formbook | 8e5b19f0a617d54186f50e650b9eec8dba831b59b99fd4da8c0b16fe3fa52ab8

General

Target

jets80054.exe
Size

304KB
MD5

f57974ed632c9b3aed13be4e2d4dfd7b
SHA1

729614769140d585e61b63cf04da1ff528ca58b5
SHA256

5308026699c3ce88917c846e9b6ae9939fbe08415a88937ec6ab74fd507ed98a
SHA512

0688ca6cec67e33482d38f31ae108ff222740fa486e663ed139f632412394526a6bbc51ae4c712ca818a3c4800c1859ae1ed11c12cc3cea5ef30075f86c1d433
SSDEEP

6144:MEa0NMikS9Le6rGEsNirbtz6xl3Y0ansq0XTHpGMQ:XMikSraESiF+l3jHq0k

Score

10^/10

formbook je14 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

je14

Decoy

innervisionbuildings.com

theenergysocialite.com

565548.com

panghr.com

onlyonesolutions.com

stjohnzone6.com

cnotes.rest

helfeb.online

xixi-s-inc.club

easilyentered.com

theshopx.store

mrclean-ac.com

miamibeachwateradventures.com

jpearce.co.uk

seseragi-bunkou.com

minimaddie.com

commbank-help-849c3.com

segohandelsonderneming.com

namthanhreal.com

fototerapi.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2912-139-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2912-146-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4768-150-0x0000000000C00000-0x0000000000C2F000-memory.dmp	formbook
behavioral2/memory/4768-153-0x0000000000C00000-0x0000000000C2F000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

kmqnvwtso.exekmqnvwtso.exe

pid process

4556 kmqnvwtso.exe
2912 kmqnvwtso.exe

pid	process
4556	kmqnvwtso.exe
2912	kmqnvwtso.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

kmqnvwtso.exekmqnvwtso.exehelp.exe

description	pid	process	target process
PID 4556 set thread context of 2912	4556	kmqnvwtso.exe	kmqnvwtso.exe
PID 2912 set thread context of 2456	2912	kmqnvwtso.exe	Explorer.EXE
PID 2912 set thread context of 2456	2912	kmqnvwtso.exe	Explorer.EXE
PID 4768 set thread context of 2456	4768	help.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

kmqnvwtso.exehelp.exe

pid	process
2912	kmqnvwtso.exe
2912	kmqnvwtso.exe
2912	kmqnvwtso.exe
2912	kmqnvwtso.exe
2912	kmqnvwtso.exe
2912	kmqnvwtso.exe
4768	help.exe
4768	help.exe
4768	help.exe
4768	help.exe
4768	help.exe
4768	help.exe
4768	help.exe
4768	help.exe
4768	help.exe
4768	help.exe
4768	help.exe
4768	help.exe
4768	help.exe
4768	help.exe
4768	help.exe
4768	help.exe
4768	help.exe
4768	help.exe
4768	help.exe
4768	help.exe
4768	help.exe
4768	help.exe
4768	help.exe
4768	help.exe
4768	help.exe
4768	help.exe
4768	help.exe
4768	help.exe
4768	help.exe
4768	help.exe
4768	help.exe
4768	help.exe
4768	help.exe
4768	help.exe
4768	help.exe
4768	help.exe
4768	help.exe
4768	help.exe
4768	help.exe
4768	help.exe
4768	help.exe
4768	help.exe
4768	help.exe
4768	help.exe
4768	help.exe
4768	help.exe
4768	help.exe
4768	help.exe
4768	help.exe
4768	help.exe
4768	help.exe
4768	help.exe
4768	help.exe
4768	help.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2456 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

kmqnvwtso.exekmqnvwtso.exehelp.exe

pid process

4556 kmqnvwtso.exe
2912 kmqnvwtso.exe
2912 kmqnvwtso.exe
2912 kmqnvwtso.exe
2912 kmqnvwtso.exe
4768 help.exe
4768 help.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

kmqnvwtso.exehelp.exe

description pid process

Token: SeDebugPrivilege 2912 kmqnvwtso.exe
Token: SeDebugPrivilege 4768 help.exe

pid	process
2456	Explorer.EXE

pid	process
4556	kmqnvwtso.exe
2912	kmqnvwtso.exe
2912	kmqnvwtso.exe
2912	kmqnvwtso.exe
2912	kmqnvwtso.exe
4768	help.exe
4768	help.exe

description	pid	process
Token: SeDebugPrivilege	2912	kmqnvwtso.exe
Token: SeDebugPrivilege	4768	help.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

jets80054.exekmqnvwtso.exeExplorer.EXEhelp.exe

description	pid	process	target process
PID 2836 wrote to memory of 4556	2836	jets80054.exe	kmqnvwtso.exe
PID 2836 wrote to memory of 4556	2836	jets80054.exe	kmqnvwtso.exe
PID 2836 wrote to memory of 4556	2836	jets80054.exe	kmqnvwtso.exe
PID 4556 wrote to memory of 2912	4556	kmqnvwtso.exe	kmqnvwtso.exe
PID 4556 wrote to memory of 2912	4556	kmqnvwtso.exe	kmqnvwtso.exe
PID 4556 wrote to memory of 2912	4556	kmqnvwtso.exe	kmqnvwtso.exe
PID 4556 wrote to memory of 2912	4556	kmqnvwtso.exe	kmqnvwtso.exe
PID 2456 wrote to memory of 4768	2456	Explorer.EXE	help.exe
PID 2456 wrote to memory of 4768	2456	Explorer.EXE	help.exe
PID 2456 wrote to memory of 4768	2456	Explorer.EXE	help.exe
PID 4768 wrote to memory of 2536	4768	help.exe	cmd.exe
PID 4768 wrote to memory of 2536	4768	help.exe	cmd.exe
PID 4768 wrote to memory of 2536	4768	help.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2456

C:\Users\Admin\AppData\Local\Temp\jets80054.exe
"C:\Users\Admin\AppData\Local\Temp\jets80054.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2836

C:\Users\Admin\AppData\Local\Temp\kmqnvwtso.exe
"C:\Users\Admin\AppData\Local\Temp\kmqnvwtso.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4556

C:\Users\Admin\AppData\Local\Temp\kmqnvwtso.exe
"C:\Users\Admin\AppData\Local\Temp\kmqnvwtso.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2912

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4768

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\kmqnvwtso.exe"
3⤵
PID:2536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\kmqnvwtso.exe

Filesize
148KB

MD5
014a2943f1991ffdc86b423a97fc471e

SHA1
a7a0667632788a895b31f8a0a731e0dc2e0dd076

SHA256
de57839ddcc617f1a8ffbfe761c669e1b963b39673b102904e940697aea7a168

SHA512
2adfe9725b09ad1a30f909739808b1b98d9fad680b5590f28f0b47cfc5abeb50046449662c8b37ac799fb6643c4e72b0f41f1f3197388404d08bd89e271f5570

Download Submit
C:\Users\Admin\AppData\Local\Temp\kmqnvwtso.exe

Filesize
148KB

MD5
014a2943f1991ffdc86b423a97fc471e

SHA1
a7a0667632788a895b31f8a0a731e0dc2e0dd076

SHA256
de57839ddcc617f1a8ffbfe761c669e1b963b39673b102904e940697aea7a168

SHA512
2adfe9725b09ad1a30f909739808b1b98d9fad680b5590f28f0b47cfc5abeb50046449662c8b37ac799fb6643c4e72b0f41f1f3197388404d08bd89e271f5570

Download Submit
C:\Users\Admin\AppData\Local\Temp\kmqnvwtso.exe

Filesize
148KB

MD5
014a2943f1991ffdc86b423a97fc471e

SHA1
a7a0667632788a895b31f8a0a731e0dc2e0dd076

SHA256
de57839ddcc617f1a8ffbfe761c669e1b963b39673b102904e940697aea7a168

SHA512
2adfe9725b09ad1a30f909739808b1b98d9fad680b5590f28f0b47cfc5abeb50046449662c8b37ac799fb6643c4e72b0f41f1f3197388404d08bd89e271f5570

Download Submit
C:\Users\Admin\AppData\Local\Temp\qknrnneti.o

Filesize
185KB

MD5
947ca1871fc4b401f41b9c0dbc9af30f

SHA1
6e96ef23737597e516084152b06bedc8e1d71d5f

SHA256
4ab8376ef4acda68064e3542f9544fbeefa45a357b268411b5ec4de691ab0f5b

SHA512
9c21bb470385b308fe808883cb9ec08566ad803ec7e8777162affc53d45c38bfec75e46fcb318228ffcc9c4394bc50f0f0ceb6aa6e80327ef798f7011332f681

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpintmjypwl.fpk

Filesize
5KB

MD5
da70c58f3ee7c8cde24797591b5a5fb7

SHA1
44c1649bae5696694493c56ed4f3f8abfd2f908f

SHA256
7a0186ea7241932180c9e7f2ef6fd08541c66e53ef2b4b750190baf760f409c6

SHA512
7db41e091f768c397ab155d060eb9635116b1081d2c0dbbdcbb1c8849e0d2f2799601ba53628174cfd7dde60869bfb44a9b17cc0e5c4f59d49c33299f14eab30

Download Submit
memory/2456-142-0x0000000002E30000-0x0000000002EFF000-memory.dmp

Filesize
828KB

Download
memory/2456-154-0x00000000030D0000-0x00000000031CB000-memory.dmp

Filesize
1004KB

Download
memory/2456-152-0x00000000030D0000-0x00000000031CB000-memory.dmp

Filesize
1004KB

Download
memory/2456-144-0x0000000008630000-0x0000000008759000-memory.dmp

Filesize
1.2MB

Download
memory/2536-147-0x0000000000000000-mapping.dmp

Download
memory/2912-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2912-143-0x00000000010D0000-0x00000000010E4000-memory.dmp

Filesize
80KB

Download
memory/2912-140-0x0000000001570000-0x00000000018BA000-memory.dmp

Filesize
3.3MB

Download
memory/2912-141-0x0000000001050000-0x0000000001064000-memory.dmp

Filesize
80KB

Download
memory/2912-146-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2912-137-0x0000000000000000-mapping.dmp

Download
memory/4556-132-0x0000000000000000-mapping.dmp

Download
memory/4768-145-0x0000000000000000-mapping.dmp

Download
memory/4768-150-0x0000000000C00000-0x0000000000C2F000-memory.dmp

Filesize
188KB

Download
memory/4768-149-0x0000000001400000-0x000000000174A000-memory.dmp

Filesize
3.3MB

Download
memory/4768-151-0x0000000001140000-0x00000000011D3000-memory.dmp

Filesize
588KB

Download
memory/4768-153-0x0000000000C00000-0x0000000000C2F000-memory.dmp

Filesize
188KB

Download
memory/4768-148-0x0000000000240000-0x0000000000247000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads