formbook | 321691557b39805530f57b29887ab32e5ddd81ad080ac4d91d964c978fbc6b04

General

Target

DHL Receipt276334VWE.exe
Size

253KB
MD5

b6f80ee925e9745fb5305429f1ce1a74
SHA1

c1d19e16638195fd2fdf8e4adabea6d1b25a8681
SHA256

321691557b39805530f57b29887ab32e5ddd81ad080ac4d91d964c978fbc6b04
SHA512

1ec6563bdd4d073008b796c5ae307d77012904faee0dbc0197d099018cf5a37f2e32370001018a61758d2269a506373457b9d0ccfc6a2a3e8891fae230e10f2b
SSDEEP

6144:/Ya6RZ7+pUU4mnLG7nwjhtwa9sIStaIR125jJvTMa2R:/YDZ7KUVmnLG7nwjZ2JaIR1UTbi

Score

10^/10

formbook j0c7 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

j0c7

Decoy

dvyuansu.com

flyersfirst.com

lbvasd.xyz

samodeling.com

lsty.net

agreels.com

gptvai.com

tyec.xyz

infercn.top

restinpeace.website

flaxtest.com

manaroo.com

altyazi-hub.xyz

devrijeweide.store

thebestfurnitureplace.com

combatsportsacademyus.com

segui276.pics

starseedalignment.com

fish-pay.com

letsbet.life

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/1588-63-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1588-68-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/572-75-0x0000000000090000-0x00000000000BF000-memory.dmp	formbook
behavioral1/memory/572-77-0x0000000000090000-0x00000000000BF000-memory.dmp	formbook

Deletes itself 1 IoCs

pid	Process
864	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1220	DHL Receipt276334VWE.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1220 set thread context of 1588	1220	DHL Receipt276334VWE.exe	28
PID 1588 set thread context of 1240	1588	DHL Receipt276334VWE.exe	20
PID 572 set thread context of 1240	572	cmstp.exe	20

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
1588	DHL Receipt276334VWE.exe
1588	DHL Receipt276334VWE.exe
572	cmstp.exe
572	cmstp.exe
572	cmstp.exe
572	cmstp.exe
572	cmstp.exe
572	cmstp.exe
572	cmstp.exe
572	cmstp.exe
572	cmstp.exe
572	cmstp.exe
572	cmstp.exe
572	cmstp.exe
572	cmstp.exe
572	cmstp.exe
572	cmstp.exe
572	cmstp.exe
572	cmstp.exe
572	cmstp.exe
572	cmstp.exe
572	cmstp.exe
572	cmstp.exe
572	cmstp.exe
572	cmstp.exe
572	cmstp.exe
572	cmstp.exe
572	cmstp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1240	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
1220	DHL Receipt276334VWE.exe
1588	DHL Receipt276334VWE.exe
1588	DHL Receipt276334VWE.exe
1588	DHL Receipt276334VWE.exe
572	cmstp.exe
572	cmstp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1588	DHL Receipt276334VWE.exe
Token: SeDebugPrivilege	572	cmstp.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1240	Explorer.EXE
1240	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1240	Explorer.EXE
1240	Explorer.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 1588	1220	DHL Receipt276334VWE.exe	28
PID 1220 wrote to memory of 1588	1220	DHL Receipt276334VWE.exe	28
PID 1220 wrote to memory of 1588	1220	DHL Receipt276334VWE.exe	28
PID 1220 wrote to memory of 1588	1220	DHL Receipt276334VWE.exe	28
PID 1220 wrote to memory of 1588	1220	DHL Receipt276334VWE.exe	28
PID 1240 wrote to memory of 572	1240	Explorer.EXE	29
PID 1240 wrote to memory of 572	1240	Explorer.EXE	29
PID 1240 wrote to memory of 572	1240	Explorer.EXE	29
PID 1240 wrote to memory of 572	1240	Explorer.EXE	29
PID 1240 wrote to memory of 572	1240	Explorer.EXE	29
PID 1240 wrote to memory of 572	1240	Explorer.EXE	29
PID 1240 wrote to memory of 572	1240	Explorer.EXE	29
PID 572 wrote to memory of 864	572	cmstp.exe	30
PID 572 wrote to memory of 864	572	cmstp.exe	30
PID 572 wrote to memory of 864	572	cmstp.exe	30
PID 572 wrote to memory of 864	572	cmstp.exe	30

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Users\Admin\AppData\Local\Temp\DHL Receipt276334VWE.exe
  "C:\Users\Admin\AppData\Local\Temp\DHL Receipt276334VWE.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1220
- - C:\Users\Admin\AppData\Local\Temp\DHL Receipt276334VWE.exe
    "C:\Users\Admin\AppData\Local\Temp\DHL Receipt276334VWE.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1588
- C:\Windows\SysWOW64\cmstp.exe
  "C:\Windows\SysWOW64\cmstp.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:572
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\DHL Receipt276334VWE.exe"
    3⤵
    - Deletes itself
    PID:864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nst773.tmp\xhkpkm.dll

Filesize
41KB

MD5
a7d4f2328803da6d4c3099267d5e6f6e

SHA1
da374b32542513ddf1085f59dbdcd98f7d25cbd7

SHA256
220f8168831410ae1876665fa2022c863dbe26918ecbcedc52a356c47919ebcf

SHA512
ed58001ba41ada9e6988b78963e685a071e2a2cd0ffda0a6d6f92452d0c610a84f2795dc47d1998bbaff1ab2271897010b214ada824db94cb4634222642392eb

Download Submit
\Users\Admin\AppData\Local\Temp\nst773.tmp\xhkpkm.dll

Filesize
41KB

MD5
a7d4f2328803da6d4c3099267d5e6f6e

SHA1
da374b32542513ddf1085f59dbdcd98f7d25cbd7

SHA256
220f8168831410ae1876665fa2022c863dbe26918ecbcedc52a356c47919ebcf

SHA512
ed58001ba41ada9e6988b78963e685a071e2a2cd0ffda0a6d6f92452d0c610a84f2795dc47d1998bbaff1ab2271897010b214ada824db94cb4634222642392eb

Download Submit
memory/572-72-0x0000000000710000-0x0000000000728000-memory.dmp

Filesize
96KB

Download
memory/572-79-0x0000000000660000-0x00000000006F4000-memory.dmp

Filesize
592KB

Download
memory/572-77-0x0000000000090000-0x00000000000BF000-memory.dmp

Filesize
188KB

Download
memory/572-76-0x0000000002120000-0x0000000002423000-memory.dmp

Filesize
3.0MB

Download
memory/572-75-0x0000000000090000-0x00000000000BF000-memory.dmp

Filesize
188KB

Download
memory/572-74-0x0000000000710000-0x0000000000728000-memory.dmp

Filesize
96KB

Download
memory/1220-62-0x0000000000570000-0x0000000000572000-memory.dmp

Filesize
8KB

Download
memory/1240-66-0x00000000000E0000-0x00000000001E0000-memory.dmp

Filesize
1024KB

Download
memory/1240-70-0x0000000004A50000-0x0000000004B3F000-memory.dmp

Filesize
956KB

Download
memory/1240-80-0x0000000004B40000-0x0000000004CCE000-memory.dmp

Filesize
1.6MB

Download
memory/1240-81-0x0000000004B40000-0x0000000004CCE000-memory.dmp

Filesize
1.6MB

Download
memory/1240-84-0x0000000004B40000-0x0000000004CCE000-memory.dmp

Filesize
1.6MB

Download
memory/1588-69-0x0000000000480000-0x0000000000495000-memory.dmp

Filesize
84KB

Download
memory/1588-68-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1588-67-0x00000000008C0000-0x0000000000BC3000-memory.dmp

Filesize
3.0MB

Download
memory/1588-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing