formbook | 469162ec601c979d1e51ad44ea01fa8a4520d650773e7280918128b43691f2e4

General

Target

469162ec601c979d1e51ad44ea01fa8a4520d650773e7280918128b43691f2e4.exe
Size

327KB
MD5

a0f1b339ef38c5d545a7357492b8a327
SHA1

fc4da48839297bac23538e32354b72fc68d464ba
SHA256

469162ec601c979d1e51ad44ea01fa8a4520d650773e7280918128b43691f2e4
SHA512

7143ea53ac918c1affe6bf55f7bd8214e70b02f4bd0bd966eb1ab765822806800ed7d44bdaa49d07c560925393db7aa7fadf954e1381ed201beecfbc85af0a53
SSDEEP

6144:vEb2RYmNJaftegaqDDsjZ5dbr+tzKCc2omW5B8tCaJBg7F/k9:im/aF/54jZb3Ez9crB8Cak7xk9

Score

10^/10

formbook sk19 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

sk19

Decoy

21diasdegratitud.com

kx1993.com

chasergt.com

837news.com

naturagent.co.uk

gatorinsurtech.com

iyaboolashilesblog.africa

jamtanganmurah.online

gguminsa.com

lilliesdrop.com

lenvera.com

link48.co.uk

azinos777.fun

lgcdct.cfd

bg-gobtc.com

livecarrer.uk

cbq4u.com

imalreadygone.com

wabeng.africa

jxmheiyouyuetot.tokyo

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/880-65-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/916-72-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/916-76-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

jpzcdrxg.exejpzcdrxg.exe

pid process

1160 jpzcdrxg.exe
880 jpzcdrxg.exe
Loads dropped DLL 2 IoCs

Processes:

469162ec601c979d1e51ad44ea01fa8a4520d650773e7280918128b43691f2e4.exejpzcdrxg.exe

pid process

1576 469162ec601c979d1e51ad44ea01fa8a4520d650773e7280918128b43691f2e4.exe
1160 jpzcdrxg.exe

pid	process
1160	jpzcdrxg.exe
880	jpzcdrxg.exe

pid	process
1576	469162ec601c979d1e51ad44ea01fa8a4520d650773e7280918128b43691f2e4.exe
1160	jpzcdrxg.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

jpzcdrxg.exejpzcdrxg.exehelp.exe

description	pid	process	target process
PID 1160 set thread context of 880	1160	jpzcdrxg.exe	jpzcdrxg.exe
PID 880 set thread context of 1276	880	jpzcdrxg.exe	Explorer.EXE
PID 916 set thread context of 1276	916	help.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

jpzcdrxg.exehelp.exe

pid	process
880	jpzcdrxg.exe
880	jpzcdrxg.exe
916	help.exe
916	help.exe
916	help.exe
916	help.exe
916	help.exe
916	help.exe
916	help.exe
916	help.exe
916	help.exe
916	help.exe
916	help.exe
916	help.exe
916	help.exe
916	help.exe
916	help.exe
916	help.exe
916	help.exe
916	help.exe
916	help.exe
916	help.exe
916	help.exe
916	help.exe
916	help.exe
916	help.exe
916	help.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

jpzcdrxg.exejpzcdrxg.exehelp.exe

pid process

1160 jpzcdrxg.exe
880 jpzcdrxg.exe
880 jpzcdrxg.exe
880 jpzcdrxg.exe
916 help.exe
916 help.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

jpzcdrxg.exehelp.exe

description pid process

Token: SeDebugPrivilege 880 jpzcdrxg.exe
Token: SeDebugPrivilege 916 help.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1276 Explorer.EXE
1276 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1276 Explorer.EXE
1276 Explorer.EXE

pid	process
1160	jpzcdrxg.exe
880	jpzcdrxg.exe
880	jpzcdrxg.exe
880	jpzcdrxg.exe
916	help.exe
916	help.exe

description	pid	process
Token: SeDebugPrivilege	880	jpzcdrxg.exe
Token: SeDebugPrivilege	916	help.exe

pid	process
1276	Explorer.EXE
1276	Explorer.EXE

pid	process
1276	Explorer.EXE
1276	Explorer.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

469162ec601c979d1e51ad44ea01fa8a4520d650773e7280918128b43691f2e4.exejpzcdrxg.exeExplorer.EXEhelp.exe

description	pid	process	target process
PID 1576 wrote to memory of 1160	1576	469162ec601c979d1e51ad44ea01fa8a4520d650773e7280918128b43691f2e4.exe	jpzcdrxg.exe
PID 1576 wrote to memory of 1160	1576	469162ec601c979d1e51ad44ea01fa8a4520d650773e7280918128b43691f2e4.exe	jpzcdrxg.exe
PID 1576 wrote to memory of 1160	1576	469162ec601c979d1e51ad44ea01fa8a4520d650773e7280918128b43691f2e4.exe	jpzcdrxg.exe
PID 1576 wrote to memory of 1160	1576	469162ec601c979d1e51ad44ea01fa8a4520d650773e7280918128b43691f2e4.exe	jpzcdrxg.exe
PID 1160 wrote to memory of 880	1160	jpzcdrxg.exe	jpzcdrxg.exe
PID 1160 wrote to memory of 880	1160	jpzcdrxg.exe	jpzcdrxg.exe
PID 1160 wrote to memory of 880	1160	jpzcdrxg.exe	jpzcdrxg.exe
PID 1160 wrote to memory of 880	1160	jpzcdrxg.exe	jpzcdrxg.exe
PID 1160 wrote to memory of 880	1160	jpzcdrxg.exe	jpzcdrxg.exe
PID 1276 wrote to memory of 916	1276	Explorer.EXE	help.exe
PID 1276 wrote to memory of 916	1276	Explorer.EXE	help.exe
PID 1276 wrote to memory of 916	1276	Explorer.EXE	help.exe
PID 1276 wrote to memory of 916	1276	Explorer.EXE	help.exe
PID 916 wrote to memory of 1452	916	help.exe	cmd.exe
PID 916 wrote to memory of 1452	916	help.exe	cmd.exe
PID 916 wrote to memory of 1452	916	help.exe	cmd.exe
PID 916 wrote to memory of 1452	916	help.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1276

C:\Users\Admin\AppData\Local\Temp\469162ec601c979d1e51ad44ea01fa8a4520d650773e7280918128b43691f2e4.exe
"C:\Users\Admin\AppData\Local\Temp\469162ec601c979d1e51ad44ea01fa8a4520d650773e7280918128b43691f2e4.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1576

C:\Users\Admin\AppData\Local\Temp\jpzcdrxg.exe
"C:\Users\Admin\AppData\Local\Temp\jpzcdrxg.exe" C:\Users\Admin\AppData\Local\Temp\qefijwcnujg.i
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1160

C:\Users\Admin\AppData\Local\Temp\jpzcdrxg.exe
"C:\Users\Admin\AppData\Local\Temp\jpzcdrxg.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:880

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:916

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\jpzcdrxg.exe"
3⤵
PID:1452

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jpzcdrxg.exe
Filesize
52KB

MD5
455b0b9d1397eab06c4a232fdcc3f813

SHA1
e99f02e4cb434600aeaef3999b3dbff174904a09

SHA256
81ee7e109870e8c868fdadccd2b40efb1168554e5f71d81a8e5b11cc4da280d8

SHA512
1dffb9b043905597d86efd37f5b5d5f919b8fc3c9721e831a4d77b669df38b59711d0dec1d7099d29ee401cb414606d3834083660404320f623817717f83df1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jpzcdrxg.exe
Filesize
52KB

MD5
455b0b9d1397eab06c4a232fdcc3f813

SHA1
e99f02e4cb434600aeaef3999b3dbff174904a09

SHA256
81ee7e109870e8c868fdadccd2b40efb1168554e5f71d81a8e5b11cc4da280d8

SHA512
1dffb9b043905597d86efd37f5b5d5f919b8fc3c9721e831a4d77b669df38b59711d0dec1d7099d29ee401cb414606d3834083660404320f623817717f83df1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jpzcdrxg.exe
Filesize
52KB

MD5
455b0b9d1397eab06c4a232fdcc3f813

SHA1
e99f02e4cb434600aeaef3999b3dbff174904a09

SHA256
81ee7e109870e8c868fdadccd2b40efb1168554e5f71d81a8e5b11cc4da280d8

SHA512
1dffb9b043905597d86efd37f5b5d5f919b8fc3c9721e831a4d77b669df38b59711d0dec1d7099d29ee401cb414606d3834083660404320f623817717f83df1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ldonqvgf.ghf
Filesize
185KB

MD5
8b52a651f744dd3badb5ee90f64b40d4

SHA1
80de75313e0b10f0c74b95262d3dafe0596f8765

SHA256
f6fe36f391d2781b0a2c2818e479ce9b5e60fc435b3c0044ccb7ef2ce581647a

SHA512
dbc7addb1732e5682edea8b5f2d44f70475acd9acf4ce1b7083dee6d854820f9b3d2ddd10594ef5217788317d38c0f642386163607d79732dfc88c3c4ee41b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qefijwcnujg.i
Filesize
5KB

MD5
fcb16ae74a574e2f3a5e9dde4f70df6d

SHA1
efb566ec323c78d4cd0177bf56e1fbdb4b7912a5

SHA256
f75f54e284ea5aef3312148e374818ab364a340e5f5718b8fb4b84824bfe6573

SHA512
1cfdd68efb98e2b7f5b0325ee90134ea98e912908a17c824b386f7fbf42d6d9d820a185108b5a573acfdbd82b79c8c96087aa27dae75b183db8ff9c5266fb510

Download Submit
\Users\Admin\AppData\Local\Temp\jpzcdrxg.exe
Filesize
52KB

MD5
455b0b9d1397eab06c4a232fdcc3f813

SHA1
e99f02e4cb434600aeaef3999b3dbff174904a09

SHA256
81ee7e109870e8c868fdadccd2b40efb1168554e5f71d81a8e5b11cc4da280d8

SHA512
1dffb9b043905597d86efd37f5b5d5f919b8fc3c9721e831a4d77b669df38b59711d0dec1d7099d29ee401cb414606d3834083660404320f623817717f83df1c

Download Submit
\Users\Admin\AppData\Local\Temp\jpzcdrxg.exe
Filesize
52KB

MD5
455b0b9d1397eab06c4a232fdcc3f813

SHA1
e99f02e4cb434600aeaef3999b3dbff174904a09

SHA256
81ee7e109870e8c868fdadccd2b40efb1168554e5f71d81a8e5b11cc4da280d8

SHA512
1dffb9b043905597d86efd37f5b5d5f919b8fc3c9721e831a4d77b669df38b59711d0dec1d7099d29ee401cb414606d3834083660404320f623817717f83df1c

Download Submit
memory/880-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/880-66-0x00000000006F0000-0x00000000009F3000-memory.dmp

Filesize
3.0MB

Download
memory/880-63-0x000000000041F100-mapping.dmp

Download
memory/880-67-0x00000000002C0000-0x00000000002D4000-memory.dmp

Filesize
80KB

Download
memory/916-69-0x0000000000000000-mapping.dmp

Download
memory/916-71-0x00000000009D0000-0x00000000009D6000-memory.dmp

Filesize
24KB

Download
memory/916-72-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/916-73-0x00000000009E0000-0x0000000000CE3000-memory.dmp

Filesize
3.0MB

Download
memory/916-74-0x00000000005B0000-0x0000000000643000-memory.dmp

Filesize
588KB

Download
memory/916-76-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1160-56-0x0000000000000000-mapping.dmp

Download
memory/1276-68-0x0000000006720000-0x000000000688D000-memory.dmp

Filesize
1.4MB

Download
memory/1276-75-0x0000000006AD0000-0x0000000006BE2000-memory.dmp

Filesize
1.1MB

Download
memory/1276-77-0x0000000006AD0000-0x0000000006BE2000-memory.dmp

Filesize
1.1MB

Download
memory/1452-70-0x0000000000000000-mapping.dmp

Download
memory/1576-54-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads