formbook | 23a6492e8b9c3bae9bd344774c902a680b957c1a5b11dc2adf624c54d75dceb3

Analysis

max time kernel
150s
max time network
144s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 08:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

jetsoff8906.exe
Size

1.1MB
MD5

69eddb992ebe64f55d5da7a653c1e1d7
SHA1

91429f21a3a7e97b77421b615233be645d096987
SHA256

02bdbd4777fc54081f239ce8936bb56d899ec58fe61437875f09227a55a74920
SHA512

d68e0280c175e08c0c64701fc32cd44eb8cc9584a1c5adbf379ea10139361844608465b9685398dea604fc1bcd0ec040e7d886bc94c0a888f6e0f81e7c57a657
SSDEEP

24576:UAOcZXcxP6BS0sRWuogs+VocwuP3h3jKaGAuvZG31RMaas/x4p:CHasRWuogTVocwuPhNQA3XM91

Score

10^/10

formbook je14 discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

je14

Decoy

innervisionbuildings.com

theenergysocialite.com

565548.com

panghr.com

onlyonesolutions.com

stjohnzone6.com

cnotes.rest

helfeb.online

xixi-s-inc.club

easilyentered.com

theshopx.store

mrclean-ac.com

miamibeachwateradventures.com

jpearce.co.uk

seseragi-bunkou.com

minimaddie.com

commbank-help-849c3.com

segohandelsonderneming.com

namthanhreal.com

fototerapi.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/2892-64-0x0000000000400000-0x0000000000AB1000-memory.dmp	formbook
behavioral1/memory/2508-68-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Executes dropped EXE 1 IoCs

pid	Process
2792	msvbrvkxv.pif

Loads dropped DLL 4 IoCs

pid	Process
2528	jetsoff8906.exe
2528	jetsoff8906.exe
2528	jetsoff8906.exe
2528	jetsoff8906.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2792 set thread context of 1336	2792	msvbrvkxv.pif	32
PID 2792 set thread context of 2892	2792	msvbrvkxv.pif	31
PID 2892 set thread context of 1212	2892	RegSvcs.exe	21
PID 2508 set thread context of 1212	2508	cmd.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jetsoff8906.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msvbrvkxv.pif

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2892	RegSvcs.exe
2892	RegSvcs.exe
2508	cmd.exe
2508	cmd.exe
2508	cmd.exe
2508	cmd.exe
2508	cmd.exe
2508	cmd.exe
2508	cmd.exe
2508	cmd.exe
2508	cmd.exe
2508	cmd.exe
2508	cmd.exe
2508	cmd.exe
2508	cmd.exe
2508	cmd.exe
2508	cmd.exe
2508	cmd.exe
2508	cmd.exe
2508	cmd.exe
2508	cmd.exe
2508	cmd.exe
2508	cmd.exe
2508	cmd.exe
2508	cmd.exe
2508	cmd.exe
2508	cmd.exe
2508	cmd.exe
2508	cmd.exe
2508	cmd.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2892	RegSvcs.exe
2892	RegSvcs.exe
2892	RegSvcs.exe
2508	cmd.exe
2508	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2892	RegSvcs.exe
Token: SeDebugPrivilege	2508	cmd.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 2792	2528	jetsoff8906.exe	30
PID 2528 wrote to memory of 2792	2528	jetsoff8906.exe	30
PID 2528 wrote to memory of 2792	2528	jetsoff8906.exe	30
PID 2528 wrote to memory of 2792	2528	jetsoff8906.exe	30
PID 2528 wrote to memory of 2792	2528	jetsoff8906.exe	30
PID 2528 wrote to memory of 2792	2528	jetsoff8906.exe	30
PID 2528 wrote to memory of 2792	2528	jetsoff8906.exe	30
PID 2792 wrote to memory of 2892	2792	msvbrvkxv.pif	31
PID 2792 wrote to memory of 2892	2792	msvbrvkxv.pif	31
PID 2792 wrote to memory of 2892	2792	msvbrvkxv.pif	31
PID 2792 wrote to memory of 2892	2792	msvbrvkxv.pif	31
PID 2792 wrote to memory of 2892	2792	msvbrvkxv.pif	31
PID 2792 wrote to memory of 2892	2792	msvbrvkxv.pif	31
PID 2792 wrote to memory of 2892	2792	msvbrvkxv.pif	31
PID 2792 wrote to memory of 1336	2792	msvbrvkxv.pif	32
PID 2792 wrote to memory of 1336	2792	msvbrvkxv.pif	32
PID 2792 wrote to memory of 1336	2792	msvbrvkxv.pif	32
PID 2792 wrote to memory of 1336	2792	msvbrvkxv.pif	32
PID 2792 wrote to memory of 1336	2792	msvbrvkxv.pif	32
PID 2792 wrote to memory of 1336	2792	msvbrvkxv.pif	32
PID 2792 wrote to memory of 1336	2792	msvbrvkxv.pif	32
PID 2792 wrote to memory of 1336	2792	msvbrvkxv.pif	32
PID 2792 wrote to memory of 2892	2792	msvbrvkxv.pif	31
PID 2792 wrote to memory of 2892	2792	msvbrvkxv.pif	31
PID 1212 wrote to memory of 2508	1212	Explorer.EXE	33
PID 1212 wrote to memory of 2508	1212	Explorer.EXE	33
PID 1212 wrote to memory of 2508	1212	Explorer.EXE	33
PID 1212 wrote to memory of 2508	1212	Explorer.EXE	33
PID 2508 wrote to memory of 1388	2508	cmd.exe	34
PID 2508 wrote to memory of 1388	2508	cmd.exe	34
PID 2508 wrote to memory of 1388	2508	cmd.exe	34
PID 2508 wrote to memory of 1388	2508	cmd.exe	34

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Users\Admin\AppData\Local\Temp\jetsoff8906.exe
  "C:\Users\Admin\AppData\Local\Temp\jetsoff8906.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Users\Admin\AppData\Roaming\10_95\msvbrvkxv.pif
    "C:\Users\Admin\AppData\Roaming\10_95\msvbrvkxv.pif" idrqqwdp.dre
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2892
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:1336
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\SysWOW64\cmd.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\10_95\dvcpwg.bhv

Filesize
370KB

MD5
6ab5bf0e5c0cf24e9d123e98d81702c8

SHA1
8171fb5ca8d9de2fdab72bc17404a8435dc643a5

SHA256
d7c849c15e086045d3a96c88543fe04eef789383edccbf4ff3f93945a9207743

SHA512
5ed0e2b38aec216156f5c360ccd15b64ddad127f321103b8be295ca6fe98853fba4045e20a45257a9d9086258e57b16fffc94275e9d2febd3dd34324f07aab46

Download Submit
C:\Users\Admin\AppData\Roaming\10_95\msvbrvkxv.pif

Filesize
794KB

MD5
18e404787e9c044105f5c4bec4600bd8

SHA1
9f1015bd7f33a6f3c1cc12c0971f51b1adee1939

SHA256
e15984dc8ea9627d370c40178676490129427e2dc23499f68c9c65c4386fea12

SHA512
c6a1faae524968351b4841665bfe1c5255f7e6c115b7a81a4b6c65626f23f7f15e4bb856914fce15225c33a2e2b6166b3f1f87698895fe0ce4cb084b630c2a5f

Download Submit
C:\Users\Admin\AppData\Roaming\10_95\xbrual.exe

Filesize
35KB

MD5
03416254f04f806585a48a75788ad7ba

SHA1
c869d64aac8abaf8e7e86550cf5c013e838dd2d3

SHA256
08736c3265e3dd2fc11e0c263fdd89072df720b742f145e273f3eb734d41fcfb

SHA512
56ffbc0262925332f195e88102138b8e5b3fa5df943fe61b1ef7a2d0cbc51bf3ea500d89b30f9f1daaf3dc850d547dada81013f4b311a9269511f2b33fd4e645

Download Submit
memory/1212-66-0x0000000000350000-0x0000000000450000-memory.dmp

Filesize
1024KB

Download
memory/1212-72-0x00000000060E0000-0x00000000061B1000-memory.dmp

Filesize
836KB

Download
memory/1336-60-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2508-67-0x000000004AB70000-0x000000004ABBC000-memory.dmp

Filesize
304KB

Download
memory/2508-68-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/2892-62-0x0000000000400000-0x0000000000AB1000-memory.dmp

Filesize
6.7MB

Download
memory/2892-64-0x0000000000400000-0x0000000000AB1000-memory.dmp

Filesize
6.7MB

Download