formbook | 7d0de180145ec000723ff46be7d2ce70671264588e5b82eb021d8db673829f2e

General

Target

jetss46635.exe
Size

261KB
MD5

62cc148705cfa7c981bdb823de72bb93
SHA1

1b47fd2f7535f55d44abaea0ce85d685841c6ef4
SHA256

f79c3a8f98d47aab53d03bce09d51bc17c25b9cb051a69f040b0ada6fc6abb88
SHA512

0c86c17dcbd338db984b3765e489510e90b71cae33746da75c2310c4722f35e878d01e94834d444e3a28e3012a2631dacfed55e69561edba44212711622475c3
SSDEEP

6144:MEa0NXK2m0R1Ic0wsf08mIm2+vARvuR5UKMUgfkmoLv24T:XXXRL0Pf0TIm2+IliGcLvV

Score

10^/10

formbook je14 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

je14

Decoy

innervisionbuildings.com

theenergysocialite.com

565548.com

panghr.com

onlyonesolutions.com

stjohnzone6.com

cnotes.rest

helfeb.online

xixi-s-inc.club

easilyentered.com

theshopx.store

mrclean-ac.com

miamibeachwateradventures.com

jpearce.co.uk

seseragi-bunkou.com

minimaddie.com

commbank-help-849c3.com

segohandelsonderneming.com

namthanhreal.com

fototerapi.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1784-64-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1784-69-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1616-73-0x00000000000E0000-0x000000000010F000-memory.dmp	formbook
behavioral1/memory/1616-77-0x00000000000E0000-0x000000000010F000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

pnowxpr.exepnowxpr.exe

pid process

1952 pnowxpr.exe
1784 pnowxpr.exe
Loads dropped DLL 2 IoCs

Processes:

jetss46635.exepnowxpr.exe

pid process

1800 jetss46635.exe
1952 pnowxpr.exe

pid	process
1952	pnowxpr.exe
1784	pnowxpr.exe

pid	process
1800	jetss46635.exe
1952	pnowxpr.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

pnowxpr.exepnowxpr.execmstp.exe

description	pid	process	target process
PID 1952 set thread context of 1784	1952	pnowxpr.exe	pnowxpr.exe
PID 1784 set thread context of 1256	1784	pnowxpr.exe	Explorer.EXE
PID 1616 set thread context of 1256	1616	cmstp.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

pnowxpr.execmstp.exe

pid	process
1784	pnowxpr.exe
1784	pnowxpr.exe
1616	cmstp.exe
1616	cmstp.exe
1616	cmstp.exe
1616	cmstp.exe
1616	cmstp.exe
1616	cmstp.exe
1616	cmstp.exe
1616	cmstp.exe
1616	cmstp.exe
1616	cmstp.exe
1616	cmstp.exe
1616	cmstp.exe
1616	cmstp.exe
1616	cmstp.exe
1616	cmstp.exe
1616	cmstp.exe
1616	cmstp.exe
1616	cmstp.exe
1616	cmstp.exe
1616	cmstp.exe
1616	cmstp.exe
1616	cmstp.exe
1616	cmstp.exe
1616	cmstp.exe
1616	cmstp.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

pnowxpr.exepnowxpr.execmstp.exe

pid process

1952 pnowxpr.exe
1784 pnowxpr.exe
1784 pnowxpr.exe
1784 pnowxpr.exe
1616 cmstp.exe
1616 cmstp.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pnowxpr.execmstp.exe

description pid process

Token: SeDebugPrivilege 1784 pnowxpr.exe
Token: SeDebugPrivilege 1616 cmstp.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1256 Explorer.EXE
1256 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1256 Explorer.EXE
1256 Explorer.EXE

pid	process
1952	pnowxpr.exe
1784	pnowxpr.exe
1784	pnowxpr.exe
1784	pnowxpr.exe
1616	cmstp.exe
1616	cmstp.exe

description	pid	process
Token: SeDebugPrivilege	1784	pnowxpr.exe
Token: SeDebugPrivilege	1616	cmstp.exe

pid	process
1256	Explorer.EXE
1256	Explorer.EXE

pid	process
1256	Explorer.EXE
1256	Explorer.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

jetss46635.exepnowxpr.exeExplorer.EXEcmstp.exe

description	pid	process	target process
PID 1800 wrote to memory of 1952	1800	jetss46635.exe	pnowxpr.exe
PID 1800 wrote to memory of 1952	1800	jetss46635.exe	pnowxpr.exe
PID 1800 wrote to memory of 1952	1800	jetss46635.exe	pnowxpr.exe
PID 1800 wrote to memory of 1952	1800	jetss46635.exe	pnowxpr.exe
PID 1952 wrote to memory of 1784	1952	pnowxpr.exe	pnowxpr.exe
PID 1952 wrote to memory of 1784	1952	pnowxpr.exe	pnowxpr.exe
PID 1952 wrote to memory of 1784	1952	pnowxpr.exe	pnowxpr.exe
PID 1952 wrote to memory of 1784	1952	pnowxpr.exe	pnowxpr.exe
PID 1952 wrote to memory of 1784	1952	pnowxpr.exe	pnowxpr.exe
PID 1256 wrote to memory of 1616	1256	Explorer.EXE	cmstp.exe
PID 1256 wrote to memory of 1616	1256	Explorer.EXE	cmstp.exe
PID 1256 wrote to memory of 1616	1256	Explorer.EXE	cmstp.exe
PID 1256 wrote to memory of 1616	1256	Explorer.EXE	cmstp.exe
PID 1256 wrote to memory of 1616	1256	Explorer.EXE	cmstp.exe
PID 1256 wrote to memory of 1616	1256	Explorer.EXE	cmstp.exe
PID 1256 wrote to memory of 1616	1256	Explorer.EXE	cmstp.exe
PID 1616 wrote to memory of 1544	1616	cmstp.exe	cmd.exe
PID 1616 wrote to memory of 1544	1616	cmstp.exe	cmd.exe
PID 1616 wrote to memory of 1544	1616	cmstp.exe	cmd.exe
PID 1616 wrote to memory of 1544	1616	cmstp.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1256

C:\Users\Admin\AppData\Local\Temp\jetss46635.exe
"C:\Users\Admin\AppData\Local\Temp\jetss46635.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1800

C:\Users\Admin\AppData\Local\Temp\pnowxpr.exe
"C:\Users\Admin\AppData\Local\Temp\pnowxpr.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1952

C:\Users\Admin\AppData\Local\Temp\pnowxpr.exe
"C:\Users\Admin\AppData\Local\Temp\pnowxpr.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\pnowxpr.exe"
3⤵
PID:1544

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aewdt.d
Filesize
5KB

MD5
dd27f576cb0ceb724998aa7f63897fbc

SHA1
be3e2c774e6b75520fb413cefa01e4bde2dde92d

SHA256
8a42cacf9193740b218a9855c72cf3a3c12daee3410958ef934d09ee3b49df7a

SHA512
8035fedd42beca60c010fa69eaec2ae1c6691f1a1fa90cd07fbdfb05ebc7ce648e80c1cff11e6dd1c006f971d782054974718eabac3369584005d1fe84292006

Download Submit
C:\Users\Admin\AppData\Local\Temp\pnowxpr.exe
Filesize
73KB

MD5
c3d1520595c08a392fe0df9a14a9e611

SHA1
b0f8176f6b68a572b5b4f9212ab51597afb17cfd

SHA256
400c153d2ce5ec6408769a9b12b87a1f138d0fe69166d080913d865d605608ab

SHA512
5d473a9a473ea61c67b1d9b1e00509168ff2b7245df8679323ffd6f9032e726e5963afbc523da663ed5d39c8d49e841211a0c49534c70afbb589023f34ac10dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\pnowxpr.exe
Filesize
73KB

MD5
c3d1520595c08a392fe0df9a14a9e611

SHA1
b0f8176f6b68a572b5b4f9212ab51597afb17cfd

SHA256
400c153d2ce5ec6408769a9b12b87a1f138d0fe69166d080913d865d605608ab

SHA512
5d473a9a473ea61c67b1d9b1e00509168ff2b7245df8679323ffd6f9032e726e5963afbc523da663ed5d39c8d49e841211a0c49534c70afbb589023f34ac10dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\pnowxpr.exe
Filesize
73KB

MD5
c3d1520595c08a392fe0df9a14a9e611

SHA1
b0f8176f6b68a572b5b4f9212ab51597afb17cfd

SHA256
400c153d2ce5ec6408769a9b12b87a1f138d0fe69166d080913d865d605608ab

SHA512
5d473a9a473ea61c67b1d9b1e00509168ff2b7245df8679323ffd6f9032e726e5963afbc523da663ed5d39c8d49e841211a0c49534c70afbb589023f34ac10dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\zxykqdfeho.kl
Filesize
185KB

MD5
ad084fb23e4d42b35a182e01abcbc654

SHA1
e06b7ec6a5cc037a6aec7c22351fb1752c6e5477

SHA256
3350c35339de981bf8eae8bd39e0ea907976042b342bd76cbef5e8f6eb74af21

SHA512
de3600c48a73c28bfdb581fc30e2d3e35ab321fba5067ffceb7f1c60f48e790a3958ba228e2d61942e50acd7c93f4a5b4c815c02881753c7b7a9a5e0d4b92ee8

Download Submit
\Users\Admin\AppData\Local\Temp\pnowxpr.exe
Filesize
73KB

MD5
c3d1520595c08a392fe0df9a14a9e611

SHA1
b0f8176f6b68a572b5b4f9212ab51597afb17cfd

SHA256
400c153d2ce5ec6408769a9b12b87a1f138d0fe69166d080913d865d605608ab

SHA512
5d473a9a473ea61c67b1d9b1e00509168ff2b7245df8679323ffd6f9032e726e5963afbc523da663ed5d39c8d49e841211a0c49534c70afbb589023f34ac10dd

Download Submit
\Users\Admin\AppData\Local\Temp\pnowxpr.exe
Filesize
73KB

MD5
c3d1520595c08a392fe0df9a14a9e611

SHA1
b0f8176f6b68a572b5b4f9212ab51597afb17cfd

SHA256
400c153d2ce5ec6408769a9b12b87a1f138d0fe69166d080913d865d605608ab

SHA512
5d473a9a473ea61c67b1d9b1e00509168ff2b7245df8679323ffd6f9032e726e5963afbc523da663ed5d39c8d49e841211a0c49534c70afbb589023f34ac10dd

Download Submit
memory/1256-67-0x00000000060A0000-0x00000000061A8000-memory.dmp

Filesize
1.0MB

Download
memory/1256-78-0x00000000049C0000-0x0000000004A98000-memory.dmp

Filesize
864KB

Download
memory/1256-76-0x00000000049C0000-0x0000000004A98000-memory.dmp

Filesize
864KB

Download
memory/1544-71-0x0000000000000000-mapping.dmp

Download
memory/1616-73-0x00000000000E0000-0x000000000010F000-memory.dmp

Filesize
188KB

Download
memory/1616-68-0x0000000000000000-mapping.dmp

Download
memory/1616-72-0x00000000004D0000-0x00000000004E8000-memory.dmp

Filesize
96KB

Download
memory/1616-74-0x0000000001F30000-0x0000000002233000-memory.dmp

Filesize
3.0MB

Download
memory/1616-75-0x00000000004F0000-0x0000000000583000-memory.dmp

Filesize
588KB

Download
memory/1616-77-0x00000000000E0000-0x000000000010F000-memory.dmp

Filesize
188KB

Download
memory/1784-66-0x00000000002F0000-0x0000000000304000-memory.dmp

Filesize
80KB

Download
memory/1784-65-0x0000000000890000-0x0000000000B93000-memory.dmp

Filesize
3.0MB

Download
memory/1784-69-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1784-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1784-62-0x000000000041F120-mapping.dmp

Download
memory/1800-54-0x00000000758C1000-0x00000000758C3000-memory.dmp

Filesize
8KB

Download
memory/1952-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads