formbook | 46ccd7e9a3a8e24617a1a4b86de35b63b78e7f3b2472e9f920dc0fc691835dcd

General

Target

608355d27f442ae5c435b22fa9c5757fe324ad753eb48755cbd92b8aa1e161ee.exe
Size

1014KB
MD5

7d420aa49e35f1af9427ebb0ba555027
SHA1

c052fae4e080073d322aaaf185a35767d2c35c2f
SHA256

608355d27f442ae5c435b22fa9c5757fe324ad753eb48755cbd92b8aa1e161ee
SHA512

b7f3c69c7ab137407d578fa41df21fdb3578ee6ea9f044f2a9555775059f6171f594d9ce229acd15d3625f813a9f85d521f84aa12b4a1671a3cf0f470ccce3c9
SSDEEP

12288:IlIKqEaiIj/C51Wy+p9rokT3SQmu/fz3c5aSIOknAyanFtAxEcm8:4IDdjO1Wp9rokT3PHzMN9CAnPAxFm8

Score

10^/10

formbook g25e discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

g25e

Decoy

2491254125.xyz

hookd.gay

uxmelange.com

startupvision3.com

evanwoosley-reed.com

uspalupdser.info

lx0599.com

grupoiaez.com

londonpapershop.com

cremas.store

risespec.com

olivierverdoyant.com

creatednow.com

epicureanhometreats.com

iqijp.com

vcraftboutique.com

furnaristudios.com

dealsgolf.com

djwoojs.com

boatslave.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/2568-14-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2668 set thread context of 2568	2668	608355d27f442ae5c435b22fa9c5757fe324ad753eb48755cbd92b8aa1e161ee.exe	31

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1080	2568	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	608355d27f442ae5c435b22fa9c5757fe324ad753eb48755cbd92b8aa1e161ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	608355d27f442ae5c435b22fa9c5757fe324ad753eb48755cbd92b8aa1e161ee.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2568	2668	608355d27f442ae5c435b22fa9c5757fe324ad753eb48755cbd92b8aa1e161ee.exe	31
PID 2668 wrote to memory of 2568	2668	608355d27f442ae5c435b22fa9c5757fe324ad753eb48755cbd92b8aa1e161ee.exe	31
PID 2668 wrote to memory of 2568	2668	608355d27f442ae5c435b22fa9c5757fe324ad753eb48755cbd92b8aa1e161ee.exe	31
PID 2668 wrote to memory of 2568	2668	608355d27f442ae5c435b22fa9c5757fe324ad753eb48755cbd92b8aa1e161ee.exe	31
PID 2668 wrote to memory of 2568	2668	608355d27f442ae5c435b22fa9c5757fe324ad753eb48755cbd92b8aa1e161ee.exe	31
PID 2668 wrote to memory of 2568	2668	608355d27f442ae5c435b22fa9c5757fe324ad753eb48755cbd92b8aa1e161ee.exe	31
PID 2668 wrote to memory of 2568	2668	608355d27f442ae5c435b22fa9c5757fe324ad753eb48755cbd92b8aa1e161ee.exe	31
PID 2568 wrote to memory of 1080	2568	608355d27f442ae5c435b22fa9c5757fe324ad753eb48755cbd92b8aa1e161ee.exe	32
PID 2568 wrote to memory of 1080	2568	608355d27f442ae5c435b22fa9c5757fe324ad753eb48755cbd92b8aa1e161ee.exe	32
PID 2568 wrote to memory of 1080	2568	608355d27f442ae5c435b22fa9c5757fe324ad753eb48755cbd92b8aa1e161ee.exe	32
PID 2568 wrote to memory of 1080	2568	608355d27f442ae5c435b22fa9c5757fe324ad753eb48755cbd92b8aa1e161ee.exe	32

C:\Users\Admin\AppData\Local\Temp\608355d27f442ae5c435b22fa9c5757fe324ad753eb48755cbd92b8aa1e161ee.exe
"C:\Users\Admin\AppData\Local\Temp\608355d27f442ae5c435b22fa9c5757fe324ad753eb48755cbd92b8aa1e161ee.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Users\Admin\AppData\Local\Temp\608355d27f442ae5c435b22fa9c5757fe324ad753eb48755cbd92b8aa1e161ee.exe
  "C:\Users\Admin\AppData\Local\Temp\608355d27f442ae5c435b22fa9c5757fe324ad753eb48755cbd92b8aa1e161ee.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 36
    3⤵
    - Program crash
    PID:1080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2568-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2568-9-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2568-11-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2568-14-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2668-3-0x0000000000810000-0x0000000000828000-memory.dmp

Filesize
96KB

Download
memory/2668-5-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download
memory/2668-6-0x0000000000600000-0x000000000060C000-memory.dmp

Filesize
48KB

Download
memory/2668-7-0x0000000007ED0000-0x0000000007F7E000-memory.dmp

Filesize
696KB

Download
memory/2668-8-0x0000000005D90000-0x0000000005E06000-memory.dmp

Filesize
472KB

Download
memory/2668-4-0x00000000742AE000-0x00000000742AF000-memory.dmp

Filesize
4KB

Download
memory/2668-0-0x00000000742AE000-0x00000000742AF000-memory.dmp

Filesize
4KB

Download
memory/2668-2-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download
memory/2668-1-0x0000000000AB0000-0x0000000000BB4000-memory.dmp

Filesize
1.0MB

Download
memory/2668-15-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing