD5
6ef159a366736560c939866256db9fe1

SHA1
1a6f2cc3effcd65771241c320bcaf6649f84e8f0

SHA256
d24439b545f7b6f855f54e13c75a22ce836a51a7427a21723cda7788e23b6cc0

SHA512
2f6ab16d8eabb2ad723188ee6fd4b85c27d2f98abdcb98c2cb1e278067835e1a392d38ad6273c78adb3e6e167b4d2bb287ba534525a838a0c4acb4bb7d253cbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nmcpchku.exe
Filesize
9KB

MD5
6ef159a366736560c939866256db9fe1

SHA1
1a6f2cc3effcd65771241c320bcaf6649f84e8f0

SHA256
d24439b545f7b6f855f54e13c75a22ce836a51a7427a21723cda7788e23b6cc0

SHA512
2f6ab16d8eabb2ad723188ee6fd4b85c27d2f98abdcb98c2cb1e278067835e1a392d38ad6273c78adb3e6e167b4d2bb287ba534525a838a0c4acb4bb7d253cbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nmcpchku.exe
Filesize
9KB

MD5
6ef159a366736560c939866256db9fe1

SHA1
1a6f2cc3effcd65771241c320bcaf6649f84e8f0

SHA256
d24439b545f7b6f855f54e13c75a22ce836a51a7427a21723cda7788e23b6cc0

SHA512
2f6ab16d8eabb2ad723188ee6fd4b85c27d2f98abdcb98c2cb1e278067835e1a392d38ad6273c78adb3e6e167b4d2bb287ba534525a838a0c4acb4bb7d253cbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\sjvmfqjrtz.pc
Filesize
5KB

MD5
f016518342c8dad92104717893029d3b

SHA1
031c340b7f0891aae3c89269dd2b283374454129

SHA256
356f5697126ce7585c34d7eb95555f9da9ad22b985e0fd4bd396b6e9347f0e95

SHA512
b50ad539e5dfca66d3256285d2bd8ed59405017cdef96d17b23b7c62f9c6a0e32f5d0d4e50db77ba513f10ba20c77995138b847a003893c9f8edb10ee9ff9ce2

Download Submit
memory/2056-176-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-206-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-215-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-214-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-213-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-212-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-211-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-210-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-209-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-148-0x0000000002A40000-0x0000000002AF0000-memory.dmp

Filesize
704KB

Download
memory/2056-208-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-177-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-151-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-152-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-153-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-154-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-155-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-156-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-157-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-158-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-159-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-160-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-161-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-162-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-163-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-164-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-165-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-166-0x0000000002A40000-0x0000000002AF0000-memory.dmp

Filesize
704KB

Download
memory/2056-167-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-168-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/2056-170-0x0000000002DF0000-0x0000000002E00000-memory.dmp

Filesize
64KB

Download
memory/2056-169-0x0000000002DF0000-0x0000000002E00000-memory.dmp

Filesize
64KB

Download
memory/2056-171-0x0000000002DF0000-0x0000000002E00000-memory.dmp

Filesize
64KB

Download
memory/2056-179-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-173-0x0000000002DF0000-0x0000000002E00000-memory.dmp

Filesize
64KB

Download
memory/2056-174-0x0000000002DF0000-0x0000000002E00000-memory.dmp

Filesize
64KB

Download
memory/2056-175-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-141-0x0000000002970000-0x0000000002A36000-memory.dmp

Filesize
792KB

Download
memory/2056-150-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-207-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-172-0x0000000002DF0000-0x0000000002E00000-memory.dmp

Filesize
64KB

Download
memory/2056-180-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-181-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-182-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-183-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-184-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-185-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-186-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-187-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-188-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-189-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-190-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-191-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-192-0x0000000002390000-0x00000000023A0000-memory.dmp

Filesize
64KB

Download
memory/2056-193-0x00000000023A0000-0x00000000023B0000-memory.dmp

Filesize
64KB

Download
memory/2056-194-0x00000000023A0000-0x00000000023B0000-memory.dmp

Filesize
64KB

Download
memory/2056-195-0x00000000023A0000-0x00000000023B0000-memory.dmp

Filesize
64KB

Download
memory/2056-196-0x0000000002390000-0x00000000023A0000-memory.dmp

Filesize
64KB

Download
memory/2056-197-0x00000000023A0000-0x00000000023B0000-memory.dmp

Filesize
64KB

Download
memory/2056-198-0x00000000023A0000-0x00000000023B0000-memory.dmp

Filesize
64KB

Download
memory/2056-199-0x00000000023A0000-0x00000000023B0000-memory.dmp

Filesize
64KB

Download
memory/2056-200-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-201-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-202-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-203-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-204-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-205-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2056-178-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2344-143-0x0000000000000000-mapping.dmp

Download
memory/2948-142-0x0000000000000000-mapping.dmp

Download
memory/2948-149-0x00000000001D0000-0x00000000001FF000-memory.dmp

Filesize
188KB

Download
memory/2948-147-0x0000000000990000-0x0000000000A23000-memory.dmp

Filesize
588KB

Download
memory/2948-146-0x00000000001D0000-0x00000000001FF000-memory.dmp

Filesize
188KB

Download
memory/2948-145-0x0000000000B50000-0x0000000000E9A000-memory.dmp

Filesize
3.3MB

Download
memory/2948-144-0x0000000000200000-0x0000000000207000-memory.dmp

Filesize
28KB

Download
memory/4708-132-0x0000000000000000-mapping.dmp

Download
memory/4768-137-0x0000000000000000-mapping.dmp

Download
memory/4768-139-0x0000000000DF0000-0x000000000113A000-memory.dmp

Filesize
3.3MB

Download
memory/4768-140-0x0000000000CD0000-0x0000000000CE4000-memory.dmp

Filesize
80KB

Download