formbook | 8a91c4bf99a674909e6993d52e061547517056d36f9b8e828a9148eb412ffa73

General

Target

8a91c4bf99a674909e6993d52e061547517056d36f9b8e828a9148eb412ffa73.exe
Size

1.1MB
MD5

1b597c240cd23fda73024ed811e4a906
SHA1

f773bdd6e924b65284d8a9ef67f61615a9764a8e
SHA256

8a91c4bf99a674909e6993d52e061547517056d36f9b8e828a9148eb412ffa73
SHA512

d1f00b959befd0c8f91587311d715508c45fb279e661f4ffacb5e3e5f0f19e4151f6baa35ff49fc5d7afe5bb0b09d96346da5d7b0324ee85edb4885ce07f07dc
SSDEEP

24576:Etb20pkaCqT5TBWgNQ7aXe1SQkPXr8mzcLk6A:tVg5tQ7aXe1bkPXAmzcY5

Score

10^/10

formbook f29s discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

f29s

Decoy

rostnixon.net

exxxwordz.xyz

ndradesanches.shop

eneral-vceef.xyz

isanbowl.top

aresrasherregard.cfd

dzas-yeah.xyz

0083.miami

hongziyin01.top

jdhfmq.live

alembottling.net

vtyo-phone.xyz

kaqb-decade.xyz

odel-lsmfz.xyz

aradise.tech

uan123-rtp43.xyz

pusptracking.xyz

uqhi42.xyz

mihy-professor.xyz

mnz-your.xyz

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2660-26-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2660-22-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2660-30-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/3032-36-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Drops startup file 1 IoCs

Processes:

Dunlop.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dunlop.vbs Dunlop.exe
Executes dropped EXE 1 IoCs

Processes:

Dunlop.exe

pid process

2756 Dunlop.exe
Loads dropped DLL 1 IoCs

Processes:

8a91c4bf99a674909e6993d52e061547517056d36f9b8e828a9148eb412ffa73.exe

pid process

2124 8a91c4bf99a674909e6993d52e061547517056d36f9b8e828a9148eb412ffa73.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dunlop.vbs	Dunlop.exe

pid	process
2756	Dunlop.exe

pid	process
2124	8a91c4bf99a674909e6993d52e061547517056d36f9b8e828a9148eb412ffa73.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Thebesian\Dunlop.exe	autoit_exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

Dunlop.exesvchost.exenetsh.exe

description	pid	process	target process
PID 2756 set thread context of 2660	2756	Dunlop.exe	svchost.exe
PID 2660 set thread context of 1188	2660	svchost.exe	Explorer.EXE
PID 2660 set thread context of 1188	2660	svchost.exe	Explorer.EXE
PID 3032 set thread context of 1188	3032	netsh.exe	Explorer.EXE

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

8a91c4bf99a674909e6993d52e061547517056d36f9b8e828a9148eb412ffa73.exeDunlop.exenetsh.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8a91c4bf99a674909e6993d52e061547517056d36f9b8e828a9148eb412ffa73.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dunlop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

svchost.exenetsh.exe

pid	process
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
3032	netsh.exe
3032	netsh.exe
3032	netsh.exe
3032	netsh.exe
3032	netsh.exe
3032	netsh.exe
3032	netsh.exe
3032	netsh.exe
3032	netsh.exe
3032	netsh.exe
3032	netsh.exe
3032	netsh.exe
3032	netsh.exe
3032	netsh.exe
3032	netsh.exe
3032	netsh.exe
3032	netsh.exe
3032	netsh.exe
3032	netsh.exe
3032	netsh.exe
3032	netsh.exe
3032	netsh.exe
3032	netsh.exe
3032	netsh.exe
3032	netsh.exe
3032	netsh.exe
3032	netsh.exe
3032	netsh.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

Dunlop.exesvchost.exenetsh.exe

pid process

2756 Dunlop.exe
2660 svchost.exe
2660 svchost.exe
2660 svchost.exe
2660 svchost.exe
3032 netsh.exe
3032 netsh.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

svchost.exenetsh.exe

description pid process

Token: SeDebugPrivilege 2660 svchost.exe
Token: SeDebugPrivilege 3032 netsh.exe

pid	process
2756	Dunlop.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
2660	svchost.exe
3032	netsh.exe
3032	netsh.exe

description	pid	process
Token: SeDebugPrivilege	2660	svchost.exe
Token: SeDebugPrivilege	3032	netsh.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

8a91c4bf99a674909e6993d52e061547517056d36f9b8e828a9148eb412ffa73.exeDunlop.exeExplorer.EXEnetsh.exe

description	pid	process	target process
PID 2124 wrote to memory of 2756	2124	8a91c4bf99a674909e6993d52e061547517056d36f9b8e828a9148eb412ffa73.exe	Dunlop.exe
PID 2124 wrote to memory of 2756	2124	8a91c4bf99a674909e6993d52e061547517056d36f9b8e828a9148eb412ffa73.exe	Dunlop.exe
PID 2124 wrote to memory of 2756	2124	8a91c4bf99a674909e6993d52e061547517056d36f9b8e828a9148eb412ffa73.exe	Dunlop.exe
PID 2124 wrote to memory of 2756	2124	8a91c4bf99a674909e6993d52e061547517056d36f9b8e828a9148eb412ffa73.exe	Dunlop.exe
PID 2756 wrote to memory of 2660	2756	Dunlop.exe	svchost.exe
PID 2756 wrote to memory of 2660	2756	Dunlop.exe	svchost.exe
PID 2756 wrote to memory of 2660	2756	Dunlop.exe	svchost.exe
PID 2756 wrote to memory of 2660	2756	Dunlop.exe	svchost.exe
PID 2756 wrote to memory of 2660	2756	Dunlop.exe	svchost.exe
PID 1188 wrote to memory of 3032	1188	Explorer.EXE	netsh.exe
PID 1188 wrote to memory of 3032	1188	Explorer.EXE	netsh.exe
PID 1188 wrote to memory of 3032	1188	Explorer.EXE	netsh.exe
PID 1188 wrote to memory of 3032	1188	Explorer.EXE	netsh.exe
PID 3032 wrote to memory of 2764	3032	netsh.exe	cmd.exe
PID 3032 wrote to memory of 2764	3032	netsh.exe	cmd.exe
PID 3032 wrote to memory of 2764	3032	netsh.exe	cmd.exe
PID 3032 wrote to memory of 2764	3032	netsh.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Users\Admin\AppData\Local\Temp\8a91c4bf99a674909e6993d52e061547517056d36f9b8e828a9148eb412ffa73.exe
  "C:\Users\Admin\AppData\Local\Temp\8a91c4bf99a674909e6993d52e061547517056d36f9b8e828a9148eb412ffa73.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Users\Admin\AppData\Local\Thebesian\Dunlop.exe
    "C:\Users\Admin\AppData\Local\Temp\8a91c4bf99a674909e6993d52e061547517056d36f9b8e828a9148eb412ffa73.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\8a91c4bf99a674909e6993d52e061547517056d36f9b8e828a9148eb412ffa73.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2660
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\SysWOW64\netsh.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\SysWOW64\svchost.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nonagglutinant

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Thebesian\Dunlop.exe

Filesize
1.1MB

MD5
1b597c240cd23fda73024ed811e4a906

SHA1
f773bdd6e924b65284d8a9ef67f61615a9764a8e

SHA256
8a91c4bf99a674909e6993d52e061547517056d36f9b8e828a9148eb412ffa73

SHA512
d1f00b959befd0c8f91587311d715508c45fb279e661f4ffacb5e3e5f0f19e4151f6baa35ff49fc5d7afe5bb0b09d96346da5d7b0324ee85edb4885ce07f07dc

Download Submit
memory/1188-27-0x0000000003AC0000-0x0000000003BC0000-memory.dmp

Filesize
1024KB

Download
memory/1188-37-0x00000000050C0000-0x000000000521F000-memory.dmp

Filesize
1.4MB

Download
memory/1188-33-0x00000000050C0000-0x000000000521F000-memory.dmp

Filesize
1.4MB

Download
memory/1188-28-0x0000000004FB0000-0x00000000050B5000-memory.dmp

Filesize
1.0MB

Download
memory/1188-32-0x0000000004FB0000-0x00000000050B5000-memory.dmp

Filesize
1.0MB

Download
memory/2124-6-0x00000000005E0000-0x00000000009E0000-memory.dmp

Filesize
4.0MB

Download
memory/2660-24-0x00000000008D0000-0x0000000000BD3000-memory.dmp

Filesize
3.0MB

Download
memory/2660-22-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2660-25-0x0000000000210000-0x0000000000224000-memory.dmp

Filesize
80KB

Download
memory/2660-31-0x0000000000250000-0x0000000000264000-memory.dmp

Filesize
80KB

Download
memory/2660-30-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2660-26-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2756-20-0x0000000000B10000-0x0000000000F10000-memory.dmp

Filesize
4.0MB

Download
memory/3032-35-0x0000000001600000-0x000000000161B000-memory.dmp

Filesize
108KB

Download
memory/3032-34-0x0000000001600000-0x000000000161B000-memory.dmp

Filesize
108KB

Download
memory/3032-36-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads