formbook | f096f1b61ce802816976386c76224c9174aacdbb5516b37128c90849deb3addc

General

Target

f096f1b61ce802816976386c76224c9174aacdbb5516b37128c90849deb3addc.exe
Size

221KB
MD5

a818ccc5ba40d21ffd7976450afdffd8
SHA1

169c5175d227ecb5f5ca1b7f94a950252510d280
SHA256

f096f1b61ce802816976386c76224c9174aacdbb5516b37128c90849deb3addc
SHA512

9b1c7fd187ed76692611280ca18903c924e9eac0e0b1fc50122242872ba68e4b82e88f304de4751ed6d880dc72937c191a0242a89b7c6d39cb292b98ca3cf221
SSDEEP

3072:WfJSq+ytGIon9KcSM49DB5TqFRhzmuhcrhVqefleb+8OOvQDni8OFlGmytV+4VEO:MEa0N4j5mw8crf9IoDhzn+b5e5ETOhv

Score

10^/10

formbook je14 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

je14

Decoy

innervisionbuildings.com

theenergysocialite.com

565548.com

panghr.com

onlyonesolutions.com

stjohnzone6.com

cnotes.rest

helfeb.online

xixi-s-inc.club

easilyentered.com

theshopx.store

mrclean-ac.com

miamibeachwateradventures.com

jpearce.co.uk

seseragi-bunkou.com

minimaddie.com

commbank-help-849c3.com

segohandelsonderneming.com

namthanhreal.com

fototerapi.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1524-64-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1524-71-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/864-73-0x00000000000B0000-0x00000000000DF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

ltylx.exeltylx.exe

pid process

692 ltylx.exe
1524 ltylx.exe
Loads dropped DLL 2 IoCs

Processes:

f096f1b61ce802816976386c76224c9174aacdbb5516b37128c90849deb3addc.exeltylx.exe

pid process

1884 f096f1b61ce802816976386c76224c9174aacdbb5516b37128c90849deb3addc.exe
692 ltylx.exe

pid	process
692	ltylx.exe
1524	ltylx.exe

pid	process
1884	f096f1b61ce802816976386c76224c9174aacdbb5516b37128c90849deb3addc.exe
692	ltylx.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

ltylx.exeltylx.execscript.exe

description	pid	process	target process
PID 692 set thread context of 1524	692	ltylx.exe	ltylx.exe
PID 1524 set thread context of 1284	1524	ltylx.exe	Explorer.EXE
PID 1524 set thread context of 1284	1524	ltylx.exe	Explorer.EXE
PID 864 set thread context of 1284	864	cscript.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

ltylx.execscript.exe

pid	process
1524	ltylx.exe
1524	ltylx.exe
1524	ltylx.exe
864	cscript.exe
864	cscript.exe
864	cscript.exe
864	cscript.exe
864	cscript.exe
864	cscript.exe
864	cscript.exe
864	cscript.exe
864	cscript.exe
864	cscript.exe
864	cscript.exe
864	cscript.exe
864	cscript.exe
864	cscript.exe
864	cscript.exe
864	cscript.exe
864	cscript.exe
864	cscript.exe
864	cscript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1284 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

ltylx.exeltylx.execscript.exe

pid process

692 ltylx.exe
1524 ltylx.exe
1524 ltylx.exe
1524 ltylx.exe
1524 ltylx.exe
864 cscript.exe
864 cscript.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ltylx.execscript.exe

description pid process

Token: SeDebugPrivilege 1524 ltylx.exe
Token: SeDebugPrivilege 864 cscript.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1284 Explorer.EXE
1284 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1284 Explorer.EXE
1284 Explorer.EXE

pid	process
1284	Explorer.EXE

pid	process
692	ltylx.exe
1524	ltylx.exe
1524	ltylx.exe
1524	ltylx.exe
1524	ltylx.exe
864	cscript.exe
864	cscript.exe

description	pid	process
Token: SeDebugPrivilege	1524	ltylx.exe
Token: SeDebugPrivilege	864	cscript.exe

pid	process
1284	Explorer.EXE
1284	Explorer.EXE

pid	process
1284	Explorer.EXE
1284	Explorer.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

f096f1b61ce802816976386c76224c9174aacdbb5516b37128c90849deb3addc.exeltylx.exeExplorer.EXEcscript.exe

description	pid	process	target process
PID 1884 wrote to memory of 692	1884	f096f1b61ce802816976386c76224c9174aacdbb5516b37128c90849deb3addc.exe	ltylx.exe
PID 1884 wrote to memory of 692	1884	f096f1b61ce802816976386c76224c9174aacdbb5516b37128c90849deb3addc.exe	ltylx.exe
PID 1884 wrote to memory of 692	1884	f096f1b61ce802816976386c76224c9174aacdbb5516b37128c90849deb3addc.exe	ltylx.exe
PID 1884 wrote to memory of 692	1884	f096f1b61ce802816976386c76224c9174aacdbb5516b37128c90849deb3addc.exe	ltylx.exe
PID 692 wrote to memory of 1524	692	ltylx.exe	ltylx.exe
PID 692 wrote to memory of 1524	692	ltylx.exe	ltylx.exe
PID 692 wrote to memory of 1524	692	ltylx.exe	ltylx.exe
PID 692 wrote to memory of 1524	692	ltylx.exe	ltylx.exe
PID 692 wrote to memory of 1524	692	ltylx.exe	ltylx.exe
PID 1284 wrote to memory of 864	1284	Explorer.EXE	cscript.exe
PID 1284 wrote to memory of 864	1284	Explorer.EXE	cscript.exe
PID 1284 wrote to memory of 864	1284	Explorer.EXE	cscript.exe
PID 1284 wrote to memory of 864	1284	Explorer.EXE	cscript.exe
PID 864 wrote to memory of 1072	864	cscript.exe	cmd.exe
PID 864 wrote to memory of 1072	864	cscript.exe	cmd.exe
PID 864 wrote to memory of 1072	864	cscript.exe	cmd.exe
PID 864 wrote to memory of 1072	864	cscript.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1284

C:\Users\Admin\AppData\Local\Temp\f096f1b61ce802816976386c76224c9174aacdbb5516b37128c90849deb3addc.exe
"C:\Users\Admin\AppData\Local\Temp\f096f1b61ce802816976386c76224c9174aacdbb5516b37128c90849deb3addc.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1884

C:\Users\Admin\AppData\Local\Temp\ltylx.exe
"C:\Users\Admin\AppData\Local\Temp\ltylx.exe" C:\Users\Admin\AppData\Local\Temp\ibagsul.bfa
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:692

C:\Users\Admin\AppData\Local\Temp\ltylx.exe
"C:\Users\Admin\AppData\Local\Temp\ltylx.exe" C:\Users\Admin\AppData\Local\Temp\ibagsul.bfa
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\ltylx.exe"
3⤵
PID:1072

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bnibs.ud
Filesize
185KB

MD5
451cc2d8a58d6f16a12b1540e5508e90

SHA1
94f862e0146f07956109f13b2fdada5f42134107

SHA256
c2f9553e56b24aa643be907333fef74e754c85abfd1ce9575d9eea82675e6004

SHA512
1a19cc6223b59e3dbaf47b1ca205febf45cfb437806c0688992e690409f86678eb0715d797eca0ee6a82280787171eb70f964b685fcb58b7ab3813b58d5269b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ibagsul.bfa
Filesize
5KB

MD5
b9506fcf0615bfdcdcc9a59fa6fc738d

SHA1
07f7c933403dae801b95aceb5644b340bf54f28a

SHA256
dd6a5fd5e3e7cc978caf25ea67a14e3509ceb80ebef78671c3433227ed2bf834

SHA512
139026f6e1ae0c64093a303035f82bca28890421496a8820730dfc47a4f3d3492188be2200c726bfa53a0f94ea98070774e022f4c6080abf78511a6f3fd2b176

Download Submit
C:\Users\Admin\AppData\Local\Temp\ltylx.exe
Filesize
7KB

MD5
b18c813bcde330f38bb21fd66ca2cccc

SHA1
ed2f3d0bab90a9bf52652cdfccf11a676b7b8f69

SHA256
4de10b78e4908438e444e50d0cebaba065b79ebe606951cae0c83120f2b2e2fc

SHA512
179965d27db4bd406ce7fc81cee6f2574be34650dc43450c8f3e5beb5262594793de2da6e994166db7619f1dcfc1c7b23ca5b21838837e4579ab1eac4b32abab

Download Submit
C:\Users\Admin\AppData\Local\Temp\ltylx.exe
Filesize
7KB

MD5
b18c813bcde330f38bb21fd66ca2cccc

SHA1
ed2f3d0bab90a9bf52652cdfccf11a676b7b8f69

SHA256
4de10b78e4908438e444e50d0cebaba065b79ebe606951cae0c83120f2b2e2fc

SHA512
179965d27db4bd406ce7fc81cee6f2574be34650dc43450c8f3e5beb5262594793de2da6e994166db7619f1dcfc1c7b23ca5b21838837e4579ab1eac4b32abab

Download Submit
C:\Users\Admin\AppData\Local\Temp\ltylx.exe
Filesize
7KB

MD5
b18c813bcde330f38bb21fd66ca2cccc

SHA1
ed2f3d0bab90a9bf52652cdfccf11a676b7b8f69

SHA256
4de10b78e4908438e444e50d0cebaba065b79ebe606951cae0c83120f2b2e2fc

SHA512
179965d27db4bd406ce7fc81cee6f2574be34650dc43450c8f3e5beb5262594793de2da6e994166db7619f1dcfc1c7b23ca5b21838837e4579ab1eac4b32abab

Download Submit
\Users\Admin\AppData\Local\Temp\ltylx.exe
Filesize
7KB

MD5
b18c813bcde330f38bb21fd66ca2cccc

SHA1
ed2f3d0bab90a9bf52652cdfccf11a676b7b8f69

SHA256
4de10b78e4908438e444e50d0cebaba065b79ebe606951cae0c83120f2b2e2fc

SHA512
179965d27db4bd406ce7fc81cee6f2574be34650dc43450c8f3e5beb5262594793de2da6e994166db7619f1dcfc1c7b23ca5b21838837e4579ab1eac4b32abab

Download Submit
\Users\Admin\AppData\Local\Temp\ltylx.exe
Filesize
7KB

MD5
b18c813bcde330f38bb21fd66ca2cccc

SHA1
ed2f3d0bab90a9bf52652cdfccf11a676b7b8f69

SHA256
4de10b78e4908438e444e50d0cebaba065b79ebe606951cae0c83120f2b2e2fc

SHA512
179965d27db4bd406ce7fc81cee6f2574be34650dc43450c8f3e5beb5262594793de2da6e994166db7619f1dcfc1c7b23ca5b21838837e4579ab1eac4b32abab

Download Submit
memory/692-56-0x0000000000000000-mapping.dmp

Download
memory/864-73-0x00000000000B0000-0x00000000000DF000-memory.dmp

Filesize
188KB

Download
memory/864-70-0x0000000000000000-mapping.dmp

Download
memory/864-76-0x0000000000990000-0x0000000000A23000-memory.dmp

Filesize
588KB

Download
memory/864-74-0x0000000001EF0000-0x00000000021F3000-memory.dmp

Filesize
3.0MB

Download
memory/864-72-0x0000000000600000-0x0000000000622000-memory.dmp

Filesize
136KB

Download
memory/1072-75-0x0000000000000000-mapping.dmp

Download
memory/1284-67-0x00000000066B0000-0x0000000006817000-memory.dmp

Filesize
1.4MB

Download
memory/1284-69-0x0000000005030000-0x000000000511C000-memory.dmp

Filesize
944KB

Download
memory/1284-77-0x0000000006C50000-0x0000000006D9C000-memory.dmp

Filesize
1.3MB

Download
memory/1284-78-0x0000000006C50000-0x0000000006D9C000-memory.dmp

Filesize
1.3MB

Download
memory/1524-68-0x00000000001D0000-0x00000000001E4000-memory.dmp

Filesize
80KB

Download
memory/1524-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1524-62-0x000000000041F120-mapping.dmp

Download
memory/1524-66-0x0000000000190000-0x00000000001A4000-memory.dmp

Filesize
80KB

Download
memory/1524-65-0x0000000000B60000-0x0000000000E63000-memory.dmp

Filesize
3.0MB

Download
memory/1524-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1884-54-0x00000000763D1000-0x00000000763D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads