formbook | 03369b54bd959d9f0f02b5ce734d502ddcddfee109fed5345c84ae0f365bebf6

General

Target

03369b54bd959d9f0f02b5ce734d502ddcddfee109fed5345c84ae0f365bebf6.exe
Size

658KB
MD5

c969389f57b8748516c408694e11189e
SHA1

7ec5fbfe88a6a8d54c647bcc73ac315b513fca92
SHA256

03369b54bd959d9f0f02b5ce734d502ddcddfee109fed5345c84ae0f365bebf6
SHA512

7826cf7c6dc9f556b885fcee682c70cfca2da36f4596838bee85427447d6b129e84d9d43e3a31935525bd21a3b1a5b16c17da0155b96ef7e4774099bfbef06db
SSDEEP

12288:Ucir1S2IoOAc6/5rZGmy4unKZno/iDDjPPqmgucrl4M5iYXybz8xaMhLdrn8qdMW:1nK9o67ZguinMbIxaMhJD8yMEE0

Score

10^/10

formbook fh84 discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

fh84

Decoy

mtzyn.top

zfn-no-hsts.win

j10g.xyz

arehouse-inventory-60572.bond

nlineprodutooffer.shop

ar-deals-77764.bond

e3m2.xyz

cquisitive.group

unkusol.xyz

01307.xyz

uratedcelebrations.net

nfiniworkshop-thai.online

s-cmc.net

idney360.info

ipolar-treatment-us-311-ze.zone

entenstituleridernegi.biz

olombiaoutlet.shop

uradab.rest

qega.shop

73519.vip

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4252-11-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

03369b54bd959d9f0f02b5ce734d502ddcddfee109fed5345c84ae0f365bebf6.exe

description	pid	Process	procid_target
PID 5096 set thread context of 4252	5096	03369b54bd959d9f0f02b5ce734d502ddcddfee109fed5345c84ae0f365bebf6.exe	90

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

03369b54bd959d9f0f02b5ce734d502ddcddfee109fed5345c84ae0f365bebf6.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	03369b54bd959d9f0f02b5ce734d502ddcddfee109fed5345c84ae0f365bebf6.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

03369b54bd959d9f0f02b5ce734d502ddcddfee109fed5345c84ae0f365bebf6.exe03369b54bd959d9f0f02b5ce734d502ddcddfee109fed5345c84ae0f365bebf6.exe

pid	Process
5096	03369b54bd959d9f0f02b5ce734d502ddcddfee109fed5345c84ae0f365bebf6.exe
5096	03369b54bd959d9f0f02b5ce734d502ddcddfee109fed5345c84ae0f365bebf6.exe
4252	03369b54bd959d9f0f02b5ce734d502ddcddfee109fed5345c84ae0f365bebf6.exe
4252	03369b54bd959d9f0f02b5ce734d502ddcddfee109fed5345c84ae0f365bebf6.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

03369b54bd959d9f0f02b5ce734d502ddcddfee109fed5345c84ae0f365bebf6.exe

description	pid	Process
Token: SeDebugPrivilege	5096	03369b54bd959d9f0f02b5ce734d502ddcddfee109fed5345c84ae0f365bebf6.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

03369b54bd959d9f0f02b5ce734d502ddcddfee109fed5345c84ae0f365bebf6.exe

description	pid	Process	procid_target
PID 5096 wrote to memory of 2124	5096	03369b54bd959d9f0f02b5ce734d502ddcddfee109fed5345c84ae0f365bebf6.exe	89
PID 5096 wrote to memory of 2124	5096	03369b54bd959d9f0f02b5ce734d502ddcddfee109fed5345c84ae0f365bebf6.exe	89
PID 5096 wrote to memory of 2124	5096	03369b54bd959d9f0f02b5ce734d502ddcddfee109fed5345c84ae0f365bebf6.exe	89
PID 5096 wrote to memory of 4252	5096	03369b54bd959d9f0f02b5ce734d502ddcddfee109fed5345c84ae0f365bebf6.exe	90
PID 5096 wrote to memory of 4252	5096	03369b54bd959d9f0f02b5ce734d502ddcddfee109fed5345c84ae0f365bebf6.exe	90
PID 5096 wrote to memory of 4252	5096	03369b54bd959d9f0f02b5ce734d502ddcddfee109fed5345c84ae0f365bebf6.exe	90
PID 5096 wrote to memory of 4252	5096	03369b54bd959d9f0f02b5ce734d502ddcddfee109fed5345c84ae0f365bebf6.exe	90
PID 5096 wrote to memory of 4252	5096	03369b54bd959d9f0f02b5ce734d502ddcddfee109fed5345c84ae0f365bebf6.exe	90
PID 5096 wrote to memory of 4252	5096	03369b54bd959d9f0f02b5ce734d502ddcddfee109fed5345c84ae0f365bebf6.exe	90

C:\Users\Admin\AppData\Local\Temp\03369b54bd959d9f0f02b5ce734d502ddcddfee109fed5345c84ae0f365bebf6.exe
"C:\Users\Admin\AppData\Local\Temp\03369b54bd959d9f0f02b5ce734d502ddcddfee109fed5345c84ae0f365bebf6.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5096
- C:\Users\Admin\AppData\Local\Temp\03369b54bd959d9f0f02b5ce734d502ddcddfee109fed5345c84ae0f365bebf6.exe
  "C:\Users\Admin\AppData\Local\Temp\03369b54bd959d9f0f02b5ce734d502ddcddfee109fed5345c84ae0f365bebf6.exe"
  2⤵
  PID:2124
- C:\Users\Admin\AppData\Local\Temp\03369b54bd959d9f0f02b5ce734d502ddcddfee109fed5345c84ae0f365bebf6.exe
  "C:\Users\Admin\AppData\Local\Temp\03369b54bd959d9f0f02b5ce734d502ddcddfee109fed5345c84ae0f365bebf6.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4252-11-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4252-14-0x00000000016A0000-0x00000000019EA000-memory.dmp

Filesize
3.3MB

Download
memory/5096-6-0x0000000074F7E000-0x0000000074F7F000-memory.dmp

Filesize
4KB

Download
memory/5096-3-0x0000000004CB0000-0x0000000004D42000-memory.dmp

Filesize
584KB

Download
memory/5096-4-0x0000000074F70000-0x0000000075720000-memory.dmp

Filesize
7.7MB

Download
memory/5096-5-0x0000000004D80000-0x0000000004D8A000-memory.dmp

Filesize
40KB

Download
memory/5096-0-0x0000000074F7E000-0x0000000074F7F000-memory.dmp

Filesize
4KB

Download
memory/5096-7-0x0000000074F70000-0x0000000075720000-memory.dmp

Filesize
7.7MB

Download
memory/5096-8-0x00000000050B0000-0x00000000050C2000-memory.dmp

Filesize
72KB

Download
memory/5096-9-0x0000000007880000-0x00000000078F6000-memory.dmp

Filesize
472KB

Download
memory/5096-10-0x000000000A010000-0x000000000A0AC000-memory.dmp

Filesize
624KB

Download
memory/5096-2-0x0000000005260000-0x0000000005804000-memory.dmp

Filesize
5.6MB

Download
memory/5096-13-0x0000000074F70000-0x0000000075720000-memory.dmp

Filesize
7.7MB

Download
memory/5096-1-0x0000000000280000-0x000000000032A000-memory.dmp

Filesize
680KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads