formbook | 469162ec601c979d1e51ad44ea01fa8a4520d650773e7280918128b43691f2e4

General

Target

a0f1b339ef38c5d545a7357492b8a327.exe
Size

327KB
MD5

a0f1b339ef38c5d545a7357492b8a327
SHA1

fc4da48839297bac23538e32354b72fc68d464ba
SHA256

469162ec601c979d1e51ad44ea01fa8a4520d650773e7280918128b43691f2e4
SHA512

7143ea53ac918c1affe6bf55f7bd8214e70b02f4bd0bd966eb1ab765822806800ed7d44bdaa49d07c560925393db7aa7fadf954e1381ed201beecfbc85af0a53
SSDEEP

6144:vEb2RYmNJaftegaqDDsjZ5dbr+tzKCc2omW5B8tCaJBg7F/k9:im/aF/54jZb3Ez9crB8Cak7xk9

Score

10^/10

formbook sk19 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

sk19

Decoy

21diasdegratitud.com

kx1993.com

chasergt.com

837news.com

naturagent.co.uk

gatorinsurtech.com

iyaboolashilesblog.africa

jamtanganmurah.online

gguminsa.com

lilliesdrop.com

lenvera.com

link48.co.uk

azinos777.fun

lgcdct.cfd

bg-gobtc.com

livecarrer.uk

cbq4u.com

imalreadygone.com

wabeng.africa

jxmheiyouyuetot.tokyo

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/948-65-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1732-71-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/1732-76-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

jpzcdrxg.exejpzcdrxg.exe

pid process

820 jpzcdrxg.exe
948 jpzcdrxg.exe
Loads dropped DLL 2 IoCs

Processes:

a0f1b339ef38c5d545a7357492b8a327.exejpzcdrxg.exe

pid process

1364 a0f1b339ef38c5d545a7357492b8a327.exe
820 jpzcdrxg.exe

pid	process
820	jpzcdrxg.exe
948	jpzcdrxg.exe

pid	process
1364	a0f1b339ef38c5d545a7357492b8a327.exe
820	jpzcdrxg.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

jpzcdrxg.exejpzcdrxg.exeNAPSTAT.EXE

description	pid	process	target process
PID 820 set thread context of 948	820	jpzcdrxg.exe	jpzcdrxg.exe
PID 948 set thread context of 1240	948	jpzcdrxg.exe	Explorer.EXE
PID 1732 set thread context of 1240	1732	NAPSTAT.EXE	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

jpzcdrxg.exeNAPSTAT.EXE

pid	process
948	jpzcdrxg.exe
948	jpzcdrxg.exe
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1240 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

jpzcdrxg.exejpzcdrxg.exeNAPSTAT.EXE

pid process

820 jpzcdrxg.exe
948 jpzcdrxg.exe
948 jpzcdrxg.exe
948 jpzcdrxg.exe
1732 NAPSTAT.EXE
1732 NAPSTAT.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

jpzcdrxg.exeNAPSTAT.EXE

description pid process

Token: SeDebugPrivilege 948 jpzcdrxg.exe
Token: SeDebugPrivilege 1732 NAPSTAT.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1240 Explorer.EXE
1240 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1240 Explorer.EXE
1240 Explorer.EXE

pid	process
1240	Explorer.EXE

pid	process
820	jpzcdrxg.exe
948	jpzcdrxg.exe
948	jpzcdrxg.exe
948	jpzcdrxg.exe
1732	NAPSTAT.EXE
1732	NAPSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	948	jpzcdrxg.exe
Token: SeDebugPrivilege	1732	NAPSTAT.EXE

pid	process
1240	Explorer.EXE
1240	Explorer.EXE

pid	process
1240	Explorer.EXE
1240	Explorer.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

a0f1b339ef38c5d545a7357492b8a327.exejpzcdrxg.exeExplorer.EXENAPSTAT.EXE

description	pid	process	target process
PID 1364 wrote to memory of 820	1364	a0f1b339ef38c5d545a7357492b8a327.exe	jpzcdrxg.exe
PID 1364 wrote to memory of 820	1364	a0f1b339ef38c5d545a7357492b8a327.exe	jpzcdrxg.exe
PID 1364 wrote to memory of 820	1364	a0f1b339ef38c5d545a7357492b8a327.exe	jpzcdrxg.exe
PID 1364 wrote to memory of 820	1364	a0f1b339ef38c5d545a7357492b8a327.exe	jpzcdrxg.exe
PID 820 wrote to memory of 948	820	jpzcdrxg.exe	jpzcdrxg.exe
PID 820 wrote to memory of 948	820	jpzcdrxg.exe	jpzcdrxg.exe
PID 820 wrote to memory of 948	820	jpzcdrxg.exe	jpzcdrxg.exe
PID 820 wrote to memory of 948	820	jpzcdrxg.exe	jpzcdrxg.exe
PID 820 wrote to memory of 948	820	jpzcdrxg.exe	jpzcdrxg.exe
PID 1240 wrote to memory of 1732	1240	Explorer.EXE	NAPSTAT.EXE
PID 1240 wrote to memory of 1732	1240	Explorer.EXE	NAPSTAT.EXE
PID 1240 wrote to memory of 1732	1240	Explorer.EXE	NAPSTAT.EXE
PID 1240 wrote to memory of 1732	1240	Explorer.EXE	NAPSTAT.EXE
PID 1732 wrote to memory of 1760	1732	NAPSTAT.EXE	cmd.exe
PID 1732 wrote to memory of 1760	1732	NAPSTAT.EXE	cmd.exe
PID 1732 wrote to memory of 1760	1732	NAPSTAT.EXE	cmd.exe
PID 1732 wrote to memory of 1760	1732	NAPSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1240

C:\Users\Admin\AppData\Local\Temp\a0f1b339ef38c5d545a7357492b8a327.exe
"C:\Users\Admin\AppData\Local\Temp\a0f1b339ef38c5d545a7357492b8a327.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1364

C:\Users\Admin\AppData\Local\Temp\jpzcdrxg.exe
"C:\Users\Admin\AppData\Local\Temp\jpzcdrxg.exe" C:\Users\Admin\AppData\Local\Temp\qefijwcnujg.i
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:820

C:\Users\Admin\AppData\Local\Temp\jpzcdrxg.exe
"C:\Users\Admin\AppData\Local\Temp\jpzcdrxg.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:948

C:\Windows\SysWOW64\NAPSTAT.EXE
"C:\Windows\SysWOW64\NAPSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\jpzcdrxg.exe"
3⤵
PID:1760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jpzcdrxg.exe

Filesize
52KB

MD5
455b0b9d1397eab06c4a232fdcc3f813

SHA1
e99f02e4cb434600aeaef3999b3dbff174904a09

SHA256
81ee7e109870e8c868fdadccd2b40efb1168554e5f71d81a8e5b11cc4da280d8

SHA512
1dffb9b043905597d86efd37f5b5d5f919b8fc3c9721e831a4d77b669df38b59711d0dec1d7099d29ee401cb414606d3834083660404320f623817717f83df1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jpzcdrxg.exe

Filesize
52KB

MD5
455b0b9d1397eab06c4a232fdcc3f813

SHA1
e99f02e4cb434600aeaef3999b3dbff174904a09

SHA256
81ee7e109870e8c868fdadccd2b40efb1168554e5f71d81a8e5b11cc4da280d8

SHA512
1dffb9b043905597d86efd37f5b5d5f919b8fc3c9721e831a4d77b669df38b59711d0dec1d7099d29ee401cb414606d3834083660404320f623817717f83df1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jpzcdrxg.exe

Filesize
52KB

MD5
455b0b9d1397eab06c4a232fdcc3f813

SHA1
e99f02e4cb434600aeaef3999b3dbff174904a09

SHA256
81ee7e109870e8c868fdadccd2b40efb1168554e5f71d81a8e5b11cc4da280d8

SHA512
1dffb9b043905597d86efd37f5b5d5f919b8fc3c9721e831a4d77b669df38b59711d0dec1d7099d29ee401cb414606d3834083660404320f623817717f83df1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ldonqvgf.ghf

Filesize
185KB

MD5
8b52a651f744dd3badb5ee90f64b40d4

SHA1
80de75313e0b10f0c74b95262d3dafe0596f8765

SHA256
f6fe36f391d2781b0a2c2818e479ce9b5e60fc435b3c0044ccb7ef2ce581647a

SHA512
dbc7addb1732e5682edea8b5f2d44f70475acd9acf4ce1b7083dee6d854820f9b3d2ddd10594ef5217788317d38c0f642386163607d79732dfc88c3c4ee41b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qefijwcnujg.i

Filesize
5KB

MD5
fcb16ae74a574e2f3a5e9dde4f70df6d

SHA1
efb566ec323c78d4cd0177bf56e1fbdb4b7912a5

SHA256
f75f54e284ea5aef3312148e374818ab364a340e5f5718b8fb4b84824bfe6573

SHA512
1cfdd68efb98e2b7f5b0325ee90134ea98e912908a17c824b386f7fbf42d6d9d820a185108b5a573acfdbd82b79c8c96087aa27dae75b183db8ff9c5266fb510

Download Submit
\Users\Admin\AppData\Local\Temp\jpzcdrxg.exe

Filesize
52KB

MD5
455b0b9d1397eab06c4a232fdcc3f813

SHA1
e99f02e4cb434600aeaef3999b3dbff174904a09

SHA256
81ee7e109870e8c868fdadccd2b40efb1168554e5f71d81a8e5b11cc4da280d8

SHA512
1dffb9b043905597d86efd37f5b5d5f919b8fc3c9721e831a4d77b669df38b59711d0dec1d7099d29ee401cb414606d3834083660404320f623817717f83df1c

Download Submit
\Users\Admin\AppData\Local\Temp\jpzcdrxg.exe

Filesize
52KB

MD5
455b0b9d1397eab06c4a232fdcc3f813

SHA1
e99f02e4cb434600aeaef3999b3dbff174904a09

SHA256
81ee7e109870e8c868fdadccd2b40efb1168554e5f71d81a8e5b11cc4da280d8

SHA512
1dffb9b043905597d86efd37f5b5d5f919b8fc3c9721e831a4d77b669df38b59711d0dec1d7099d29ee401cb414606d3834083660404320f623817717f83df1c

Download Submit
memory/820-56-0x0000000000000000-mapping.dmp

Download
memory/948-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/948-66-0x0000000000860000-0x0000000000B63000-memory.dmp

Filesize
3.0MB

Download
memory/948-67-0x00000000002C0000-0x00000000002D4000-memory.dmp

Filesize
80KB

Download
memory/948-63-0x000000000041F100-mapping.dmp

Download
memory/1240-75-0x0000000006440000-0x000000000655E000-memory.dmp

Filesize
1.1MB

Download
memory/1240-68-0x0000000004C80000-0x0000000004D89000-memory.dmp

Filesize
1.0MB

Download
memory/1240-77-0x0000000006440000-0x000000000655E000-memory.dmp

Filesize
1.1MB

Download
memory/1364-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1732-70-0x0000000000530000-0x0000000000576000-memory.dmp

Filesize
280KB

Download
memory/1732-72-0x0000000001EF0000-0x00000000021F3000-memory.dmp

Filesize
3.0MB

Download
memory/1732-74-0x0000000001D50000-0x0000000001DE3000-memory.dmp

Filesize
588KB

Download
memory/1732-71-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1732-76-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1732-69-0x0000000000000000-mapping.dmp

Download
memory/1760-73-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads