formbook | 92b1f2ee516e87aff3e8ef41ae051276a9cb1002ccd788a15e527df458631a70

General

Target

92b1f2ee516e87aff3e8ef41ae051276a9cb1002ccd788a15e527df458631a70.exe
Size

595KB
MD5

ee2875f921602d7f7f26f0b788f1b3f7
SHA1

3690ccea99c4399ef2990ca3dc3d79eb29666794
SHA256

92b1f2ee516e87aff3e8ef41ae051276a9cb1002ccd788a15e527df458631a70
SHA512

85c813d764baba7a8a9f246cfa26208a886c64c1df8cca3863e8898342382a4dd7a0734b34fc904fb6637f1dec215da92a714d01c1fb430a811933dfd99275e5
SSDEEP

12288:6YV6MorX7qzuC3QHO9FQVHPF51jgcEQ433ZwrXUuunukKlkA:pBXu9HGaVHOwrXUuepDA

Score

10^/10

formbook ephb discovery rat spyware stealer trojan upx

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ephb

Decoy

chertsey-estates.com

zeushomeservices.com

2ax4z.com

leihuluofkauai.com

sunshinespd.com

lifeexplorer.today

holywellspringwater.com

clip-on-veneers.today

jaspershousekeeping.com

tcyd123.top

aimpets.com

n11ni5.cfd

oplmanager.dev

parisolympicgamesguide.com

askwhtevr.com

usino.online

pa6yy8h.xyz

tabomediaa.com

iwill3d.com

piqhome.site

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/2384-12-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2384-17-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2320-23-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2452-0-0x0000000000870000-0x00000000009C7000-memory.dmp	upx
behavioral1/memory/2452-14-0x0000000000870000-0x00000000009C7000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2452-14-0x0000000000870000-0x00000000009C7000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2452 set thread context of 2384	2452	92b1f2ee516e87aff3e8ef41ae051276a9cb1002ccd788a15e527df458631a70.exe	30
PID 2384 set thread context of 1188	2384	svchost.exe	21
PID 2320 set thread context of 1188	2320	wlanext.exe	21

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	92b1f2ee516e87aff3e8ef41ae051276a9cb1002ccd788a15e527df458631a70.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wlanext.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2384	svchost.exe
2384	svchost.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe
2320	wlanext.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2452	92b1f2ee516e87aff3e8ef41ae051276a9cb1002ccd788a15e527df458631a70.exe
2384	svchost.exe
2384	svchost.exe
2384	svchost.exe
2320	wlanext.exe
2320	wlanext.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2384	svchost.exe
Token: SeDebugPrivilege	2320	wlanext.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 2384	2452	92b1f2ee516e87aff3e8ef41ae051276a9cb1002ccd788a15e527df458631a70.exe	30
PID 2452 wrote to memory of 2384	2452	92b1f2ee516e87aff3e8ef41ae051276a9cb1002ccd788a15e527df458631a70.exe	30
PID 2452 wrote to memory of 2384	2452	92b1f2ee516e87aff3e8ef41ae051276a9cb1002ccd788a15e527df458631a70.exe	30
PID 2452 wrote to memory of 2384	2452	92b1f2ee516e87aff3e8ef41ae051276a9cb1002ccd788a15e527df458631a70.exe	30
PID 2452 wrote to memory of 2384	2452	92b1f2ee516e87aff3e8ef41ae051276a9cb1002ccd788a15e527df458631a70.exe	30
PID 1188 wrote to memory of 2320	1188	Explorer.EXE	31
PID 1188 wrote to memory of 2320	1188	Explorer.EXE	31
PID 1188 wrote to memory of 2320	1188	Explorer.EXE	31
PID 1188 wrote to memory of 2320	1188	Explorer.EXE	31
PID 2320 wrote to memory of 2784	2320	wlanext.exe	32
PID 2320 wrote to memory of 2784	2320	wlanext.exe	32
PID 2320 wrote to memory of 2784	2320	wlanext.exe	32
PID 2320 wrote to memory of 2784	2320	wlanext.exe	32

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Users\Admin\AppData\Local\Temp\92b1f2ee516e87aff3e8ef41ae051276a9cb1002ccd788a15e527df458631a70.exe
  "C:\Users\Admin\AppData\Local\Temp\92b1f2ee516e87aff3e8ef41ae051276a9cb1002ccd788a15e527df458631a70.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\92b1f2ee516e87aff3e8ef41ae051276a9cb1002ccd788a15e527df458631a70.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2384
- C:\Windows\SysWOW64\wlanext.exe
  "C:\Windows\SysWOW64\wlanext.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\SysWOW64\svchost.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1188-19-0x0000000004EE0000-0x0000000004FB9000-memory.dmp

Filesize
868KB

Download
memory/1188-26-0x0000000004EE0000-0x0000000004FB9000-memory.dmp

Filesize
868KB

Download
memory/1188-24-0x0000000000010000-0x0000000000020000-memory.dmp

Filesize
64KB

Download
memory/2320-23-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/2320-22-0x0000000000870000-0x0000000000886000-memory.dmp

Filesize
88KB

Download
memory/2320-20-0x0000000000870000-0x0000000000886000-memory.dmp

Filesize
88KB

Download
memory/2384-17-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2384-18-0x0000000000350000-0x0000000000364000-memory.dmp

Filesize
80KB

Download
memory/2384-15-0x0000000000700000-0x0000000000A03000-memory.dmp

Filesize
3.0MB

Download
memory/2384-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2452-0-0x0000000000870000-0x00000000009C7000-memory.dmp

Filesize
1.3MB

Download
memory/2452-14-0x0000000000870000-0x00000000009C7000-memory.dmp

Filesize
1.3MB

Download
memory/2452-11-0x0000000000770000-0x0000000000774000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing