formbook | ae9df04eea9083e5d41bbf60f60bf0f30154518db24f29ffcf50e716aed2acfe

General

Target

jets8879.exe
Size

327KB
MD5

8fa5b93b0e8551f6d134dd5bcc423775
SHA1

04df2a601d983b7c6ff069c731620a9485f23067
SHA256

ae9df04eea9083e5d41bbf60f60bf0f30154518db24f29ffcf50e716aed2acfe
SHA512

c931b674d43541b05d183643b21fcd32a3f06732d3dbaeb7600b8b5bce3d741cb2c5fd4d4e675e76ccf6bcf019612da50575ed370bf7ac249bf33d938c35f91e
SSDEEP

6144:9kw+4/tHX/dDjqZsMEbcDf6IMfwzOOTgD7xvyIBWr75n3L4YnYTgQO:q49vkZsM/DiIytZ1BSF4Yb/

Score

10^/10

formbook je14 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

je14

Decoy

innervisionbuildings.com

theenergysocialite.com

565548.com

panghr.com

onlyonesolutions.com

stjohnzone6.com

cnotes.rest

helfeb.online

xixi-s-inc.club

easilyentered.com

theshopx.store

mrclean-ac.com

miamibeachwateradventures.com

jpearce.co.uk

seseragi-bunkou.com

minimaddie.com

commbank-help-849c3.com

segohandelsonderneming.com

namthanhreal.com

fototerapi.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3144-139-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3144-144-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4116-147-0x0000000001030000-0x000000000105F000-memory.dmp	formbook
behavioral2/memory/4116-151-0x0000000001030000-0x000000000105F000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

xndovcoc.exexndovcoc.exe

pid process

5024 xndovcoc.exe
3144 xndovcoc.exe

pid	process
5024	xndovcoc.exe
3144	xndovcoc.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

xndovcoc.exexndovcoc.exemsiexec.exe

description	pid	process	target process
PID 5024 set thread context of 3144	5024	xndovcoc.exe	xndovcoc.exe
PID 3144 set thread context of 3000	3144	xndovcoc.exe	Explorer.EXE
PID 4116 set thread context of 3000	4116	msiexec.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

xndovcoc.exemsiexec.exe

pid	process
3144	xndovcoc.exe
3144	xndovcoc.exe
3144	xndovcoc.exe
3144	xndovcoc.exe
4116	msiexec.exe
4116	msiexec.exe
4116	msiexec.exe
4116	msiexec.exe
4116	msiexec.exe
4116	msiexec.exe
4116	msiexec.exe
4116	msiexec.exe
4116	msiexec.exe
4116	msiexec.exe
4116	msiexec.exe
4116	msiexec.exe
4116	msiexec.exe
4116	msiexec.exe
4116	msiexec.exe
4116	msiexec.exe
4116	msiexec.exe
4116	msiexec.exe
4116	msiexec.exe
4116	msiexec.exe
4116	msiexec.exe
4116	msiexec.exe
4116	msiexec.exe
4116	msiexec.exe
4116	msiexec.exe
4116	msiexec.exe
4116	msiexec.exe
4116	msiexec.exe
4116	msiexec.exe
4116	msiexec.exe
4116	msiexec.exe
4116	msiexec.exe
4116	msiexec.exe
4116	msiexec.exe
4116	msiexec.exe
4116	msiexec.exe
4116	msiexec.exe
4116	msiexec.exe
4116	msiexec.exe
4116	msiexec.exe
4116	msiexec.exe
4116	msiexec.exe
4116	msiexec.exe
4116	msiexec.exe
4116	msiexec.exe
4116	msiexec.exe
4116	msiexec.exe
4116	msiexec.exe
4116	msiexec.exe
4116	msiexec.exe
4116	msiexec.exe
4116	msiexec.exe
4116	msiexec.exe
4116	msiexec.exe
4116	msiexec.exe
4116	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3000 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

xndovcoc.exexndovcoc.exemsiexec.exe

pid process

5024 xndovcoc.exe
3144 xndovcoc.exe
3144 xndovcoc.exe
3144 xndovcoc.exe
4116 msiexec.exe
4116 msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

xndovcoc.exemsiexec.exe

description pid process

Token: SeDebugPrivilege 3144 xndovcoc.exe
Token: SeDebugPrivilege 4116 msiexec.exe

pid	process
3000	Explorer.EXE

pid	process
5024	xndovcoc.exe
3144	xndovcoc.exe
3144	xndovcoc.exe
3144	xndovcoc.exe
4116	msiexec.exe
4116	msiexec.exe

description	pid	process
Token: SeDebugPrivilege	3144	xndovcoc.exe
Token: SeDebugPrivilege	4116	msiexec.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

jets8879.exexndovcoc.exeExplorer.EXEmsiexec.exe

description	pid	process	target process
PID 4452 wrote to memory of 5024	4452	jets8879.exe	xndovcoc.exe
PID 4452 wrote to memory of 5024	4452	jets8879.exe	xndovcoc.exe
PID 4452 wrote to memory of 5024	4452	jets8879.exe	xndovcoc.exe
PID 5024 wrote to memory of 3144	5024	xndovcoc.exe	xndovcoc.exe
PID 5024 wrote to memory of 3144	5024	xndovcoc.exe	xndovcoc.exe
PID 5024 wrote to memory of 3144	5024	xndovcoc.exe	xndovcoc.exe
PID 5024 wrote to memory of 3144	5024	xndovcoc.exe	xndovcoc.exe
PID 3000 wrote to memory of 4116	3000	Explorer.EXE	msiexec.exe
PID 3000 wrote to memory of 4116	3000	Explorer.EXE	msiexec.exe
PID 3000 wrote to memory of 4116	3000	Explorer.EXE	msiexec.exe
PID 4116 wrote to memory of 2368	4116	msiexec.exe	cmd.exe
PID 4116 wrote to memory of 2368	4116	msiexec.exe	cmd.exe
PID 4116 wrote to memory of 2368	4116	msiexec.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Users\Admin\AppData\Local\Temp\jets8879.exe
  "C:\Users\Admin\AppData\Local\Temp\jets8879.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4452
- - C:\Users\Admin\AppData\Local\Temp\xndovcoc.exe
    "C:\Users\Admin\AppData\Local\Temp\xndovcoc.exe" C:\Users\Admin\AppData\Local\Temp\gkeiqcnaami.sdw
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:5024
  - - C:\Users\Admin\AppData\Local\Temp\xndovcoc.exe
      "C:\Users\Admin\AppData\Local\Temp\xndovcoc.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:3144
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4116
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\xndovcoc.exe"
    3⤵
    PID:2368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gkeiqcnaami.sdw

Filesize
5KB

MD5
83389c5af191d574aa7d6a89bb45ac2c

SHA1
f28c63cc4231c3a805523634efe80404ec099377

SHA256
aaa06259fddb6dde4a666a75b387761814a1a5043cc12bbf15331068abc60be2

SHA512
c7a41f5cde2aacf8ea295b538521f7fa944c85014bcc674d31bee268be80a2300fe2cf8cdb8e4cad92ba148ba677e394a0b18edc773683df57e3a7f5855c8886

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwgohqxr.b

Filesize
185KB

MD5
b785a9615ee2d65546fb809413c4874e

SHA1
c7d50e11e44446567b31b72c5d3706b8ac169aeb

SHA256
a811cfbdaeda03379031987f7d754b9ee70e38b1d609767ac80ef40023e06873

SHA512
5492284e2d7755a8498abcbdbf5de9a5dfd2fdb0fe674ace1b18e744822e4b100d885074132be265ecefa5a3e2dcf13eba224b7d54a9cec76a81803284b9ab1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\xndovcoc.exe

Filesize
287KB

MD5
60f2075f7d9e7e3ac0c7bc7b532ec8e8

SHA1
310f6b153efb3cd12375834d62ebc30e4cf8dd3e

SHA256
00d6ad142363cedb55e84690cdf856b4e4580f36e8bc54c9974f17acc6d40be4

SHA512
88fd45a32fb8efadac8a10863d90ac510979a46d5589ea789af3f9f49d2c2f1df5cbd2d94630d1526edd8519abae0a190cb3fe719f3456d86f2f48bef37837d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\xndovcoc.exe

Filesize
287KB

MD5
60f2075f7d9e7e3ac0c7bc7b532ec8e8

SHA1
310f6b153efb3cd12375834d62ebc30e4cf8dd3e

SHA256
00d6ad142363cedb55e84690cdf856b4e4580f36e8bc54c9974f17acc6d40be4

SHA512
88fd45a32fb8efadac8a10863d90ac510979a46d5589ea789af3f9f49d2c2f1df5cbd2d94630d1526edd8519abae0a190cb3fe719f3456d86f2f48bef37837d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\xndovcoc.exe

Filesize
287KB

MD5
60f2075f7d9e7e3ac0c7bc7b532ec8e8

SHA1
310f6b153efb3cd12375834d62ebc30e4cf8dd3e

SHA256
00d6ad142363cedb55e84690cdf856b4e4580f36e8bc54c9974f17acc6d40be4

SHA512
88fd45a32fb8efadac8a10863d90ac510979a46d5589ea789af3f9f49d2c2f1df5cbd2d94630d1526edd8519abae0a190cb3fe719f3456d86f2f48bef37837d4

Download Submit
memory/2368-145-0x0000000000000000-mapping.dmp

Download
memory/3000-142-0x0000000007B00000-0x0000000007C40000-memory.dmp

Filesize
1.2MB

Download
memory/3000-152-0x0000000008060000-0x00000000081B3000-memory.dmp

Filesize
1.3MB

Download
memory/3000-150-0x0000000008060000-0x00000000081B3000-memory.dmp

Filesize
1.3MB

Download
memory/3144-137-0x0000000000000000-mapping.dmp

Download
memory/3144-141-0x0000000001C30000-0x0000000001C44000-memory.dmp

Filesize
80KB

Download
memory/3144-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3144-140-0x0000000001740000-0x0000000001A8A000-memory.dmp

Filesize
3.3MB

Download
memory/3144-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4116-143-0x0000000000000000-mapping.dmp

Download
memory/4116-147-0x0000000001030000-0x000000000105F000-memory.dmp

Filesize
188KB

Download
memory/4116-146-0x0000000000D10000-0x0000000000D22000-memory.dmp

Filesize
72KB

Download
memory/4116-148-0x0000000002F50000-0x000000000329A000-memory.dmp

Filesize
3.3MB

Download
memory/4116-149-0x0000000002D90000-0x0000000002E23000-memory.dmp

Filesize
588KB

Download
memory/4116-151-0x0000000001030000-0x000000000105F000-memory.dmp

Filesize
188KB

Download
memory/5024-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads