formbook | 48178caa9d162c7d9e80f7f5c0781b2c6caab7cdc975361a3a6ed510d4683b47

General

Target

jets009576.exe
Size

269KB
MD5

1424f51c647f3f91ff8bd772ed81ad11
SHA1

b9a60b20215d65bbf95e0ddbc1747a263e6ee0ff
SHA256

bb0bf0449c531f9f84fadd5ab4df59906a9fda97d25677eedfc85d82f1470561
SHA512

232c9f132e94d5acd12e75e3c747817cd4fa78a20cd06810840f30ceaceb9e7352c9f1e110a7f63fa88eb708ce1161e4938a8baaeada0a47cd5f24064eaadddf
SSDEEP

6144:MEa0Nlg0SbqaRdlL3wTblUpk7BYDSx0gWw2zOVfo30qAy6cuu:XR/YlOUoKm2gWRqVfo30lxu

Score

10^/10

formbook je14 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

je14

Decoy

innervisionbuildings.com

theenergysocialite.com

565548.com

panghr.com

onlyonesolutions.com

stjohnzone6.com

cnotes.rest

helfeb.online

xixi-s-inc.club

easilyentered.com

theshopx.store

mrclean-ac.com

miamibeachwateradventures.com

jpearce.co.uk

seseragi-bunkou.com

minimaddie.com

commbank-help-849c3.com

segohandelsonderneming.com

namthanhreal.com

fototerapi.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4872-139-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/860-145-0x0000000000F60000-0x0000000000F8F000-memory.dmp	formbook
behavioral2/memory/860-149-0x0000000000F60000-0x0000000000F8F000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

kkhsoyi.exekkhsoyi.exe

pid process

4188 kkhsoyi.exe
4872 kkhsoyi.exe

pid	process
4188	kkhsoyi.exe
4872	kkhsoyi.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

kkhsoyi.exekkhsoyi.execmd.exe

description	pid	process	target process
PID 4188 set thread context of 4872	4188	kkhsoyi.exe	kkhsoyi.exe
PID 4872 set thread context of 2644	4872	kkhsoyi.exe	Explorer.EXE
PID 860 set thread context of 2644	860	cmd.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 56 IoCs

Processes:

kkhsoyi.execmd.exe

pid	process
4872	kkhsoyi.exe
4872	kkhsoyi.exe
4872	kkhsoyi.exe
4872	kkhsoyi.exe
860	cmd.exe
860	cmd.exe
860	cmd.exe
860	cmd.exe
860	cmd.exe
860	cmd.exe
860	cmd.exe
860	cmd.exe
860	cmd.exe
860	cmd.exe
860	cmd.exe
860	cmd.exe
860	cmd.exe
860	cmd.exe
860	cmd.exe
860	cmd.exe
860	cmd.exe
860	cmd.exe
860	cmd.exe
860	cmd.exe
860	cmd.exe
860	cmd.exe
860	cmd.exe
860	cmd.exe
860	cmd.exe
860	cmd.exe
860	cmd.exe
860	cmd.exe
860	cmd.exe
860	cmd.exe
860	cmd.exe
860	cmd.exe
860	cmd.exe
860	cmd.exe
860	cmd.exe
860	cmd.exe
860	cmd.exe
860	cmd.exe
860	cmd.exe
860	cmd.exe
860	cmd.exe
860	cmd.exe
860	cmd.exe
860	cmd.exe
860	cmd.exe
860	cmd.exe
860	cmd.exe
860	cmd.exe
860	cmd.exe
860	cmd.exe
860	cmd.exe
860	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2644 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

kkhsoyi.exekkhsoyi.execmd.exe

pid process

4188 kkhsoyi.exe
4872 kkhsoyi.exe
4872 kkhsoyi.exe
4872 kkhsoyi.exe
860 cmd.exe
860 cmd.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

kkhsoyi.execmd.exe

description pid process

Token: SeDebugPrivilege 4872 kkhsoyi.exe
Token: SeDebugPrivilege 860 cmd.exe

pid	process
2644	Explorer.EXE

pid	process
4188	kkhsoyi.exe
4872	kkhsoyi.exe
4872	kkhsoyi.exe
4872	kkhsoyi.exe
860	cmd.exe
860	cmd.exe

description	pid	process
Token: SeDebugPrivilege	4872	kkhsoyi.exe
Token: SeDebugPrivilege	860	cmd.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

jets009576.exekkhsoyi.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 4728 wrote to memory of 4188	4728	jets009576.exe	kkhsoyi.exe
PID 4728 wrote to memory of 4188	4728	jets009576.exe	kkhsoyi.exe
PID 4728 wrote to memory of 4188	4728	jets009576.exe	kkhsoyi.exe
PID 4188 wrote to memory of 4872	4188	kkhsoyi.exe	kkhsoyi.exe
PID 4188 wrote to memory of 4872	4188	kkhsoyi.exe	kkhsoyi.exe
PID 4188 wrote to memory of 4872	4188	kkhsoyi.exe	kkhsoyi.exe
PID 4188 wrote to memory of 4872	4188	kkhsoyi.exe	kkhsoyi.exe
PID 2644 wrote to memory of 860	2644	Explorer.EXE	cmd.exe
PID 2644 wrote to memory of 860	2644	Explorer.EXE	cmd.exe
PID 2644 wrote to memory of 860	2644	Explorer.EXE	cmd.exe
PID 860 wrote to memory of 1484	860	cmd.exe	cmd.exe
PID 860 wrote to memory of 1484	860	cmd.exe	cmd.exe
PID 860 wrote to memory of 1484	860	cmd.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2644

C:\Users\Admin\AppData\Local\Temp\jets009576.exe
"C:\Users\Admin\AppData\Local\Temp\jets009576.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4728

C:\Users\Admin\AppData\Local\Temp\kkhsoyi.exe
"C:\Users\Admin\AppData\Local\Temp\kkhsoyi.exe" C:\Users\Admin\AppData\Local\Temp\kvokmrtmfiv.qm
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4188

C:\Users\Admin\AppData\Local\Temp\kkhsoyi.exe
"C:\Users\Admin\AppData\Local\Temp\kkhsoyi.exe" C:\Users\Admin\AppData\Local\Temp\kvokmrtmfiv.qm
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4872

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:860

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\kkhsoyi.exe"
3⤵
PID:1484

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\eadfbwk.gk
Filesize
185KB

MD5
dd48bd0ecfeacd5befba48028763f4a0

SHA1
cd92347b18d63a9f8e44816750f516a51e8be1d0

SHA256
cd5653b1e33e7eab7d5480fbab9dd461e5dc66d6235d72d98da4b4e379a57961

SHA512
f43140cc434fe1ef72258ad0ab3537a1f5f7f16eb81894555f76254b22d24ba9846b382acc150d68431e619e487b66ed65388e65132d9781cc45abd58a50ccf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkhsoyi.exe
Filesize
91KB

MD5
effbccc4ec2158d29be91732019f9d7f

SHA1
e2a980993edb6c8285cf08f75d5d831c3c21ca9c

SHA256
b259fadc06a128cdbf2888dbf0b0296d88a891e16fe8e84db9f11d500851d3d4

SHA512
faf985f00210f195f37c68d692d028369bc7bb4e96270738ead4638ff57a750587f86d679b116a61bc45a9432b87ac3090575fb24f9d644c00e8c9124929eaa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkhsoyi.exe
Filesize
91KB

MD5
effbccc4ec2158d29be91732019f9d7f

SHA1
e2a980993edb6c8285cf08f75d5d831c3c21ca9c

SHA256
b259fadc06a128cdbf2888dbf0b0296d88a891e16fe8e84db9f11d500851d3d4

SHA512
faf985f00210f195f37c68d692d028369bc7bb4e96270738ead4638ff57a750587f86d679b116a61bc45a9432b87ac3090575fb24f9d644c00e8c9124929eaa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkhsoyi.exe
Filesize
91KB

MD5
effbccc4ec2158d29be91732019f9d7f

SHA1
e2a980993edb6c8285cf08f75d5d831c3c21ca9c

SHA256
b259fadc06a128cdbf2888dbf0b0296d88a891e16fe8e84db9f11d500851d3d4

SHA512
faf985f00210f195f37c68d692d028369bc7bb4e96270738ead4638ff57a750587f86d679b116a61bc45a9432b87ac3090575fb24f9d644c00e8c9124929eaa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\kvokmrtmfiv.qm
Filesize
5KB

MD5
12898958dd4bc8be15f6b25baf8b0747

SHA1
5820cf52e68be0a9ff57988786317acbdac91fb8

SHA256
a3b394a315dc31a6b8603378744e1065bda2b28b3b87e41b8a0c772232d6f502

SHA512
2a4b3cf2a1a9bbbe803f4ad82fb84ad9eb1e4fb1a904e279d1554422ea93ecbe8a944d5bf85eb8281589927676ccd1beaff62f31b3524fd6b3f910a66437aab6

Download Submit
memory/860-144-0x0000000000E00000-0x0000000000E5A000-memory.dmp

Filesize
360KB

Download
memory/860-150-0x0000000001890000-0x0000000001923000-memory.dmp

Filesize
588KB

Download
memory/860-149-0x0000000000F60000-0x0000000000F8F000-memory.dmp

Filesize
188KB

Download
memory/860-147-0x0000000001AF0000-0x0000000001E3A000-memory.dmp

Filesize
3.3MB

Download
memory/860-145-0x0000000000F60000-0x0000000000F8F000-memory.dmp

Filesize
188KB

Download
memory/860-143-0x0000000000000000-mapping.dmp

Download
memory/1484-146-0x0000000000000000-mapping.dmp

Download
memory/2644-142-0x00000000089F0000-0x0000000008B7B000-memory.dmp

Filesize
1.5MB

Download
memory/2644-148-0x00000000089F0000-0x0000000008B7B000-memory.dmp

Filesize
1.5MB

Download
memory/2644-151-0x0000000004C40000-0x0000000004CFF000-memory.dmp

Filesize
764KB

Download
memory/2644-152-0x0000000004C40000-0x0000000004CFF000-memory.dmp

Filesize
764KB

Download
memory/4188-132-0x0000000000000000-mapping.dmp

Download
memory/4872-141-0x0000000000500000-0x0000000000514000-memory.dmp

Filesize
80KB

Download
memory/4872-140-0x0000000000A70000-0x0000000000DBA000-memory.dmp

Filesize
3.3MB

Download
memory/4872-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4872-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads