formbook | ff5d67d2cfdae5296cda453f2f78fcacd79169bb9dbbe94a2007d9dcb382d2ef

General

Target

ZIMUXIA8376.exe
Size

765KB
MD5

4d7e0095c7770a52783f6dfc479bafa0
SHA1

3f49034d7415ecdeaf887afff1a95199ba2043ff
SHA256

ff5d67d2cfdae5296cda453f2f78fcacd79169bb9dbbe94a2007d9dcb382d2ef
SHA512

2570fa14760448878d9205d832ba52c82558f1776cfc2cb00c8ecc45dd8f6a2953b49ac6c8f02b65cc110c19f11be7eccaaf0dfc9e29f83c6093d2769b5f10a1
SSDEEP

12288:8CqnHvjNIrpf9rN/mc/Ciu2OAgXH/q6tVKfvfOkx6Mnf1SVfeEyuOlQnPssJAMDl:8/PjKr5BNDYEUH/q6tVqvGwtsVmEXksp

Score

10^/10

formbook jn17 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

jn17

Decoy

hynasty.com

africacementreview.com

5280micropantry.com

qcyu2.us

jl777-web.com

hcwsports.com

update-number-au.com

ymymvip.top

postds.buzz

dogwifnobrim.com

usapubpong.com

shopscoopido.com

medical-equipment.company

onyagu.com

tldrparent.com

jvpeople.com

seangalbraithphotography.com

ptt-gov.art

mutcosmeticsec.com

metameme.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2620-18-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2620-22-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2532-24-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2432 cmd.exe

pid	process
2432	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

ZIMUXIA8376.exeZIMUXIA8376.exewininit.exe

description	pid	process	target process
PID 1684 set thread context of 2620	1684	ZIMUXIA8376.exe	ZIMUXIA8376.exe
PID 2620 set thread context of 1356	2620	ZIMUXIA8376.exe	Explorer.EXE
PID 2620 set thread context of 1356	2620	ZIMUXIA8376.exe	Explorer.EXE
PID 2532 set thread context of 1356	2532	wininit.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2512 schtasks.exe

pid	process
2512	schtasks.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

ZIMUXIA8376.exeZIMUXIA8376.exepowershell.exewininit.exe

pid	process
1684	ZIMUXIA8376.exe
2620	ZIMUXIA8376.exe
2620	ZIMUXIA8376.exe
2112	powershell.exe
2620	ZIMUXIA8376.exe
2532	wininit.exe
2532	wininit.exe
2532	wininit.exe
2532	wininit.exe
2532	wininit.exe
2532	wininit.exe
2532	wininit.exe
2532	wininit.exe
2532	wininit.exe
2532	wininit.exe
2532	wininit.exe
2532	wininit.exe
2532	wininit.exe
2532	wininit.exe
2532	wininit.exe
2532	wininit.exe
2532	wininit.exe
2532	wininit.exe
2532	wininit.exe
2532	wininit.exe
2532	wininit.exe
2532	wininit.exe
2532	wininit.exe
2532	wininit.exe
2532	wininit.exe
2532	wininit.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

ZIMUXIA8376.exewininit.exe

pid process

2620 ZIMUXIA8376.exe
2620 ZIMUXIA8376.exe
2620 ZIMUXIA8376.exe
2620 ZIMUXIA8376.exe
2532 wininit.exe
2532 wininit.exe

pid	process
2620	ZIMUXIA8376.exe
2620	ZIMUXIA8376.exe
2620	ZIMUXIA8376.exe
2620	ZIMUXIA8376.exe
2532	wininit.exe
2532	wininit.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

ZIMUXIA8376.exeZIMUXIA8376.exepowershell.exewininit.exe

description	pid	process
Token: SeDebugPrivilege	1684	ZIMUXIA8376.exe
Token: SeDebugPrivilege	2620	ZIMUXIA8376.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	2532	wininit.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

ZIMUXIA8376.exeExplorer.EXEwininit.exe

description	pid	process	target process
PID 1684 wrote to memory of 2112	1684	ZIMUXIA8376.exe	powershell.exe
PID 1684 wrote to memory of 2112	1684	ZIMUXIA8376.exe	powershell.exe
PID 1684 wrote to memory of 2112	1684	ZIMUXIA8376.exe	powershell.exe
PID 1684 wrote to memory of 2112	1684	ZIMUXIA8376.exe	powershell.exe
PID 1684 wrote to memory of 2512	1684	ZIMUXIA8376.exe	schtasks.exe
PID 1684 wrote to memory of 2512	1684	ZIMUXIA8376.exe	schtasks.exe
PID 1684 wrote to memory of 2512	1684	ZIMUXIA8376.exe	schtasks.exe
PID 1684 wrote to memory of 2512	1684	ZIMUXIA8376.exe	schtasks.exe
PID 1684 wrote to memory of 2700	1684	ZIMUXIA8376.exe	ZIMUXIA8376.exe
PID 1684 wrote to memory of 2700	1684	ZIMUXIA8376.exe	ZIMUXIA8376.exe
PID 1684 wrote to memory of 2700	1684	ZIMUXIA8376.exe	ZIMUXIA8376.exe
PID 1684 wrote to memory of 2700	1684	ZIMUXIA8376.exe	ZIMUXIA8376.exe
PID 1684 wrote to memory of 2620	1684	ZIMUXIA8376.exe	ZIMUXIA8376.exe
PID 1684 wrote to memory of 2620	1684	ZIMUXIA8376.exe	ZIMUXIA8376.exe
PID 1684 wrote to memory of 2620	1684	ZIMUXIA8376.exe	ZIMUXIA8376.exe
PID 1684 wrote to memory of 2620	1684	ZIMUXIA8376.exe	ZIMUXIA8376.exe
PID 1684 wrote to memory of 2620	1684	ZIMUXIA8376.exe	ZIMUXIA8376.exe
PID 1684 wrote to memory of 2620	1684	ZIMUXIA8376.exe	ZIMUXIA8376.exe
PID 1684 wrote to memory of 2620	1684	ZIMUXIA8376.exe	ZIMUXIA8376.exe
PID 1356 wrote to memory of 2532	1356	Explorer.EXE	wininit.exe
PID 1356 wrote to memory of 2532	1356	Explorer.EXE	wininit.exe
PID 1356 wrote to memory of 2532	1356	Explorer.EXE	wininit.exe
PID 1356 wrote to memory of 2532	1356	Explorer.EXE	wininit.exe
PID 2532 wrote to memory of 2432	2532	wininit.exe	cmd.exe
PID 2532 wrote to memory of 2432	2532	wininit.exe	cmd.exe
PID 2532 wrote to memory of 2432	2532	wininit.exe	cmd.exe
PID 2532 wrote to memory of 2432	2532	wininit.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1356

C:\Users\Admin\AppData\Local\Temp\ZIMUXIA8376.exe
"C:\Users\Admin\AppData\Local\Temp\ZIMUXIA8376.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\aBHfONTpHr.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2112

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aBHfONTpHr" /XML "C:\Users\Admin\AppData\Local\Temp\tmp37D2.tmp"
3⤵
- Creates scheduled task(s)
PID:2512

C:\Users\Admin\AppData\Local\Temp\ZIMUXIA8376.exe
"C:\Users\Admin\AppData\Local\Temp\ZIMUXIA8376.exe"
3⤵
PID:2700

C:\Users\Admin\AppData\Local\Temp\ZIMUXIA8376.exe
"C:\Users\Admin\AppData\Local\Temp\ZIMUXIA8376.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2620

C:\Windows\SysWOW64\wininit.exe
"C:\Windows\SysWOW64\wininit.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2532

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\ZIMUXIA8376.exe"
3⤵
- Deletes itself
PID:2432

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp37D2.tmp
Filesize
1KB

MD5
197e6ca36667e642202317d2c76d5533

SHA1
1f9f9d0b4e3d251c3a69d5c9307ec7088f9ce6e0

SHA256
c11a0e6cbb061024243ef704e8bed460794e195e171266d3080d94334bdd128d

SHA512
2408aab758d46b62c0a150b24aeb07c7521a800aaaa1febd9635ead6eb18bbab3d21f048f3a487926d142e514b89679e8b812e2207bd72b5e3db8420164a0492

Download Submit
memory/1356-21-0x0000000003090000-0x0000000003190000-memory.dmp

Filesize
1024KB

Download
memory/1684-4-0x0000000000510000-0x0000000000524000-memory.dmp

Filesize
80KB

Download
memory/1684-1-0x00000000749F0000-0x00000000750DE000-memory.dmp

Filesize
6.9MB

Download
memory/1684-0-0x00000000013E0000-0x00000000014A4000-memory.dmp

Filesize
784KB

Download
memory/1684-5-0x0000000004A00000-0x0000000004A76000-memory.dmp

Filesize
472KB

Download
memory/1684-2-0x00000000049C0000-0x0000000004A00000-memory.dmp

Filesize
256KB

Download
memory/1684-3-0x00000000004E0000-0x0000000000500000-memory.dmp

Filesize
128KB

Download
memory/1684-19-0x00000000749F0000-0x00000000750DE000-memory.dmp

Filesize
6.9MB

Download
memory/2532-23-0x0000000000E90000-0x0000000000EAA000-memory.dmp

Filesize
104KB

Download
memory/2532-24-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/2620-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2620-13-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2620-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2620-18-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2620-22-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads