formbook | 94556864decf10552fa3c93ff21180f06edacc3f57168eb4e3d8c1ec872b7ef1

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-12-2024 00:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

jetss6754309.exe
Size

213KB
MD5

ec45a9ff0d37e2c4c4b22f752faa737b
SHA1

9cb38d97822f17be47da16570a996bce4424aa9f
SHA256

d93367d117ae7f3d7a13e3958554500d54182cd51c6426448f1d248d732a0484
SHA512

2e7c7305a121ed39b630fdb58040ee94bb3eb1ab0558ed26b40109018272f71fc00b27358d0a16308405548af4051052661e0a5c44610c20c86546bb673cce5a
SSDEEP

6144:qweEpk2xjPucCaf8VXcj8JqooMJZgEUpW:bbx750t48JBZT0W

Score

10^/10

formbook je14 discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

je14

Decoy

innervisionbuildings.com

theenergysocialite.com

565548.com

panghr.com

onlyonesolutions.com

stjohnzone6.com

cnotes.rest

helfeb.online

xixi-s-inc.club

easilyentered.com

theshopx.store

mrclean-ac.com

miamibeachwateradventures.com

jpearce.co.uk

seseragi-bunkou.com

minimaddie.com

commbank-help-849c3.com

segohandelsonderneming.com

namthanhreal.com

fototerapi.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/2052-9-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2052-14-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2052-17-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2004-23-0x0000000000A80000-0x0000000000AAF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

pid	Process
2412	quhthbz.exe
2052	quhthbz.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2412 set thread context of 2052	2412	quhthbz.exe	84
PID 2052 set thread context of 3488	2052	quhthbz.exe	56
PID 2052 set thread context of 3488	2052	quhthbz.exe	56
PID 2004 set thread context of 3488	2004	cmstp.exe	56

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3956	2412	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jetss6754309.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	quhthbz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmstp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
2052	quhthbz.exe
2052	quhthbz.exe
2052	quhthbz.exe
2052	quhthbz.exe
2052	quhthbz.exe
2052	quhthbz.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe
2004	cmstp.exe

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
2412	quhthbz.exe
2052	quhthbz.exe
2052	quhthbz.exe
2052	quhthbz.exe
2052	quhthbz.exe
2004	cmstp.exe
2004	cmstp.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2052	quhthbz.exe
Token: SeShutdownPrivilege	3488	Explorer.EXE
Token: SeCreatePagefilePrivilege	3488	Explorer.EXE
Token: SeDebugPrivilege	2004	cmstp.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 2412	2760	jetss6754309.exe	83
PID 2760 wrote to memory of 2412	2760	jetss6754309.exe	83
PID 2760 wrote to memory of 2412	2760	jetss6754309.exe	83
PID 2412 wrote to memory of 2052	2412	quhthbz.exe	84
PID 2412 wrote to memory of 2052	2412	quhthbz.exe	84
PID 2412 wrote to memory of 2052	2412	quhthbz.exe	84
PID 2412 wrote to memory of 2052	2412	quhthbz.exe	84
PID 3488 wrote to memory of 2004	3488	Explorer.EXE	90
PID 3488 wrote to memory of 2004	3488	Explorer.EXE	90
PID 3488 wrote to memory of 2004	3488	Explorer.EXE	90
PID 2004 wrote to memory of 4876	2004	cmstp.exe	96
PID 2004 wrote to memory of 4876	2004	cmstp.exe	96
PID 2004 wrote to memory of 4876	2004	cmstp.exe	96

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3488
- C:\Users\Admin\AppData\Local\Temp\jetss6754309.exe
  "C:\Users\Admin\AppData\Local\Temp\jetss6754309.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Users\Admin\AppData\Local\Temp\quhthbz.exe
    "C:\Users\Admin\AppData\Local\Temp\quhthbz.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2412
  - - C:\Users\Admin\AppData\Local\Temp\quhthbz.exe
      "C:\Users\Admin\AppData\Local\Temp\quhthbz.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2052
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 380
      4⤵
      Program crash
      PID:3956
- C:\Windows\SysWOW64\cmstp.exe
  "C:\Windows\SysWOW64\cmstp.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\quhthbz.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2412 -ip 2412
1⤵
PID:1840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cghajbxxmuf.bb

Filesize
5KB

MD5
be65071f96f4bdbb1a1f01765ec87dd8

SHA1
3ad086eae0ffee129aa85c46bfb5cdb479b356ed

SHA256
394388adc6721ca2dfbf0604deea4f39143bff3f010d8caccd4aa660cbaec3e2

SHA512
d510b2470a21ce3fa33bbab9ddec104719a10bca99b5f109986cd9f0d8cd5bf0da83ce5c593b5251e45d867ded6b33e6e825fdf785592e355721f557fbe91f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\coexzhjbtb.ys

Filesize
185KB

MD5
607a68bb33115909e9f3a460e3d230f1

SHA1
448d9998c68dcc8b021237feca42cd892b5898a2

SHA256
72351e40fe463a116b893029efd0b98d62dfcc80747f06b9c60bd238574f8bee

SHA512
484ff21df0a808f997d186dd77ed87b136a9c700025c5d4545ef992809ee26e3f470bda803fdc823d9612f0ddef91419780f4ce34fbd20afd110e10ccfb3e5ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\quhthbz.exe

Filesize
5KB

MD5
76d62afbd866bb7c381a22dc2996bd05

SHA1
912911b232c8d942231d3935d0e45badb7006e75

SHA256
20aab90003cd0daf3e9f0cf54d2ab45ff981a72cfe2bdd73e962b9d5e3af7c43

SHA512
1ddc33c8e47886e1a7abf878011a0d8a4f33655a9a3ce5cfdc7c51a6aef46acda8bd22d9ea1b2572660e9d37dc3af9ce09c0cd11cd62d963c8bf0bc39dc876e6

Download Submit
memory/2004-21-0x00000000006F0000-0x0000000000706000-memory.dmp

Filesize
88KB

Download
memory/2004-23-0x0000000000A80000-0x0000000000AAF000-memory.dmp

Filesize
188KB

Download
memory/2004-22-0x00000000006F0000-0x0000000000706000-memory.dmp

Filesize
88KB

Download
memory/2052-12-0x0000000001330000-0x000000000167A000-memory.dmp

Filesize
3.3MB

Download
memory/2052-14-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2052-9-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2052-13-0x0000000000D50000-0x0000000000D64000-memory.dmp

Filesize
80KB

Download
memory/2052-18-0x0000000000ED0000-0x0000000000EE4000-memory.dmp

Filesize
80KB

Download
memory/2052-17-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2412-7-0x0000000001340000-0x0000000001342000-memory.dmp

Filesize
8KB

Download
memory/3488-20-0x00000000084B0000-0x0000000008657000-memory.dmp

Filesize
1.7MB

Download
memory/3488-19-0x0000000007FF0000-0x0000000008167000-memory.dmp

Filesize
1.5MB

Download
memory/3488-15-0x00000000084B0000-0x0000000008657000-memory.dmp

Filesize
1.7MB

Download
memory/3488-24-0x0000000007FF0000-0x0000000008167000-memory.dmp

Filesize
1.5MB

Download
memory/3488-27-0x0000000008660000-0x00000000087F3000-memory.dmp

Filesize
1.6MB

Download
memory/3488-29-0x0000000008660000-0x00000000087F3000-memory.dmp

Filesize
1.6MB

Download
memory/3488-30-0x0000000008660000-0x00000000087F3000-memory.dmp

Filesize
1.6MB

Download