formbook | 2be2ed27eb905845a8aa93628a2b3ba857aa226a76c040a4960eb33e118d7308

General

Target

jetsjest4321.exe
Size

221KB
MD5

a818ccc5ba40d21ffd7976450afdffd8
SHA1

169c5175d227ecb5f5ca1b7f94a950252510d280
SHA256

f096f1b61ce802816976386c76224c9174aacdbb5516b37128c90849deb3addc
SHA512

9b1c7fd187ed76692611280ca18903c924e9eac0e0b1fc50122242872ba68e4b82e88f304de4751ed6d880dc72937c191a0242a89b7c6d39cb292b98ca3cf221
SSDEEP

3072:WfJSq+ytGIon9KcSM49DB5TqFRhzmuhcrhVqefleb+8OOvQDni8OFlGmytV+4VEO:MEa0N4j5mw8crf9IoDhzn+b5e5ETOhv

Score

10^/10

formbook je14 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

je14

Decoy

innervisionbuildings.com

theenergysocialite.com

565548.com

panghr.com

onlyonesolutions.com

stjohnzone6.com

cnotes.rest

helfeb.online

xixi-s-inc.club

easilyentered.com

theshopx.store

mrclean-ac.com

miamibeachwateradventures.com

jpearce.co.uk

seseragi-bunkou.com

minimaddie.com

commbank-help-849c3.com

segohandelsonderneming.com

namthanhreal.com

fototerapi.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2196-146-0x0000000000860000-0x000000000088F000-memory.dmp	formbook
behavioral2/memory/2196-147-0x0000000000860000-0x000000000088F000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

ltylx.exeltylx.exe

pid process

2108 ltylx.exe
1736 ltylx.exe

pid	process
2108	ltylx.exe
1736	ltylx.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

ltylx.exeltylx.exehelp.exe

description	pid	process	target process
PID 2108 set thread context of 1736	2108	ltylx.exe	ltylx.exe
PID 1736 set thread context of 780	1736	ltylx.exe	Explorer.EXE
PID 2196 set thread context of 780	2196	help.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

ltylx.exehelp.exe

pid	process
1736	ltylx.exe
1736	ltylx.exe
1736	ltylx.exe
1736	ltylx.exe
2196	help.exe
2196	help.exe
2196	help.exe
2196	help.exe
2196	help.exe
2196	help.exe
2196	help.exe
2196	help.exe
2196	help.exe
2196	help.exe
2196	help.exe
2196	help.exe
2196	help.exe
2196	help.exe
2196	help.exe
2196	help.exe
2196	help.exe
2196	help.exe
2196	help.exe
2196	help.exe
2196	help.exe
2196	help.exe
2196	help.exe
2196	help.exe
2196	help.exe
2196	help.exe
2196	help.exe
2196	help.exe
2196	help.exe
2196	help.exe
2196	help.exe
2196	help.exe
2196	help.exe
2196	help.exe
2196	help.exe
2196	help.exe
2196	help.exe
2196	help.exe
2196	help.exe
2196	help.exe
2196	help.exe
2196	help.exe
2196	help.exe
2196	help.exe
2196	help.exe
2196	help.exe
2196	help.exe
2196	help.exe
2196	help.exe
2196	help.exe
2196	help.exe
2196	help.exe
2196	help.exe
2196	help.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

780 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

ltylx.exeltylx.exehelp.exe

pid process

2108 ltylx.exe
2108 ltylx.exe
1736 ltylx.exe
1736 ltylx.exe
1736 ltylx.exe
2196 help.exe
2196 help.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ltylx.exehelp.exe

description pid process

Token: SeDebugPrivilege 1736 ltylx.exe
Token: SeDebugPrivilege 2196 help.exe

pid	process
780	Explorer.EXE

pid	process
2108	ltylx.exe
2108	ltylx.exe
1736	ltylx.exe
1736	ltylx.exe
1736	ltylx.exe
2196	help.exe
2196	help.exe

description	pid	process
Token: SeDebugPrivilege	1736	ltylx.exe
Token: SeDebugPrivilege	2196	help.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

jetsjest4321.exeltylx.exeExplorer.EXEhelp.exe

description	pid	process	target process
PID 1416 wrote to memory of 2108	1416	jetsjest4321.exe	ltylx.exe
PID 1416 wrote to memory of 2108	1416	jetsjest4321.exe	ltylx.exe
PID 1416 wrote to memory of 2108	1416	jetsjest4321.exe	ltylx.exe
PID 2108 wrote to memory of 1736	2108	ltylx.exe	ltylx.exe
PID 2108 wrote to memory of 1736	2108	ltylx.exe	ltylx.exe
PID 2108 wrote to memory of 1736	2108	ltylx.exe	ltylx.exe
PID 2108 wrote to memory of 1736	2108	ltylx.exe	ltylx.exe
PID 780 wrote to memory of 2196	780	Explorer.EXE	help.exe
PID 780 wrote to memory of 2196	780	Explorer.EXE	help.exe
PID 780 wrote to memory of 2196	780	Explorer.EXE	help.exe
PID 2196 wrote to memory of 3168	2196	help.exe	cmd.exe
PID 2196 wrote to memory of 3168	2196	help.exe	cmd.exe
PID 2196 wrote to memory of 3168	2196	help.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:780
- C:\Users\Admin\AppData\Local\Temp\jetsjest4321.exe
  "C:\Users\Admin\AppData\Local\Temp\jetsjest4321.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1416
- - C:\Users\Admin\AppData\Local\Temp\ltylx.exe
    "C:\Users\Admin\AppData\Local\Temp\ltylx.exe" C:\Users\Admin\AppData\Local\Temp\ibagsul.bfa
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2108
  - - C:\Users\Admin\AppData\Local\Temp\ltylx.exe
      "C:\Users\Admin\AppData\Local\Temp\ltylx.exe" C:\Users\Admin\AppData\Local\Temp\ibagsul.bfa
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:1736
- C:\Windows\SysWOW64\help.exe
  "C:\Windows\SysWOW64\help.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\ltylx.exe"
    3⤵
    PID:3168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bnibs.ud

Filesize
185KB

MD5
451cc2d8a58d6f16a12b1540e5508e90

SHA1
94f862e0146f07956109f13b2fdada5f42134107

SHA256
c2f9553e56b24aa643be907333fef74e754c85abfd1ce9575d9eea82675e6004

SHA512
1a19cc6223b59e3dbaf47b1ca205febf45cfb437806c0688992e690409f86678eb0715d797eca0ee6a82280787171eb70f964b685fcb58b7ab3813b58d5269b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ibagsul.bfa

Filesize
5KB

MD5
b9506fcf0615bfdcdcc9a59fa6fc738d

SHA1
07f7c933403dae801b95aceb5644b340bf54f28a

SHA256
dd6a5fd5e3e7cc978caf25ea67a14e3509ceb80ebef78671c3433227ed2bf834

SHA512
139026f6e1ae0c64093a303035f82bca28890421496a8820730dfc47a4f3d3492188be2200c726bfa53a0f94ea98070774e022f4c6080abf78511a6f3fd2b176

Download Submit
C:\Users\Admin\AppData\Local\Temp\ltylx.exe

Filesize
7KB

MD5
b18c813bcde330f38bb21fd66ca2cccc

SHA1
ed2f3d0bab90a9bf52652cdfccf11a676b7b8f69

SHA256
4de10b78e4908438e444e50d0cebaba065b79ebe606951cae0c83120f2b2e2fc

SHA512
179965d27db4bd406ce7fc81cee6f2574be34650dc43450c8f3e5beb5262594793de2da6e994166db7619f1dcfc1c7b23ca5b21838837e4579ab1eac4b32abab

Download Submit
C:\Users\Admin\AppData\Local\Temp\ltylx.exe

Filesize
7KB

MD5
b18c813bcde330f38bb21fd66ca2cccc

SHA1
ed2f3d0bab90a9bf52652cdfccf11a676b7b8f69

SHA256
4de10b78e4908438e444e50d0cebaba065b79ebe606951cae0c83120f2b2e2fc

SHA512
179965d27db4bd406ce7fc81cee6f2574be34650dc43450c8f3e5beb5262594793de2da6e994166db7619f1dcfc1c7b23ca5b21838837e4579ab1eac4b32abab

Download Submit
C:\Users\Admin\AppData\Local\Temp\ltylx.exe

Filesize
7KB

MD5
b18c813bcde330f38bb21fd66ca2cccc

SHA1
ed2f3d0bab90a9bf52652cdfccf11a676b7b8f69

SHA256
4de10b78e4908438e444e50d0cebaba065b79ebe606951cae0c83120f2b2e2fc

SHA512
179965d27db4bd406ce7fc81cee6f2574be34650dc43450c8f3e5beb5262594793de2da6e994166db7619f1dcfc1c7b23ca5b21838837e4579ab1eac4b32abab

Download Submit
memory/780-150-0x0000000007E70000-0x0000000007FE1000-memory.dmp

Filesize
1.4MB

Download
memory/780-149-0x0000000007E70000-0x0000000007FE1000-memory.dmp

Filesize
1.4MB

Download
memory/780-141-0x00000000078C0000-0x00000000079AE000-memory.dmp

Filesize
952KB

Download
memory/1736-140-0x0000000000650000-0x0000000000664000-memory.dmp

Filesize
80KB

Download
memory/1736-139-0x0000000000C30000-0x0000000000F7A000-memory.dmp

Filesize
3.3MB

Download
memory/1736-137-0x0000000000000000-mapping.dmp

Download
memory/2108-132-0x0000000000000000-mapping.dmp

Download
memory/2196-142-0x0000000000000000-mapping.dmp

Download
memory/2196-144-0x0000000000E00000-0x0000000000E07000-memory.dmp

Filesize
28KB

Download
memory/2196-145-0x0000000000FC0000-0x000000000130A000-memory.dmp

Filesize
3.3MB

Download
memory/2196-146-0x0000000000860000-0x000000000088F000-memory.dmp

Filesize
188KB

Download
memory/2196-148-0x0000000000E10000-0x0000000000EA3000-memory.dmp

Filesize
588KB

Download
memory/2196-147-0x0000000000860000-0x000000000088F000-memory.dmp

Filesize
188KB

Download
memory/3168-143-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads