formbook | 53495ecf8b97a44f42431f7a069d6d993728788af54c20ce7ece289640c3e1c9

General

Target

shedfmb2.1.exe
Size

357KB
MD5

8babf47c462b4c9dc2e4331d2cbbce2b
SHA1

9b3f3e7ab491450cfb595584d316a48cdf6c9138
SHA256

53495ecf8b97a44f42431f7a069d6d993728788af54c20ce7ece289640c3e1c9
SHA512

518c2fa8b1ec096079cbc54f49c0ce8df7a1e0c8c590c4e993e8013cc17f565cc125e9441c80c946bbfd4e7aa7e3741f7c9cc8c8a3d0eae171c8ea76e68c461a
SSDEEP

6144:HEa0eDyf/UBrohN9DYGWKkmHiQIKXNa6OltJae/Sa+tSV93niGBk:LdNGWKhcltJatSf3n/k

Score

10^/10

formbook sk19 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

sk19

Decoy

21diasdegratitud.com

kx1993.com

chasergt.com

837news.com

naturagent.co.uk

gatorinsurtech.com

iyaboolashilesblog.africa

jamtanganmurah.online

gguminsa.com

lilliesdrop.com

lenvera.com

link48.co.uk

azinos777.fun

lgcdct.cfd

bg-gobtc.com

livecarrer.uk

cbq4u.com

imalreadygone.com

wabeng.africa

jxmheiyouyuetot.tokyo

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3728-139-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3728-144-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3632-146-0x0000000000E00000-0x0000000000E2F000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

jcwiqsmrvv.exejcwiqsmrvv.exe

pid process

3816 jcwiqsmrvv.exe
3728 jcwiqsmrvv.exe

pid	process
3816	jcwiqsmrvv.exe
3728	jcwiqsmrvv.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

jcwiqsmrvv.exejcwiqsmrvv.execmmon32.exe

description	pid	process	target process
PID 3816 set thread context of 3728	3816	jcwiqsmrvv.exe	jcwiqsmrvv.exe
PID 3728 set thread context of 2640	3728	jcwiqsmrvv.exe	Explorer.EXE
PID 3632 set thread context of 2640	3632	cmmon32.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

jcwiqsmrvv.execmmon32.exe

pid	process
3728	jcwiqsmrvv.exe
3728	jcwiqsmrvv.exe
3728	jcwiqsmrvv.exe
3728	jcwiqsmrvv.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe
3632	cmmon32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2640 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

jcwiqsmrvv.exejcwiqsmrvv.execmmon32.exe

pid process

3816 jcwiqsmrvv.exe
3728 jcwiqsmrvv.exe
3728 jcwiqsmrvv.exe
3728 jcwiqsmrvv.exe
3632 cmmon32.exe
3632 cmmon32.exe

pid	process
2640	Explorer.EXE

pid	process
3816	jcwiqsmrvv.exe
3728	jcwiqsmrvv.exe
3728	jcwiqsmrvv.exe
3728	jcwiqsmrvv.exe
3632	cmmon32.exe
3632	cmmon32.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

jcwiqsmrvv.execmmon32.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	3728	jcwiqsmrvv.exe
Token: SeDebugPrivilege	3632	cmmon32.exe
Token: SeShutdownPrivilege	2640	Explorer.EXE
Token: SeCreatePagefilePrivilege	2640	Explorer.EXE
Token: SeShutdownPrivilege	2640	Explorer.EXE
Token: SeCreatePagefilePrivilege	2640	Explorer.EXE
Token: SeShutdownPrivilege	2640	Explorer.EXE
Token: SeCreatePagefilePrivilege	2640	Explorer.EXE
Token: SeShutdownPrivilege	2640	Explorer.EXE
Token: SeCreatePagefilePrivilege	2640	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

2640 Explorer.EXE
2640 Explorer.EXE

pid	process
2640	Explorer.EXE
2640	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

shedfmb2.1.exejcwiqsmrvv.exeExplorer.EXEcmmon32.exe

description	pid	process	target process
PID 1792 wrote to memory of 3816	1792	shedfmb2.1.exe	jcwiqsmrvv.exe
PID 1792 wrote to memory of 3816	1792	shedfmb2.1.exe	jcwiqsmrvv.exe
PID 1792 wrote to memory of 3816	1792	shedfmb2.1.exe	jcwiqsmrvv.exe
PID 3816 wrote to memory of 3728	3816	jcwiqsmrvv.exe	jcwiqsmrvv.exe
PID 3816 wrote to memory of 3728	3816	jcwiqsmrvv.exe	jcwiqsmrvv.exe
PID 3816 wrote to memory of 3728	3816	jcwiqsmrvv.exe	jcwiqsmrvv.exe
PID 3816 wrote to memory of 3728	3816	jcwiqsmrvv.exe	jcwiqsmrvv.exe
PID 2640 wrote to memory of 3632	2640	Explorer.EXE	cmmon32.exe
PID 2640 wrote to memory of 3632	2640	Explorer.EXE	cmmon32.exe
PID 2640 wrote to memory of 3632	2640	Explorer.EXE	cmmon32.exe
PID 3632 wrote to memory of 2636	3632	cmmon32.exe	cmd.exe
PID 3632 wrote to memory of 2636	3632	cmmon32.exe	cmd.exe
PID 3632 wrote to memory of 2636	3632	cmmon32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2640

C:\Users\Admin\AppData\Local\Temp\shedfmb2.1.exe
"C:\Users\Admin\AppData\Local\Temp\shedfmb2.1.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1792

C:\Users\Admin\AppData\Local\Temp\jcwiqsmrvv.exe
"C:\Users\Admin\AppData\Local\Temp\jcwiqsmrvv.exe" C:\Users\Admin\AppData\Local\Temp\trrvkycokyj.g
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3816

C:\Users\Admin\AppData\Local\Temp\jcwiqsmrvv.exe
"C:\Users\Admin\AppData\Local\Temp\jcwiqsmrvv.exe" C:\Users\Admin\AppData\Local\Temp\trrvkycokyj.g
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3728

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3632

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\jcwiqsmrvv.exe"
3⤵
PID:2636

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fonyd.vdc
Filesize
185KB

MD5
b2d0da6b66396d6bc3791ca1e5ad77d0

SHA1
8c0f795c8456fa97d0b5abaf510c9a05e9799eb8

SHA256
c2cb370782192eb5f69107e3fe46e0c568db7a6a21e3668d43c1bc328709f82c

SHA512
fc66d84dff9f4cb7051a1294a6094ae88b7abe567722267d717477f65308ad307fe0156d5aee1a15413195b431a4ae987713788819505a5d7e78f3a2d5b7f7cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\jcwiqsmrvv.exe
Filesize
91KB

MD5
62ddc9e0961180e9ac4777d398f11c40

SHA1
f1cc1e39c4268f4dc00cc4ba345e187bb6603dc6

SHA256
35095c1492d707085e5aa8c8391d747658c0e696e972880044a502e894723665

SHA512
d5ef82bc75489aae42b14008648fad0fdf98f197cf0233ed402e7a89dcb3d1420df70779410e8637193ca8ad5e40fb5cb37363eaa93b2b80bd3404f58c15a47a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jcwiqsmrvv.exe
Filesize
91KB

MD5
62ddc9e0961180e9ac4777d398f11c40

SHA1
f1cc1e39c4268f4dc00cc4ba345e187bb6603dc6

SHA256
35095c1492d707085e5aa8c8391d747658c0e696e972880044a502e894723665

SHA512
d5ef82bc75489aae42b14008648fad0fdf98f197cf0233ed402e7a89dcb3d1420df70779410e8637193ca8ad5e40fb5cb37363eaa93b2b80bd3404f58c15a47a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jcwiqsmrvv.exe
Filesize
91KB

MD5
62ddc9e0961180e9ac4777d398f11c40

SHA1
f1cc1e39c4268f4dc00cc4ba345e187bb6603dc6

SHA256
35095c1492d707085e5aa8c8391d747658c0e696e972880044a502e894723665

SHA512
d5ef82bc75489aae42b14008648fad0fdf98f197cf0233ed402e7a89dcb3d1420df70779410e8637193ca8ad5e40fb5cb37363eaa93b2b80bd3404f58c15a47a

Download Submit
C:\Users\Admin\AppData\Local\Temp\trrvkycokyj.g
Filesize
5KB

MD5
0343823aede78134d3eb866c1aa14be9

SHA1
f60903bb00eafdb1a1f1b2f9159cb5ec67e02b54

SHA256
f36dafcc703552003196d2da66b6ec1d594a1944b65d7d395383c95cf466c5f4

SHA512
0fa976372d784ba8c8788a607b63311aea6147f37b395b7ed0f07e7c95d48dd8998a2a88f8825fbee83c8331b82fb99e6a62512b00663e8f808c38c0419370f2

Download Submit
memory/2636-149-0x0000000000000000-mapping.dmp

Download
memory/2640-152-0x0000000007BF0000-0x0000000007D01000-memory.dmp

Filesize
1.1MB

Download
memory/2640-151-0x0000000007BF0000-0x0000000007D01000-memory.dmp

Filesize
1.1MB

Download
memory/2640-142-0x0000000002CF0000-0x0000000002DA6000-memory.dmp

Filesize
728KB

Download
memory/2640-148-0x0000000002CF0000-0x0000000002DA6000-memory.dmp

Filesize
728KB

Download
memory/3632-147-0x0000000002DE0000-0x000000000312A000-memory.dmp

Filesize
3.3MB

Download
memory/3632-150-0x0000000002B20000-0x0000000002BB3000-memory.dmp

Filesize
588KB

Download
memory/3632-143-0x0000000000000000-mapping.dmp

Download
memory/3632-145-0x0000000000420000-0x000000000042C000-memory.dmp

Filesize
48KB

Download
memory/3632-146-0x0000000000E00000-0x0000000000E2F000-memory.dmp

Filesize
188KB

Download
memory/3728-137-0x0000000000000000-mapping.dmp

Download
memory/3728-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3728-141-0x0000000000DF0000-0x0000000000E04000-memory.dmp

Filesize
80KB

Download
memory/3728-140-0x0000000000990000-0x0000000000CDA000-memory.dmp

Filesize
3.3MB

Download
memory/3728-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3816-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads