formbook | 0a987a6654848f2f63a61c24995f9b930024af52816338bac970dcfa12ab9c0b

General

Target

0c39e0b72a86f6f3b7ce6518ac63d600N.exe
Size

1.1MB
MD5

0c39e0b72a86f6f3b7ce6518ac63d600
SHA1

3b508a4bbed426e6da1eb4bf13cafc1a0638c8cd
SHA256

0a987a6654848f2f63a61c24995f9b930024af52816338bac970dcfa12ab9c0b
SHA512

01e7bf53e848b7b7a6c478f2fde684694efb509b371128dce4d1ba5737302025a289ec1e863dbb63a94db8d08cae8cafd315714847fd6b3e3dabd3d8918c4e1f
SSDEEP

24576:OqDEvCTbMWu7rQYlBQcBiT6rprG8a9Qz7cafsElU:OTvC/MTQYxsWR7a9u74

Score

10^/10

formbook dz16 discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dz16

Decoy

gravechill.com

goniu-6520.cyou

qbwlszmf.xyz

computingthecosmos.com

m327841.com

socradex.com

outsidewallornaments.com

emadkasndfg.top

khaleejmed.online

awaz.shop

sunkar.capital

unlimited-merch.com

deboenterprise.net

darma88win.shop

593785.com

flyingcakecompany.com

toyorgga.shop

vyrqjrwh.xyz

window-replacement-26046.bond

marucoin.live

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/2528-32-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2528-34-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2844-40-0x0000000000070000-0x000000000009F000-memory.dmp	formbook

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs	name.exe

Executes dropped EXE 1 IoCs

pid	Process
2624	name.exe

Loads dropped DLL 1 IoCs

pid	Process
2724	0c39e0b72a86f6f3b7ce6518ac63d600N.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x00050000000186bd-13.dat	autoit_exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2624 set thread context of 2528	2624	name.exe	31
PID 2528 set thread context of 1228	2528	svchost.exe	21
PID 2844 set thread context of 1228	2844	wscript.exe	21

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0c39e0b72a86f6f3b7ce6518ac63d600N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2528	svchost.exe
2528	svchost.exe
2844	wscript.exe
2844	wscript.exe
2844	wscript.exe
2844	wscript.exe
2844	wscript.exe
2844	wscript.exe
2844	wscript.exe
2844	wscript.exe
2844	wscript.exe
2844	wscript.exe
2844	wscript.exe
2844	wscript.exe
2844	wscript.exe
2844	wscript.exe
2844	wscript.exe
2844	wscript.exe
2844	wscript.exe
2844	wscript.exe
2844	wscript.exe
2844	wscript.exe
2844	wscript.exe
2844	wscript.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2624	name.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2844	wscript.exe
2844	wscript.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2528	svchost.exe
Token: SeDebugPrivilege	2844	wscript.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2724	0c39e0b72a86f6f3b7ce6518ac63d600N.exe
2724	0c39e0b72a86f6f3b7ce6518ac63d600N.exe
2624	name.exe
2624	name.exe
1228	Explorer.EXE
1228	Explorer.EXE

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2724	0c39e0b72a86f6f3b7ce6518ac63d600N.exe
2724	0c39e0b72a86f6f3b7ce6518ac63d600N.exe
2624	name.exe
2624	name.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 2624	2724	0c39e0b72a86f6f3b7ce6518ac63d600N.exe	30
PID 2724 wrote to memory of 2624	2724	0c39e0b72a86f6f3b7ce6518ac63d600N.exe	30
PID 2724 wrote to memory of 2624	2724	0c39e0b72a86f6f3b7ce6518ac63d600N.exe	30
PID 2724 wrote to memory of 2624	2724	0c39e0b72a86f6f3b7ce6518ac63d600N.exe	30
PID 2624 wrote to memory of 2528	2624	name.exe	31
PID 2624 wrote to memory of 2528	2624	name.exe	31
PID 2624 wrote to memory of 2528	2624	name.exe	31
PID 2624 wrote to memory of 2528	2624	name.exe	31
PID 2624 wrote to memory of 2528	2624	name.exe	31
PID 1228 wrote to memory of 2844	1228	Explorer.EXE	32
PID 1228 wrote to memory of 2844	1228	Explorer.EXE	32
PID 1228 wrote to memory of 2844	1228	Explorer.EXE	32
PID 1228 wrote to memory of 2844	1228	Explorer.EXE	32
PID 2844 wrote to memory of 2604	2844	wscript.exe	33
PID 2844 wrote to memory of 2604	2844	wscript.exe	33
PID 2844 wrote to memory of 2604	2844	wscript.exe	33
PID 2844 wrote to memory of 2604	2844	wscript.exe	33

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Users\Admin\AppData\Local\Temp\0c39e0b72a86f6f3b7ce6518ac63d600N.exe
  "C:\Users\Admin\AppData\Local\Temp\0c39e0b72a86f6f3b7ce6518ac63d600N.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Users\Admin\AppData\Local\directory\name.exe
    "C:\Users\Admin\AppData\Local\Temp\0c39e0b72a86f6f3b7ce6518ac63d600N.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\0c39e0b72a86f6f3b7ce6518ac63d600N.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2528
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\SysWOW64\wscript.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\SysWOW64\svchost.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\maneuverability

Filesize
28KB

MD5
6663429ff35b48e08618bd08ae5c2f6a

SHA1
8021404436a51765d3f7f7496d68af1c3298ad68

SHA256
54373bed695488afae3397f2381a9fe2889d15806d91c437baa19b96333c8e18

SHA512
aacf8fb204b26a37201587253469552edd50b3e8223d9323c2a907ecae7ba16c25221d7ca5821592010601bbd9d795ded44e61937c52317f591d8aeec3221bfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\slashing

Filesize
185KB

MD5
ce977e72aae5f0be63ea5b1b70ab193c

SHA1
d5f2eb0609cef06364814204453ecff4cc63b312

SHA256
447a0e30787f78a660207f0fe3f6b12e23332380660ab03cbd42aafd7f2587cb

SHA512
7f6c2454b10007eac4422b0492a2f0d9fd432354b113ae4bd16bddd6e893fa68c93fa44159b98b7f910eb5b964122a6b65416852cd68ed680fa4b9286f243c21

Download Submit
\Users\Admin\AppData\Local\directory\name.exe

Filesize
1.1MB

MD5
0c39e0b72a86f6f3b7ce6518ac63d600

SHA1
3b508a4bbed426e6da1eb4bf13cafc1a0638c8cd

SHA256
0a987a6654848f2f63a61c24995f9b930024af52816338bac970dcfa12ab9c0b

SHA512
01e7bf53e848b7b7a6c478f2fde684694efb509b371128dce4d1ba5737302025a289ec1e863dbb63a94db8d08cae8cafd315714847fd6b3e3dabd3d8918c4e1f

Download Submit
memory/1228-35-0x0000000006B50000-0x0000000006C81000-memory.dmp

Filesize
1.2MB

Download
memory/1228-41-0x0000000006B50000-0x0000000006C81000-memory.dmp

Filesize
1.2MB

Download
memory/1228-46-0x0000000006D30000-0x0000000006E2A000-memory.dmp

Filesize
1000KB

Download
memory/1228-47-0x0000000006D30000-0x0000000006E2A000-memory.dmp

Filesize
1000KB

Download
memory/1228-49-0x0000000006D30000-0x0000000006E2A000-memory.dmp

Filesize
1000KB

Download
memory/2528-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2528-34-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2724-11-0x0000000000120000-0x0000000000124000-memory.dmp

Filesize
16KB

Download
memory/2844-39-0x0000000000640000-0x0000000000666000-memory.dmp

Filesize
152KB

Download
memory/2844-38-0x0000000000640000-0x0000000000666000-memory.dmp

Filesize
152KB

Download
memory/2844-40-0x0000000000070000-0x000000000009F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing