formbook | a5a473bc3d643ce300b72af75ae8f7a0d47ee983f1160707606ef9e818bb1a2f

General

Target

LF2024022.exe
Size

629KB
MD5

027ac6bf381a0b5d842c137e2240624c
SHA1

6cb5e6d9d7eb76993064c8b36465fcd47fc14d11
SHA256

a5a473bc3d643ce300b72af75ae8f7a0d47ee983f1160707606ef9e818bb1a2f
SHA512

404b3cf245b4b8634844fa9428a101b1cb86e6d8c76b9042800d62434bb227715b39d109e926da8adc8216e036f3649a596b106f582402b93b92483cd945f4a4
SSDEEP

12288:uNgLeFR6rXlv312Z3vBr+nIUcos1N7PCwSw6Z:VXJ312ZvBgIUcF7PN

Score

10^/10

formbook jn17 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

jn17

Decoy

hynasty.com

africacementreview.com

5280micropantry.com

qcyu2.us

jl777-web.com

hcwsports.com

update-number-au.com

ymymvip.top

postds.buzz

dogwifnobrim.com

usapubpong.com

shopscoopido.com

medical-equipment.company

onyagu.com

tldrparent.com

jvpeople.com

seangalbraithphotography.com

ptt-gov.art

mutcosmeticsec.com

metameme.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2732-18-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2196-22-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2456 cmd.exe

pid	process
2456	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

LF2024022.exeLF2024022.exeNETSTAT.EXE

description	pid	process	target process
PID 1712 set thread context of 2732	1712	LF2024022.exe	LF2024022.exe
PID 2732 set thread context of 1256	2732	LF2024022.exe	Explorer.EXE
PID 2196 set thread context of 1256	2196	NETSTAT.EXE	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2636 schtasks.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

NETSTAT.EXE

pid process

2196 NETSTAT.EXE

pid	process
2636	schtasks.exe

pid	process
2196	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

LF2024022.exepowershell.exeNETSTAT.EXE

pid	process
2732	LF2024022.exe
2732	LF2024022.exe
2956	powershell.exe
2196	NETSTAT.EXE
2196	NETSTAT.EXE
2196	NETSTAT.EXE
2196	NETSTAT.EXE
2196	NETSTAT.EXE
2196	NETSTAT.EXE
2196	NETSTAT.EXE
2196	NETSTAT.EXE
2196	NETSTAT.EXE
2196	NETSTAT.EXE
2196	NETSTAT.EXE
2196	NETSTAT.EXE
2196	NETSTAT.EXE
2196	NETSTAT.EXE
2196	NETSTAT.EXE
2196	NETSTAT.EXE
2196	NETSTAT.EXE
2196	NETSTAT.EXE
2196	NETSTAT.EXE
2196	NETSTAT.EXE
2196	NETSTAT.EXE
2196	NETSTAT.EXE
2196	NETSTAT.EXE
2196	NETSTAT.EXE
2196	NETSTAT.EXE
2196	NETSTAT.EXE
2196	NETSTAT.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

LF2024022.exeNETSTAT.EXE

pid process

2732 LF2024022.exe
2732 LF2024022.exe
2732 LF2024022.exe
2196 NETSTAT.EXE
2196 NETSTAT.EXE
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

LF2024022.exepowershell.exeNETSTAT.EXE

description pid process

Token: SeDebugPrivilege 2732 LF2024022.exe
Token: SeDebugPrivilege 2956 powershell.exe
Token: SeDebugPrivilege 2196 NETSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	2732	LF2024022.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	2196	NETSTAT.EXE

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

LF2024022.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 1712 wrote to memory of 2956	1712	LF2024022.exe	powershell.exe
PID 1712 wrote to memory of 2956	1712	LF2024022.exe	powershell.exe
PID 1712 wrote to memory of 2956	1712	LF2024022.exe	powershell.exe
PID 1712 wrote to memory of 2956	1712	LF2024022.exe	powershell.exe
PID 1712 wrote to memory of 2636	1712	LF2024022.exe	schtasks.exe
PID 1712 wrote to memory of 2636	1712	LF2024022.exe	schtasks.exe
PID 1712 wrote to memory of 2636	1712	LF2024022.exe	schtasks.exe
PID 1712 wrote to memory of 2636	1712	LF2024022.exe	schtasks.exe
PID 1712 wrote to memory of 2732	1712	LF2024022.exe	LF2024022.exe
PID 1712 wrote to memory of 2732	1712	LF2024022.exe	LF2024022.exe
PID 1712 wrote to memory of 2732	1712	LF2024022.exe	LF2024022.exe
PID 1712 wrote to memory of 2732	1712	LF2024022.exe	LF2024022.exe
PID 1712 wrote to memory of 2732	1712	LF2024022.exe	LF2024022.exe
PID 1712 wrote to memory of 2732	1712	LF2024022.exe	LF2024022.exe
PID 1712 wrote to memory of 2732	1712	LF2024022.exe	LF2024022.exe
PID 1256 wrote to memory of 2196	1256	Explorer.EXE	NETSTAT.EXE
PID 1256 wrote to memory of 2196	1256	Explorer.EXE	NETSTAT.EXE
PID 1256 wrote to memory of 2196	1256	Explorer.EXE	NETSTAT.EXE
PID 1256 wrote to memory of 2196	1256	Explorer.EXE	NETSTAT.EXE
PID 2196 wrote to memory of 2456	2196	NETSTAT.EXE	cmd.exe
PID 2196 wrote to memory of 2456	2196	NETSTAT.EXE	cmd.exe
PID 2196 wrote to memory of 2456	2196	NETSTAT.EXE	cmd.exe
PID 2196 wrote to memory of 2456	2196	NETSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1256

C:\Users\Admin\AppData\Local\Temp\LF2024022.exe
"C:\Users\Admin\AppData\Local\Temp\LF2024022.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\NZdJojwPG.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2956

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NZdJojwPG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4450.tmp"
3⤵
- Creates scheduled task(s)
PID:2636

C:\Users\Admin\AppData\Local\Temp\LF2024022.exe
"C:\Users\Admin\AppData\Local\Temp\LF2024022.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2196

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\LF2024022.exe"
3⤵
- Deletes itself
PID:2456

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Command and Scripting Interpreter

1

T1059

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4450.tmp
Filesize
1KB

MD5
acc6a320f52d19057021a0bfec6a8d75

SHA1
efa332516bca53b1219278526d4ad1648cb22703

SHA256
a9c7aa83b1781af026a0fc4769ec86de0848ad82e7094d067329759718253b33

SHA512
0853f8a1121c203e7a6e3a5a74d0f3851f2f017eed62ca8c339b398198ed1045258714b18e35a67eb0b9d55af716859f1da7e971ec85431d6ff5014af1f4e402

Download Submit
memory/1712-3-0x00000000005F0000-0x0000000000610000-memory.dmp

Filesize
128KB

Download
memory/1712-2-0x0000000004C30000-0x0000000004C70000-memory.dmp

Filesize
256KB

Download
memory/1712-0-0x0000000000060000-0x0000000000102000-memory.dmp

Filesize
648KB

Download
memory/1712-4-0x0000000000620000-0x0000000000634000-memory.dmp

Filesize
80KB

Download
memory/1712-5-0x0000000001D60000-0x0000000001DD6000-memory.dmp

Filesize
472KB

Download
memory/1712-1-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download
memory/1712-20-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download
memory/2196-21-0x0000000000990000-0x0000000000999000-memory.dmp

Filesize
36KB

Download
memory/2196-22-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/2732-13-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2732-18-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2732-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2732-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads