formbook | 66f34068c533bc957b3ef71f9aefb0f17d7f42a2bf84ec2eda416ca8c9f5d53a

General

Target

jets66700.exe
Size

258KB
MD5

c10e0b9756b38239fed5025e119db829
SHA1

b7a2ddbfd18fe7f0ea7683e73d84a595e966ebb9
SHA256

3603af319837f00dacace08ff3add606ccfd6faf64a53606575aae6f1a4ba782
SHA512

8d4d4edf987383774e8ccf54f5d06a8d08f1a52ee40592aacd5d512bc7c445f1d61b0333582b1c3f25cee14ee97aa4625941a9bd7425741c95736168f082f06c
SSDEEP

6144:QBn1/KUwq3q6YqZZ9f/EBqpObOiFzkiUF9FaP5qgJDa:gNslSEbOizk/9Foqg0

Score

10^/10

formbook je14 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

je14

Decoy

innervisionbuildings.com

theenergysocialite.com

565548.com

panghr.com

onlyonesolutions.com

stjohnzone6.com

cnotes.rest

helfeb.online

xixi-s-inc.club

easilyentered.com

theshopx.store

mrclean-ac.com

miamibeachwateradventures.com

jpearce.co.uk

seseragi-bunkou.com

minimaddie.com

commbank-help-849c3.com

segohandelsonderneming.com

namthanhreal.com

fototerapi.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1732-64-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1992-72-0x0000000000090000-0x00000000000BF000-memory.dmp	formbook
behavioral1/memory/1992-76-0x0000000000090000-0x00000000000BF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

frevguizqj.exefrevguizqj.exe

pid process

1900 frevguizqj.exe
1732 frevguizqj.exe
Loads dropped DLL 2 IoCs

Processes:

jets66700.exefrevguizqj.exe

pid process

948 jets66700.exe
1900 frevguizqj.exe

pid	process
1900	frevguizqj.exe
1732	frevguizqj.exe

pid	process
948	jets66700.exe
1900	frevguizqj.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

frevguizqj.exefrevguizqj.execmstp.exe

description	pid	process	target process
PID 1900 set thread context of 1732	1900	frevguizqj.exe	frevguizqj.exe
PID 1732 set thread context of 1268	1732	frevguizqj.exe	Explorer.EXE
PID 1992 set thread context of 1268	1992	cmstp.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

frevguizqj.execmstp.exe

pid	process
1732	frevguizqj.exe
1732	frevguizqj.exe
1992	cmstp.exe
1992	cmstp.exe
1992	cmstp.exe
1992	cmstp.exe
1992	cmstp.exe
1992	cmstp.exe
1992	cmstp.exe
1992	cmstp.exe
1992	cmstp.exe
1992	cmstp.exe
1992	cmstp.exe
1992	cmstp.exe
1992	cmstp.exe
1992	cmstp.exe
1992	cmstp.exe
1992	cmstp.exe
1992	cmstp.exe
1992	cmstp.exe
1992	cmstp.exe
1992	cmstp.exe
1992	cmstp.exe
1992	cmstp.exe
1992	cmstp.exe
1992	cmstp.exe
1992	cmstp.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

frevguizqj.exefrevguizqj.execmstp.exe

pid process

1900 frevguizqj.exe
1732 frevguizqj.exe
1732 frevguizqj.exe
1732 frevguizqj.exe
1992 cmstp.exe
1992 cmstp.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

frevguizqj.execmstp.exe

description pid process

Token: SeDebugPrivilege 1732 frevguizqj.exe
Token: SeDebugPrivilege 1992 cmstp.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1268 Explorer.EXE
1268 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1268 Explorer.EXE
1268 Explorer.EXE

pid	process
1900	frevguizqj.exe
1732	frevguizqj.exe
1732	frevguizqj.exe
1732	frevguizqj.exe
1992	cmstp.exe
1992	cmstp.exe

description	pid	process
Token: SeDebugPrivilege	1732	frevguizqj.exe
Token: SeDebugPrivilege	1992	cmstp.exe

pid	process
1268	Explorer.EXE
1268	Explorer.EXE

pid	process
1268	Explorer.EXE
1268	Explorer.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

jets66700.exefrevguizqj.exeExplorer.EXEcmstp.exe

description	pid	process	target process
PID 948 wrote to memory of 1900	948	jets66700.exe	frevguizqj.exe
PID 948 wrote to memory of 1900	948	jets66700.exe	frevguizqj.exe
PID 948 wrote to memory of 1900	948	jets66700.exe	frevguizqj.exe
PID 948 wrote to memory of 1900	948	jets66700.exe	frevguizqj.exe
PID 1900 wrote to memory of 1732	1900	frevguizqj.exe	frevguizqj.exe
PID 1900 wrote to memory of 1732	1900	frevguizqj.exe	frevguizqj.exe
PID 1900 wrote to memory of 1732	1900	frevguizqj.exe	frevguizqj.exe
PID 1900 wrote to memory of 1732	1900	frevguizqj.exe	frevguizqj.exe
PID 1900 wrote to memory of 1732	1900	frevguizqj.exe	frevguizqj.exe
PID 1268 wrote to memory of 1992	1268	Explorer.EXE	cmstp.exe
PID 1268 wrote to memory of 1992	1268	Explorer.EXE	cmstp.exe
PID 1268 wrote to memory of 1992	1268	Explorer.EXE	cmstp.exe
PID 1268 wrote to memory of 1992	1268	Explorer.EXE	cmstp.exe
PID 1268 wrote to memory of 1992	1268	Explorer.EXE	cmstp.exe
PID 1268 wrote to memory of 1992	1268	Explorer.EXE	cmstp.exe
PID 1268 wrote to memory of 1992	1268	Explorer.EXE	cmstp.exe
PID 1992 wrote to memory of 1104	1992	cmstp.exe	cmd.exe
PID 1992 wrote to memory of 1104	1992	cmstp.exe	cmd.exe
PID 1992 wrote to memory of 1104	1992	cmstp.exe	cmd.exe
PID 1992 wrote to memory of 1104	1992	cmstp.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1268

C:\Users\Admin\AppData\Local\Temp\jets66700.exe
"C:\Users\Admin\AppData\Local\Temp\jets66700.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:948

C:\Users\Admin\AppData\Local\Temp\frevguizqj.exe
"C:\Users\Admin\AppData\Local\Temp\frevguizqj.exe" C:\Users\Admin\AppData\Local\Temp\uoiuh.jrl
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1900

C:\Users\Admin\AppData\Local\Temp\frevguizqj.exe
"C:\Users\Admin\AppData\Local\Temp\frevguizqj.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\frevguizqj.exe"
3⤵
PID:1104

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fjizfs.lz
Filesize
185KB

MD5
8bac75bd61c98adbaf416f929b6e8129

SHA1
8471f91aece334c2531d8dc639b75a7c9d781b9b

SHA256
b04d78f9a4c1042cbadf10f60f99e98bce9bb25e41f6d553c8645239cd5ed47e

SHA512
737a2300eec1cb18c7305d55f9091984f301994b83d601ffa2362e398b8034e25ef1a5999d91eb87a056492c023fe3df664a5ab19642ddac1f8ff88a5a3e0699

Download Submit
C:\Users\Admin\AppData\Local\Temp\frevguizqj.exe
Filesize
99KB

MD5
f2ba5a77e740a805f7e7db9bd3fb426c

SHA1
92e47136fac6be5768b9a05f2ec79221fca22189

SHA256
8252fde630f2ded5bef111228be14aaf7b44888c31e7a10f6c0a9a2d63497f94

SHA512
fd770708c3d5bb33939f6ffed5ce45739d304e6052a199881262a76d1f5def059d1d471b18e877b54ef482737e5b62b3ea7eaa56dc23032b4a5ae2c26e113bf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\frevguizqj.exe
Filesize
99KB

MD5
f2ba5a77e740a805f7e7db9bd3fb426c

SHA1
92e47136fac6be5768b9a05f2ec79221fca22189

SHA256
8252fde630f2ded5bef111228be14aaf7b44888c31e7a10f6c0a9a2d63497f94

SHA512
fd770708c3d5bb33939f6ffed5ce45739d304e6052a199881262a76d1f5def059d1d471b18e877b54ef482737e5b62b3ea7eaa56dc23032b4a5ae2c26e113bf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\frevguizqj.exe
Filesize
99KB

MD5
f2ba5a77e740a805f7e7db9bd3fb426c

SHA1
92e47136fac6be5768b9a05f2ec79221fca22189

SHA256
8252fde630f2ded5bef111228be14aaf7b44888c31e7a10f6c0a9a2d63497f94

SHA512
fd770708c3d5bb33939f6ffed5ce45739d304e6052a199881262a76d1f5def059d1d471b18e877b54ef482737e5b62b3ea7eaa56dc23032b4a5ae2c26e113bf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\uoiuh.jrl
Filesize
5KB

MD5
dd9c47dac95b2128bf0e1a02807b5814

SHA1
8766224d9845c3c5ce9405bb52ed734f357b6221

SHA256
ab078e8ed91a82953cb999f29e382ce8a29a0d03c6a0aa0da1bf54e60a4ab5f6

SHA512
ba1450493085d55a9f033060faf52c78e7020caed5fdf69ca684c7230788abd20e92488cb88bc0e3a35b5cdc9400734843afcc89ec737e02e90a3e3aa8e019f2

Download Submit
\Users\Admin\AppData\Local\Temp\frevguizqj.exe
Filesize
99KB

MD5
f2ba5a77e740a805f7e7db9bd3fb426c

SHA1
92e47136fac6be5768b9a05f2ec79221fca22189

SHA256
8252fde630f2ded5bef111228be14aaf7b44888c31e7a10f6c0a9a2d63497f94

SHA512
fd770708c3d5bb33939f6ffed5ce45739d304e6052a199881262a76d1f5def059d1d471b18e877b54ef482737e5b62b3ea7eaa56dc23032b4a5ae2c26e113bf2

Download Submit
\Users\Admin\AppData\Local\Temp\frevguizqj.exe
Filesize
99KB

MD5
f2ba5a77e740a805f7e7db9bd3fb426c

SHA1
92e47136fac6be5768b9a05f2ec79221fca22189

SHA256
8252fde630f2ded5bef111228be14aaf7b44888c31e7a10f6c0a9a2d63497f94

SHA512
fd770708c3d5bb33939f6ffed5ce45739d304e6052a199881262a76d1f5def059d1d471b18e877b54ef482737e5b62b3ea7eaa56dc23032b4a5ae2c26e113bf2

Download Submit
memory/948-54-0x0000000074AB1000-0x0000000074AB3000-memory.dmp

Filesize
8KB

Download
memory/1104-70-0x0000000000000000-mapping.dmp

Download
memory/1268-75-0x0000000004CA0000-0x0000000004D70000-memory.dmp

Filesize
832KB

Download
memory/1268-67-0x0000000006B90000-0x0000000006CC4000-memory.dmp

Filesize
1.2MB

Download
memory/1268-77-0x0000000004CA0000-0x0000000004D70000-memory.dmp

Filesize
832KB

Download
memory/1732-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1732-65-0x00000000008F0000-0x0000000000BF3000-memory.dmp

Filesize
3.0MB

Download
memory/1732-66-0x0000000000190000-0x00000000001A4000-memory.dmp

Filesize
80KB

Download
memory/1732-62-0x000000000041F120-mapping.dmp

Download
memory/1900-56-0x0000000000000000-mapping.dmp

Download
memory/1992-72-0x0000000000090000-0x00000000000BF000-memory.dmp

Filesize
188KB

Download
memory/1992-73-0x0000000001E90000-0x0000000002193000-memory.dmp

Filesize
3.0MB

Download
memory/1992-74-0x0000000000850000-0x00000000008E3000-memory.dmp

Filesize
588KB

Download
memory/1992-71-0x0000000000130000-0x0000000000148000-memory.dmp

Filesize
96KB

Download
memory/1992-76-0x0000000000090000-0x00000000000BF000-memory.dmp

Filesize
188KB

Download
memory/1992-68-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads