formbook | 464365a04b73faf53f77ff0a3c4556108e362edf46282f2c36e6718cf8186aec

General

Target

f384ded729fd7bf92383bf1ee12b4e3da92fbb01ef0e9d84bf439ba70525210d.exe
Size

457KB
MD5

54ef2f2acdf62dfb40fc32aab1f46307
SHA1

3f3640685b7af5b52a13d49cfd1cf5364114e317
SHA256

f384ded729fd7bf92383bf1ee12b4e3da92fbb01ef0e9d84bf439ba70525210d
SHA512

3ee12f2d99ce1ce272f99b7e190694f52aaf68bb2267f53efb6073d79100a3d127ad841bd9324d675af527e06bb9c56218ff1e91dfb644af1d21042cf049ff03
SSDEEP

6144:MqTi59VJdaD70ylbBTpVg8DPmgQhSdj/4KngWIq6jRk+j:MGin670yTTpVg8CgcSKKngWIjX

Score

10^/10

formbook h37 credential_access discovery persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

h37

Decoy

misfitsbarandgrill.com

pijpsletjes.com

practiman.com

trailersgeek.online

greathappiness.faith

solderisland.com

kk5299.com

nani21.com

sharpactinvest.com

meteocockpit.com

provisionswpgroup.com

theplaze.net

westaustralian.ninja

freetrafficupgradingall.win

paraisocalafate.com

nelps.com

buywatch.win

sgfmim.site

mexicotradicional.com

moving411.biz

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/1116-15-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	f384ded729fd7bf92383bf1ee12b4e3da92fbb01ef0e9d84bf439ba70525210d.exe

Executes dropped EXE 2 IoCs

pid	Process
2152	app.exe
1116	app.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\app.exe -boot"	app.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\6L9L_R8PFNQ = "C:\\Program Files (x86)\\Xhbqd\\audiodg4h4tnv.exe"	svchost.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2152 set thread context of 1116	2152	app.exe	107
PID 1116 set thread context of 3552	1116	app.exe	56
PID 232 set thread context of 3552	232	svchost.exe	56

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Xhbqd\audiodg4h4tnv.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	app.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	app.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f384ded729fd7bf92383bf1ee12b4e3da92fbb01ef0e9d84bf439ba70525210d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	svchost.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
1116	app.exe
1116	app.exe
1116	app.exe
1116	app.exe
232	svchost.exe
232	svchost.exe
232	svchost.exe
232	svchost.exe
232	svchost.exe
232	svchost.exe
232	svchost.exe
232	svchost.exe
232	svchost.exe
232	svchost.exe
232	svchost.exe
232	svchost.exe
232	svchost.exe
232	svchost.exe
232	svchost.exe
232	svchost.exe
232	svchost.exe
232	svchost.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
1116	app.exe
1116	app.exe
1116	app.exe
232	svchost.exe
232	svchost.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1900	f384ded729fd7bf92383bf1ee12b4e3da92fbb01ef0e9d84bf439ba70525210d.exe
Token: SeDebugPrivilege	2152	app.exe
Token: SeDebugPrivilege	1116	app.exe
Token: SeDebugPrivilege	232	svchost.exe
Token: SeShutdownPrivilege	3552	Explorer.EXE
Token: SeCreatePagefilePrivilege	3552	Explorer.EXE
Token: SeShutdownPrivilege	3552	Explorer.EXE
Token: SeCreatePagefilePrivilege	3552	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3552	Explorer.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 2452	1900	f384ded729fd7bf92383bf1ee12b4e3da92fbb01ef0e9d84bf439ba70525210d.exe	97
PID 1900 wrote to memory of 2452	1900	f384ded729fd7bf92383bf1ee12b4e3da92fbb01ef0e9d84bf439ba70525210d.exe	97
PID 1900 wrote to memory of 2452	1900	f384ded729fd7bf92383bf1ee12b4e3da92fbb01ef0e9d84bf439ba70525210d.exe	97
PID 1900 wrote to memory of 2400	1900	f384ded729fd7bf92383bf1ee12b4e3da92fbb01ef0e9d84bf439ba70525210d.exe	102
PID 1900 wrote to memory of 2400	1900	f384ded729fd7bf92383bf1ee12b4e3da92fbb01ef0e9d84bf439ba70525210d.exe	102
PID 1900 wrote to memory of 2400	1900	f384ded729fd7bf92383bf1ee12b4e3da92fbb01ef0e9d84bf439ba70525210d.exe	102
PID 3616 wrote to memory of 2152	3616	explorer.exe	104
PID 3616 wrote to memory of 2152	3616	explorer.exe	104
PID 3616 wrote to memory of 2152	3616	explorer.exe	104
PID 2152 wrote to memory of 1116	2152	app.exe	107
PID 2152 wrote to memory of 1116	2152	app.exe	107
PID 2152 wrote to memory of 1116	2152	app.exe	107
PID 2152 wrote to memory of 1116	2152	app.exe	107
PID 2152 wrote to memory of 1116	2152	app.exe	107
PID 2152 wrote to memory of 1116	2152	app.exe	107
PID 3552 wrote to memory of 232	3552	Explorer.EXE	108
PID 3552 wrote to memory of 232	3552	Explorer.EXE	108
PID 3552 wrote to memory of 232	3552	Explorer.EXE	108
PID 232 wrote to memory of 4236	232	svchost.exe	113
PID 232 wrote to memory of 4236	232	svchost.exe	113
PID 232 wrote to memory of 4236	232	svchost.exe	113
PID 232 wrote to memory of 4320	232	svchost.exe	118
PID 232 wrote to memory of 4320	232	svchost.exe	118
PID 232 wrote to memory of 4320	232	svchost.exe	118

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3552
- C:\Users\Admin\AppData\Local\Temp\f384ded729fd7bf92383bf1ee12b4e3da92fbb01ef0e9d84bf439ba70525210d.exe
  "C:\Users\Admin\AppData\Local\Temp\f384ded729fd7bf92383bf1ee12b4e3da92fbb01ef0e9d84bf439ba70525210d.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\f384ded729fd7bf92383bf1ee12b4e3da92fbb01ef0e9d84bf439ba70525210d.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\app.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2452
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\app.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2400
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\SysWOW64\svchost.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:232
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\app.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4236
- - C:\Windows\SysWOW64\cmd.exe
    /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4320

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:3616
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\app.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\app.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\app.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\app.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DB1

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\app.exe

Filesize
457KB

MD5
54ef2f2acdf62dfb40fc32aab1f46307

SHA1
3f3640685b7af5b52a13d49cfd1cf5364114e317

SHA256
f384ded729fd7bf92383bf1ee12b4e3da92fbb01ef0e9d84bf439ba70525210d

SHA512
3ee12f2d99ce1ce272f99b7e190694f52aaf68bb2267f53efb6073d79100a3d127ad841bd9324d675af527e06bb9c56218ff1e91dfb644af1d21042cf049ff03

Download Submit
memory/232-20-0x0000000000350000-0x000000000035E000-memory.dmp

Filesize
56KB

Download
memory/232-19-0x0000000000350000-0x000000000035E000-memory.dmp

Filesize
56KB

Download
memory/1116-15-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1900-4-0x0000000074B40000-0x00000000752F0000-memory.dmp

Filesize
7.7MB

Download
memory/1900-6-0x0000000074B4E000-0x0000000074B4F000-memory.dmp

Filesize
4KB

Download
memory/1900-7-0x0000000074B40000-0x00000000752F0000-memory.dmp

Filesize
7.7MB

Download
memory/1900-11-0x0000000074B40000-0x00000000752F0000-memory.dmp

Filesize
7.7MB

Download
memory/1900-5-0x00000000053F0000-0x0000000005410000-memory.dmp

Filesize
128KB

Download
memory/1900-0-0x0000000074B4E000-0x0000000074B4F000-memory.dmp

Filesize
4KB

Download
memory/1900-3-0x0000000005350000-0x00000000053E2000-memory.dmp

Filesize
584KB

Download
memory/1900-2-0x00000000059D0000-0x0000000005F74000-memory.dmp

Filesize
5.6MB

Download
memory/1900-1-0x00000000008F0000-0x0000000000968000-memory.dmp

Filesize
480KB

Download
memory/2152-14-0x0000000006400000-0x000000000649C000-memory.dmp

Filesize
624KB

Download
memory/3552-23-0x0000000002FA0000-0x000000000309D000-memory.dmp

Filesize
1012KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads