formbook | 0a987a6654848f2f63a61c24995f9b930024af52816338bac970dcfa12ab9c0b

General

Target

0c39e0b72a86f6f3b7ce6518ac63d600N.exe
Size

1.1MB
MD5

0c39e0b72a86f6f3b7ce6518ac63d600
SHA1

3b508a4bbed426e6da1eb4bf13cafc1a0638c8cd
SHA256

0a987a6654848f2f63a61c24995f9b930024af52816338bac970dcfa12ab9c0b
SHA512

01e7bf53e848b7b7a6c478f2fde684694efb509b371128dce4d1ba5737302025a289ec1e863dbb63a94db8d08cae8cafd315714847fd6b3e3dabd3d8918c4e1f
SSDEEP

24576:OqDEvCTbMWu7rQYlBQcBiT6rprG8a9Qz7cafsElU:OTvC/MTQYxsWR7a9u74

Score

10^/10

formbook dz16 discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dz16

Decoy

gravechill.com

goniu-6520.cyou

qbwlszmf.xyz

computingthecosmos.com

m327841.com

socradex.com

outsidewallornaments.com

emadkasndfg.top

khaleejmed.online

awaz.shop

sunkar.capital

unlimited-merch.com

deboenterprise.net

darma88win.shop

593785.com

flyingcakecompany.com

toyorgga.shop

vyrqjrwh.xyz

window-replacement-26046.bond

marucoin.live

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/2328-30-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2328-33-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2328-37-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/1512-45-0x00000000009C0000-0x00000000009EF000-memory.dmp	formbook

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs	name.exe

Executes dropped EXE 1 IoCs

pid	Process
244	name.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0002000000022a83-14.dat	autoit_exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 244 set thread context of 2328	244	name.exe	90
PID 2328 set thread context of 3432	2328	svchost.exe	56
PID 2328 set thread context of 3432	2328	svchost.exe	56
PID 1512 set thread context of 3432	1512	netsh.exe	56

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0c39e0b72a86f6f3b7ce6518ac63d600N.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
1512	netsh.exe
1512	netsh.exe
1512	netsh.exe
1512	netsh.exe
1512	netsh.exe
1512	netsh.exe
1512	netsh.exe
1512	netsh.exe
1512	netsh.exe
1512	netsh.exe
1512	netsh.exe
1512	netsh.exe
1512	netsh.exe
1512	netsh.exe
1512	netsh.exe
1512	netsh.exe
1512	netsh.exe
1512	netsh.exe
1512	netsh.exe
1512	netsh.exe
1512	netsh.exe
1512	netsh.exe
1512	netsh.exe
1512	netsh.exe
1512	netsh.exe
1512	netsh.exe
1512	netsh.exe
1512	netsh.exe
1512	netsh.exe
1512	netsh.exe
1512	netsh.exe
1512	netsh.exe
1512	netsh.exe
1512	netsh.exe
1512	netsh.exe
1512	netsh.exe
1512	netsh.exe
1512	netsh.exe
1512	netsh.exe
1512	netsh.exe
1512	netsh.exe
1512	netsh.exe

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
244	name.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
2328	svchost.exe
1512	netsh.exe
1512	netsh.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2328	svchost.exe
Token: SeDebugPrivilege	1512	netsh.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2844	0c39e0b72a86f6f3b7ce6518ac63d600N.exe
2844	0c39e0b72a86f6f3b7ce6518ac63d600N.exe
244	name.exe
244	name.exe
3432	Explorer.EXE
3432	Explorer.EXE

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2844	0c39e0b72a86f6f3b7ce6518ac63d600N.exe
2844	0c39e0b72a86f6f3b7ce6518ac63d600N.exe
244	name.exe
244	name.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3432	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 244	2844	0c39e0b72a86f6f3b7ce6518ac63d600N.exe	88
PID 2844 wrote to memory of 244	2844	0c39e0b72a86f6f3b7ce6518ac63d600N.exe	88
PID 2844 wrote to memory of 244	2844	0c39e0b72a86f6f3b7ce6518ac63d600N.exe	88
PID 244 wrote to memory of 2328	244	name.exe	90
PID 244 wrote to memory of 2328	244	name.exe	90
PID 244 wrote to memory of 2328	244	name.exe	90
PID 244 wrote to memory of 2328	244	name.exe	90
PID 3432 wrote to memory of 1512	3432	Explorer.EXE	96
PID 3432 wrote to memory of 1512	3432	Explorer.EXE	96
PID 3432 wrote to memory of 1512	3432	Explorer.EXE	96
PID 1512 wrote to memory of 2736	1512	netsh.exe	99
PID 1512 wrote to memory of 2736	1512	netsh.exe	99
PID 1512 wrote to memory of 2736	1512	netsh.exe	99

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3432
- C:\Users\Admin\AppData\Local\Temp\0c39e0b72a86f6f3b7ce6518ac63d600N.exe
  "C:\Users\Admin\AppData\Local\Temp\0c39e0b72a86f6f3b7ce6518ac63d600N.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Users\Admin\AppData\Local\directory\name.exe
    "C:\Users\Admin\AppData\Local\Temp\0c39e0b72a86f6f3b7ce6518ac63d600N.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:244
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\0c39e0b72a86f6f3b7ce6518ac63d600N.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2328
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\SysWOW64\netsh.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\SysWOW64\svchost.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\maneuverability

Filesize
28KB

MD5
6663429ff35b48e08618bd08ae5c2f6a

SHA1
8021404436a51765d3f7f7496d68af1c3298ad68

SHA256
54373bed695488afae3397f2381a9fe2889d15806d91c437baa19b96333c8e18

SHA512
aacf8fb204b26a37201587253469552edd50b3e8223d9323c2a907ecae7ba16c25221d7ca5821592010601bbd9d795ded44e61937c52317f591d8aeec3221bfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\slashing

Filesize
185KB

MD5
ce977e72aae5f0be63ea5b1b70ab193c

SHA1
d5f2eb0609cef06364814204453ecff4cc63b312

SHA256
447a0e30787f78a660207f0fe3f6b12e23332380660ab03cbd42aafd7f2587cb

SHA512
7f6c2454b10007eac4422b0492a2f0d9fd432354b113ae4bd16bddd6e893fa68c93fa44159b98b7f910eb5b964122a6b65416852cd68ed680fa4b9286f243c21

Download Submit
C:\Users\Admin\AppData\Local\directory\name.exe

Filesize
1.1MB

MD5
0c39e0b72a86f6f3b7ce6518ac63d600

SHA1
3b508a4bbed426e6da1eb4bf13cafc1a0638c8cd

SHA256
0a987a6654848f2f63a61c24995f9b930024af52816338bac970dcfa12ab9c0b

SHA512
01e7bf53e848b7b7a6c478f2fde684694efb509b371128dce4d1ba5737302025a289ec1e863dbb63a94db8d08cae8cafd315714847fd6b3e3dabd3d8918c4e1f

Download Submit
memory/1512-41-0x0000000001290000-0x00000000012AE000-memory.dmp

Filesize
120KB

Download
memory/1512-43-0x0000000001290000-0x00000000012AE000-memory.dmp

Filesize
120KB

Download
memory/1512-45-0x00000000009C0000-0x00000000009EF000-memory.dmp

Filesize
188KB

Download
memory/2328-34-0x0000000001830000-0x0000000001844000-memory.dmp

Filesize
80KB

Download
memory/2328-33-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2328-31-0x0000000001400000-0x000000000174A000-memory.dmp

Filesize
3.3MB

Download
memory/2328-38-0x0000000003160000-0x0000000003174000-memory.dmp

Filesize
80KB

Download
memory/2328-37-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2328-30-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2844-11-0x0000000002980000-0x0000000002984000-memory.dmp

Filesize
16KB

Download
memory/3432-39-0x00000000089E0000-0x0000000008AE7000-memory.dmp

Filesize
1.0MB

Download
memory/3432-40-0x0000000008800000-0x00000000088B4000-memory.dmp

Filesize
720KB

Download
memory/3432-44-0x00000000089E0000-0x0000000008AE7000-memory.dmp

Filesize
1.0MB

Download
memory/3432-35-0x0000000008800000-0x00000000088B4000-memory.dmp

Filesize
720KB

Download
memory/3432-48-0x0000000008E70000-0x0000000008FA2000-memory.dmp

Filesize
1.2MB

Download
memory/3432-49-0x0000000008E70000-0x0000000008FA2000-memory.dmp

Filesize
1.2MB

Download
memory/3432-51-0x0000000008E70000-0x0000000008FA2000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing