formbook | 029d4fe47cb21a8f4e1dbe1863cf43cba6ac777e008b9675d381fda82986196b

General

Target

2022-571-GLS.exe
Size

268KB
MD5

6cc14805bbf5e6bfb4daae5c8a61af7e
SHA1

34836f2aa6a4e97705352a50d2a7147c857fea94
SHA256

029d4fe47cb21a8f4e1dbe1863cf43cba6ac777e008b9675d381fda82986196b
SHA512

5f1bb5a77d471e49e15ff414b24ac89858e5458884f8f672a92376434dd9363e6d80146d6448b4ee0233c70531f58c4c7d431d9f873e6d1a2fdacf680479b2c6
SSDEEP

6144:QBn14u11x6y/QH2tw81qVegiZU/S4RaXFKia7ZiOfu:g4uRX4WvqMgiZgSXFKhZiO2

Score

10^/10

formbook b31b rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

b31b

Decoy

deltafxtrading.com

alisonangl.com

cdfqs.com

easyentry.vip

dentalinfodomain.com

hiphoppianyc.com

pools-62911.com

supportteam26589.site

delldaypa.one

szanody.com

diaper-basket.art

ffscollab.com

freediverconnect.com

namesbrun.com

theprimone.top

lenzolab.com

cikmas.com

genyuei-no.space

hellofstyle.com

lamagall.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3568-139-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2960-145-0x0000000000AA0000-0x0000000000ACF000-memory.dmp	formbook
behavioral2/memory/2960-150-0x0000000000AA0000-0x0000000000ACF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

jsqqecy.exejsqqecy.exe

pid process

4084 jsqqecy.exe
3568 jsqqecy.exe

pid	process
4084	jsqqecy.exe
3568	jsqqecy.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

jsqqecy.exejsqqecy.exeraserver.exe

description	pid	process	target process
PID 4084 set thread context of 3568	4084	jsqqecy.exe	jsqqecy.exe
PID 3568 set thread context of 2408	3568	jsqqecy.exe	Explorer.EXE
PID 2960 set thread context of 2408	2960	raserver.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

jsqqecy.exeraserver.exe

pid	process
3568	jsqqecy.exe
3568	jsqqecy.exe
3568	jsqqecy.exe
3568	jsqqecy.exe
2960	raserver.exe
2960	raserver.exe
2960	raserver.exe
2960	raserver.exe
2960	raserver.exe
2960	raserver.exe
2960	raserver.exe
2960	raserver.exe
2960	raserver.exe
2960	raserver.exe
2960	raserver.exe
2960	raserver.exe
2960	raserver.exe
2960	raserver.exe
2960	raserver.exe
2960	raserver.exe
2960	raserver.exe
2960	raserver.exe
2960	raserver.exe
2960	raserver.exe
2960	raserver.exe
2960	raserver.exe
2960	raserver.exe
2960	raserver.exe
2960	raserver.exe
2960	raserver.exe
2960	raserver.exe
2960	raserver.exe
2960	raserver.exe
2960	raserver.exe
2960	raserver.exe
2960	raserver.exe
2960	raserver.exe
2960	raserver.exe
2960	raserver.exe
2960	raserver.exe
2960	raserver.exe
2960	raserver.exe
2960	raserver.exe
2960	raserver.exe
2960	raserver.exe
2960	raserver.exe
2960	raserver.exe
2960	raserver.exe
2960	raserver.exe
2960	raserver.exe
2960	raserver.exe
2960	raserver.exe
2960	raserver.exe
2960	raserver.exe
2960	raserver.exe
2960	raserver.exe
2960	raserver.exe
2960	raserver.exe
2960	raserver.exe
2960	raserver.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2408 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

jsqqecy.exejsqqecy.exeraserver.exe

pid process

4084 jsqqecy.exe
3568 jsqqecy.exe
3568 jsqqecy.exe
3568 jsqqecy.exe
2960 raserver.exe
2960 raserver.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

jsqqecy.exeraserver.exe

description pid process

Token: SeDebugPrivilege 3568 jsqqecy.exe
Token: SeDebugPrivilege 2960 raserver.exe

pid	process
2408	Explorer.EXE

pid	process
4084	jsqqecy.exe
3568	jsqqecy.exe
3568	jsqqecy.exe
3568	jsqqecy.exe
2960	raserver.exe
2960	raserver.exe

description	pid	process
Token: SeDebugPrivilege	3568	jsqqecy.exe
Token: SeDebugPrivilege	2960	raserver.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

2022-571-GLS.exejsqqecy.exeExplorer.EXEraserver.exe

description	pid	process	target process
PID 536 wrote to memory of 4084	536	2022-571-GLS.exe	jsqqecy.exe
PID 536 wrote to memory of 4084	536	2022-571-GLS.exe	jsqqecy.exe
PID 536 wrote to memory of 4084	536	2022-571-GLS.exe	jsqqecy.exe
PID 4084 wrote to memory of 3568	4084	jsqqecy.exe	jsqqecy.exe
PID 4084 wrote to memory of 3568	4084	jsqqecy.exe	jsqqecy.exe
PID 4084 wrote to memory of 3568	4084	jsqqecy.exe	jsqqecy.exe
PID 4084 wrote to memory of 3568	4084	jsqqecy.exe	jsqqecy.exe
PID 2408 wrote to memory of 2960	2408	Explorer.EXE	raserver.exe
PID 2408 wrote to memory of 2960	2408	Explorer.EXE	raserver.exe
PID 2408 wrote to memory of 2960	2408	Explorer.EXE	raserver.exe
PID 2960 wrote to memory of 4892	2960	raserver.exe	cmd.exe
PID 2960 wrote to memory of 4892	2960	raserver.exe	cmd.exe
PID 2960 wrote to memory of 4892	2960	raserver.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2408

C:\Users\Admin\AppData\Local\Temp\2022-571-GLS.exe
"C:\Users\Admin\AppData\Local\Temp\2022-571-GLS.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:536

C:\Users\Admin\AppData\Local\Temp\jsqqecy.exe
"C:\Users\Admin\AppData\Local\Temp\jsqqecy.exe" C:\Users\Admin\AppData\Local\Temp\xduyswx.up
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4084

C:\Users\Admin\AppData\Local\Temp\jsqqecy.exe
"C:\Users\Admin\AppData\Local\Temp\jsqqecy.exe" C:\Users\Admin\AppData\Local\Temp\xduyswx.up
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3568

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2960

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\jsqqecy.exe"
3⤵
PID:4892

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jsqqecy.exe
Filesize
144KB

MD5
07875284ce0a6276f406b25f9e429270

SHA1
38a67882404fe8cd7473c8b1949a0b5384b36f94

SHA256
aed6b2a3fb3845ecbc1ab0dfe26aed0cffd1d220ca86f77bebb44eca02b3229e

SHA512
5db9ef373a1535012bfea4e4052616c4af565b57535b2f5f381261ad2d13213592bb4aa80ffde21139e00d8eb1b5a2612f205f72ca816613510f0d292c0a44c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\jsqqecy.exe
Filesize
144KB

MD5
07875284ce0a6276f406b25f9e429270

SHA1
38a67882404fe8cd7473c8b1949a0b5384b36f94

SHA256
aed6b2a3fb3845ecbc1ab0dfe26aed0cffd1d220ca86f77bebb44eca02b3229e

SHA512
5db9ef373a1535012bfea4e4052616c4af565b57535b2f5f381261ad2d13213592bb4aa80ffde21139e00d8eb1b5a2612f205f72ca816613510f0d292c0a44c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\jsqqecy.exe
Filesize
144KB

MD5
07875284ce0a6276f406b25f9e429270

SHA1
38a67882404fe8cd7473c8b1949a0b5384b36f94

SHA256
aed6b2a3fb3845ecbc1ab0dfe26aed0cffd1d220ca86f77bebb44eca02b3229e

SHA512
5db9ef373a1535012bfea4e4052616c4af565b57535b2f5f381261ad2d13213592bb4aa80ffde21139e00d8eb1b5a2612f205f72ca816613510f0d292c0a44c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\xduyswx.up
Filesize
5KB

MD5
813ea3e20968dca381fd705cce6352af

SHA1
f5641ee0577e29603c5146827b0f3e920b307011

SHA256
ba88f948de0f61dd0e1e09d5abb977794a350380612c4f8e5ab7a7d5d3c5e108

SHA512
681484352435ef93b1e3ec909f30627c4373cb5f862a60c523da9a02ae5da9292004bd5c1787686e9025c81a19c47ab25f7b6f7072a86e3211728b02a95a63f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zpnolg.oo
Filesize
185KB

MD5
1cba56aa7342010c42de3448072bffd6

SHA1
41750afcf5d21b6c3d1ef4d8b17cd5c283353206

SHA256
1f2933bb236406b4e5e0c84b64441f7103e8860c3db1014e1d07beabd47ac584

SHA512
e0dfb340e005729e784c828bebfd428c147db6ebc06a4261c960ce5cc2f5379a65dd723e7959a75a6d4f297ab5f7fc22abe255d17e29e6d971e2e78845adee61

Download Submit
memory/2408-142-0x0000000008260000-0x0000000008377000-memory.dmp

Filesize
1.1MB

Download
memory/2408-151-0x0000000008380000-0x000000000845E000-memory.dmp

Filesize
888KB

Download
memory/2408-149-0x0000000008380000-0x000000000845E000-memory.dmp

Filesize
888KB

Download
memory/2960-147-0x00000000029F0000-0x0000000002D3A000-memory.dmp

Filesize
3.3MB

Download
memory/2960-143-0x0000000000000000-mapping.dmp

Download
memory/2960-145-0x0000000000AA0000-0x0000000000ACF000-memory.dmp

Filesize
188KB

Download
memory/2960-144-0x00000000000E0000-0x00000000000FF000-memory.dmp

Filesize
124KB

Download
memory/2960-148-0x0000000002830000-0x00000000028C3000-memory.dmp

Filesize
588KB

Download
memory/2960-150-0x0000000000AA0000-0x0000000000ACF000-memory.dmp

Filesize
188KB

Download
memory/3568-141-0x0000000001030000-0x0000000001044000-memory.dmp

Filesize
80KB

Download
memory/3568-140-0x0000000001500000-0x000000000184A000-memory.dmp

Filesize
3.3MB

Download
memory/3568-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3568-137-0x0000000000000000-mapping.dmp

Download
memory/4084-132-0x0000000000000000-mapping.dmp

Download
memory/4892-146-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads