formbook | 66f34068c533bc957b3ef71f9aefb0f17d7f42a2bf84ec2eda416ca8c9f5d53a

General

Target

jets66700.exe
Size

258KB
MD5

c10e0b9756b38239fed5025e119db829
SHA1

b7a2ddbfd18fe7f0ea7683e73d84a595e966ebb9
SHA256

3603af319837f00dacace08ff3add606ccfd6faf64a53606575aae6f1a4ba782
SHA512

8d4d4edf987383774e8ccf54f5d06a8d08f1a52ee40592aacd5d512bc7c445f1d61b0333582b1c3f25cee14ee97aa4625941a9bd7425741c95736168f082f06c
SSDEEP

6144:QBn1/KUwq3q6YqZZ9f/EBqpObOiFzkiUF9FaP5qgJDa:gNslSEbOizk/9Foqg0

Score

10^/10

formbook je14 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

je14

Decoy

innervisionbuildings.com

theenergysocialite.com

565548.com

panghr.com

onlyonesolutions.com

stjohnzone6.com

cnotes.rest

helfeb.online

xixi-s-inc.club

easilyentered.com

theshopx.store

mrclean-ac.com

miamibeachwateradventures.com

jpearce.co.uk

seseragi-bunkou.com

minimaddie.com

commbank-help-849c3.com

segohandelsonderneming.com

namthanhreal.com

fototerapi.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1124-139-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/1124-145-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2736-147-0x00000000006C0000-0x00000000006EF000-memory.dmp	formbook
behavioral2/memory/2736-153-0x00000000006C0000-0x00000000006EF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

frevguizqj.exefrevguizqj.exe

pid process

3340 frevguizqj.exe
1124 frevguizqj.exe

pid	process
3340	frevguizqj.exe
1124	frevguizqj.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

frevguizqj.exefrevguizqj.exeipconfig.exe

description	pid	process	target process
PID 3340 set thread context of 1124	3340	frevguizqj.exe	frevguizqj.exe
PID 1124 set thread context of 1132	1124	frevguizqj.exe	Explorer.EXE
PID 1124 set thread context of 1132	1124	frevguizqj.exe	Explorer.EXE
PID 2736 set thread context of 1132	2736	ipconfig.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

2736 ipconfig.exe

pid	process
2736	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

frevguizqj.exeipconfig.exe

pid	process
1124	frevguizqj.exe
1124	frevguizqj.exe
1124	frevguizqj.exe
1124	frevguizqj.exe
1124	frevguizqj.exe
1124	frevguizqj.exe
2736	ipconfig.exe
2736	ipconfig.exe
2736	ipconfig.exe
2736	ipconfig.exe
2736	ipconfig.exe
2736	ipconfig.exe
2736	ipconfig.exe
2736	ipconfig.exe
2736	ipconfig.exe
2736	ipconfig.exe
2736	ipconfig.exe
2736	ipconfig.exe
2736	ipconfig.exe
2736	ipconfig.exe
2736	ipconfig.exe
2736	ipconfig.exe
2736	ipconfig.exe
2736	ipconfig.exe
2736	ipconfig.exe
2736	ipconfig.exe
2736	ipconfig.exe
2736	ipconfig.exe
2736	ipconfig.exe
2736	ipconfig.exe
2736	ipconfig.exe
2736	ipconfig.exe
2736	ipconfig.exe
2736	ipconfig.exe
2736	ipconfig.exe
2736	ipconfig.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1132 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

frevguizqj.exefrevguizqj.exeipconfig.exe

pid process

3340 frevguizqj.exe
1124 frevguizqj.exe
1124 frevguizqj.exe
1124 frevguizqj.exe
1124 frevguizqj.exe
2736 ipconfig.exe
2736 ipconfig.exe

pid	process
1132	Explorer.EXE

pid	process
3340	frevguizqj.exe
1124	frevguizqj.exe
1124	frevguizqj.exe
1124	frevguizqj.exe
1124	frevguizqj.exe
2736	ipconfig.exe
2736	ipconfig.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

frevguizqj.exeipconfig.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1124	frevguizqj.exe
Token: SeDebugPrivilege	2736	ipconfig.exe
Token: SeShutdownPrivilege	1132	Explorer.EXE
Token: SeCreatePagefilePrivilege	1132	Explorer.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

jets66700.exefrevguizqj.exefrevguizqj.exeExplorer.EXEipconfig.exe

description	pid	process	target process
PID 3648 wrote to memory of 3340	3648	jets66700.exe	frevguizqj.exe
PID 3648 wrote to memory of 3340	3648	jets66700.exe	frevguizqj.exe
PID 3648 wrote to memory of 3340	3648	jets66700.exe	frevguizqj.exe
PID 3340 wrote to memory of 1124	3340	frevguizqj.exe	frevguizqj.exe
PID 3340 wrote to memory of 1124	3340	frevguizqj.exe	frevguizqj.exe
PID 3340 wrote to memory of 1124	3340	frevguizqj.exe	frevguizqj.exe
PID 3340 wrote to memory of 1124	3340	frevguizqj.exe	frevguizqj.exe
PID 1124 wrote to memory of 2736	1124	frevguizqj.exe	ipconfig.exe
PID 1124 wrote to memory of 2736	1124	frevguizqj.exe	ipconfig.exe
PID 1124 wrote to memory of 2736	1124	frevguizqj.exe	ipconfig.exe
PID 1132 wrote to memory of 3936	1132	Explorer.EXE	help.exe
PID 1132 wrote to memory of 3936	1132	Explorer.EXE	help.exe
PID 1132 wrote to memory of 3936	1132	Explorer.EXE	help.exe
PID 1132 wrote to memory of 1324	1132	Explorer.EXE	msiexec.exe
PID 1132 wrote to memory of 1324	1132	Explorer.EXE	msiexec.exe
PID 1132 wrote to memory of 1324	1132	Explorer.EXE	msiexec.exe
PID 2736 wrote to memory of 4420	2736	ipconfig.exe	cmd.exe
PID 2736 wrote to memory of 4420	2736	ipconfig.exe	cmd.exe
PID 2736 wrote to memory of 4420	2736	ipconfig.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1132

C:\Users\Admin\AppData\Local\Temp\jets66700.exe
"C:\Users\Admin\AppData\Local\Temp\jets66700.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3648

C:\Users\Admin\AppData\Local\Temp\frevguizqj.exe
"C:\Users\Admin\AppData\Local\Temp\frevguizqj.exe" C:\Users\Admin\AppData\Local\Temp\uoiuh.jrl
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3340

C:\Users\Admin\AppData\Local\Temp\frevguizqj.exe
"C:\Users\Admin\AppData\Local\Temp\frevguizqj.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
5⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2736

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\frevguizqj.exe"
6⤵
PID:4420

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
PID:1324

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
PID:3936

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fjizfs.lz
Filesize
185KB

MD5
8bac75bd61c98adbaf416f929b6e8129

SHA1
8471f91aece334c2531d8dc639b75a7c9d781b9b

SHA256
b04d78f9a4c1042cbadf10f60f99e98bce9bb25e41f6d553c8645239cd5ed47e

SHA512
737a2300eec1cb18c7305d55f9091984f301994b83d601ffa2362e398b8034e25ef1a5999d91eb87a056492c023fe3df664a5ab19642ddac1f8ff88a5a3e0699

Download Submit
C:\Users\Admin\AppData\Local\Temp\frevguizqj.exe
Filesize
99KB

MD5
f2ba5a77e740a805f7e7db9bd3fb426c

SHA1
92e47136fac6be5768b9a05f2ec79221fca22189

SHA256
8252fde630f2ded5bef111228be14aaf7b44888c31e7a10f6c0a9a2d63497f94

SHA512
fd770708c3d5bb33939f6ffed5ce45739d304e6052a199881262a76d1f5def059d1d471b18e877b54ef482737e5b62b3ea7eaa56dc23032b4a5ae2c26e113bf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\frevguizqj.exe
Filesize
99KB

MD5
f2ba5a77e740a805f7e7db9bd3fb426c

SHA1
92e47136fac6be5768b9a05f2ec79221fca22189

SHA256
8252fde630f2ded5bef111228be14aaf7b44888c31e7a10f6c0a9a2d63497f94

SHA512
fd770708c3d5bb33939f6ffed5ce45739d304e6052a199881262a76d1f5def059d1d471b18e877b54ef482737e5b62b3ea7eaa56dc23032b4a5ae2c26e113bf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\frevguizqj.exe
Filesize
99KB

MD5
f2ba5a77e740a805f7e7db9bd3fb426c

SHA1
92e47136fac6be5768b9a05f2ec79221fca22189

SHA256
8252fde630f2ded5bef111228be14aaf7b44888c31e7a10f6c0a9a2d63497f94

SHA512
fd770708c3d5bb33939f6ffed5ce45739d304e6052a199881262a76d1f5def059d1d471b18e877b54ef482737e5b62b3ea7eaa56dc23032b4a5ae2c26e113bf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\uoiuh.jrl
Filesize
5KB

MD5
dd9c47dac95b2128bf0e1a02807b5814

SHA1
8766224d9845c3c5ce9405bb52ed734f357b6221

SHA256
ab078e8ed91a82953cb999f29e382ce8a29a0d03c6a0aa0da1bf54e60a4ab5f6

SHA512
ba1450493085d55a9f033060faf52c78e7020caed5fdf69ca684c7230788abd20e92488cb88bc0e3a35b5cdc9400734843afcc89ec737e02e90a3e3aa8e019f2

Download Submit
memory/1124-143-0x0000000001590000-0x00000000015A4000-memory.dmp

Filesize
80KB

Download
memory/1124-137-0x0000000000000000-mapping.dmp

Download
memory/1124-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1124-140-0x00000000015E0000-0x000000000192A000-memory.dmp

Filesize
3.3MB

Download
memory/1124-141-0x0000000001520000-0x0000000001534000-memory.dmp

Filesize
80KB

Download
memory/1124-145-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1132-142-0x0000000008290000-0x00000000083CC000-memory.dmp

Filesize
1.2MB

Download
memory/1132-149-0x0000000008620000-0x0000000008740000-memory.dmp

Filesize
1.1MB

Download
memory/1132-152-0x0000000008740000-0x000000000889D000-memory.dmp

Filesize
1.4MB

Download
memory/1132-154-0x0000000008740000-0x000000000889D000-memory.dmp

Filesize
1.4MB

Download
memory/2736-144-0x0000000000000000-mapping.dmp

Download
memory/2736-146-0x0000000000690000-0x000000000069B000-memory.dmp

Filesize
44KB

Download
memory/2736-147-0x00000000006C0000-0x00000000006EF000-memory.dmp

Filesize
188KB

Download
memory/2736-148-0x0000000000FE0000-0x000000000132A000-memory.dmp

Filesize
3.3MB

Download
memory/2736-151-0x0000000000E20000-0x0000000000EB3000-memory.dmp

Filesize
588KB

Download
memory/2736-153-0x00000000006C0000-0x00000000006EF000-memory.dmp

Filesize
188KB

Download
memory/3340-132-0x0000000000000000-mapping.dmp

Download
memory/4420-150-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads