formbook | f251e63c6a599dd80da55e413f7571bf514213ed18c0816a40a4939eca6fe1e1

General

Target

New PO-RJ-IN-003 - Knauf Queimados.exe
Size

396KB
MD5

244fc9610f75225aa3dc09958195beb1
SHA1

ef0d6103d27090fc9d25e3ef3de2e1b6d9670d9c
SHA256

05cdda3567b913d99627f8e41336404d5830816df65e1001d6b2ad05bd9ed18d
SHA512

5e37d34becf476a92c2b14917819c9f9366d99313e971554b4a94d4fe09e05a761355033b5bb59faf3d0a1e34621c31891ff4e5656a379aa581792a7ecc82f16
SSDEEP

6144:hBn7A5jMUCoQUg+p1vrgTr+H9I/LKUsBdVyXMLCMT5u9AG7Nmf:vrZ+1v0TSdcLKj0MLtlu9VNG

Score

10^/10

formbook m9ae persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

m9ae

Decoy

nWTQpX6TYm6dfT3Lcw==

7JaBLgMm8EKn2AlTy5Ksj4Jq

yWRJIhE3viQgqEpZS3o=

ES9dFo0bytF8vlvRcg==

aX/aBZn29pD+cg==

lU64sYOZV7ZVpUy1ag==

9BpOCYAPv8L8TyIFAiTp2PSqLg==

uEJ2RyQ1BcBXfFr8kT5Z1KV0

oVM42Ury9pD+cg==

0Zl3VkcuKaY+

OjZeGI8dw67Z6eWtnOoBfoI=

ytwFn9j4i+N8nKYRSgcfh3xn5LU=

xMb1+YkOyxmbxJ53JsP7Pg==

HODQpzTBS1gVoi4X0hStKQ==

fQ417ycwD+ziKt1u0hStKQ==

nsApOqE62sA8uS735uCXVP+YcrQ=

4aobG3oZ3AHqTPs=

P2LEwJatZbQZUTayTW0=

/bopO7NR6clCfT3Lcw==

bBxRRkFY01R+20pZS3o=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

jaxdij.exejaxdij.exe

pid process

3596 jaxdij.exe
1256 jaxdij.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

jaxdij.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation jaxdij.exe

pid	process
3596	jaxdij.exe
1256	jaxdij.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	jaxdij.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

jaxdij.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aekkvxebyca = "C:\\Users\\Admin\\AppData\\Roaming\\fqkyib\\rubthqnwyfue.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\jaxdij.exe\" C:\\Users\\Admin\\AppData\\Local"	jaxdij.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

jaxdij.exejaxdij.exenetsh.exe

description	pid	process	target process
PID 3596 set thread context of 1256	3596	jaxdij.exe	jaxdij.exe
PID 1256 set thread context of 3052	1256	jaxdij.exe	Explorer.EXE
PID 1256 set thread context of 3052	1256	jaxdij.exe	Explorer.EXE
PID 3132 set thread context of 3052	3132	netsh.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

jaxdij.exenetsh.exe

pid	process
1256	jaxdij.exe
1256	jaxdij.exe
1256	jaxdij.exe
1256	jaxdij.exe
1256	jaxdij.exe
1256	jaxdij.exe
1256	jaxdij.exe
1256	jaxdij.exe
1256	jaxdij.exe
1256	jaxdij.exe
3132	netsh.exe
3132	netsh.exe
3132	netsh.exe
3132	netsh.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

jaxdij.exejaxdij.exenetsh.exe

pid process

3596 jaxdij.exe
1256 jaxdij.exe
1256 jaxdij.exe
1256 jaxdij.exe
1256 jaxdij.exe
3132 netsh.exe
3132 netsh.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

jaxdij.exenetsh.exe

description pid process

Token: SeDebugPrivilege 1256 jaxdij.exe
Token: SeDebugPrivilege 3132 netsh.exe

pid	process
3596	jaxdij.exe
1256	jaxdij.exe
1256	jaxdij.exe
1256	jaxdij.exe
1256	jaxdij.exe
3132	netsh.exe
3132	netsh.exe

description	pid	process
Token: SeDebugPrivilege	1256	jaxdij.exe
Token: SeDebugPrivilege	3132	netsh.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

New PO-RJ-IN-003 - Knauf Queimados.exejaxdij.exeExplorer.EXE

description	pid	process	target process
PID 3200 wrote to memory of 3596	3200	New PO-RJ-IN-003 - Knauf Queimados.exe	jaxdij.exe
PID 3200 wrote to memory of 3596	3200	New PO-RJ-IN-003 - Knauf Queimados.exe	jaxdij.exe
PID 3200 wrote to memory of 3596	3200	New PO-RJ-IN-003 - Knauf Queimados.exe	jaxdij.exe
PID 3596 wrote to memory of 1256	3596	jaxdij.exe	jaxdij.exe
PID 3596 wrote to memory of 1256	3596	jaxdij.exe	jaxdij.exe
PID 3596 wrote to memory of 1256	3596	jaxdij.exe	jaxdij.exe
PID 3596 wrote to memory of 1256	3596	jaxdij.exe	jaxdij.exe
PID 3052 wrote to memory of 3132	3052	Explorer.EXE	netsh.exe
PID 3052 wrote to memory of 3132	3052	Explorer.EXE	netsh.exe
PID 3052 wrote to memory of 3132	3052	Explorer.EXE	netsh.exe
PID 3052 wrote to memory of 2020	3052	Explorer.EXE	netsh.exe
PID 3052 wrote to memory of 2020	3052	Explorer.EXE	netsh.exe
PID 3052 wrote to memory of 2020	3052	Explorer.EXE	netsh.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3052

C:\Users\Admin\AppData\Local\Temp\New PO-RJ-IN-003 - Knauf Queimados.exe
"C:\Users\Admin\AppData\Local\Temp\New PO-RJ-IN-003 - Knauf Queimados.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3200

C:\Users\Admin\AppData\Local\Temp\jaxdij.exe
"C:\Users\Admin\AppData\Local\Temp\jaxdij.exe" C:\Users\Admin\AppData\Local\Temp\uqnwrddys.k
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3596

C:\Users\Admin\AppData\Local\Temp\jaxdij.exe
"C:\Users\Admin\AppData\Local\Temp\jaxdij.exe" C:\Users\Admin\AppData\Local\Temp\uqnwrddys.k
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1256

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
PID:2020

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3132

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\eojsm.wx
Filesize
185KB

MD5
8c5e7c152ed8f18a0b9de322e94a3ce2

SHA1
35c05fa705dc9e6c1998f53f248e0332bc4fb0e2

SHA256
b0950ec5415dcfc9bf3394770c2071fad57b1a02e28416e5e41c3b13266a720a

SHA512
0a42dac7f56cf6b765a52f230c3f1539940f0d507d8ce1c928d89d12bf675f3c41b7b9d9fa10a693ece96a281dbd8e83d481d310f5ca57812fb979df34a69ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\jaxdij.exe
Filesize
144KB

MD5
2dd6c8b13ae7d028b0047435ff0dcb8a

SHA1
d50bc8834758e1583aee729b6c148e4849967097

SHA256
01cb657e996e468706f5c733853419678b8294e7f12669c98db23c1f0d0efc7a

SHA512
b6438eafa008519cd2113fd113192f2f9f5f05ad5efbeb08542c800b7e3bd0e7d3dde83ebba8a2374e2df62fed6cc1248b41ce8cea41bee256da8a0b25fcaf2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jaxdij.exe
Filesize
144KB

MD5
2dd6c8b13ae7d028b0047435ff0dcb8a

SHA1
d50bc8834758e1583aee729b6c148e4849967097

SHA256
01cb657e996e468706f5c733853419678b8294e7f12669c98db23c1f0d0efc7a

SHA512
b6438eafa008519cd2113fd113192f2f9f5f05ad5efbeb08542c800b7e3bd0e7d3dde83ebba8a2374e2df62fed6cc1248b41ce8cea41bee256da8a0b25fcaf2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jaxdij.exe
Filesize
144KB

MD5
2dd6c8b13ae7d028b0047435ff0dcb8a

SHA1
d50bc8834758e1583aee729b6c148e4849967097

SHA256
01cb657e996e468706f5c733853419678b8294e7f12669c98db23c1f0d0efc7a

SHA512
b6438eafa008519cd2113fd113192f2f9f5f05ad5efbeb08542c800b7e3bd0e7d3dde83ebba8a2374e2df62fed6cc1248b41ce8cea41bee256da8a0b25fcaf2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\uqnwrddys.k
Filesize
7KB

MD5
a342bd922f1907e57d17e98f522b64ef

SHA1
934596a7680633634741a445c5d9e0bdcf9c3d8f

SHA256
1c1ad949b639cdd656a62b398660a1ccee4a7fc40e1912bf1a5bbab78e51b176

SHA512
6527a40317bc37d0e7274a3880a652e9bd0ee4e874def4478493d93bee7db4564cafec1574e8605945758963945aadc1d3219410cb877e0c331ceca6671a06ae

Download Submit
memory/1256-137-0x0000000000000000-mapping.dmp

Download
memory/1256-149-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1256-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1256-140-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1256-141-0x00000000018A0000-0x0000000001BEA000-memory.dmp

Filesize
3.3MB

Download
memory/1256-142-0x0000000000422000-0x0000000000424000-memory.dmp

Filesize
8KB

Download
memory/1256-143-0x00000000013A0000-0x00000000013B0000-memory.dmp

Filesize
64KB

Download
memory/1256-150-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1256-145-0x0000000000422000-0x0000000000424000-memory.dmp

Filesize
8KB

Download
memory/1256-146-0x0000000001840000-0x0000000001850000-memory.dmp

Filesize
64KB

Download
memory/3052-144-0x00000000082F0000-0x0000000008495000-memory.dmp

Filesize
1.6MB

Download
memory/3052-147-0x00000000084A0000-0x00000000085C4000-memory.dmp

Filesize
1.1MB

Download
memory/3052-155-0x00000000081C0000-0x000000000829C000-memory.dmp

Filesize
880KB

Download
memory/3052-157-0x00000000081C0000-0x000000000829C000-memory.dmp

Filesize
880KB

Download
memory/3132-148-0x0000000000000000-mapping.dmp

Download
memory/3132-151-0x00000000016B0000-0x00000000016CE000-memory.dmp

Filesize
120KB

Download
memory/3132-152-0x0000000000600000-0x000000000062D000-memory.dmp

Filesize
180KB

Download
memory/3132-153-0x0000000000E60000-0x00000000011AA000-memory.dmp

Filesize
3.3MB

Download
memory/3132-154-0x0000000000CC0000-0x0000000000D4F000-memory.dmp

Filesize
572KB

Download
memory/3132-156-0x0000000000600000-0x000000000062D000-memory.dmp

Filesize
180KB

Download
memory/3596-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads