formbook | 6be70aa8b9e4772894bb7a4e03551de79d442a0263d8b327eb8c22d00f2b3e9f

General

Target

6be70aa8b9e4772894bb7a4e03551de79d442a0263d8b327eb8c22d00f2b3e9f.exe
Size

655KB
MD5

b44db06ec43870ea515a278599d36a1e
SHA1

00f455fc5f8010b38e47384d9e70d037c780aa98
SHA256

6be70aa8b9e4772894bb7a4e03551de79d442a0263d8b327eb8c22d00f2b3e9f
SHA512

1ae166f1c25564321950ab6ec477b0e147c7c9c4da0ce373e74300d18633fea6a3fb07232a6973432f60acdd53ba18e27572bfa659078379a815f474c9a78644
SSDEEP

12288:gTKA5EajbKmxg2vBQHXbIDDzMrWXyZRVHPkNYf4ZAjcGJxaTOdWJIUuxbh:gTKA5EGISQ3b+DzMrXnVPk2f4Ajh3iJa

Score

10^/10

formbook h0gd discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

h0gd

Decoy

hispansud.com

sanslisin156.com

izmediajo.com

fukugyo-kuchicomi.net

zjzmkj.net

powerupinnovations.com

unigradecuracao.net

inspirasimagz.com

isaacnqwilliams.store

john316graphics.net

wcparadise.net

trejoblanco.com

100x100cultura.com

beedivinehomedecor.com

polant.xyz

ascrete.com

www23855.com

emmagx.com

rekotalent.biz

fersamultiservicios.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1896-10-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

6be70aa8b9e4772894bb7a4e03551de79d442a0263d8b327eb8c22d00f2b3e9f.exe

description	pid	process	target process
PID 2440 set thread context of 1896	2440	6be70aa8b9e4772894bb7a4e03551de79d442a0263d8b327eb8c22d00f2b3e9f.exe	6be70aa8b9e4772894bb7a4e03551de79d442a0263d8b327eb8c22d00f2b3e9f.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2948 1896 WerFault.exe 6be70aa8b9e4772894bb7a4e03551de79d442a0263d8b327eb8c22d00f2b3e9f.exe

pid	pid_target	process	target process
2948	1896	WerFault.exe	6be70aa8b9e4772894bb7a4e03551de79d442a0263d8b327eb8c22d00f2b3e9f.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

6be70aa8b9e4772894bb7a4e03551de79d442a0263d8b327eb8c22d00f2b3e9f.exe6be70aa8b9e4772894bb7a4e03551de79d442a0263d8b327eb8c22d00f2b3e9f.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6be70aa8b9e4772894bb7a4e03551de79d442a0263d8b327eb8c22d00f2b3e9f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6be70aa8b9e4772894bb7a4e03551de79d442a0263d8b327eb8c22d00f2b3e9f.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

6be70aa8b9e4772894bb7a4e03551de79d442a0263d8b327eb8c22d00f2b3e9f.exe6be70aa8b9e4772894bb7a4e03551de79d442a0263d8b327eb8c22d00f2b3e9f.exe

description	pid	process	target process
PID 2440 wrote to memory of 1896	2440	6be70aa8b9e4772894bb7a4e03551de79d442a0263d8b327eb8c22d00f2b3e9f.exe	6be70aa8b9e4772894bb7a4e03551de79d442a0263d8b327eb8c22d00f2b3e9f.exe
PID 2440 wrote to memory of 1896	2440	6be70aa8b9e4772894bb7a4e03551de79d442a0263d8b327eb8c22d00f2b3e9f.exe	6be70aa8b9e4772894bb7a4e03551de79d442a0263d8b327eb8c22d00f2b3e9f.exe
PID 2440 wrote to memory of 1896	2440	6be70aa8b9e4772894bb7a4e03551de79d442a0263d8b327eb8c22d00f2b3e9f.exe	6be70aa8b9e4772894bb7a4e03551de79d442a0263d8b327eb8c22d00f2b3e9f.exe
PID 2440 wrote to memory of 1896	2440	6be70aa8b9e4772894bb7a4e03551de79d442a0263d8b327eb8c22d00f2b3e9f.exe	6be70aa8b9e4772894bb7a4e03551de79d442a0263d8b327eb8c22d00f2b3e9f.exe
PID 2440 wrote to memory of 1896	2440	6be70aa8b9e4772894bb7a4e03551de79d442a0263d8b327eb8c22d00f2b3e9f.exe	6be70aa8b9e4772894bb7a4e03551de79d442a0263d8b327eb8c22d00f2b3e9f.exe
PID 2440 wrote to memory of 1896	2440	6be70aa8b9e4772894bb7a4e03551de79d442a0263d8b327eb8c22d00f2b3e9f.exe	6be70aa8b9e4772894bb7a4e03551de79d442a0263d8b327eb8c22d00f2b3e9f.exe
PID 2440 wrote to memory of 1896	2440	6be70aa8b9e4772894bb7a4e03551de79d442a0263d8b327eb8c22d00f2b3e9f.exe	6be70aa8b9e4772894bb7a4e03551de79d442a0263d8b327eb8c22d00f2b3e9f.exe
PID 1896 wrote to memory of 2948	1896	6be70aa8b9e4772894bb7a4e03551de79d442a0263d8b327eb8c22d00f2b3e9f.exe	WerFault.exe
PID 1896 wrote to memory of 2948	1896	6be70aa8b9e4772894bb7a4e03551de79d442a0263d8b327eb8c22d00f2b3e9f.exe	WerFault.exe
PID 1896 wrote to memory of 2948	1896	6be70aa8b9e4772894bb7a4e03551de79d442a0263d8b327eb8c22d00f2b3e9f.exe	WerFault.exe
PID 1896 wrote to memory of 2948	1896	6be70aa8b9e4772894bb7a4e03551de79d442a0263d8b327eb8c22d00f2b3e9f.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\6be70aa8b9e4772894bb7a4e03551de79d442a0263d8b327eb8c22d00f2b3e9f.exe
"C:\Users\Admin\AppData\Local\Temp\6be70aa8b9e4772894bb7a4e03551de79d442a0263d8b327eb8c22d00f2b3e9f.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Users\Admin\AppData\Local\Temp\6be70aa8b9e4772894bb7a4e03551de79d442a0263d8b327eb8c22d00f2b3e9f.exe
  "C:\Users\Admin\AppData\Local\Temp\6be70aa8b9e4772894bb7a4e03551de79d442a0263d8b327eb8c22d00f2b3e9f.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 36
    3⤵
    - Program crash
    PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1896-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1896-10-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1896-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1896-6-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2440-0-0x0000000073E01000-0x0000000073E02000-memory.dmp

Filesize
4KB

Download
memory/2440-1-0x0000000073E00000-0x00000000743AB000-memory.dmp

Filesize
5.7MB

Download
memory/2440-2-0x0000000073E00000-0x00000000743AB000-memory.dmp

Filesize
5.7MB

Download
memory/2440-3-0x0000000073E00000-0x00000000743AB000-memory.dmp

Filesize
5.7MB

Download
memory/2440-4-0x0000000073E00000-0x00000000743AB000-memory.dmp

Filesize
5.7MB

Download
memory/2440-11-0x0000000073E00000-0x00000000743AB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads