formbook | 0494f0bd0225edd027f43a581e4504d0b73fadac437c809dce717c0d159cf1e8

General

Target

New Sample.exe
Size

750KB
MD5

b3c5debaee5fc3162ebe21ff4348ba10
SHA1

11f4c3c6dbb5cbe09d150acfad464f00ef2fc5f8
SHA256

0494f0bd0225edd027f43a581e4504d0b73fadac437c809dce717c0d159cf1e8
SHA512

cd104a78378581b9e9d9fad9618fe212febf62097cb134cef8b4dbf980065c389e67218ac7c2f78a88aa6eea249a4d0db7651bb9b9db09c29afc248c2c6c94e9
SSDEEP

12288:6umEhatVMuUcAzRpYooXxSBj3mnkvoBAllR7YMpv3dFcUH:UEKTIpYt03HvomfR7YqtS

Score

10^/10

formbook ga06 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ga06

Decoy

y1rmgv9c.top

orlifebasma.online

ocxxcakkejka.online

ealthcaretrendstr.bond

quitemtudo.online

oeziad.net

afelajuzq.shop

andasia.net

4web.info

acingdreams.xyz

fcpc.sbs

pin238rtp.lol

olar-systems-panels-91358.bond

ovember222.vip

01639.xyz

xfundz.top

illsol.top

rerise.shop

eavenlavvi.net

rtificial-turf23.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/2344-13-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2344-18-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2344-24-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2768-26-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2788	powershell.exe

Deletes itself 1 IoCs

pid	Process
2644	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2372 set thread context of 2344	2372	New Sample.exe	31
PID 2344 set thread context of 1124	2344	New Sample.exe	20
PID 2344 set thread context of 1124	2344	New Sample.exe	20
PID 2768 set thread context of 1124	2768	cmd.exe	20

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	New Sample.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2344	New Sample.exe
2344	New Sample.exe
2788	powershell.exe
2344	New Sample.exe
2768	cmd.exe
2768	cmd.exe
2768	cmd.exe
2768	cmd.exe
2768	cmd.exe
2768	cmd.exe
2768	cmd.exe
2768	cmd.exe
2768	cmd.exe
2768	cmd.exe
2768	cmd.exe
2768	cmd.exe
2768	cmd.exe
2768	cmd.exe
2768	cmd.exe
2768	cmd.exe
2768	cmd.exe
2768	cmd.exe
2768	cmd.exe
2768	cmd.exe
2768	cmd.exe
2768	cmd.exe
2768	cmd.exe
2768	cmd.exe
2768	cmd.exe
2768	cmd.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2344	New Sample.exe
2344	New Sample.exe
2344	New Sample.exe
2344	New Sample.exe
2768	cmd.exe
2768	cmd.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2344	New Sample.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	2768	cmd.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2788	2372	New Sample.exe	30
PID 2372 wrote to memory of 2788	2372	New Sample.exe	30
PID 2372 wrote to memory of 2788	2372	New Sample.exe	30
PID 2372 wrote to memory of 2788	2372	New Sample.exe	30
PID 2372 wrote to memory of 2344	2372	New Sample.exe	31
PID 2372 wrote to memory of 2344	2372	New Sample.exe	31
PID 2372 wrote to memory of 2344	2372	New Sample.exe	31
PID 2372 wrote to memory of 2344	2372	New Sample.exe	31
PID 2372 wrote to memory of 2344	2372	New Sample.exe	31
PID 2372 wrote to memory of 2344	2372	New Sample.exe	31
PID 2372 wrote to memory of 2344	2372	New Sample.exe	31
PID 1124 wrote to memory of 2768	1124	Explorer.EXE	34
PID 1124 wrote to memory of 2768	1124	Explorer.EXE	34
PID 1124 wrote to memory of 2768	1124	Explorer.EXE	34
PID 1124 wrote to memory of 2768	1124	Explorer.EXE	34
PID 2768 wrote to memory of 2644	2768	cmd.exe	35
PID 2768 wrote to memory of 2644	2768	cmd.exe	35
PID 2768 wrote to memory of 2644	2768	cmd.exe	35
PID 2768 wrote to memory of 2644	2768	cmd.exe	35

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1124
- C:\Users\Admin\AppData\Local\Temp\New Sample.exe
  "C:\Users\Admin\AppData\Local\Temp\New Sample.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\New Sample.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2788
- - C:\Users\Admin\AppData\Local\Temp\New Sample.exe
    "C:\Users\Admin\AppData\Local\Temp\New Sample.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2344
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\SysWOW64\cmd.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\New Sample.exe"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1124-17-0x0000000006320000-0x0000000006405000-memory.dmp

Filesize
916KB

Download
memory/2344-9-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2344-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2344-15-0x00000000008B0000-0x0000000000BB3000-memory.dmp

Filesize
3.0MB

Download
memory/2344-16-0x00000000001D0000-0x00000000001E4000-memory.dmp

Filesize
80KB

Download
memory/2344-18-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2344-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2344-13-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2344-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2372-4-0x000000007494E000-0x000000007494F000-memory.dmp

Filesize
4KB

Download
memory/2372-6-0x0000000004D90000-0x0000000004E06000-memory.dmp

Filesize
472KB

Download
memory/2372-5-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/2372-19-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/2372-0-0x000000007494E000-0x000000007494F000-memory.dmp

Filesize
4KB

Download
memory/2372-3-0x0000000000650000-0x0000000000668000-memory.dmp

Filesize
96KB

Download
memory/2372-2-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/2372-1-0x0000000001060000-0x0000000001122000-memory.dmp

Filesize
776KB

Download
memory/2768-25-0x000000004AB70000-0x000000004ABBC000-memory.dmp

Filesize
304KB

Download
memory/2768-26-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing