formbook | 72903788ca82bf6ef459c9dc518bc1af0227dfa78f3800c982c7e00ced7ff6a7

General

Target

oofjets44321.exe
Size

225KB
MD5

99b61d1223377eb0a459e3d44738ed83
SHA1

9991fe427d8b8fd0e6475f1c4381efa2914ce5eb
SHA256

72903788ca82bf6ef459c9dc518bc1af0227dfa78f3800c982c7e00ced7ff6a7
SHA512

75cd2a94fd9b3c859325e0502bc2ff441bac87f4cbfd0ad7f2ccf98034b3cf32ec876495f07c07e3d41127af008a20f06da56bbc792f5f93836de76102b00504
SSDEEP

6144:MEa0NKeSRW2GwVuvqsZ1dyLvqU1Bpxdzc3c51xI5Rv4eT/d3bh:X2MwY7DdKyU1JPILweT/9bh

Score

10^/10

formbook je14 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

je14

Decoy

innervisionbuildings.com

theenergysocialite.com

565548.com

panghr.com

onlyonesolutions.com

stjohnzone6.com

cnotes.rest

helfeb.online

xixi-s-inc.club

easilyentered.com

theshopx.store

mrclean-ac.com

miamibeachwateradventures.com

jpearce.co.uk

seseragi-bunkou.com

minimaddie.com

commbank-help-849c3.com

segohandelsonderneming.com

namthanhreal.com

fototerapi.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4968-139-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4860-145-0x0000000000780000-0x00000000007AF000-memory.dmp	formbook
behavioral2/memory/4860-150-0x0000000000780000-0x00000000007AF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

lsncl.exelsncl.exe

pid process

2624 lsncl.exe
4968 lsncl.exe

pid	process
2624	lsncl.exe
4968	lsncl.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

lsncl.exelsncl.execmmon32.exe

description	pid	process	target process
PID 2624 set thread context of 4968	2624	lsncl.exe	lsncl.exe
PID 4968 set thread context of 3044	4968	lsncl.exe	Explorer.EXE
PID 4860 set thread context of 3044	4860	cmmon32.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

lsncl.execmmon32.exe

pid	process
4968	lsncl.exe
4968	lsncl.exe
4968	lsncl.exe
4968	lsncl.exe
4860	cmmon32.exe
4860	cmmon32.exe
4860	cmmon32.exe
4860	cmmon32.exe
4860	cmmon32.exe
4860	cmmon32.exe
4860	cmmon32.exe
4860	cmmon32.exe
4860	cmmon32.exe
4860	cmmon32.exe
4860	cmmon32.exe
4860	cmmon32.exe
4860	cmmon32.exe
4860	cmmon32.exe
4860	cmmon32.exe
4860	cmmon32.exe
4860	cmmon32.exe
4860	cmmon32.exe
4860	cmmon32.exe
4860	cmmon32.exe
4860	cmmon32.exe
4860	cmmon32.exe
4860	cmmon32.exe
4860	cmmon32.exe
4860	cmmon32.exe
4860	cmmon32.exe
4860	cmmon32.exe
4860	cmmon32.exe
4860	cmmon32.exe
4860	cmmon32.exe
4860	cmmon32.exe
4860	cmmon32.exe
4860	cmmon32.exe
4860	cmmon32.exe
4860	cmmon32.exe
4860	cmmon32.exe
4860	cmmon32.exe
4860	cmmon32.exe
4860	cmmon32.exe
4860	cmmon32.exe
4860	cmmon32.exe
4860	cmmon32.exe
4860	cmmon32.exe
4860	cmmon32.exe
4860	cmmon32.exe
4860	cmmon32.exe
4860	cmmon32.exe
4860	cmmon32.exe
4860	cmmon32.exe
4860	cmmon32.exe
4860	cmmon32.exe
4860	cmmon32.exe
4860	cmmon32.exe
4860	cmmon32.exe
4860	cmmon32.exe
4860	cmmon32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3044 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

lsncl.exelsncl.execmmon32.exe

pid process

2624 lsncl.exe
4968 lsncl.exe
4968 lsncl.exe
4968 lsncl.exe
4860 cmmon32.exe
4860 cmmon32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

lsncl.execmmon32.exe

description pid process

Token: SeDebugPrivilege 4968 lsncl.exe
Token: SeDebugPrivilege 4860 cmmon32.exe

pid	process
3044	Explorer.EXE

pid	process
2624	lsncl.exe
4968	lsncl.exe
4968	lsncl.exe
4968	lsncl.exe
4860	cmmon32.exe
4860	cmmon32.exe

description	pid	process
Token: SeDebugPrivilege	4968	lsncl.exe
Token: SeDebugPrivilege	4860	cmmon32.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

oofjets44321.exelsncl.exeExplorer.EXEcmmon32.exe

description	pid	process	target process
PID 3996 wrote to memory of 2624	3996	oofjets44321.exe	lsncl.exe
PID 3996 wrote to memory of 2624	3996	oofjets44321.exe	lsncl.exe
PID 3996 wrote to memory of 2624	3996	oofjets44321.exe	lsncl.exe
PID 2624 wrote to memory of 4968	2624	lsncl.exe	lsncl.exe
PID 2624 wrote to memory of 4968	2624	lsncl.exe	lsncl.exe
PID 2624 wrote to memory of 4968	2624	lsncl.exe	lsncl.exe
PID 2624 wrote to memory of 4968	2624	lsncl.exe	lsncl.exe
PID 3044 wrote to memory of 4860	3044	Explorer.EXE	cmmon32.exe
PID 3044 wrote to memory of 4860	3044	Explorer.EXE	cmmon32.exe
PID 3044 wrote to memory of 4860	3044	Explorer.EXE	cmmon32.exe
PID 4860 wrote to memory of 3352	4860	cmmon32.exe	cmd.exe
PID 4860 wrote to memory of 3352	4860	cmmon32.exe	cmd.exe
PID 4860 wrote to memory of 3352	4860	cmmon32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3044

C:\Users\Admin\AppData\Local\Temp\oofjets44321.exe
"C:\Users\Admin\AppData\Local\Temp\oofjets44321.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3996

C:\Users\Admin\AppData\Local\Temp\lsncl.exe
"C:\Users\Admin\AppData\Local\Temp\lsncl.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2624

C:\Users\Admin\AppData\Local\Temp\lsncl.exe
"C:\Users\Admin\AppData\Local\Temp\lsncl.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4968

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4860

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\lsncl.exe"
3⤵
PID:3352

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\akpbo.ka
Filesize
5KB

MD5
390d433d07acc1094fbeebf76b16fabe

SHA1
4c42359447505b626ec0547790f4bce21a870c02

SHA256
ee5d0ee5b1ee2f43dd4a1d81bcb65accd9d2cbfa245177c67824b8d7a082c5ac

SHA512
aadf015511bea083c69bb4bea3189ffcff20c26ec812376a115c0efdcc0d891e6c20d1586e5ef3c95ebe472c13779cb421c6691d55384ba3e7dc2582b804ff79

Download Submit
C:\Users\Admin\AppData\Local\Temp\lsncl.exe
Filesize
10KB

MD5
fe6f55c67726aefb1996c012314a684e

SHA1
e3118a6539651e16c4464bddfae9d090876be7a2

SHA256
3acb3f1817a8ad85cd59adc236e62bfc40f806a1f23a2b22e1ffb389bdacfbc0

SHA512
6aaf5b5711ee69c7c4bcfd0f4ea03c08c9fc35bccbee5a74cf38c04ee84802432cf1bf5b5210ceec4c9546c113f917ff1b610a44143205adf1c471711dacb36a

Download Submit
C:\Users\Admin\AppData\Local\Temp\lsncl.exe
Filesize
10KB

MD5
fe6f55c67726aefb1996c012314a684e

SHA1
e3118a6539651e16c4464bddfae9d090876be7a2

SHA256
3acb3f1817a8ad85cd59adc236e62bfc40f806a1f23a2b22e1ffb389bdacfbc0

SHA512
6aaf5b5711ee69c7c4bcfd0f4ea03c08c9fc35bccbee5a74cf38c04ee84802432cf1bf5b5210ceec4c9546c113f917ff1b610a44143205adf1c471711dacb36a

Download Submit
C:\Users\Admin\AppData\Local\Temp\lsncl.exe
Filesize
10KB

MD5
fe6f55c67726aefb1996c012314a684e

SHA1
e3118a6539651e16c4464bddfae9d090876be7a2

SHA256
3acb3f1817a8ad85cd59adc236e62bfc40f806a1f23a2b22e1ffb389bdacfbc0

SHA512
6aaf5b5711ee69c7c4bcfd0f4ea03c08c9fc35bccbee5a74cf38c04ee84802432cf1bf5b5210ceec4c9546c113f917ff1b610a44143205adf1c471711dacb36a

Download Submit
C:\Users\Admin\AppData\Local\Temp\maelloflsq.oxq
Filesize
185KB

MD5
4e1d4df2d71cdb5df8fc1c0ad6bee489

SHA1
ca0c4674a8733c08b900d3bb8740aa0243097fe1

SHA256
c6a4424d5595be2badf65dee2472a70caeb07bbb41c767cfa2683502e66a9f16

SHA512
a8e621de16cafe2045aa35758970b01e038af44f2ec19100ae8f126e7ee281b6b2341e26d0ded09327659bab6ed6ac2567ad5a2f9e6db7be3775dd46f1f7f960

Download Submit
memory/2624-132-0x0000000000000000-mapping.dmp

Download
memory/3044-142-0x0000000007D10000-0x0000000007DFE000-memory.dmp

Filesize
952KB

Download
memory/3044-151-0x0000000007E00000-0x0000000007EB3000-memory.dmp

Filesize
716KB

Download
memory/3044-149-0x0000000007E00000-0x0000000007EB3000-memory.dmp

Filesize
716KB

Download
memory/3352-146-0x0000000000000000-mapping.dmp

Download
memory/4860-147-0x0000000002850000-0x0000000002B9A000-memory.dmp

Filesize
3.3MB

Download
memory/4860-143-0x0000000000000000-mapping.dmp

Download
memory/4860-145-0x0000000000780000-0x00000000007AF000-memory.dmp

Filesize
188KB

Download
memory/4860-144-0x0000000000340000-0x000000000034C000-memory.dmp

Filesize
48KB

Download
memory/4860-148-0x00000000026A0000-0x0000000002733000-memory.dmp

Filesize
588KB

Download
memory/4860-150-0x0000000000780000-0x00000000007AF000-memory.dmp

Filesize
188KB

Download
memory/4968-141-0x0000000000FE0000-0x0000000000FF4000-memory.dmp

Filesize
80KB

Download
memory/4968-140-0x0000000001120000-0x000000000146A000-memory.dmp

Filesize
3.3MB

Download
memory/4968-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4968-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads