formbook | 6c83fede394d98dd7ba29fe12cb89f08a02bd02ba6ede4143d519c49b6bbcb4d

General

Target

rocee321.exe
Size

273KB
MD5

5e04208fbe7296133994be363e157b6d
SHA1

d9c719cf10c531af546fe50647102597c3ef15c9
SHA256

6c83fede394d98dd7ba29fe12cb89f08a02bd02ba6ede4143d519c49b6bbcb4d
SHA512

ea139595b6b7d203f663e5f60fdd425848d8ecfdcc875b993bbd678e342b39154f2a11ad0e90a6bdee20b51b365e16df5d81c90ea6930eb157750986a3e1ae78
SSDEEP

6144:/Ya6gBRkcUwkvQX124Jfa8++Ouaxuyu8STSuzH7lItS90/r:/Y2XgwkYX124JfadfuaDu8SGuzbqcsr

Score

10^/10

formbook re29 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

re29

Decoy

barnstorm-music.com

gazzettadellapuglia.com

baratieistore.space

cdrjdkj.com

carlissablog.com

langlalang.com

2886365.com

aq993.cyou

jwjwjwjw.com

car-deals-80304.com

dikevolesas.info

buycialistablets.online

theplantgranny.net

detoxshopbr.store

imans.biz

fightingcock.co.uk

loveforfurbabies.com

eastcoastbeveragegroup.com

alaaeldinsoft.com

microshel.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 5 IoCs

rat

resource	yara_rule
behavioral1/memory/976-65-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/976-73-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/976-76-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/764-81-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/764-83-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

pid	Process
336	ftajnl.exe
976	ftajnl.exe

Loads dropped DLL 2 IoCs

pid	Process
1820	rocee321.exe
336	ftajnl.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 336 set thread context of 976	336	ftajnl.exe	29
PID 976 set thread context of 1204	976	ftajnl.exe	15
PID 976 set thread context of 1204	976	ftajnl.exe	15
PID 764 set thread context of 1204	764	cmmon32.exe	15

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
976	ftajnl.exe
976	ftajnl.exe
976	ftajnl.exe
764	cmmon32.exe
764	cmmon32.exe
764	cmmon32.exe
764	cmmon32.exe
764	cmmon32.exe
764	cmmon32.exe
764	cmmon32.exe
764	cmmon32.exe
764	cmmon32.exe
764	cmmon32.exe
764	cmmon32.exe
764	cmmon32.exe
764	cmmon32.exe
764	cmmon32.exe
764	cmmon32.exe
764	cmmon32.exe
764	cmmon32.exe
764	cmmon32.exe
764	cmmon32.exe
764	cmmon32.exe
764	cmmon32.exe
764	cmmon32.exe
764	cmmon32.exe
764	cmmon32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1204	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
336	ftajnl.exe
976	ftajnl.exe
976	ftajnl.exe
976	ftajnl.exe
976	ftajnl.exe
764	cmmon32.exe
764	cmmon32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	976	ftajnl.exe
Token: SeDebugPrivilege	764	cmmon32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1204	Explorer.EXE
1204	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1204	Explorer.EXE
1204	Explorer.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 336	1820	rocee321.exe	28
PID 1820 wrote to memory of 336	1820	rocee321.exe	28
PID 1820 wrote to memory of 336	1820	rocee321.exe	28
PID 1820 wrote to memory of 336	1820	rocee321.exe	28
PID 336 wrote to memory of 976	336	ftajnl.exe	29
PID 336 wrote to memory of 976	336	ftajnl.exe	29
PID 336 wrote to memory of 976	336	ftajnl.exe	29
PID 336 wrote to memory of 976	336	ftajnl.exe	29
PID 336 wrote to memory of 976	336	ftajnl.exe	29
PID 1204 wrote to memory of 764	1204	Explorer.EXE	30
PID 1204 wrote to memory of 764	1204	Explorer.EXE	30
PID 1204 wrote to memory of 764	1204	Explorer.EXE	30
PID 1204 wrote to memory of 764	1204	Explorer.EXE	30
PID 764 wrote to memory of 1560	764	cmmon32.exe	31
PID 764 wrote to memory of 1560	764	cmmon32.exe	31
PID 764 wrote to memory of 1560	764	cmmon32.exe	31
PID 764 wrote to memory of 1560	764	cmmon32.exe	31

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Users\Admin\AppData\Local\Temp\rocee321.exe
  "C:\Users\Admin\AppData\Local\Temp\rocee321.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1820
- - C:\Users\Admin\AppData\Local\Temp\ftajnl.exe
    "C:\Users\Admin\AppData\Local\Temp\ftajnl.exe" C:\Users\Admin\AppData\Local\Temp\ggjzclz.io
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:336
  - - C:\Users\Admin\AppData\Local\Temp\ftajnl.exe
      "C:\Users\Admin\AppData\Local\Temp\ftajnl.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:976
- C:\Windows\SysWOW64\cmmon32.exe
  "C:\Windows\SysWOW64\cmmon32.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:764
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\ftajnl.exe"
    3⤵
    PID:1560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ftajnl.exe

Filesize
84KB

MD5
71f46375b7692c07dc1ade0f68d8cbbc

SHA1
141a7e3943972cebb65fcf5c6fd1a80987ee4dcf

SHA256
9ca93dc242f83304539dbfd4874d20a5d3c3d478cff3707b8693af3ad10c137c

SHA512
91afba614de6feae54adeeeeece7726088fae278066eb28465bfa9624fadc9e385eccacb62e6a2df803c19a889c7dbe5baf9b24b9c47cd6b3fbf7c067693e605

Download Submit
C:\Users\Admin\AppData\Local\Temp\ftajnl.exe

Filesize
84KB

MD5
71f46375b7692c07dc1ade0f68d8cbbc

SHA1
141a7e3943972cebb65fcf5c6fd1a80987ee4dcf

SHA256
9ca93dc242f83304539dbfd4874d20a5d3c3d478cff3707b8693af3ad10c137c

SHA512
91afba614de6feae54adeeeeece7726088fae278066eb28465bfa9624fadc9e385eccacb62e6a2df803c19a889c7dbe5baf9b24b9c47cd6b3fbf7c067693e605

Download Submit
C:\Users\Admin\AppData\Local\Temp\ftajnl.exe

Filesize
84KB

MD5
71f46375b7692c07dc1ade0f68d8cbbc

SHA1
141a7e3943972cebb65fcf5c6fd1a80987ee4dcf

SHA256
9ca93dc242f83304539dbfd4874d20a5d3c3d478cff3707b8693af3ad10c137c

SHA512
91afba614de6feae54adeeeeece7726088fae278066eb28465bfa9624fadc9e385eccacb62e6a2df803c19a889c7dbe5baf9b24b9c47cd6b3fbf7c067693e605

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggjzclz.io

Filesize
5KB

MD5
edabb42b1519bc21381af69e9fa9e3f2

SHA1
51e248e8c61106aa2e4223800d4b69eb26e706a0

SHA256
01244cec83c0431bbfeab63dce02f2281dac37e7c36a9c199b8eec4715aeb0c7

SHA512
a2d3f5b1a49895a3b7072977e08a82d577d5e43abaae4230271e7d8ca6ab87a6f43073e1fede73d044ef40e8eb69c696ecdce3ccd88e2726952b9043583a3d1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tpvbd.s

Filesize
205KB

MD5
980393bde3decb5bbcffa61547a9cca7

SHA1
17037b4e5029b4d66acccc2d1313d496125152eb

SHA256
61d5bba1e1b018541a563e3af9e5b28df388e3c56b26cbe92f5bbc3b6637d1ea

SHA512
596ee59846515ec53227fbbceaa66fc89db36548d8d438165178ebb0caab3ce44c885a339314fe1b73cdbe3d2396d77dfea711eabd334cd1d77690304ed94a8f

Download Submit
\Users\Admin\AppData\Local\Temp\ftajnl.exe

Filesize
84KB

MD5
71f46375b7692c07dc1ade0f68d8cbbc

SHA1
141a7e3943972cebb65fcf5c6fd1a80987ee4dcf

SHA256
9ca93dc242f83304539dbfd4874d20a5d3c3d478cff3707b8693af3ad10c137c

SHA512
91afba614de6feae54adeeeeece7726088fae278066eb28465bfa9624fadc9e385eccacb62e6a2df803c19a889c7dbe5baf9b24b9c47cd6b3fbf7c067693e605

Download Submit
\Users\Admin\AppData\Local\Temp\ftajnl.exe

Filesize
84KB

MD5
71f46375b7692c07dc1ade0f68d8cbbc

SHA1
141a7e3943972cebb65fcf5c6fd1a80987ee4dcf

SHA256
9ca93dc242f83304539dbfd4874d20a5d3c3d478cff3707b8693af3ad10c137c

SHA512
91afba614de6feae54adeeeeece7726088fae278066eb28465bfa9624fadc9e385eccacb62e6a2df803c19a889c7dbe5baf9b24b9c47cd6b3fbf7c067693e605

Download Submit
memory/764-77-0x0000000000140000-0x000000000014D000-memory.dmp

Filesize
52KB

Download
memory/764-85-0x0000000001D10000-0x0000000001DA3000-memory.dmp

Filesize
588KB

Download
memory/764-83-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/764-82-0x0000000001EB0000-0x00000000021B3000-memory.dmp

Filesize
3.0MB

Download
memory/764-81-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/764-80-0x0000000000140000-0x000000000014D000-memory.dmp

Filesize
52KB

Download
memory/976-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/976-76-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/976-74-0x00000000003A0000-0x00000000003B4000-memory.dmp

Filesize
80KB

Download
memory/976-73-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/976-71-0x0000000000360000-0x0000000000374000-memory.dmp

Filesize
80KB

Download
memory/976-70-0x0000000000920000-0x0000000000C23000-memory.dmp

Filesize
3.0MB

Download
memory/1204-75-0x00000000060D0000-0x000000000620D000-memory.dmp

Filesize
1.2MB

Download
memory/1204-72-0x0000000004490000-0x00000000045BB000-memory.dmp

Filesize
1.2MB

Download
memory/1204-86-0x0000000007360000-0x000000000748D000-memory.dmp

Filesize
1.2MB

Download
memory/1204-87-0x0000000007360000-0x000000000748D000-memory.dmp

Filesize
1.2MB

Download
memory/1204-90-0x0000000007360000-0x000000000748D000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing