formbook | 23a6492e8b9c3bae9bd344774c902a680b957c1a5b11dc2adf624c54d75dceb3

Analysis

max time kernel
148s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 08:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

jetsoff8906.exe
Size

1.1MB
MD5

69eddb992ebe64f55d5da7a653c1e1d7
SHA1

91429f21a3a7e97b77421b615233be645d096987
SHA256

02bdbd4777fc54081f239ce8936bb56d899ec58fe61437875f09227a55a74920
SHA512

d68e0280c175e08c0c64701fc32cd44eb8cc9584a1c5adbf379ea10139361844608465b9685398dea604fc1bcd0ec040e7d886bc94c0a888f6e0f81e7c57a657
SSDEEP

24576:UAOcZXcxP6BS0sRWuogs+VocwuP3h3jKaGAuvZG31RMaas/x4p:CHasRWuogTVocwuPhNQA3XM91

Score

10^/10

formbook je14 discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

je14

Decoy

innervisionbuildings.com

theenergysocialite.com

565548.com

panghr.com

onlyonesolutions.com

stjohnzone6.com

cnotes.rest

helfeb.online

xixi-s-inc.club

easilyentered.com

theshopx.store

mrclean-ac.com

miamibeachwateradventures.com

jpearce.co.uk

seseragi-bunkou.com

minimaddie.com

commbank-help-849c3.com

segohandelsonderneming.com

namthanhreal.com

fototerapi.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 3 IoCs

rat

resource	yara_rule
behavioral2/memory/400-51-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/400-54-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4132-59-0x00000000005D0000-0x00000000005FF000-memory.dmp	formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	jetsoff8906.exe

Executes dropped EXE 1 IoCs

pid	Process
4528	msvbrvkxv.pif

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4528 set thread context of 400	4528	msvbrvkxv.pif	86
PID 400 set thread context of 3524	400	RegSvcs.exe	56
PID 4132 set thread context of 3524	4132	control.exe	56

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	control.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jetsoff8906.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msvbrvkxv.pif

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
400	RegSvcs.exe
400	RegSvcs.exe
400	RegSvcs.exe
400	RegSvcs.exe
4132	control.exe
4132	control.exe
4132	control.exe
4132	control.exe
4132	control.exe
4132	control.exe
4132	control.exe
4132	control.exe
4132	control.exe
4132	control.exe
4132	control.exe
4132	control.exe
4132	control.exe
4132	control.exe
4132	control.exe
4132	control.exe
4132	control.exe
4132	control.exe
4132	control.exe
4132	control.exe
4132	control.exe
4132	control.exe
4132	control.exe
4132	control.exe
4132	control.exe
4132	control.exe
4132	control.exe
4132	control.exe
4132	control.exe
4132	control.exe
4132	control.exe
4132	control.exe
4132	control.exe
4132	control.exe
4132	control.exe
4132	control.exe
4132	control.exe
4132	control.exe
4132	control.exe
4132	control.exe
4132	control.exe
4132	control.exe
4132	control.exe
4132	control.exe
4132	control.exe
4132	control.exe
4132	control.exe
4132	control.exe
4132	control.exe
4132	control.exe
4132	control.exe
4132	control.exe
4132	control.exe
4132	control.exe
4132	control.exe
4132	control.exe
4132	control.exe
4132	control.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
400	RegSvcs.exe
400	RegSvcs.exe
400	RegSvcs.exe
4132	control.exe
4132	control.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	400	RegSvcs.exe
Token: SeShutdownPrivilege	3524	Explorer.EXE
Token: SeCreatePagefilePrivilege	3524	Explorer.EXE
Token: SeShutdownPrivilege	3524	Explorer.EXE
Token: SeCreatePagefilePrivilege	3524	Explorer.EXE
Token: SeDebugPrivilege	4132	control.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 4528	1456	jetsoff8906.exe	83
PID 1456 wrote to memory of 4528	1456	jetsoff8906.exe	83
PID 1456 wrote to memory of 4528	1456	jetsoff8906.exe	83
PID 4528 wrote to memory of 1164	4528	msvbrvkxv.pif	85
PID 4528 wrote to memory of 1164	4528	msvbrvkxv.pif	85
PID 4528 wrote to memory of 1164	4528	msvbrvkxv.pif	85
PID 4528 wrote to memory of 400	4528	msvbrvkxv.pif	86
PID 4528 wrote to memory of 400	4528	msvbrvkxv.pif	86
PID 4528 wrote to memory of 400	4528	msvbrvkxv.pif	86
PID 4528 wrote to memory of 400	4528	msvbrvkxv.pif	86
PID 4528 wrote to memory of 400	4528	msvbrvkxv.pif	86
PID 4528 wrote to memory of 400	4528	msvbrvkxv.pif	86
PID 3524 wrote to memory of 4132	3524	Explorer.EXE	87
PID 3524 wrote to memory of 4132	3524	Explorer.EXE	87
PID 3524 wrote to memory of 4132	3524	Explorer.EXE	87
PID 4132 wrote to memory of 672	4132	control.exe	89
PID 4132 wrote to memory of 672	4132	control.exe	89
PID 4132 wrote to memory of 672	4132	control.exe	89

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3524
- C:\Users\Admin\AppData\Local\Temp\jetsoff8906.exe
  "C:\Users\Admin\AppData\Local\Temp\jetsoff8906.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1456
- - C:\Users\Admin\AppData\Roaming\10_95\msvbrvkxv.pif
    "C:\Users\Admin\AppData\Roaming\10_95\msvbrvkxv.pif" idrqqwdp.dre
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4528
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:1164
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:400
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\SysWOW64\control.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4132
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\10_95\dvcpwg.bhv

Filesize
370KB

MD5
6ab5bf0e5c0cf24e9d123e98d81702c8

SHA1
8171fb5ca8d9de2fdab72bc17404a8435dc643a5

SHA256
d7c849c15e086045d3a96c88543fe04eef789383edccbf4ff3f93945a9207743

SHA512
5ed0e2b38aec216156f5c360ccd15b64ddad127f321103b8be295ca6fe98853fba4045e20a45257a9d9086258e57b16fffc94275e9d2febd3dd34324f07aab46

Download Submit
C:\Users\Admin\AppData\Roaming\10_95\msvbrvkxv.pif

Filesize
794KB

MD5
18e404787e9c044105f5c4bec4600bd8

SHA1
9f1015bd7f33a6f3c1cc12c0971f51b1adee1939

SHA256
e15984dc8ea9627d370c40178676490129427e2dc23499f68c9c65c4386fea12

SHA512
c6a1faae524968351b4841665bfe1c5255f7e6c115b7a81a4b6c65626f23f7f15e4bb856914fce15225c33a2e2b6166b3f1f87698895fe0ce4cb084b630c2a5f

Download Submit
C:\Users\Admin\AppData\Roaming\10_95\xbrual.exe

Filesize
35KB

MD5
03416254f04f806585a48a75788ad7ba

SHA1
c869d64aac8abaf8e7e86550cf5c013e838dd2d3

SHA256
08736c3265e3dd2fc11e0c263fdd89072df720b742f145e273f3eb734d41fcfb

SHA512
56ffbc0262925332f195e88102138b8e5b3fa5df943fe61b1ef7a2d0cbc51bf3ea500d89b30f9f1daaf3dc850d547dada81013f4b311a9269511f2b33fd4e645

Download Submit
memory/400-55-0x00000000010D0000-0x00000000010E4000-memory.dmp

Filesize
80KB

Download
memory/400-52-0x0000000001440000-0x000000000178A000-memory.dmp

Filesize
3.3MB

Download
memory/400-54-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/400-51-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3524-56-0x0000000004350000-0x00000000044AA000-memory.dmp

Filesize
1.4MB

Download
memory/3524-60-0x0000000004350000-0x00000000044AA000-memory.dmp

Filesize
1.4MB

Download
memory/3524-64-0x0000000008B70000-0x0000000008CEF000-memory.dmp

Filesize
1.5MB

Download
memory/4132-58-0x00000000004A0000-0x00000000004C7000-memory.dmp

Filesize
156KB

Download
memory/4132-57-0x00000000004A0000-0x00000000004C7000-memory.dmp

Filesize
156KB

Download
memory/4132-59-0x00000000005D0000-0x00000000005FF000-memory.dmp

Filesize
188KB

Download