formbook | 5cc57d4f96ab5a09197abb5d73e10104e0343cabbe3073ed640299b6b9c7e6ee

General

Target

5cc57d4f96ab5a09197abb5d73e10104e0343cabbe3073ed640299b6b9c7e6ee.exe
Size

707KB
MD5

059cd028f0855871593e963697a27783
SHA1

7f7cc06bc0e50e62b08f05e73766d16cc8ce6996
SHA256

5cc57d4f96ab5a09197abb5d73e10104e0343cabbe3073ed640299b6b9c7e6ee
SHA512

0ac33853bc0bab21c54fb9180c0e0ef0fbabb6db0bbe19b286667f93ba03f2a4e2ef9ca524c33da2fd9995ef1ea69ffff93e423abd340a69df59ac2a4d9417b3
SSDEEP

12288:FPIbw8eG5KB21407XO6mfhk3EfJbFZEHkRO6i8kzXqJFTPXWBJG5vaQAyP:qbw8eG56214WYHEHY18zXqToS

Score

10^/10

formbook mo9n discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mo9n

Decoy

circuit-town.com

stock-high.xyz

barlindelivery.com

littletoucans.com

bright-tailor.com

firsthandcares.com

ecompropeller.com

circuitoalberghiero.net

creative-egyptps.com

bitracks56.com

douhonghong.com

fingertipcollection.com

happy-bihada.space

blockchainairdropreward.com

xn--reljame-jwa.com

polloycarnesdelivery.com

d22.group

eslamshahrservice.com

vanzing.com

juzide.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4616-13-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

5cc57d4f96ab5a09197abb5d73e10104e0343cabbe3073ed640299b6b9c7e6ee.exe

description	pid	process	target process
PID 640 set thread context of 4616	640	5cc57d4f96ab5a09197abb5d73e10104e0343cabbe3073ed640299b6b9c7e6ee.exe	5cc57d4f96ab5a09197abb5d73e10104e0343cabbe3073ed640299b6b9c7e6ee.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

5cc57d4f96ab5a09197abb5d73e10104e0343cabbe3073ed640299b6b9c7e6ee.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5cc57d4f96ab5a09197abb5d73e10104e0343cabbe3073ed640299b6b9c7e6ee.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

5cc57d4f96ab5a09197abb5d73e10104e0343cabbe3073ed640299b6b9c7e6ee.exe

pid	process
4616	5cc57d4f96ab5a09197abb5d73e10104e0343cabbe3073ed640299b6b9c7e6ee.exe
4616	5cc57d4f96ab5a09197abb5d73e10104e0343cabbe3073ed640299b6b9c7e6ee.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

5cc57d4f96ab5a09197abb5d73e10104e0343cabbe3073ed640299b6b9c7e6ee.exe

description	pid	process	target process
PID 640 wrote to memory of 4616	640	5cc57d4f96ab5a09197abb5d73e10104e0343cabbe3073ed640299b6b9c7e6ee.exe	5cc57d4f96ab5a09197abb5d73e10104e0343cabbe3073ed640299b6b9c7e6ee.exe
PID 640 wrote to memory of 4616	640	5cc57d4f96ab5a09197abb5d73e10104e0343cabbe3073ed640299b6b9c7e6ee.exe	5cc57d4f96ab5a09197abb5d73e10104e0343cabbe3073ed640299b6b9c7e6ee.exe
PID 640 wrote to memory of 4616	640	5cc57d4f96ab5a09197abb5d73e10104e0343cabbe3073ed640299b6b9c7e6ee.exe	5cc57d4f96ab5a09197abb5d73e10104e0343cabbe3073ed640299b6b9c7e6ee.exe
PID 640 wrote to memory of 4616	640	5cc57d4f96ab5a09197abb5d73e10104e0343cabbe3073ed640299b6b9c7e6ee.exe	5cc57d4f96ab5a09197abb5d73e10104e0343cabbe3073ed640299b6b9c7e6ee.exe
PID 640 wrote to memory of 4616	640	5cc57d4f96ab5a09197abb5d73e10104e0343cabbe3073ed640299b6b9c7e6ee.exe	5cc57d4f96ab5a09197abb5d73e10104e0343cabbe3073ed640299b6b9c7e6ee.exe
PID 640 wrote to memory of 4616	640	5cc57d4f96ab5a09197abb5d73e10104e0343cabbe3073ed640299b6b9c7e6ee.exe	5cc57d4f96ab5a09197abb5d73e10104e0343cabbe3073ed640299b6b9c7e6ee.exe

C:\Users\Admin\AppData\Local\Temp\5cc57d4f96ab5a09197abb5d73e10104e0343cabbe3073ed640299b6b9c7e6ee.exe
"C:\Users\Admin\AppData\Local\Temp\5cc57d4f96ab5a09197abb5d73e10104e0343cabbe3073ed640299b6b9c7e6ee.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:640
- C:\Users\Admin\AppData\Local\Temp\5cc57d4f96ab5a09197abb5d73e10104e0343cabbe3073ed640299b6b9c7e6ee.exe
  "{path}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/640-8-0x0000000002D70000-0x0000000002D84000-memory.dmp

Filesize
80KB

Download
memory/640-4-0x0000000007930000-0x00000000079C2000-memory.dmp

Filesize
584KB

Download
memory/640-0-0x000000007527E000-0x000000007527F000-memory.dmp

Filesize
4KB

Download
memory/640-3-0x0000000007E40000-0x00000000083E4000-memory.dmp

Filesize
5.6MB

Download
memory/640-9-0x000000007527E000-0x000000007527F000-memory.dmp

Filesize
4KB

Download
memory/640-5-0x0000000002D30000-0x0000000002D3A000-memory.dmp

Filesize
40KB

Download
memory/640-6-0x0000000007AC0000-0x0000000007B16000-memory.dmp

Filesize
344KB

Download
memory/640-10-0x0000000075270000-0x0000000075A20000-memory.dmp

Filesize
7.7MB

Download
memory/640-2-0x00000000077F0000-0x000000000788C000-memory.dmp

Filesize
624KB

Download
memory/640-1-0x00000000008C0000-0x0000000000978000-memory.dmp

Filesize
736KB

Download
memory/640-7-0x0000000075270000-0x0000000075A20000-memory.dmp

Filesize
7.7MB

Download
memory/640-11-0x0000000008750000-0x00000000087D8000-memory.dmp

Filesize
544KB

Download
memory/640-12-0x0000000007E00000-0x0000000007E34000-memory.dmp

Filesize
208KB

Download
memory/640-15-0x0000000075270000-0x0000000075A20000-memory.dmp

Filesize
7.7MB

Download
memory/4616-13-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4616-16-0x0000000001790000-0x0000000001ADA000-memory.dmp

Filesize
3.3MB

Download
memory/4616-17-0x0000000001790000-0x0000000001ADA000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads