formbook | 7d0de180145ec000723ff46be7d2ce70671264588e5b82eb021d8db673829f2e

General

Target

jetss46635.exe
Size

261KB
MD5

62cc148705cfa7c981bdb823de72bb93
SHA1

1b47fd2f7535f55d44abaea0ce85d685841c6ef4
SHA256

f79c3a8f98d47aab53d03bce09d51bc17c25b9cb051a69f040b0ada6fc6abb88
SHA512

0c86c17dcbd338db984b3765e489510e90b71cae33746da75c2310c4722f35e878d01e94834d444e3a28e3012a2631dacfed55e69561edba44212711622475c3
SSDEEP

6144:MEa0NXK2m0R1Ic0wsf08mIm2+vARvuR5UKMUgfkmoLv24T:XXXRL0Pf0TIm2+IliGcLvV

Score

10^/10

formbook je14 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

je14

Decoy

innervisionbuildings.com

theenergysocialite.com

565548.com

panghr.com

onlyonesolutions.com

stjohnzone6.com

cnotes.rest

helfeb.online

xixi-s-inc.club

easilyentered.com

theshopx.store

mrclean-ac.com

miamibeachwateradventures.com

jpearce.co.uk

seseragi-bunkou.com

minimaddie.com

commbank-help-849c3.com

segohandelsonderneming.com

namthanhreal.com

fototerapi.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3940-139-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3940-146-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4976-148-0x0000000000C00000-0x0000000000C2F000-memory.dmp	formbook
behavioral2/memory/4976-154-0x0000000000C00000-0x0000000000C2F000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

pnowxpr.exepnowxpr.exe

pid process

1572 pnowxpr.exe
3940 pnowxpr.exe

pid	process
1572	pnowxpr.exe
3940	pnowxpr.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

pnowxpr.exepnowxpr.exemsiexec.exe

description	pid	process	target process
PID 1572 set thread context of 3940	1572	pnowxpr.exe	pnowxpr.exe
PID 3940 set thread context of 1076	3940	pnowxpr.exe	Explorer.EXE
PID 3940 set thread context of 1076	3940	pnowxpr.exe	Explorer.EXE
PID 4976 set thread context of 1076	4976	msiexec.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

pnowxpr.exemsiexec.exe

pid	process
3940	pnowxpr.exe
3940	pnowxpr.exe
3940	pnowxpr.exe
3940	pnowxpr.exe
3940	pnowxpr.exe
3940	pnowxpr.exe
4976	msiexec.exe
4976	msiexec.exe
4976	msiexec.exe
4976	msiexec.exe
4976	msiexec.exe
4976	msiexec.exe
4976	msiexec.exe
4976	msiexec.exe
4976	msiexec.exe
4976	msiexec.exe
4976	msiexec.exe
4976	msiexec.exe
4976	msiexec.exe
4976	msiexec.exe
4976	msiexec.exe
4976	msiexec.exe
4976	msiexec.exe
4976	msiexec.exe
4976	msiexec.exe
4976	msiexec.exe
4976	msiexec.exe
4976	msiexec.exe
4976	msiexec.exe
4976	msiexec.exe
4976	msiexec.exe
4976	msiexec.exe
4976	msiexec.exe
4976	msiexec.exe
4976	msiexec.exe
4976	msiexec.exe
4976	msiexec.exe
4976	msiexec.exe
4976	msiexec.exe
4976	msiexec.exe
4976	msiexec.exe
4976	msiexec.exe
4976	msiexec.exe
4976	msiexec.exe
4976	msiexec.exe
4976	msiexec.exe
4976	msiexec.exe
4976	msiexec.exe
4976	msiexec.exe
4976	msiexec.exe
4976	msiexec.exe
4976	msiexec.exe
4976	msiexec.exe
4976	msiexec.exe
4976	msiexec.exe
4976	msiexec.exe
4976	msiexec.exe
4976	msiexec.exe
4976	msiexec.exe
4976	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1076 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

pnowxpr.exepnowxpr.exemsiexec.exe

pid process

1572 pnowxpr.exe
3940 pnowxpr.exe
3940 pnowxpr.exe
3940 pnowxpr.exe
3940 pnowxpr.exe
4976 msiexec.exe
4976 msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pnowxpr.exemsiexec.exe

description pid process

Token: SeDebugPrivilege 3940 pnowxpr.exe
Token: SeDebugPrivilege 4976 msiexec.exe

pid	process
1076	Explorer.EXE

pid	process
1572	pnowxpr.exe
3940	pnowxpr.exe
3940	pnowxpr.exe
3940	pnowxpr.exe
3940	pnowxpr.exe
4976	msiexec.exe
4976	msiexec.exe

description	pid	process
Token: SeDebugPrivilege	3940	pnowxpr.exe
Token: SeDebugPrivilege	4976	msiexec.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

jetss46635.exepnowxpr.exeExplorer.EXEmsiexec.exe

description	pid	process	target process
PID 4816 wrote to memory of 1572	4816	jetss46635.exe	pnowxpr.exe
PID 4816 wrote to memory of 1572	4816	jetss46635.exe	pnowxpr.exe
PID 4816 wrote to memory of 1572	4816	jetss46635.exe	pnowxpr.exe
PID 1572 wrote to memory of 3940	1572	pnowxpr.exe	pnowxpr.exe
PID 1572 wrote to memory of 3940	1572	pnowxpr.exe	pnowxpr.exe
PID 1572 wrote to memory of 3940	1572	pnowxpr.exe	pnowxpr.exe
PID 1572 wrote to memory of 3940	1572	pnowxpr.exe	pnowxpr.exe
PID 1076 wrote to memory of 4976	1076	Explorer.EXE	msiexec.exe
PID 1076 wrote to memory of 4976	1076	Explorer.EXE	msiexec.exe
PID 1076 wrote to memory of 4976	1076	Explorer.EXE	msiexec.exe
PID 4976 wrote to memory of 1928	4976	msiexec.exe	cmd.exe
PID 4976 wrote to memory of 1928	4976	msiexec.exe	cmd.exe
PID 4976 wrote to memory of 1928	4976	msiexec.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1076

C:\Users\Admin\AppData\Local\Temp\jetss46635.exe
"C:\Users\Admin\AppData\Local\Temp\jetss46635.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4816

C:\Users\Admin\AppData\Local\Temp\pnowxpr.exe
"C:\Users\Admin\AppData\Local\Temp\pnowxpr.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1572

C:\Users\Admin\AppData\Local\Temp\pnowxpr.exe
"C:\Users\Admin\AppData\Local\Temp\pnowxpr.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3940

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4976

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\pnowxpr.exe"
3⤵
PID:1928

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aewdt.d
Filesize
5KB

MD5
dd27f576cb0ceb724998aa7f63897fbc

SHA1
be3e2c774e6b75520fb413cefa01e4bde2dde92d

SHA256
8a42cacf9193740b218a9855c72cf3a3c12daee3410958ef934d09ee3b49df7a

SHA512
8035fedd42beca60c010fa69eaec2ae1c6691f1a1fa90cd07fbdfb05ebc7ce648e80c1cff11e6dd1c006f971d782054974718eabac3369584005d1fe84292006

Download Submit
C:\Users\Admin\AppData\Local\Temp\pnowxpr.exe
Filesize
73KB

MD5
c3d1520595c08a392fe0df9a14a9e611

SHA1
b0f8176f6b68a572b5b4f9212ab51597afb17cfd

SHA256
400c153d2ce5ec6408769a9b12b87a1f138d0fe69166d080913d865d605608ab

SHA512
5d473a9a473ea61c67b1d9b1e00509168ff2b7245df8679323ffd6f9032e726e5963afbc523da663ed5d39c8d49e841211a0c49534c70afbb589023f34ac10dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\pnowxpr.exe
Filesize
73KB

MD5
c3d1520595c08a392fe0df9a14a9e611

SHA1
b0f8176f6b68a572b5b4f9212ab51597afb17cfd

SHA256
400c153d2ce5ec6408769a9b12b87a1f138d0fe69166d080913d865d605608ab

SHA512
5d473a9a473ea61c67b1d9b1e00509168ff2b7245df8679323ffd6f9032e726e5963afbc523da663ed5d39c8d49e841211a0c49534c70afbb589023f34ac10dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\pnowxpr.exe
Filesize
73KB

MD5
c3d1520595c08a392fe0df9a14a9e611

SHA1
b0f8176f6b68a572b5b4f9212ab51597afb17cfd

SHA256
400c153d2ce5ec6408769a9b12b87a1f138d0fe69166d080913d865d605608ab

SHA512
5d473a9a473ea61c67b1d9b1e00509168ff2b7245df8679323ffd6f9032e726e5963afbc523da663ed5d39c8d49e841211a0c49534c70afbb589023f34ac10dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\zxykqdfeho.kl
Filesize
185KB

MD5
ad084fb23e4d42b35a182e01abcbc654

SHA1
e06b7ec6a5cc037a6aec7c22351fb1752c6e5477

SHA256
3350c35339de981bf8eae8bd39e0ea907976042b342bd76cbef5e8f6eb74af21

SHA512
de3600c48a73c28bfdb581fc30e2d3e35ab321fba5067ffceb7f1c60f48e790a3958ba228e2d61942e50acd7c93f4a5b4c815c02881753c7b7a9a5e0d4b92ee8

Download Submit
memory/1076-144-0x00000000091B0000-0x0000000009334000-memory.dmp

Filesize
1.5MB

Download
memory/1076-155-0x00000000087B0000-0x0000000008913000-memory.dmp

Filesize
1.4MB

Download
memory/1076-153-0x00000000087B0000-0x0000000008913000-memory.dmp

Filesize
1.4MB

Download
memory/1076-151-0x00000000085D0000-0x0000000008730000-memory.dmp

Filesize
1.4MB

Download
memory/1076-142-0x00000000085D0000-0x0000000008730000-memory.dmp

Filesize
1.4MB

Download
memory/1572-132-0x0000000000000000-mapping.dmp

Download
memory/1928-149-0x0000000000000000-mapping.dmp

Download
memory/3940-146-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3940-137-0x0000000000000000-mapping.dmp

Download
memory/3940-143-0x00000000014D0000-0x00000000014E4000-memory.dmp

Filesize
80KB

Download
memory/3940-141-0x0000000001450000-0x0000000001464000-memory.dmp

Filesize
80KB

Download
memory/3940-140-0x00000000019E0000-0x0000000001D2A000-memory.dmp

Filesize
3.3MB

Download
memory/3940-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4976-145-0x0000000000000000-mapping.dmp

Download
memory/4976-147-0x0000000000090000-0x00000000000A2000-memory.dmp

Filesize
72KB

Download
memory/4976-148-0x0000000000C00000-0x0000000000C2F000-memory.dmp

Filesize
188KB

Download
memory/4976-150-0x0000000002AF0000-0x0000000002E3A000-memory.dmp

Filesize
3.3MB

Download
memory/4976-152-0x0000000002930000-0x00000000029C3000-memory.dmp

Filesize
588KB

Download
memory/4976-154-0x0000000000C00000-0x0000000000C2F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads