formbook | d24b7e7271c82af4f78b94743d6db6b3d224d0aaf7cb54038445356e229c8df0

General

Target

53495ecf8b97a44f42431f7a069d6d993728788af54c20ce7ece289640c3e1c9.exe
Size

357KB
MD5

8babf47c462b4c9dc2e4331d2cbbce2b
SHA1

9b3f3e7ab491450cfb595584d316a48cdf6c9138
SHA256

53495ecf8b97a44f42431f7a069d6d993728788af54c20ce7ece289640c3e1c9
SHA512

518c2fa8b1ec096079cbc54f49c0ce8df7a1e0c8c590c4e993e8013cc17f565cc125e9441c80c946bbfd4e7aa7e3741f7c9cc8c8a3d0eae171c8ea76e68c461a
SSDEEP

6144:HEa0eDyf/UBrohN9DYGWKkmHiQIKXNa6OltJae/Sa+tSV93niGBk:LdNGWKhcltJatSf3n/k

Score

10^/10

formbook sk19 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

sk19

Decoy

21diasdegratitud.com

kx1993.com

chasergt.com

837news.com

naturagent.co.uk

gatorinsurtech.com

iyaboolashilesblog.africa

jamtanganmurah.online

gguminsa.com

lilliesdrop.com

lenvera.com

link48.co.uk

azinos777.fun

lgcdct.cfd

bg-gobtc.com

livecarrer.uk

cbq4u.com

imalreadygone.com

wabeng.africa

jxmheiyouyuetot.tokyo

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1176-66-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1176-71-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1568-75-0x0000000000090000-0x00000000000BF000-memory.dmp	formbook
behavioral1/memory/1568-79-0x0000000000090000-0x00000000000BF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

jcwiqsmrvv.exejcwiqsmrvv.exe

pid process

2032 jcwiqsmrvv.exe
1176 jcwiqsmrvv.exe

pid	process
2032	jcwiqsmrvv.exe
1176	jcwiqsmrvv.exe

Loads dropped DLL 3 IoCs

Processes:

53495ecf8b97a44f42431f7a069d6d993728788af54c20ce7ece289640c3e1c9.exejcwiqsmrvv.exe

pid	process
1896	53495ecf8b97a44f42431f7a069d6d993728788af54c20ce7ece289640c3e1c9.exe
1896	53495ecf8b97a44f42431f7a069d6d993728788af54c20ce7ece289640c3e1c9.exe
2032	jcwiqsmrvv.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

jcwiqsmrvv.exejcwiqsmrvv.exerundll32.exe

description	pid	process	target process
PID 2032 set thread context of 1176	2032	jcwiqsmrvv.exe	jcwiqsmrvv.exe
PID 1176 set thread context of 1268	1176	jcwiqsmrvv.exe	Explorer.EXE
PID 1568 set thread context of 1268	1568	rundll32.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

jcwiqsmrvv.exerundll32.exe

pid	process
1176	jcwiqsmrvv.exe
1176	jcwiqsmrvv.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

jcwiqsmrvv.exejcwiqsmrvv.exerundll32.exe

pid process

2032 jcwiqsmrvv.exe
1176 jcwiqsmrvv.exe
1176 jcwiqsmrvv.exe
1176 jcwiqsmrvv.exe
1568 rundll32.exe
1568 rundll32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

jcwiqsmrvv.exerundll32.exe

description pid process

Token: SeDebugPrivilege 1176 jcwiqsmrvv.exe
Token: SeDebugPrivilege 1568 rundll32.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1268 Explorer.EXE
1268 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1268 Explorer.EXE
1268 Explorer.EXE

pid	process
2032	jcwiqsmrvv.exe
1176	jcwiqsmrvv.exe
1176	jcwiqsmrvv.exe
1176	jcwiqsmrvv.exe
1568	rundll32.exe
1568	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	1176	jcwiqsmrvv.exe
Token: SeDebugPrivilege	1568	rundll32.exe

pid	process
1268	Explorer.EXE
1268	Explorer.EXE

pid	process
1268	Explorer.EXE
1268	Explorer.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

53495ecf8b97a44f42431f7a069d6d993728788af54c20ce7ece289640c3e1c9.exejcwiqsmrvv.exeExplorer.EXErundll32.exe

description	pid	process	target process
PID 1896 wrote to memory of 2032	1896	53495ecf8b97a44f42431f7a069d6d993728788af54c20ce7ece289640c3e1c9.exe	jcwiqsmrvv.exe
PID 1896 wrote to memory of 2032	1896	53495ecf8b97a44f42431f7a069d6d993728788af54c20ce7ece289640c3e1c9.exe	jcwiqsmrvv.exe
PID 1896 wrote to memory of 2032	1896	53495ecf8b97a44f42431f7a069d6d993728788af54c20ce7ece289640c3e1c9.exe	jcwiqsmrvv.exe
PID 1896 wrote to memory of 2032	1896	53495ecf8b97a44f42431f7a069d6d993728788af54c20ce7ece289640c3e1c9.exe	jcwiqsmrvv.exe
PID 2032 wrote to memory of 1176	2032	jcwiqsmrvv.exe	jcwiqsmrvv.exe
PID 2032 wrote to memory of 1176	2032	jcwiqsmrvv.exe	jcwiqsmrvv.exe
PID 2032 wrote to memory of 1176	2032	jcwiqsmrvv.exe	jcwiqsmrvv.exe
PID 2032 wrote to memory of 1176	2032	jcwiqsmrvv.exe	jcwiqsmrvv.exe
PID 2032 wrote to memory of 1176	2032	jcwiqsmrvv.exe	jcwiqsmrvv.exe
PID 1268 wrote to memory of 1568	1268	Explorer.EXE	rundll32.exe
PID 1268 wrote to memory of 1568	1268	Explorer.EXE	rundll32.exe
PID 1268 wrote to memory of 1568	1268	Explorer.EXE	rundll32.exe
PID 1268 wrote to memory of 1568	1268	Explorer.EXE	rundll32.exe
PID 1268 wrote to memory of 1568	1268	Explorer.EXE	rundll32.exe
PID 1268 wrote to memory of 1568	1268	Explorer.EXE	rundll32.exe
PID 1268 wrote to memory of 1568	1268	Explorer.EXE	rundll32.exe
PID 1568 wrote to memory of 1616	1568	rundll32.exe	cmd.exe
PID 1568 wrote to memory of 1616	1568	rundll32.exe	cmd.exe
PID 1568 wrote to memory of 1616	1568	rundll32.exe	cmd.exe
PID 1568 wrote to memory of 1616	1568	rundll32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1268

C:\Users\Admin\AppData\Local\Temp\53495ecf8b97a44f42431f7a069d6d993728788af54c20ce7ece289640c3e1c9.exe
"C:\Users\Admin\AppData\Local\Temp\53495ecf8b97a44f42431f7a069d6d993728788af54c20ce7ece289640c3e1c9.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1896

C:\Users\Admin\AppData\Local\Temp\jcwiqsmrvv.exe
"C:\Users\Admin\AppData\Local\Temp\jcwiqsmrvv.exe" C:\Users\Admin\AppData\Local\Temp\trrvkycokyj.g
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2032

C:\Users\Admin\AppData\Local\Temp\jcwiqsmrvv.exe
"C:\Users\Admin\AppData\Local\Temp\jcwiqsmrvv.exe" C:\Users\Admin\AppData\Local\Temp\trrvkycokyj.g
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1176

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1568

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\jcwiqsmrvv.exe"
3⤵
PID:1616

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fonyd.vdc
Filesize
185KB

MD5
b2d0da6b66396d6bc3791ca1e5ad77d0

SHA1
8c0f795c8456fa97d0b5abaf510c9a05e9799eb8

SHA256
c2cb370782192eb5f69107e3fe46e0c568db7a6a21e3668d43c1bc328709f82c

SHA512
fc66d84dff9f4cb7051a1294a6094ae88b7abe567722267d717477f65308ad307fe0156d5aee1a15413195b431a4ae987713788819505a5d7e78f3a2d5b7f7cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\jcwiqsmrvv.exe
Filesize
91KB

MD5
62ddc9e0961180e9ac4777d398f11c40

SHA1
f1cc1e39c4268f4dc00cc4ba345e187bb6603dc6

SHA256
35095c1492d707085e5aa8c8391d747658c0e696e972880044a502e894723665

SHA512
d5ef82bc75489aae42b14008648fad0fdf98f197cf0233ed402e7a89dcb3d1420df70779410e8637193ca8ad5e40fb5cb37363eaa93b2b80bd3404f58c15a47a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jcwiqsmrvv.exe
Filesize
91KB

MD5
62ddc9e0961180e9ac4777d398f11c40

SHA1
f1cc1e39c4268f4dc00cc4ba345e187bb6603dc6

SHA256
35095c1492d707085e5aa8c8391d747658c0e696e972880044a502e894723665

SHA512
d5ef82bc75489aae42b14008648fad0fdf98f197cf0233ed402e7a89dcb3d1420df70779410e8637193ca8ad5e40fb5cb37363eaa93b2b80bd3404f58c15a47a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jcwiqsmrvv.exe
Filesize
91KB

MD5
62ddc9e0961180e9ac4777d398f11c40

SHA1
f1cc1e39c4268f4dc00cc4ba345e187bb6603dc6

SHA256
35095c1492d707085e5aa8c8391d747658c0e696e972880044a502e894723665

SHA512
d5ef82bc75489aae42b14008648fad0fdf98f197cf0233ed402e7a89dcb3d1420df70779410e8637193ca8ad5e40fb5cb37363eaa93b2b80bd3404f58c15a47a

Download Submit
C:\Users\Admin\AppData\Local\Temp\trrvkycokyj.g
Filesize
5KB

MD5
0343823aede78134d3eb866c1aa14be9

SHA1
f60903bb00eafdb1a1f1b2f9159cb5ec67e02b54

SHA256
f36dafcc703552003196d2da66b6ec1d594a1944b65d7d395383c95cf466c5f4

SHA512
0fa976372d784ba8c8788a607b63311aea6147f37b395b7ed0f07e7c95d48dd8998a2a88f8825fbee83c8331b82fb99e6a62512b00663e8f808c38c0419370f2

Download Submit
\Users\Admin\AppData\Local\Temp\jcwiqsmrvv.exe
Filesize
91KB

MD5
62ddc9e0961180e9ac4777d398f11c40

SHA1
f1cc1e39c4268f4dc00cc4ba345e187bb6603dc6

SHA256
35095c1492d707085e5aa8c8391d747658c0e696e972880044a502e894723665

SHA512
d5ef82bc75489aae42b14008648fad0fdf98f197cf0233ed402e7a89dcb3d1420df70779410e8637193ca8ad5e40fb5cb37363eaa93b2b80bd3404f58c15a47a

Download Submit
\Users\Admin\AppData\Local\Temp\jcwiqsmrvv.exe
Filesize
91KB

MD5
62ddc9e0961180e9ac4777d398f11c40

SHA1
f1cc1e39c4268f4dc00cc4ba345e187bb6603dc6

SHA256
35095c1492d707085e5aa8c8391d747658c0e696e972880044a502e894723665

SHA512
d5ef82bc75489aae42b14008648fad0fdf98f197cf0233ed402e7a89dcb3d1420df70779410e8637193ca8ad5e40fb5cb37363eaa93b2b80bd3404f58c15a47a

Download Submit
\Users\Admin\AppData\Local\Temp\jcwiqsmrvv.exe
Filesize
91KB

MD5
62ddc9e0961180e9ac4777d398f11c40

SHA1
f1cc1e39c4268f4dc00cc4ba345e187bb6603dc6

SHA256
35095c1492d707085e5aa8c8391d747658c0e696e972880044a502e894723665

SHA512
d5ef82bc75489aae42b14008648fad0fdf98f197cf0233ed402e7a89dcb3d1420df70779410e8637193ca8ad5e40fb5cb37363eaa93b2b80bd3404f58c15a47a

Download Submit
memory/1176-67-0x0000000000810000-0x0000000000B13000-memory.dmp

Filesize
3.0MB

Download
memory/1176-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1176-64-0x000000000041F100-mapping.dmp

Download
memory/1176-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1176-68-0x00000000002B0000-0x00000000002C4000-memory.dmp

Filesize
80KB

Download
memory/1268-80-0x0000000006B30000-0x0000000006C87000-memory.dmp

Filesize
1.3MB

Download
memory/1268-69-0x0000000006A10000-0x0000000006B21000-memory.dmp

Filesize
1.1MB

Download
memory/1268-78-0x0000000006B30000-0x0000000006C87000-memory.dmp

Filesize
1.3MB

Download
memory/1568-77-0x0000000000830000-0x00000000008C3000-memory.dmp

Filesize
588KB

Download
memory/1568-74-0x0000000000AF0000-0x0000000000AFE000-memory.dmp

Filesize
56KB

Download
memory/1568-75-0x0000000000090000-0x00000000000BF000-memory.dmp

Filesize
188KB

Download
memory/1568-76-0x00000000020F0000-0x00000000023F3000-memory.dmp

Filesize
3.0MB

Download
memory/1568-70-0x0000000000000000-mapping.dmp

Download
memory/1568-79-0x0000000000090000-0x00000000000BF000-memory.dmp

Filesize
188KB

Download
memory/1616-73-0x0000000000000000-mapping.dmp

Download
memory/1896-54-0x0000000075201000-0x0000000075203000-memory.dmp

Filesize
8KB

Download
memory/2032-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads