formbook | 1e44acb7d8788f3b415cb16b014134802fc4a75623fd267d379d961a7e3fa40b

General

Target

datasheet.exe
Size

892KB
MD5

156a8f3ff2daa772e183f33d03542088
SHA1

d5c5d9adc26f34f357bbbc04b76db5589154c096
SHA256

1517b72d950951e2a53e5881d9f72ef224128454d1bf4ad28afbbee341787e9c
SHA512

bf19dacebe4ca845683f2a0e63e03df6d93619ab8eecc7971b4554c48bbd03e0f4c796c635268261110be4d718dc8163a11c208e9d27bffacd29a8d8bf801f25
SSDEEP

12288:xLfmbbfGD5BroDcsIE++hSpk6L1S3Yp+vpVhd5FhM1wVTMsMz4AJ3sPerFfBL2qJ:xLfmbbfirrts4+ApkmAYp+vdFRtT8

Score

10^/10

formbook gbl discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gbl

Decoy

dx268.com

textbot4you.com

critictable.com

fsclub.info

order-review.com

tkgenergy.com

contavip.info

fashionests.com

sieromart.com

miamimobiletesting.com

oxforhabits.com

yugoslavilk.online

inieenterprises.com

bythebucketfranchise.com

parcelified.com

signalcyclers.com

starryeyedproject.com

proteacherstore.com

horos.tech

bovadaracebook.sucks

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/1684-11-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/1684-15-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/1684-20-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/2096-26-0x00000000000C0000-0x00000000000EE000-memory.dmp	formbook

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2076 set thread context of 1684	2076	datasheet.exe	30
PID 1684 set thread context of 1204	1684	datasheet.exe	21
PID 1684 set thread context of 1204	1684	datasheet.exe	21
PID 2096 set thread context of 1204	2096	raserver.exe	21

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	datasheet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	raserver.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-3551809350-4263495960-1443967649-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	raserver.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
1684	datasheet.exe
1684	datasheet.exe
1684	datasheet.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
1684	datasheet.exe
1684	datasheet.exe
1684	datasheet.exe
1684	datasheet.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe
2096	raserver.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1684	datasheet.exe
Token: SeDebugPrivilege	2096	raserver.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 1684	2076	datasheet.exe	30
PID 2076 wrote to memory of 1684	2076	datasheet.exe	30
PID 2076 wrote to memory of 1684	2076	datasheet.exe	30
PID 2076 wrote to memory of 1684	2076	datasheet.exe	30
PID 2076 wrote to memory of 1684	2076	datasheet.exe	30
PID 2076 wrote to memory of 1684	2076	datasheet.exe	30
PID 2076 wrote to memory of 1684	2076	datasheet.exe	30
PID 1204 wrote to memory of 2096	1204	Explorer.EXE	31
PID 1204 wrote to memory of 2096	1204	Explorer.EXE	31
PID 1204 wrote to memory of 2096	1204	Explorer.EXE	31
PID 1204 wrote to memory of 2096	1204	Explorer.EXE	31
PID 2096 wrote to memory of 860	2096	raserver.exe	32
PID 2096 wrote to memory of 860	2096	raserver.exe	32
PID 2096 wrote to memory of 860	2096	raserver.exe	32
PID 2096 wrote to memory of 860	2096	raserver.exe	32
PID 2096 wrote to memory of 860	2096	raserver.exe	32

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Users\Admin\AppData\Local\Temp\datasheet.exe
  "C:\Users\Admin\AppData\Local\Temp\datasheet.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Users\Admin\AppData\Local\Temp\datasheet.exe
    "C:\Users\Admin\AppData\Local\Temp\datasheet.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1684
- C:\Windows\SysWOW64\raserver.exe
  "C:\Windows\SysWOW64\raserver.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1204-17-0x0000000003F40000-0x0000000004140000-memory.dmp

Filesize
2.0MB

Download
memory/1204-30-0x0000000005180000-0x00000000052F9000-memory.dmp

Filesize
1.5MB

Download
memory/1204-23-0x0000000005180000-0x00000000052F9000-memory.dmp

Filesize
1.5MB

Download
memory/1204-18-0x0000000004DB0000-0x0000000004F42000-memory.dmp

Filesize
1.6MB

Download
memory/1684-21-0x0000000000220000-0x0000000000234000-memory.dmp

Filesize
80KB

Download
memory/1684-16-0x0000000000190000-0x00000000001A4000-memory.dmp

Filesize
80KB

Download
memory/1684-20-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1684-11-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1684-8-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1684-7-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1684-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1684-15-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1684-13-0x00000000008D0000-0x0000000000BD3000-memory.dmp

Filesize
3.0MB

Download
memory/2076-5-0x0000000073E60000-0x000000007454E000-memory.dmp

Filesize
6.9MB

Download
memory/2076-12-0x0000000073E60000-0x000000007454E000-memory.dmp

Filesize
6.9MB

Download
memory/2076-4-0x0000000073E6E000-0x0000000073E6F000-memory.dmp

Filesize
4KB

Download
memory/2076-3-0x00000000004D0000-0x00000000004DA000-memory.dmp

Filesize
40KB

Download
memory/2076-6-0x0000000007830000-0x000000000789C000-memory.dmp

Filesize
432KB

Download
memory/2076-0-0x0000000073E6E000-0x0000000073E6F000-memory.dmp

Filesize
4KB

Download
memory/2076-2-0x0000000073E60000-0x000000007454E000-memory.dmp

Filesize
6.9MB

Download
memory/2076-1-0x0000000000D90000-0x0000000000E74000-memory.dmp

Filesize
912KB

Download
memory/2096-24-0x0000000000380000-0x000000000039C000-memory.dmp

Filesize
112KB

Download
memory/2096-25-0x0000000000380000-0x000000000039C000-memory.dmp

Filesize
112KB

Download
memory/2096-26-0x00000000000C0000-0x00000000000EE000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing