formbook | 0851e6ab84603b734deef821617fd5d52859f09b1677e6ee72a8325c63601f27

General

Target

soa.exe
Size

451KB
MD5

db7035b451f169a670b56a3a023b18e8
SHA1

d586fb0dbdfb1a37cf8097c3f11f4db745e9faa9
SHA256

aeccef59002b851b685cf54307f906c06adb065b68c3eff112f4b0f1442d1349
SHA512

fc6f4c6321747aa92301f8ac3d01cae40ad5d51df1cf294e179bd866537de0f5cef7f1b17616efbc2194679b7d7eff8b807d9d1ef9dc12331c497cbb4f89d707
SSDEEP

6144:rr5h1r6lmPMk8X25ahxL4XUhaGFo69nwTge6qG5yjNeQFgv8dKgvW:rrH1GIUk83xLfHSTg5qGIjNeDCKg

Score

10^/10

formbook bg6 discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

bg6

Decoy

uvs57.info

perfectpointapparel.com

sportsthrem.com

debowerdesigns.com

wzjs99.com

chothuexenangxecauninhbinh.com

blackkeymanagement.com

verdesonline.com

hezehzxx0530.com

alientechcenterlondon.com

body-suit.com

pcfip.com

perocreations.com

mingary.life

goldengoddessglamour.com

reparmaxpro.com

xn--fiqv1al2p20d348d.com

yourhomehealthcarellc.net

weddingproper.com

felicityhorseclub.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/2712-10-0x0000000000400000-0x000000000042D000-memory.dmp	formbook
behavioral1/memory/2712-14-0x0000000000400000-0x000000000042D000-memory.dmp	formbook
behavioral1/memory/2712-18-0x0000000000400000-0x000000000042D000-memory.dmp	formbook

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1984 set thread context of 2712	1984	soa.exe	31
PID 2712 set thread context of 1204	2712	RegSvcs.exe	21
PID 2712 set thread context of 1204	2712	RegSvcs.exe	21
PID 2472 set thread context of 1204	2472	chkdsk.exe	21

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	soa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chkdsk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2712	RegSvcs.exe
2712	RegSvcs.exe
2712	RegSvcs.exe
2472	chkdsk.exe
2472	chkdsk.exe
2472	chkdsk.exe
2472	chkdsk.exe
2472	chkdsk.exe
2472	chkdsk.exe
2472	chkdsk.exe
2472	chkdsk.exe
2472	chkdsk.exe
2472	chkdsk.exe
2472	chkdsk.exe
2472	chkdsk.exe
2472	chkdsk.exe
2472	chkdsk.exe
2472	chkdsk.exe
2472	chkdsk.exe
2472	chkdsk.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2712	RegSvcs.exe
2712	RegSvcs.exe
2712	RegSvcs.exe
2712	RegSvcs.exe
2472	chkdsk.exe
2472	chkdsk.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2712	RegSvcs.exe
Token: SeDebugPrivilege	2472	chkdsk.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2712	1984	soa.exe	31
PID 1984 wrote to memory of 2712	1984	soa.exe	31
PID 1984 wrote to memory of 2712	1984	soa.exe	31
PID 1984 wrote to memory of 2712	1984	soa.exe	31
PID 1984 wrote to memory of 2712	1984	soa.exe	31
PID 1984 wrote to memory of 2712	1984	soa.exe	31
PID 1984 wrote to memory of 2712	1984	soa.exe	31
PID 1984 wrote to memory of 2712	1984	soa.exe	31
PID 1984 wrote to memory of 2712	1984	soa.exe	31
PID 1984 wrote to memory of 2712	1984	soa.exe	31
PID 2712 wrote to memory of 2472	2712	RegSvcs.exe	32
PID 2712 wrote to memory of 2472	2712	RegSvcs.exe	32
PID 2712 wrote to memory of 2472	2712	RegSvcs.exe	32
PID 2712 wrote to memory of 2472	2712	RegSvcs.exe	32
PID 2472 wrote to memory of 3036	2472	chkdsk.exe	33
PID 2472 wrote to memory of 3036	2472	chkdsk.exe	33
PID 2472 wrote to memory of 3036	2472	chkdsk.exe	33
PID 2472 wrote to memory of 3036	2472	chkdsk.exe	33

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\soa.exe
  "C:\Users\Admin\AppData\Local\Temp\soa.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\SysWOW64\chkdsk.exe
      "C:\Windows\SysWOW64\chkdsk.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2472
    - - C:\Windows\SysWOW64\cmd.exe
        
        /c del "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1204-16-0x0000000007510000-0x0000000007699000-memory.dmp

Filesize
1.5MB

Download
memory/1204-24-0x00000000053A0000-0x0000000005483000-memory.dmp

Filesize
908KB

Download
memory/1204-21-0x00000000053A0000-0x0000000005483000-memory.dmp

Filesize
908KB

Download
memory/1204-20-0x0000000007510000-0x0000000007699000-memory.dmp

Filesize
1.5MB

Download
memory/1984-1-0x0000000074F10000-0x00000000754BB000-memory.dmp

Filesize
5.7MB

Download
memory/1984-0-0x0000000074F11000-0x0000000074F12000-memory.dmp

Filesize
4KB

Download
memory/1984-3-0x0000000074F10000-0x00000000754BB000-memory.dmp

Filesize
5.7MB

Download
memory/1984-4-0x0000000074F10000-0x00000000754BB000-memory.dmp

Filesize
5.7MB

Download
memory/1984-2-0x0000000074F10000-0x00000000754BB000-memory.dmp

Filesize
5.7MB

Download
memory/1984-11-0x0000000074F10000-0x00000000754BB000-memory.dmp

Filesize
5.7MB

Download
memory/2472-23-0x0000000000D60000-0x0000000000D67000-memory.dmp

Filesize
28KB

Download
memory/2472-22-0x0000000000D60000-0x0000000000D67000-memory.dmp

Filesize
28KB

Download
memory/2712-5-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2712-14-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2712-15-0x0000000000170000-0x0000000000184000-memory.dmp

Filesize
80KB

Download
memory/2712-12-0x0000000000860000-0x0000000000B63000-memory.dmp

Filesize
3.0MB

Download
memory/2712-19-0x00000000001F0000-0x0000000000204000-memory.dmp

Filesize
80KB

Download
memory/2712-18-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2712-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2712-10-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2712-6-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing