formbook | 53495ecf8b97a44f42431f7a069d6d993728788af54c20ce7ece289640c3e1c9

Analysis

max time kernel
147s
max time network
136s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
21-11-2022 14:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53495ecf8b97a44f42431f7a069d6d993728788af54c20ce7ece289640c3e1c9.exe
Size

357KB
MD5

8babf47c462b4c9dc2e4331d2cbbce2b
SHA1

9b3f3e7ab491450cfb595584d316a48cdf6c9138
SHA256

53495ecf8b97a44f42431f7a069d6d993728788af54c20ce7ece289640c3e1c9
SHA512

518c2fa8b1ec096079cbc54f49c0ce8df7a1e0c8c590c4e993e8013cc17f565cc125e9441c80c946bbfd4e7aa7e3741f7c9cc8c8a3d0eae171c8ea76e68c461a
SSDEEP

6144:HEa0eDyf/UBrohN9DYGWKkmHiQIKXNa6OltJae/Sa+tSV93niGBk:LdNGWKhcltJatSf3n/k

Score

10^/10

formbook sk19 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

sk19

Decoy

21diasdegratitud.com

kx1993.com

chasergt.com

837news.com

naturagent.co.uk

gatorinsurtech.com

iyaboolashilesblog.africa

jamtanganmurah.online

gguminsa.com

lilliesdrop.com

lenvera.com

link48.co.uk

azinos777.fun

lgcdct.cfd

bg-gobtc.com

livecarrer.uk

cbq4u.com

imalreadygone.com

wabeng.africa

jxmheiyouyuetot.tokyo

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2824-222-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2824-231-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2244-274-0x0000000000990000-0x00000000009BF000-memory.dmp	formbook
behavioral1/memory/2244-283-0x0000000000990000-0x00000000009BF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

jcwiqsmrvv.exejcwiqsmrvv.exe

pid process

4408 jcwiqsmrvv.exe
2824 jcwiqsmrvv.exe

pid	process
4408	jcwiqsmrvv.exe
2824	jcwiqsmrvv.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

jcwiqsmrvv.exejcwiqsmrvv.exemsdt.exe

description	pid	process	target process
PID 4408 set thread context of 2824	4408	jcwiqsmrvv.exe	jcwiqsmrvv.exe
PID 2824 set thread context of 3052	2824	jcwiqsmrvv.exe	Explorer.EXE
PID 2824 set thread context of 3052	2824	jcwiqsmrvv.exe	Explorer.EXE
PID 2244 set thread context of 3052	2244	msdt.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 56 IoCs

Processes:

jcwiqsmrvv.exemsdt.exe

pid	process
2824	jcwiqsmrvv.exe
2824	jcwiqsmrvv.exe
2824	jcwiqsmrvv.exe
2824	jcwiqsmrvv.exe
2824	jcwiqsmrvv.exe
2824	jcwiqsmrvv.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3052 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

jcwiqsmrvv.exejcwiqsmrvv.exemsdt.exe

pid process

4408 jcwiqsmrvv.exe
2824 jcwiqsmrvv.exe
2824 jcwiqsmrvv.exe
2824 jcwiqsmrvv.exe
2824 jcwiqsmrvv.exe
2244 msdt.exe
2244 msdt.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

jcwiqsmrvv.exemsdt.exe

description pid process

Token: SeDebugPrivilege 2824 jcwiqsmrvv.exe
Token: SeDebugPrivilege 2244 msdt.exe

pid	process
3052	Explorer.EXE

pid	process
4408	jcwiqsmrvv.exe
2824	jcwiqsmrvv.exe
2824	jcwiqsmrvv.exe
2824	jcwiqsmrvv.exe
2824	jcwiqsmrvv.exe
2244	msdt.exe
2244	msdt.exe

description	pid	process
Token: SeDebugPrivilege	2824	jcwiqsmrvv.exe
Token: SeDebugPrivilege	2244	msdt.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

53495ecf8b97a44f42431f7a069d6d993728788af54c20ce7ece289640c3e1c9.exejcwiqsmrvv.exeExplorer.EXEmsdt.exe

description	pid	process	target process
PID 2660 wrote to memory of 4408	2660	53495ecf8b97a44f42431f7a069d6d993728788af54c20ce7ece289640c3e1c9.exe	jcwiqsmrvv.exe
PID 2660 wrote to memory of 4408	2660	53495ecf8b97a44f42431f7a069d6d993728788af54c20ce7ece289640c3e1c9.exe	jcwiqsmrvv.exe
PID 2660 wrote to memory of 4408	2660	53495ecf8b97a44f42431f7a069d6d993728788af54c20ce7ece289640c3e1c9.exe	jcwiqsmrvv.exe
PID 4408 wrote to memory of 2824	4408	jcwiqsmrvv.exe	jcwiqsmrvv.exe
PID 4408 wrote to memory of 2824	4408	jcwiqsmrvv.exe	jcwiqsmrvv.exe
PID 4408 wrote to memory of 2824	4408	jcwiqsmrvv.exe	jcwiqsmrvv.exe
PID 4408 wrote to memory of 2824	4408	jcwiqsmrvv.exe	jcwiqsmrvv.exe
PID 3052 wrote to memory of 2244	3052	Explorer.EXE	msdt.exe
PID 3052 wrote to memory of 2244	3052	Explorer.EXE	msdt.exe
PID 3052 wrote to memory of 2244	3052	Explorer.EXE	msdt.exe
PID 2244 wrote to memory of 4300	2244	msdt.exe	cmd.exe
PID 2244 wrote to memory of 4300	2244	msdt.exe	cmd.exe
PID 2244 wrote to memory of 4300	2244	msdt.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3052

C:\Users\Admin\AppData\Local\Temp\53495ecf8b97a44f42431f7a069d6d993728788af54c20ce7ece289640c3e1c9.exe
"C:\Users\Admin\AppData\Local\Temp\53495ecf8b97a44f42431f7a069d6d993728788af54c20ce7ece289640c3e1c9.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2660

C:\Users\Admin\AppData\Local\Temp\jcwiqsmrvv.exe
"C:\Users\Admin\AppData\Local\Temp\jcwiqsmrvv.exe" C:\Users\Admin\AppData\Local\Temp\trrvkycokyj.g
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4408

C:\Users\Admin\AppData\Local\Temp\jcwiqsmrvv.exe
"C:\Users\Admin\AppData\Local\Temp\jcwiqsmrvv.exe" C:\Users\Admin\AppData\Local\Temp\trrvkycokyj.g
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2824

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\jcwiqsmrvv.exe"
3⤵
PID:4300

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fonyd.vdc
Filesize
185KB

MD5
b2d0da6b66396d6bc3791ca1e5ad77d0

SHA1
8c0f795c8456fa97d0b5abaf510c9a05e9799eb8

SHA256
c2cb370782192eb5f69107e3fe46e0c568db7a6a21e3668d43c1bc328709f82c

SHA512
fc66d84dff9f4cb7051a1294a6094ae88b7abe567722267d717477f65308ad307fe0156d5aee1a15413195b431a4ae987713788819505a5d7e78f3a2d5b7f7cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\jcwiqsmrvv.exe
Filesize
91KB

MD5
62ddc9e0961180e9ac4777d398f11c40

SHA1
f1cc1e39c4268f4dc00cc4ba345e187bb6603dc6

SHA256
35095c1492d707085e5aa8c8391d747658c0e696e972880044a502e894723665

SHA512
d5ef82bc75489aae42b14008648fad0fdf98f197cf0233ed402e7a89dcb3d1420df70779410e8637193ca8ad5e40fb5cb37363eaa93b2b80bd3404f58c15a47a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jcwiqsmrvv.exe
Filesize
91KB

MD5
62ddc9e0961180e9ac4777d398f11c40

SHA1
f1cc1e39c4268f4dc00cc4ba345e187bb6603dc6

SHA256
35095c1492d707085e5aa8c8391d747658c0e696e972880044a502e894723665

SHA512
d5ef82bc75489aae42b14008648fad0fdf98f197cf0233ed402e7a89dcb3d1420df70779410e8637193ca8ad5e40fb5cb37363eaa93b2b80bd3404f58c15a47a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jcwiqsmrvv.exe
Filesize
91KB

MD5
62ddc9e0961180e9ac4777d398f11c40

SHA1
f1cc1e39c4268f4dc00cc4ba345e187bb6603dc6

SHA256
35095c1492d707085e5aa8c8391d747658c0e696e972880044a502e894723665

SHA512
d5ef82bc75489aae42b14008648fad0fdf98f197cf0233ed402e7a89dcb3d1420df70779410e8637193ca8ad5e40fb5cb37363eaa93b2b80bd3404f58c15a47a

Download Submit
C:\Users\Admin\AppData\Local\Temp\trrvkycokyj.g
Filesize
5KB

MD5
0343823aede78134d3eb866c1aa14be9

SHA1
f60903bb00eafdb1a1f1b2f9159cb5ec67e02b54

SHA256
f36dafcc703552003196d2da66b6ec1d594a1944b65d7d395383c95cf466c5f4

SHA512
0fa976372d784ba8c8788a607b63311aea6147f37b395b7ed0f07e7c95d48dd8998a2a88f8825fbee83c8331b82fb99e6a62512b00663e8f808c38c0419370f2

Download Submit
memory/2244-228-0x0000000000000000-mapping.dmp

Download
memory/2244-273-0x0000000000C80000-0x0000000000DF3000-memory.dmp

Filesize
1.4MB

Download
memory/2244-274-0x0000000000990000-0x00000000009BF000-memory.dmp

Filesize
188KB

Download
memory/2244-275-0x0000000004DE0000-0x0000000005100000-memory.dmp

Filesize
3.1MB

Download
memory/2244-283-0x0000000000990000-0x00000000009BF000-memory.dmp

Filesize
188KB

Download
memory/2244-284-0x0000000004AC0000-0x0000000004C4D000-memory.dmp

Filesize
1.6MB

Download
memory/2244-286-0x0000000004AC0000-0x0000000004C4D000-memory.dmp

Filesize
1.6MB

Download
memory/2660-131-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-152-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-129-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-130-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-127-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-132-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-133-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-134-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-135-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-136-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-137-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-138-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-139-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-140-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-141-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-142-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-143-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-144-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-145-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-146-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-147-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-148-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-149-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-150-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-151-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-128-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-153-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-154-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-155-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-116-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-126-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-125-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-115-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-117-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-124-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-123-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-118-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-122-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-121-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-120-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-119-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2824-226-0x0000000000800000-0x0000000000993000-memory.dmp

Filesize
1.6MB

Download
memory/2824-224-0x00000000006E0000-0x00000000006F4000-memory.dmp

Filesize
80KB

Download
memory/2824-223-0x00000000009A0000-0x0000000000CC0000-memory.dmp

Filesize
3.1MB

Download
memory/2824-222-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2824-200-0x000000000041F100-mapping.dmp

Download
memory/3052-227-0x0000000005E60000-0x0000000005F8C000-memory.dmp

Filesize
1.2MB

Download
memory/3052-225-0x0000000004CD0000-0x0000000004DF3000-memory.dmp

Filesize
1.1MB

Download
memory/3052-285-0x00000000058E0000-0x00000000059E4000-memory.dmp

Filesize
1.0MB

Download
memory/3052-287-0x00000000058E0000-0x00000000059E4000-memory.dmp

Filesize
1.0MB

Download
memory/4300-276-0x0000000000000000-mapping.dmp

Download
memory/4408-159-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4408-180-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4408-181-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4408-179-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4408-178-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4408-177-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4408-176-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4408-171-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4408-175-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4408-174-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4408-173-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4408-172-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4408-170-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4408-169-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4408-168-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4408-167-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4408-166-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4408-165-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4408-163-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4408-162-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4408-161-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4408-160-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4408-158-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4408-156-0x0000000000000000-mapping.dmp

Download