formbook | 0851e6ab84603b734deef821617fd5d52859f09b1677e6ee72a8325c63601f27

General

Target

soa.exe
Size

451KB
MD5

db7035b451f169a670b56a3a023b18e8
SHA1

d586fb0dbdfb1a37cf8097c3f11f4db745e9faa9
SHA256

aeccef59002b851b685cf54307f906c06adb065b68c3eff112f4b0f1442d1349
SHA512

fc6f4c6321747aa92301f8ac3d01cae40ad5d51df1cf294e179bd866537de0f5cef7f1b17616efbc2194679b7d7eff8b807d9d1ef9dc12331c497cbb4f89d707
SSDEEP

6144:rr5h1r6lmPMk8X25ahxL4XUhaGFo69nwTge6qG5yjNeQFgv8dKgvW:rrH1GIUk83xLfHSTg5qGIjNeDCKg

Score

10^/10

formbook bg6 discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

bg6

Decoy

uvs57.info

perfectpointapparel.com

sportsthrem.com

debowerdesigns.com

wzjs99.com

chothuexenangxecauninhbinh.com

blackkeymanagement.com

verdesonline.com

hezehzxx0530.com

alientechcenterlondon.com

body-suit.com

pcfip.com

perocreations.com

mingary.life

goldengoddessglamour.com

reparmaxpro.com

xn--fiqv1al2p20d348d.com

yourhomehealthcarellc.net

weddingproper.com

felicityhorseclub.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/3940-6-0x0000000000400000-0x000000000042D000-memory.dmp	formbook
behavioral2/memory/3940-11-0x0000000000400000-0x000000000042D000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1596 set thread context of 3940	1596	soa.exe	100
PID 3940 set thread context of 3516	3940	RegSvcs.exe	56
PID 4856 set thread context of 3516	4856	control.exe	56

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	soa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	control.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
1596	soa.exe
1596	soa.exe
1596	soa.exe
3940	RegSvcs.exe
3940	RegSvcs.exe
3940	RegSvcs.exe
3940	RegSvcs.exe
4856	control.exe
4856	control.exe
4856	control.exe
4856	control.exe
4856	control.exe
4856	control.exe
4856	control.exe
4856	control.exe
4856	control.exe
4856	control.exe
4856	control.exe
4856	control.exe
4856	control.exe
4856	control.exe
4856	control.exe
4856	control.exe
4856	control.exe
4856	control.exe
4856	control.exe
4856	control.exe
4856	control.exe
4856	control.exe
4856	control.exe
4856	control.exe
4856	control.exe
4856	control.exe
4856	control.exe
4856	control.exe
4856	control.exe
4856	control.exe
4856	control.exe
4856	control.exe
4856	control.exe
4856	control.exe
4856	control.exe
4856	control.exe
4856	control.exe
4856	control.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
3940	RegSvcs.exe
3940	RegSvcs.exe
3940	RegSvcs.exe
4856	control.exe
4856	control.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1596	soa.exe
Token: SeDebugPrivilege	3940	RegSvcs.exe
Token: SeDebugPrivilege	4856	control.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 2176	1596	soa.exe	99
PID 1596 wrote to memory of 2176	1596	soa.exe	99
PID 1596 wrote to memory of 2176	1596	soa.exe	99
PID 1596 wrote to memory of 3940	1596	soa.exe	100
PID 1596 wrote to memory of 3940	1596	soa.exe	100
PID 1596 wrote to memory of 3940	1596	soa.exe	100
PID 1596 wrote to memory of 3940	1596	soa.exe	100
PID 1596 wrote to memory of 3940	1596	soa.exe	100
PID 1596 wrote to memory of 3940	1596	soa.exe	100
PID 3516 wrote to memory of 4856	3516	Explorer.EXE	101
PID 3516 wrote to memory of 4856	3516	Explorer.EXE	101
PID 3516 wrote to memory of 4856	3516	Explorer.EXE	101
PID 4856 wrote to memory of 4560	4856	control.exe	102
PID 4856 wrote to memory of 4560	4856	control.exe	102
PID 4856 wrote to memory of 4560	4856	control.exe	102

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Users\Admin\AppData\Local\Temp\soa.exe
  "C:\Users\Admin\AppData\Local\Temp\soa.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1596
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    PID:2176
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:3940
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\SysWOW64\control.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4856
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1596-1-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/1596-2-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/1596-3-0x0000000074872000-0x0000000074873000-memory.dmp

Filesize
4KB

Download
memory/1596-4-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/1596-5-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/1596-8-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/1596-0-0x0000000074872000-0x0000000074873000-memory.dmp

Filesize
4KB

Download
memory/3516-16-0x00000000022A0000-0x00000000023C8000-memory.dmp

Filesize
1.2MB

Download
memory/3516-23-0x0000000007960000-0x0000000007ACC000-memory.dmp

Filesize
1.4MB

Download
memory/3516-21-0x0000000007960000-0x0000000007ACC000-memory.dmp

Filesize
1.4MB

Download
memory/3516-20-0x0000000007960000-0x0000000007ACC000-memory.dmp

Filesize
1.4MB

Download
memory/3516-13-0x00000000022A0000-0x00000000023C8000-memory.dmp

Filesize
1.2MB

Download
memory/3940-9-0x0000000001520000-0x000000000186A000-memory.dmp

Filesize
3.3MB

Download
memory/3940-11-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3940-12-0x00000000013E0000-0x00000000013F4000-memory.dmp

Filesize
80KB

Download
memory/3940-6-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4856-14-0x00000000001B0000-0x00000000001D7000-memory.dmp

Filesize
156KB

Download
memory/4856-15-0x00000000001B0000-0x00000000001D7000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing