formbook | 48178caa9d162c7d9e80f7f5c0781b2c6caab7cdc975361a3a6ed510d4683b47

General

Target

jets009576.exe
Size

269KB
MD5

1424f51c647f3f91ff8bd772ed81ad11
SHA1

b9a60b20215d65bbf95e0ddbc1747a263e6ee0ff
SHA256

bb0bf0449c531f9f84fadd5ab4df59906a9fda97d25677eedfc85d82f1470561
SHA512

232c9f132e94d5acd12e75e3c747817cd4fa78a20cd06810840f30ceaceb9e7352c9f1e110a7f63fa88eb708ce1161e4938a8baaeada0a47cd5f24064eaadddf
SSDEEP

6144:MEa0Nlg0SbqaRdlL3wTblUpk7BYDSx0gWw2zOVfo30qAy6cuu:XR/YlOUoKm2gWRqVfo30lxu

Score

10^/10

formbook je14 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

je14

Decoy

innervisionbuildings.com

theenergysocialite.com

565548.com

panghr.com

onlyonesolutions.com

stjohnzone6.com

cnotes.rest

helfeb.online

xixi-s-inc.club

easilyentered.com

theshopx.store

mrclean-ac.com

miamibeachwateradventures.com

jpearce.co.uk

seseragi-bunkou.com

minimaddie.com

commbank-help-849c3.com

segohandelsonderneming.com

namthanhreal.com

fototerapi.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/268-66-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/268-71-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2016-74-0x0000000000070000-0x000000000009F000-memory.dmp	formbook

Blocklisted process makes network request 1 IoCs

Processes:

wscript.exe

flow pid process

14 2016 wscript.exe
Executes dropped EXE 2 IoCs

Processes:

kkhsoyi.exekkhsoyi.exe

pid process

936 kkhsoyi.exe
268 kkhsoyi.exe
Loads dropped DLL 3 IoCs

Processes:

jets009576.exekkhsoyi.exe

pid process

1276 jets009576.exe
1276 jets009576.exe
936 kkhsoyi.exe

flow	pid	process
14	2016	wscript.exe

pid	process
936	kkhsoyi.exe
268	kkhsoyi.exe

pid	process
1276	jets009576.exe
1276	jets009576.exe
936	kkhsoyi.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

kkhsoyi.exekkhsoyi.exewscript.exe

description	pid	process	target process
PID 936 set thread context of 268	936	kkhsoyi.exe	kkhsoyi.exe
PID 268 set thread context of 1284	268	kkhsoyi.exe	Explorer.EXE
PID 2016 set thread context of 1284	2016	wscript.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

kkhsoyi.exewscript.exe

pid	process
268	kkhsoyi.exe
268	kkhsoyi.exe
2016	wscript.exe
2016	wscript.exe
2016	wscript.exe
2016	wscript.exe
2016	wscript.exe
2016	wscript.exe
2016	wscript.exe
2016	wscript.exe
2016	wscript.exe
2016	wscript.exe
2016	wscript.exe
2016	wscript.exe
2016	wscript.exe
2016	wscript.exe
2016	wscript.exe
2016	wscript.exe
2016	wscript.exe
2016	wscript.exe
2016	wscript.exe
2016	wscript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1284 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

kkhsoyi.exekkhsoyi.exewscript.exe

pid process

936 kkhsoyi.exe
268 kkhsoyi.exe
268 kkhsoyi.exe
268 kkhsoyi.exe
2016 wscript.exe
2016 wscript.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

kkhsoyi.exewscript.exeExplorer.EXE

description pid process

Token: SeDebugPrivilege 268 kkhsoyi.exe
Token: SeDebugPrivilege 2016 wscript.exe
Token: SeShutdownPrivilege 1284 Explorer.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1284 Explorer.EXE
1284 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1284 Explorer.EXE
1284 Explorer.EXE

pid	process
1284	Explorer.EXE

pid	process
936	kkhsoyi.exe
268	kkhsoyi.exe
268	kkhsoyi.exe
268	kkhsoyi.exe
2016	wscript.exe
2016	wscript.exe

description	pid	process
Token: SeDebugPrivilege	268	kkhsoyi.exe
Token: SeDebugPrivilege	2016	wscript.exe
Token: SeShutdownPrivilege	1284	Explorer.EXE

pid	process
1284	Explorer.EXE
1284	Explorer.EXE

pid	process
1284	Explorer.EXE
1284	Explorer.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

jets009576.exekkhsoyi.exeExplorer.EXEwscript.exe

description	pid	process	target process
PID 1276 wrote to memory of 936	1276	jets009576.exe	kkhsoyi.exe
PID 1276 wrote to memory of 936	1276	jets009576.exe	kkhsoyi.exe
PID 1276 wrote to memory of 936	1276	jets009576.exe	kkhsoyi.exe
PID 1276 wrote to memory of 936	1276	jets009576.exe	kkhsoyi.exe
PID 936 wrote to memory of 268	936	kkhsoyi.exe	kkhsoyi.exe
PID 936 wrote to memory of 268	936	kkhsoyi.exe	kkhsoyi.exe
PID 936 wrote to memory of 268	936	kkhsoyi.exe	kkhsoyi.exe
PID 936 wrote to memory of 268	936	kkhsoyi.exe	kkhsoyi.exe
PID 936 wrote to memory of 268	936	kkhsoyi.exe	kkhsoyi.exe
PID 1284 wrote to memory of 2016	1284	Explorer.EXE	wscript.exe
PID 1284 wrote to memory of 2016	1284	Explorer.EXE	wscript.exe
PID 1284 wrote to memory of 2016	1284	Explorer.EXE	wscript.exe
PID 1284 wrote to memory of 2016	1284	Explorer.EXE	wscript.exe
PID 2016 wrote to memory of 728	2016	wscript.exe	cmd.exe
PID 2016 wrote to memory of 728	2016	wscript.exe	cmd.exe
PID 2016 wrote to memory of 728	2016	wscript.exe	cmd.exe
PID 2016 wrote to memory of 728	2016	wscript.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1284

C:\Users\Admin\AppData\Local\Temp\jets009576.exe
"C:\Users\Admin\AppData\Local\Temp\jets009576.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1276

C:\Users\Admin\AppData\Local\Temp\kkhsoyi.exe
"C:\Users\Admin\AppData\Local\Temp\kkhsoyi.exe" C:\Users\Admin\AppData\Local\Temp\kvokmrtmfiv.qm
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:936

C:\Users\Admin\AppData\Local\Temp\kkhsoyi.exe
"C:\Users\Admin\AppData\Local\Temp\kkhsoyi.exe" C:\Users\Admin\AppData\Local\Temp\kvokmrtmfiv.qm
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:268

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2020

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\kkhsoyi.exe"
3⤵
PID:728

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\eadfbwk.gk
Filesize
185KB

MD5
dd48bd0ecfeacd5befba48028763f4a0

SHA1
cd92347b18d63a9f8e44816750f516a51e8be1d0

SHA256
cd5653b1e33e7eab7d5480fbab9dd461e5dc66d6235d72d98da4b4e379a57961

SHA512
f43140cc434fe1ef72258ad0ab3537a1f5f7f16eb81894555f76254b22d24ba9846b382acc150d68431e619e487b66ed65388e65132d9781cc45abd58a50ccf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkhsoyi.exe
Filesize
91KB

MD5
effbccc4ec2158d29be91732019f9d7f

SHA1
e2a980993edb6c8285cf08f75d5d831c3c21ca9c

SHA256
b259fadc06a128cdbf2888dbf0b0296d88a891e16fe8e84db9f11d500851d3d4

SHA512
faf985f00210f195f37c68d692d028369bc7bb4e96270738ead4638ff57a750587f86d679b116a61bc45a9432b87ac3090575fb24f9d644c00e8c9124929eaa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkhsoyi.exe
Filesize
91KB

MD5
effbccc4ec2158d29be91732019f9d7f

SHA1
e2a980993edb6c8285cf08f75d5d831c3c21ca9c

SHA256
b259fadc06a128cdbf2888dbf0b0296d88a891e16fe8e84db9f11d500851d3d4

SHA512
faf985f00210f195f37c68d692d028369bc7bb4e96270738ead4638ff57a750587f86d679b116a61bc45a9432b87ac3090575fb24f9d644c00e8c9124929eaa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkhsoyi.exe
Filesize
91KB

MD5
effbccc4ec2158d29be91732019f9d7f

SHA1
e2a980993edb6c8285cf08f75d5d831c3c21ca9c

SHA256
b259fadc06a128cdbf2888dbf0b0296d88a891e16fe8e84db9f11d500851d3d4

SHA512
faf985f00210f195f37c68d692d028369bc7bb4e96270738ead4638ff57a750587f86d679b116a61bc45a9432b87ac3090575fb24f9d644c00e8c9124929eaa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\kvokmrtmfiv.qm
Filesize
5KB

MD5
12898958dd4bc8be15f6b25baf8b0747

SHA1
5820cf52e68be0a9ff57988786317acbdac91fb8

SHA256
a3b394a315dc31a6b8603378744e1065bda2b28b3b87e41b8a0c772232d6f502

SHA512
2a4b3cf2a1a9bbbe803f4ad82fb84ad9eb1e4fb1a904e279d1554422ea93ecbe8a944d5bf85eb8281589927676ccd1beaff62f31b3524fd6b3f910a66437aab6

Download Submit
\Users\Admin\AppData\Local\Temp\kkhsoyi.exe
Filesize
91KB

MD5
effbccc4ec2158d29be91732019f9d7f

SHA1
e2a980993edb6c8285cf08f75d5d831c3c21ca9c

SHA256
b259fadc06a128cdbf2888dbf0b0296d88a891e16fe8e84db9f11d500851d3d4

SHA512
faf985f00210f195f37c68d692d028369bc7bb4e96270738ead4638ff57a750587f86d679b116a61bc45a9432b87ac3090575fb24f9d644c00e8c9124929eaa9

Download Submit
\Users\Admin\AppData\Local\Temp\kkhsoyi.exe
Filesize
91KB

MD5
effbccc4ec2158d29be91732019f9d7f

SHA1
e2a980993edb6c8285cf08f75d5d831c3c21ca9c

SHA256
b259fadc06a128cdbf2888dbf0b0296d88a891e16fe8e84db9f11d500851d3d4

SHA512
faf985f00210f195f37c68d692d028369bc7bb4e96270738ead4638ff57a750587f86d679b116a61bc45a9432b87ac3090575fb24f9d644c00e8c9124929eaa9

Download Submit
\Users\Admin\AppData\Local\Temp\kkhsoyi.exe
Filesize
91KB

MD5
effbccc4ec2158d29be91732019f9d7f

SHA1
e2a980993edb6c8285cf08f75d5d831c3c21ca9c

SHA256
b259fadc06a128cdbf2888dbf0b0296d88a891e16fe8e84db9f11d500851d3d4

SHA512
faf985f00210f195f37c68d692d028369bc7bb4e96270738ead4638ff57a750587f86d679b116a61bc45a9432b87ac3090575fb24f9d644c00e8c9124929eaa9

Download Submit
memory/268-67-0x0000000000850000-0x0000000000B53000-memory.dmp

Filesize
3.0MB

Download
memory/268-64-0x000000000041F120-mapping.dmp

Download
memory/268-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/268-68-0x00000000002B0000-0x00000000002C4000-memory.dmp

Filesize
80KB

Download
memory/268-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/728-75-0x0000000000000000-mapping.dmp

Download
memory/936-57-0x0000000000000000-mapping.dmp

Download
memory/1276-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/1284-69-0x00000000045E0000-0x0000000004726000-memory.dmp

Filesize
1.3MB

Download
memory/1284-78-0x0000000006C70000-0x0000000006D9F000-memory.dmp

Filesize
1.2MB

Download
memory/1284-77-0x0000000006C70000-0x0000000006D9F000-memory.dmp

Filesize
1.2MB

Download
memory/2016-70-0x0000000000000000-mapping.dmp

Download
memory/2016-74-0x0000000000070000-0x000000000009F000-memory.dmp

Filesize
188KB

Download
memory/2016-73-0x00000000020B0000-0x00000000023B3000-memory.dmp

Filesize
3.0MB

Download
memory/2016-76-0x0000000002630000-0x00000000026C3000-memory.dmp

Filesize
588KB

Download
memory/2016-72-0x0000000000AF0000-0x0000000000B16000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads