formbook | 53495ecf8b97a44f42431f7a069d6d993728788af54c20ce7ece289640c3e1c9

Analysis

max time kernel
147s
max time network
136s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
21-11-2022 14:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53495ecf8b97a44f42431f7a069d6d993728788af54c20ce7ece289640c3e1c9.exe
Size

357KB
MD5

8babf47c462b4c9dc2e4331d2cbbce2b
SHA1

9b3f3e7ab491450cfb595584d316a48cdf6c9138
SHA256

53495ecf8b97a44f42431f7a069d6d993728788af54c20ce7ece289640c3e1c9
SHA512

518c2fa8b1ec096079cbc54f49c0ce8df7a1e0c8c590c4e993e8013cc17f565cc125e9441c80c946bbfd4e7aa7e3741f7c9cc8c8a3d0eae171c8ea76e68c461a
SSDEEP

6144:HEa0eDyf/UBrohN9DYGWKkmHiQIKXNa6OltJae/Sa+tSV93niGBk:LdNGWKhcltJatSf3n/k

Score

10^/10

formbook sk19 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

sk19

Decoy

21diasdegratitud.com

kx1993.com

chasergt.com

837news.com

naturagent.co.uk

gatorinsurtech.com

iyaboolashilesblog.africa

jamtanganmurah.online

gguminsa.com

lilliesdrop.com

lenvera.com

link48.co.uk

azinos777.fun

lgcdct.cfd

bg-gobtc.com

livecarrer.uk

cbq4u.com

imalreadygone.com

wabeng.africa

jxmheiyouyuetot.tokyo

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/2824-222-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2824-231-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2244-274-0x0000000000990000-0x00000000009BF000-memory.dmp	formbook
behavioral1/memory/2244-283-0x0000000000990000-0x00000000009BF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

pid	Process
4408	jcwiqsmrvv.exe
2824	jcwiqsmrvv.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4408 set thread context of 2824	4408	jcwiqsmrvv.exe	67
PID 2824 set thread context of 3052	2824	jcwiqsmrvv.exe	28
PID 2824 set thread context of 3052	2824	jcwiqsmrvv.exe	28
PID 2244 set thread context of 3052	2244	msdt.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
2824	jcwiqsmrvv.exe
2824	jcwiqsmrvv.exe
2824	jcwiqsmrvv.exe
2824	jcwiqsmrvv.exe
2824	jcwiqsmrvv.exe
2824	jcwiqsmrvv.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe
2244	msdt.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3052	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
4408	jcwiqsmrvv.exe
2824	jcwiqsmrvv.exe
2824	jcwiqsmrvv.exe
2824	jcwiqsmrvv.exe
2824	jcwiqsmrvv.exe
2244	msdt.exe
2244	msdt.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2824	jcwiqsmrvv.exe
Token: SeDebugPrivilege	2244	msdt.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 4408	2660	53495ecf8b97a44f42431f7a069d6d993728788af54c20ce7ece289640c3e1c9.exe	66
PID 2660 wrote to memory of 4408	2660	53495ecf8b97a44f42431f7a069d6d993728788af54c20ce7ece289640c3e1c9.exe	66
PID 2660 wrote to memory of 4408	2660	53495ecf8b97a44f42431f7a069d6d993728788af54c20ce7ece289640c3e1c9.exe	66
PID 4408 wrote to memory of 2824	4408	jcwiqsmrvv.exe	67
PID 4408 wrote to memory of 2824	4408	jcwiqsmrvv.exe	67
PID 4408 wrote to memory of 2824	4408	jcwiqsmrvv.exe	67
PID 4408 wrote to memory of 2824	4408	jcwiqsmrvv.exe	67
PID 3052 wrote to memory of 2244	3052	Explorer.EXE	68
PID 3052 wrote to memory of 2244	3052	Explorer.EXE	68
PID 3052 wrote to memory of 2244	3052	Explorer.EXE	68
PID 2244 wrote to memory of 4300	2244	msdt.exe	69
PID 2244 wrote to memory of 4300	2244	msdt.exe	69
PID 2244 wrote to memory of 4300	2244	msdt.exe	69

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Users\Admin\AppData\Local\Temp\53495ecf8b97a44f42431f7a069d6d993728788af54c20ce7ece289640c3e1c9.exe
  "C:\Users\Admin\AppData\Local\Temp\53495ecf8b97a44f42431f7a069d6d993728788af54c20ce7ece289640c3e1c9.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Users\Admin\AppData\Local\Temp\jcwiqsmrvv.exe
    "C:\Users\Admin\AppData\Local\Temp\jcwiqsmrvv.exe" C:\Users\Admin\AppData\Local\Temp\trrvkycokyj.g
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4408
  - - C:\Users\Admin\AppData\Local\Temp\jcwiqsmrvv.exe
      "C:\Users\Admin\AppData\Local\Temp\jcwiqsmrvv.exe" C:\Users\Admin\AppData\Local\Temp\trrvkycokyj.g
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2824
- C:\Windows\SysWOW64\msdt.exe
  "C:\Windows\SysWOW64\msdt.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\jcwiqsmrvv.exe"
    3⤵
    PID:4300

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fonyd.vdc

Filesize
185KB

MD5
b2d0da6b66396d6bc3791ca1e5ad77d0

SHA1
8c0f795c8456fa97d0b5abaf510c9a05e9799eb8

SHA256
c2cb370782192eb5f69107e3fe46e0c568db7a6a21e3668d43c1bc328709f82c

SHA512
fc66d84dff9f4cb7051a1294a6094ae88b7abe567722267d717477f65308ad307fe0156d5aee1a15413195b431a4ae987713788819505a5d7e78f3a2d5b7f7cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\jcwiqsmrvv.exe

Filesize
91KB

MD5
62ddc9e0961180e9ac4777d398f11c40

SHA1
f1cc1e39c4268f4dc00cc4ba345e187bb6603dc6

SHA256
35095c1492d707085e5aa8c8391d747658c0e696e972880044a502e894723665

SHA512
d5ef82bc75489aae42b14008648fad0fdf98f197cf0233ed402e7a89dcb3d1420df70779410e8637193ca8ad5e40fb5cb37363eaa93b2b80bd3404f58c15a47a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jcwiqsmrvv.exe

Filesize
91KB

MD5
62ddc9e0961180e9ac4777d398f11c40

SHA1
f1cc1e39c4268f4dc00cc4ba345e187bb6603dc6

SHA256
35095c1492d707085e5aa8c8391d747658c0e696e972880044a502e894723665

SHA512
d5ef82bc75489aae42b14008648fad0fdf98f197cf0233ed402e7a89dcb3d1420df70779410e8637193ca8ad5e40fb5cb37363eaa93b2b80bd3404f58c15a47a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jcwiqsmrvv.exe

Filesize
91KB

MD5
62ddc9e0961180e9ac4777d398f11c40

SHA1
f1cc1e39c4268f4dc00cc4ba345e187bb6603dc6

SHA256
35095c1492d707085e5aa8c8391d747658c0e696e972880044a502e894723665

SHA512
d5ef82bc75489aae42b14008648fad0fdf98f197cf0233ed402e7a89dcb3d1420df70779410e8637193ca8ad5e40fb5cb37363eaa93b2b80bd3404f58c15a47a

Download Submit
C:\Users\Admin\AppData\Local\Temp\trrvkycokyj.g

Filesize
5KB

MD5
0343823aede78134d3eb866c1aa14be9

SHA1
f60903bb00eafdb1a1f1b2f9159cb5ec67e02b54

SHA256
f36dafcc703552003196d2da66b6ec1d594a1944b65d7d395383c95cf466c5f4

SHA512
0fa976372d784ba8c8788a607b63311aea6147f37b395b7ed0f07e7c95d48dd8998a2a88f8825fbee83c8331b82fb99e6a62512b00663e8f808c38c0419370f2

Download Submit
memory/2244-228-0x0000000000000000-mapping.dmp

Download
memory/2244-273-0x0000000000C80000-0x0000000000DF3000-memory.dmp

Filesize
1.4MB

Download
memory/2244-274-0x0000000000990000-0x00000000009BF000-memory.dmp

Filesize
188KB

Download
memory/2244-275-0x0000000004DE0000-0x0000000005100000-memory.dmp

Filesize
3.1MB

Download
memory/2244-283-0x0000000000990000-0x00000000009BF000-memory.dmp

Filesize
188KB

Download
memory/2244-284-0x0000000004AC0000-0x0000000004C4D000-memory.dmp

Filesize
1.6MB

Download
memory/2244-286-0x0000000004AC0000-0x0000000004C4D000-memory.dmp

Filesize
1.6MB

Download
memory/2660-131-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-152-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-129-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-130-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-127-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-132-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-133-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-134-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-135-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-136-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-137-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-138-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-139-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-140-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-141-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-142-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-143-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-144-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-145-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-146-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-147-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-148-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-149-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-150-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-151-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-128-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-153-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-154-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-155-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-116-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-126-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-125-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-115-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-117-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-124-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-123-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-118-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-122-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-121-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-120-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2660-119-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2824-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2824-226-0x0000000000800000-0x0000000000993000-memory.dmp

Filesize
1.6MB

Download
memory/2824-224-0x00000000006E0000-0x00000000006F4000-memory.dmp

Filesize
80KB

Download
memory/2824-223-0x00000000009A0000-0x0000000000CC0000-memory.dmp

Filesize
3.1MB

Download
memory/2824-222-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2824-200-0x000000000041F100-mapping.dmp

Download
memory/3052-227-0x0000000005E60000-0x0000000005F8C000-memory.dmp

Filesize
1.2MB

Download
memory/3052-225-0x0000000004CD0000-0x0000000004DF3000-memory.dmp

Filesize
1.1MB

Download
memory/3052-285-0x00000000058E0000-0x00000000059E4000-memory.dmp

Filesize
1.0MB

Download
memory/3052-287-0x00000000058E0000-0x00000000059E4000-memory.dmp

Filesize
1.0MB

Download
memory/4300-276-0x0000000000000000-mapping.dmp

Download
memory/4408-159-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4408-180-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4408-181-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4408-179-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4408-178-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4408-177-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4408-176-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4408-171-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4408-175-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4408-174-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4408-173-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4408-172-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4408-170-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4408-169-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4408-168-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4408-167-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4408-166-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4408-165-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4408-163-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4408-162-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4408-161-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4408-160-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4408-158-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4408-156-0x0000000000000000-mapping.dmp

Download