formbook | 66f34068c533bc957b3ef71f9aefb0f17d7f42a2bf84ec2eda416ca8c9f5d53a

General

Target

jets66700.exe
Size

258KB
MD5

c10e0b9756b38239fed5025e119db829
SHA1

b7a2ddbfd18fe7f0ea7683e73d84a595e966ebb9
SHA256

3603af319837f00dacace08ff3add606ccfd6faf64a53606575aae6f1a4ba782
SHA512

8d4d4edf987383774e8ccf54f5d06a8d08f1a52ee40592aacd5d512bc7c445f1d61b0333582b1c3f25cee14ee97aa4625941a9bd7425741c95736168f082f06c
SSDEEP

6144:QBn1/KUwq3q6YqZZ9f/EBqpObOiFzkiUF9FaP5qgJDa:gNslSEbOizk/9Foqg0

Score

10^/10

formbook je14 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

je14

Decoy

innervisionbuildings.com

theenergysocialite.com

565548.com

panghr.com

onlyonesolutions.com

stjohnzone6.com

cnotes.rest

helfeb.online

xixi-s-inc.club

easilyentered.com

theshopx.store

mrclean-ac.com

miamibeachwateradventures.com

jpearce.co.uk

seseragi-bunkou.com

minimaddie.com

commbank-help-849c3.com

segohandelsonderneming.com

namthanhreal.com

fototerapi.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3936-139-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4872-145-0x00000000004C0000-0x00000000004EF000-memory.dmp	formbook
behavioral2/memory/4872-148-0x00000000004C0000-0x00000000004EF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

frevguizqj.exefrevguizqj.exe

pid process

640 frevguizqj.exe
3936 frevguizqj.exe

pid	process
640	frevguizqj.exe
3936	frevguizqj.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

frevguizqj.exefrevguizqj.execmmon32.exe

description	pid	process	target process
PID 640 set thread context of 3936	640	frevguizqj.exe	frevguizqj.exe
PID 3936 set thread context of 900	3936	frevguizqj.exe	Explorer.EXE
PID 4872 set thread context of 900	4872	cmmon32.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 56 IoCs

Processes:

frevguizqj.execmmon32.exe

pid	process
3936	frevguizqj.exe
3936	frevguizqj.exe
3936	frevguizqj.exe
3936	frevguizqj.exe
4872	cmmon32.exe
4872	cmmon32.exe
4872	cmmon32.exe
4872	cmmon32.exe
4872	cmmon32.exe
4872	cmmon32.exe
4872	cmmon32.exe
4872	cmmon32.exe
4872	cmmon32.exe
4872	cmmon32.exe
4872	cmmon32.exe
4872	cmmon32.exe
4872	cmmon32.exe
4872	cmmon32.exe
4872	cmmon32.exe
4872	cmmon32.exe
4872	cmmon32.exe
4872	cmmon32.exe
4872	cmmon32.exe
4872	cmmon32.exe
4872	cmmon32.exe
4872	cmmon32.exe
4872	cmmon32.exe
4872	cmmon32.exe
4872	cmmon32.exe
4872	cmmon32.exe
4872	cmmon32.exe
4872	cmmon32.exe
4872	cmmon32.exe
4872	cmmon32.exe
4872	cmmon32.exe
4872	cmmon32.exe
4872	cmmon32.exe
4872	cmmon32.exe
4872	cmmon32.exe
4872	cmmon32.exe
4872	cmmon32.exe
4872	cmmon32.exe
4872	cmmon32.exe
4872	cmmon32.exe
4872	cmmon32.exe
4872	cmmon32.exe
4872	cmmon32.exe
4872	cmmon32.exe
4872	cmmon32.exe
4872	cmmon32.exe
4872	cmmon32.exe
4872	cmmon32.exe
4872	cmmon32.exe
4872	cmmon32.exe
4872	cmmon32.exe
4872	cmmon32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

900 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

frevguizqj.exefrevguizqj.execmmon32.exe

pid process

640 frevguizqj.exe
3936 frevguizqj.exe
3936 frevguizqj.exe
3936 frevguizqj.exe
4872 cmmon32.exe
4872 cmmon32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

frevguizqj.execmmon32.exe

description pid process

Token: SeDebugPrivilege 3936 frevguizqj.exe
Token: SeDebugPrivilege 4872 cmmon32.exe

pid	process
900	Explorer.EXE

pid	process
640	frevguizqj.exe
3936	frevguizqj.exe
3936	frevguizqj.exe
3936	frevguizqj.exe
4872	cmmon32.exe
4872	cmmon32.exe

description	pid	process
Token: SeDebugPrivilege	3936	frevguizqj.exe
Token: SeDebugPrivilege	4872	cmmon32.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

jets66700.exefrevguizqj.exeExplorer.EXEcmmon32.exe

description	pid	process	target process
PID 2292 wrote to memory of 640	2292	jets66700.exe	frevguizqj.exe
PID 2292 wrote to memory of 640	2292	jets66700.exe	frevguizqj.exe
PID 2292 wrote to memory of 640	2292	jets66700.exe	frevguizqj.exe
PID 640 wrote to memory of 3936	640	frevguizqj.exe	frevguizqj.exe
PID 640 wrote to memory of 3936	640	frevguizqj.exe	frevguizqj.exe
PID 640 wrote to memory of 3936	640	frevguizqj.exe	frevguizqj.exe
PID 640 wrote to memory of 3936	640	frevguizqj.exe	frevguizqj.exe
PID 900 wrote to memory of 4872	900	Explorer.EXE	cmmon32.exe
PID 900 wrote to memory of 4872	900	Explorer.EXE	cmmon32.exe
PID 900 wrote to memory of 4872	900	Explorer.EXE	cmmon32.exe
PID 4872 wrote to memory of 2416	4872	cmmon32.exe	cmd.exe
PID 4872 wrote to memory of 2416	4872	cmmon32.exe	cmd.exe
PID 4872 wrote to memory of 2416	4872	cmmon32.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\jets66700.exe
"C:\Users\Admin\AppData\Local\Temp\jets66700.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Users\Admin\AppData\Local\Temp\frevguizqj.exe
  "C:\Users\Admin\AppData\Local\Temp\frevguizqj.exe" C:\Users\Admin\AppData\Local\Temp\uoiuh.jrl
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:640
- - C:\Users\Admin\AppData\Local\Temp\frevguizqj.exe
    "C:\Users\Admin\AppData\Local\Temp\frevguizqj.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:3936

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:900
- C:\Windows\SysWOW64\cmmon32.exe
  "C:\Windows\SysWOW64\cmmon32.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\frevguizqj.exe"
    3⤵
    PID:2416

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fjizfs.lz

Filesize
185KB

MD5
8bac75bd61c98adbaf416f929b6e8129

SHA1
8471f91aece334c2531d8dc639b75a7c9d781b9b

SHA256
b04d78f9a4c1042cbadf10f60f99e98bce9bb25e41f6d553c8645239cd5ed47e

SHA512
737a2300eec1cb18c7305d55f9091984f301994b83d601ffa2362e398b8034e25ef1a5999d91eb87a056492c023fe3df664a5ab19642ddac1f8ff88a5a3e0699

Download Submit
C:\Users\Admin\AppData\Local\Temp\frevguizqj.exe

Filesize
99KB

MD5
f2ba5a77e740a805f7e7db9bd3fb426c

SHA1
92e47136fac6be5768b9a05f2ec79221fca22189

SHA256
8252fde630f2ded5bef111228be14aaf7b44888c31e7a10f6c0a9a2d63497f94

SHA512
fd770708c3d5bb33939f6ffed5ce45739d304e6052a199881262a76d1f5def059d1d471b18e877b54ef482737e5b62b3ea7eaa56dc23032b4a5ae2c26e113bf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\frevguizqj.exe

Filesize
99KB

MD5
f2ba5a77e740a805f7e7db9bd3fb426c

SHA1
92e47136fac6be5768b9a05f2ec79221fca22189

SHA256
8252fde630f2ded5bef111228be14aaf7b44888c31e7a10f6c0a9a2d63497f94

SHA512
fd770708c3d5bb33939f6ffed5ce45739d304e6052a199881262a76d1f5def059d1d471b18e877b54ef482737e5b62b3ea7eaa56dc23032b4a5ae2c26e113bf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\frevguizqj.exe

Filesize
99KB

MD5
f2ba5a77e740a805f7e7db9bd3fb426c

SHA1
92e47136fac6be5768b9a05f2ec79221fca22189

SHA256
8252fde630f2ded5bef111228be14aaf7b44888c31e7a10f6c0a9a2d63497f94

SHA512
fd770708c3d5bb33939f6ffed5ce45739d304e6052a199881262a76d1f5def059d1d471b18e877b54ef482737e5b62b3ea7eaa56dc23032b4a5ae2c26e113bf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\uoiuh.jrl

Filesize
5KB

MD5
dd9c47dac95b2128bf0e1a02807b5814

SHA1
8766224d9845c3c5ce9405bb52ed734f357b6221

SHA256
ab078e8ed91a82953cb999f29e382ce8a29a0d03c6a0aa0da1bf54e60a4ab5f6

SHA512
ba1450493085d55a9f033060faf52c78e7020caed5fdf69ca684c7230788abd20e92488cb88bc0e3a35b5cdc9400734843afcc89ec737e02e90a3e3aa8e019f2

Download Submit
memory/640-132-0x0000000000000000-mapping.dmp

Download
memory/900-142-0x0000000003260000-0x000000000339E000-memory.dmp

Filesize
1.2MB

Download
memory/900-151-0x0000000008570000-0x000000000868C000-memory.dmp

Filesize
1.1MB

Download
memory/900-150-0x0000000008570000-0x000000000868C000-memory.dmp

Filesize
1.1MB

Download
memory/2416-146-0x0000000000000000-mapping.dmp

Download
memory/3936-137-0x0000000000000000-mapping.dmp

Download
memory/3936-141-0x0000000001900000-0x0000000001914000-memory.dmp

Filesize
80KB

Download
memory/3936-140-0x0000000001940000-0x0000000001C8A000-memory.dmp

Filesize
3.3MB

Download
memory/3936-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4872-143-0x0000000000000000-mapping.dmp

Download
memory/4872-145-0x00000000004C0000-0x00000000004EF000-memory.dmp

Filesize
188KB

Download
memory/4872-144-0x0000000000BC0000-0x0000000000BCC000-memory.dmp

Filesize
48KB

Download
memory/4872-147-0x00000000024D0000-0x000000000281A000-memory.dmp

Filesize
3.3MB

Download
memory/4872-148-0x00000000004C0000-0x00000000004EF000-memory.dmp

Filesize
188KB

Download
memory/4872-149-0x0000000002270000-0x0000000002303000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads