formbook | 75cad3b006c75ab9361842884a4937580a3e3cbcbb8e583843e55f934a4ea6d8

Analysis

max time kernel
173s
max time network
189s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2023, 10:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d8d8a2af9b26764004323afcb393879266daaf40afd026894b311424b50d8ff5.exe
Size

241KB
MD5

02eefca081505168a313a927977e02e5
SHA1

4ff60a4b15d4ed1cc3733676a25b929962d64d4b
SHA256

d8d8a2af9b26764004323afcb393879266daaf40afd026894b311424b50d8ff5
SHA512

0f8a33342682c1e8a4c3b096c91e26cf9b18d48a28e0eaae2af450e637b3e6a00a075a6fd315ef7737e88a132005877e7af5959240452642ddadefee65ac537e
SSDEEP

6144:NYa6Juz8BMG9jCpNLw3ODiHVmyfvYUeEu0UIE:NYf5RiNymryfvYUi0UT

Score

10^/10

formbook gt48 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gt48

Decoy

flusskiesel.studio

txweiqi.com

bestsnowboardingincolorado.com

aceroyrodio.com

antoniafredrik.se

iskugo.club

lifehightech.com

emotionalsupporthedgehogs.com

911527.com

familyblinn.online

family-doctor-90847.com

importadosjl.shop

arobaz-solutions.com

ibobetgogo.com

trippincreative.com

funnyjokeday.com

doktorhizmeti.xyz

contentteam.co.uk

iyaarirealestate.com

atomikoldschools.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/5040-142-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/5040-150-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3916-153-0x0000000000990000-0x00000000009BF000-memory.dmp	formbook
behavioral2/memory/3916-155-0x0000000000990000-0x00000000009BF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

pid	Process
4016	jclbq.exe
5040	jclbq.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4016 set thread context of 5040	4016	jclbq.exe	85
PID 5040 set thread context of 3184	5040	jclbq.exe	41
PID 3916 set thread context of 3184	3916	cmd.exe	41

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
5040	jclbq.exe
5040	jclbq.exe
5040	jclbq.exe
5040	jclbq.exe
3916	cmd.exe
3916	cmd.exe
3916	cmd.exe
3916	cmd.exe
3916	cmd.exe
3916	cmd.exe
3916	cmd.exe
3916	cmd.exe
3916	cmd.exe
3916	cmd.exe
3916	cmd.exe
3916	cmd.exe
3916	cmd.exe
3916	cmd.exe
3916	cmd.exe
3916	cmd.exe
3916	cmd.exe
3916	cmd.exe
3916	cmd.exe
3916	cmd.exe
3916	cmd.exe
3916	cmd.exe
3916	cmd.exe
3916	cmd.exe
3916	cmd.exe
3916	cmd.exe
3916	cmd.exe
3916	cmd.exe
3916	cmd.exe
3916	cmd.exe
3916	cmd.exe
3916	cmd.exe
3916	cmd.exe
3916	cmd.exe
3916	cmd.exe
3916	cmd.exe
3916	cmd.exe
3916	cmd.exe
3916	cmd.exe
3916	cmd.exe
3916	cmd.exe
3916	cmd.exe
3916	cmd.exe
3916	cmd.exe
3916	cmd.exe
3916	cmd.exe
3916	cmd.exe
3916	cmd.exe
3916	cmd.exe
3916	cmd.exe
3916	cmd.exe
3916	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3184	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
4016	jclbq.exe
5040	jclbq.exe
5040	jclbq.exe
5040	jclbq.exe
3916	cmd.exe
3916	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5040	jclbq.exe
Token: SeDebugPrivilege	3916	cmd.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 4016	1852	d8d8a2af9b26764004323afcb393879266daaf40afd026894b311424b50d8ff5.exe	83
PID 1852 wrote to memory of 4016	1852	d8d8a2af9b26764004323afcb393879266daaf40afd026894b311424b50d8ff5.exe	83
PID 1852 wrote to memory of 4016	1852	d8d8a2af9b26764004323afcb393879266daaf40afd026894b311424b50d8ff5.exe	83
PID 4016 wrote to memory of 5040	4016	jclbq.exe	85
PID 4016 wrote to memory of 5040	4016	jclbq.exe	85
PID 4016 wrote to memory of 5040	4016	jclbq.exe	85
PID 4016 wrote to memory of 5040	4016	jclbq.exe	85
PID 3184 wrote to memory of 3916	3184	Explorer.EXE	86
PID 3184 wrote to memory of 3916	3184	Explorer.EXE	86
PID 3184 wrote to memory of 3916	3184	Explorer.EXE	86
PID 3916 wrote to memory of 3932	3916	cmd.exe	87
PID 3916 wrote to memory of 3932	3916	cmd.exe	87
PID 3916 wrote to memory of 3932	3916	cmd.exe	87

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3184
- C:\Users\Admin\AppData\Local\Temp\d8d8a2af9b26764004323afcb393879266daaf40afd026894b311424b50d8ff5.exe
  "C:\Users\Admin\AppData\Local\Temp\d8d8a2af9b26764004323afcb393879266daaf40afd026894b311424b50d8ff5.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1852
- - C:\Users\Admin\AppData\Local\Temp\jclbq.exe
    "C:\Users\Admin\AppData\Local\Temp\jclbq.exe" C:\Users\Admin\AppData\Local\Temp\ejjzna.c
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4016
  - - C:\Users\Admin\AppData\Local\Temp\jclbq.exe
      "C:\Users\Admin\AppData\Local\Temp\jclbq.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:5040
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\SysWOW64\cmd.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3916
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\jclbq.exe"
    3⤵
    PID:3932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ejjzna.c

Filesize
5KB

MD5
56c8c7c799f71bdc89f7b5461aff5018

SHA1
7d43fc76f38bf06c329d76e5e1d7c55f5274c30e

SHA256
347ce10f202d8b74459e9f20bca828374f7b6e2ff8f02b09d1b6661f12468c1f

SHA512
d3e93413bb4e9d3ec0298e49316464ea403799061a770d736c92124c70f4de5cda778116fe52fd3cae001a9c60e366419da42bc34d8cfedae182f00cef82e420

Download Submit
C:\Users\Admin\AppData\Local\Temp\jclbq.exe

Filesize
6KB

MD5
1020517dbcbe5fa0f2293cf76783b960

SHA1
144aeb681338abb7e6f0aab2631bf36353beaf36

SHA256
6b17509d84603c59e6c7cb1159159bb5671628b5d723ea3861f5f539ed314fa4

SHA512
692015fee1d560dff70ffbda4994090550e4cf04136fd95f46ef27d3c18015ac8bb2beee9b862d44441ed7f479743385a38cd1c37891c775dbf7873a43372c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jclbq.exe

Filesize
6KB

MD5
1020517dbcbe5fa0f2293cf76783b960

SHA1
144aeb681338abb7e6f0aab2631bf36353beaf36

SHA256
6b17509d84603c59e6c7cb1159159bb5671628b5d723ea3861f5f539ed314fa4

SHA512
692015fee1d560dff70ffbda4994090550e4cf04136fd95f46ef27d3c18015ac8bb2beee9b862d44441ed7f479743385a38cd1c37891c775dbf7873a43372c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jclbq.exe

Filesize
6KB

MD5
1020517dbcbe5fa0f2293cf76783b960

SHA1
144aeb681338abb7e6f0aab2631bf36353beaf36

SHA256
6b17509d84603c59e6c7cb1159159bb5671628b5d723ea3861f5f539ed314fa4

SHA512
692015fee1d560dff70ffbda4994090550e4cf04136fd95f46ef27d3c18015ac8bb2beee9b862d44441ed7f479743385a38cd1c37891c775dbf7873a43372c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jihmsoovaz.vy

Filesize
205KB

MD5
cf37a36f916cd28fe01a4171bdd9cb45

SHA1
74cb49a570a1e3f774d269966018eb7d9faaa52c

SHA256
d3163724fa7b29418fb87d302d25c04a8ba1084df9f592bdfefc65e4e183d462

SHA512
7f30b3d059190fd114528f7d28002c6472a5c2731e3ee7a09f2d3dc2646b493e28ac02365588f09eccfdaaa1b0a549917449643ca2221c579ef7345d849774e6

Download Submit
memory/3184-156-0x0000000002AC0000-0x0000000002B74000-memory.dmp

Filesize
720KB

Download
memory/3184-159-0x0000000008100000-0x00000000081D4000-memory.dmp

Filesize
848KB

Download
memory/3184-162-0x0000000008100000-0x00000000081D4000-memory.dmp

Filesize
848KB

Download
memory/3184-148-0x0000000002AC0000-0x0000000002B74000-memory.dmp

Filesize
720KB

Download
memory/3184-160-0x0000000008100000-0x00000000081D4000-memory.dmp

Filesize
848KB

Download
memory/3916-153-0x0000000000990000-0x00000000009BF000-memory.dmp

Filesize
188KB

Download
memory/3916-152-0x00000000000A0000-0x00000000000FA000-memory.dmp

Filesize
360KB

Download
memory/3916-154-0x0000000001590000-0x00000000018DA000-memory.dmp

Filesize
3.3MB

Download
memory/3916-155-0x0000000000990000-0x00000000009BF000-memory.dmp

Filesize
188KB

Download
memory/3916-158-0x00000000013D0000-0x0000000001463000-memory.dmp

Filesize
588KB

Download
memory/3916-149-0x00000000000A0000-0x00000000000FA000-memory.dmp

Filesize
360KB

Download
memory/5040-145-0x0000000000C60000-0x0000000000FAA000-memory.dmp

Filesize
3.3MB

Download
memory/5040-142-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5040-150-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5040-147-0x00000000005C0000-0x00000000005D4000-memory.dmp

Filesize
80KB

Download