formbook | 469162ec601c979d1e51ad44ea01fa8a4520d650773e7280918128b43691f2e4

General

Target

tmp.exe
Size

327KB
MD5

a0f1b339ef38c5d545a7357492b8a327
SHA1

fc4da48839297bac23538e32354b72fc68d464ba
SHA256

469162ec601c979d1e51ad44ea01fa8a4520d650773e7280918128b43691f2e4
SHA512

7143ea53ac918c1affe6bf55f7bd8214e70b02f4bd0bd966eb1ab765822806800ed7d44bdaa49d07c560925393db7aa7fadf954e1381ed201beecfbc85af0a53
SSDEEP

6144:vEb2RYmNJaftegaqDDsjZ5dbr+tzKCc2omW5B8tCaJBg7F/k9:im/aF/54jZb3Ez9crB8Cak7xk9

Score

10^/10

formbook sk19 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

sk19

Decoy

21diasdegratitud.com

kx1993.com

chasergt.com

837news.com

naturagent.co.uk

gatorinsurtech.com

iyaboolashilesblog.africa

jamtanganmurah.online

gguminsa.com

lilliesdrop.com

lenvera.com

link48.co.uk

azinos777.fun

lgcdct.cfd

bg-gobtc.com

livecarrer.uk

cbq4u.com

imalreadygone.com

wabeng.africa

jxmheiyouyuetot.tokyo

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4540-139-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4540-144-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4216-147-0x0000000000430000-0x000000000045F000-memory.dmp	formbook
behavioral2/memory/4216-151-0x0000000000430000-0x000000000045F000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

jpzcdrxg.exejpzcdrxg.exe

pid process

4908 jpzcdrxg.exe
4540 jpzcdrxg.exe

pid	process
4908	jpzcdrxg.exe
4540	jpzcdrxg.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

jpzcdrxg.exejpzcdrxg.exeexplorer.exe

description	pid	process	target process
PID 4908 set thread context of 4540	4908	jpzcdrxg.exe	jpzcdrxg.exe
PID 4540 set thread context of 764	4540	jpzcdrxg.exe	Explorer.EXE
PID 4216 set thread context of 764	4216	explorer.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

jpzcdrxg.exeexplorer.exe

pid	process
4540	jpzcdrxg.exe
4540	jpzcdrxg.exe
4540	jpzcdrxg.exe
4540	jpzcdrxg.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe
4216	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

764 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

jpzcdrxg.exejpzcdrxg.exeexplorer.exe

pid process

4908 jpzcdrxg.exe
4540 jpzcdrxg.exe
4540 jpzcdrxg.exe
4540 jpzcdrxg.exe
4216 explorer.exe
4216 explorer.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

jpzcdrxg.exeexplorer.exe

description pid process

Token: SeDebugPrivilege 4540 jpzcdrxg.exe
Token: SeDebugPrivilege 4216 explorer.exe

pid	process
764	Explorer.EXE

pid	process
4908	jpzcdrxg.exe
4540	jpzcdrxg.exe
4540	jpzcdrxg.exe
4540	jpzcdrxg.exe
4216	explorer.exe
4216	explorer.exe

description	pid	process
Token: SeDebugPrivilege	4540	jpzcdrxg.exe
Token: SeDebugPrivilege	4216	explorer.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

tmp.exejpzcdrxg.exeExplorer.EXEexplorer.exe

description	pid	process	target process
PID 4916 wrote to memory of 4908	4916	tmp.exe	jpzcdrxg.exe
PID 4916 wrote to memory of 4908	4916	tmp.exe	jpzcdrxg.exe
PID 4916 wrote to memory of 4908	4916	tmp.exe	jpzcdrxg.exe
PID 4908 wrote to memory of 4540	4908	jpzcdrxg.exe	jpzcdrxg.exe
PID 4908 wrote to memory of 4540	4908	jpzcdrxg.exe	jpzcdrxg.exe
PID 4908 wrote to memory of 4540	4908	jpzcdrxg.exe	jpzcdrxg.exe
PID 4908 wrote to memory of 4540	4908	jpzcdrxg.exe	jpzcdrxg.exe
PID 764 wrote to memory of 4216	764	Explorer.EXE	explorer.exe
PID 764 wrote to memory of 4216	764	Explorer.EXE	explorer.exe
PID 764 wrote to memory of 4216	764	Explorer.EXE	explorer.exe
PID 4216 wrote to memory of 4360	4216	explorer.exe	cmd.exe
PID 4216 wrote to memory of 4360	4216	explorer.exe	cmd.exe
PID 4216 wrote to memory of 4360	4216	explorer.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:764

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4916

C:\Users\Admin\AppData\Local\Temp\jpzcdrxg.exe
"C:\Users\Admin\AppData\Local\Temp\jpzcdrxg.exe" C:\Users\Admin\AppData\Local\Temp\qefijwcnujg.i
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4908

C:\Users\Admin\AppData\Local\Temp\jpzcdrxg.exe
"C:\Users\Admin\AppData\Local\Temp\jpzcdrxg.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4540

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4216

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\jpzcdrxg.exe"
3⤵
PID:4360

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jpzcdrxg.exe
Filesize
52KB

MD5
455b0b9d1397eab06c4a232fdcc3f813

SHA1
e99f02e4cb434600aeaef3999b3dbff174904a09

SHA256
81ee7e109870e8c868fdadccd2b40efb1168554e5f71d81a8e5b11cc4da280d8

SHA512
1dffb9b043905597d86efd37f5b5d5f919b8fc3c9721e831a4d77b669df38b59711d0dec1d7099d29ee401cb414606d3834083660404320f623817717f83df1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jpzcdrxg.exe
Filesize
52KB

MD5
455b0b9d1397eab06c4a232fdcc3f813

SHA1
e99f02e4cb434600aeaef3999b3dbff174904a09

SHA256
81ee7e109870e8c868fdadccd2b40efb1168554e5f71d81a8e5b11cc4da280d8

SHA512
1dffb9b043905597d86efd37f5b5d5f919b8fc3c9721e831a4d77b669df38b59711d0dec1d7099d29ee401cb414606d3834083660404320f623817717f83df1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jpzcdrxg.exe
Filesize
52KB

MD5
455b0b9d1397eab06c4a232fdcc3f813

SHA1
e99f02e4cb434600aeaef3999b3dbff174904a09

SHA256
81ee7e109870e8c868fdadccd2b40efb1168554e5f71d81a8e5b11cc4da280d8

SHA512
1dffb9b043905597d86efd37f5b5d5f919b8fc3c9721e831a4d77b669df38b59711d0dec1d7099d29ee401cb414606d3834083660404320f623817717f83df1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ldonqvgf.ghf
Filesize
185KB

MD5
8b52a651f744dd3badb5ee90f64b40d4

SHA1
80de75313e0b10f0c74b95262d3dafe0596f8765

SHA256
f6fe36f391d2781b0a2c2818e479ce9b5e60fc435b3c0044ccb7ef2ce581647a

SHA512
dbc7addb1732e5682edea8b5f2d44f70475acd9acf4ce1b7083dee6d854820f9b3d2ddd10594ef5217788317d38c0f642386163607d79732dfc88c3c4ee41b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qefijwcnujg.i
Filesize
5KB

MD5
fcb16ae74a574e2f3a5e9dde4f70df6d

SHA1
efb566ec323c78d4cd0177bf56e1fbdb4b7912a5

SHA256
f75f54e284ea5aef3312148e374818ab364a340e5f5718b8fb4b84824bfe6573

SHA512
1cfdd68efb98e2b7f5b0325ee90134ea98e912908a17c824b386f7fbf42d6d9d820a185108b5a573acfdbd82b79c8c96087aa27dae75b183db8ff9c5266fb510

Download Submit
memory/764-142-0x0000000008320000-0x0000000008443000-memory.dmp

Filesize
1.1MB

Download
memory/764-152-0x0000000002D70000-0x0000000002E23000-memory.dmp

Filesize
716KB

Download
memory/764-150-0x0000000002D70000-0x0000000002E23000-memory.dmp

Filesize
716KB

Download
memory/4216-147-0x0000000000430000-0x000000000045F000-memory.dmp

Filesize
188KB

Download
memory/4216-143-0x0000000000000000-mapping.dmp

Download
memory/4216-146-0x0000000000830000-0x0000000000C63000-memory.dmp

Filesize
4.2MB

Download
memory/4216-148-0x00000000029C0000-0x0000000002D0A000-memory.dmp

Filesize
3.3MB

Download
memory/4216-149-0x0000000002650000-0x00000000026E3000-memory.dmp

Filesize
588KB

Download
memory/4216-151-0x0000000000430000-0x000000000045F000-memory.dmp

Filesize
188KB

Download
memory/4360-145-0x0000000000000000-mapping.dmp

Download
memory/4540-141-0x0000000000510000-0x0000000000524000-memory.dmp

Filesize
80KB

Download
memory/4540-140-0x0000000000AA0000-0x0000000000DEA000-memory.dmp

Filesize
3.3MB

Download
memory/4540-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4540-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4540-137-0x0000000000000000-mapping.dmp

Download
memory/4908-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads