formbook | 9af8ba0425b74b8d500823cb40779044426a7572ca0c5fb7da7f59cd823c8d42

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 02:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f301682053d5e2fd2982d90d37508983ac1bf5e630e66e553573709ce7e37817.exe
Size

1.2MB
MD5

0909c0f35eb5d8693d0a572aca2b8c74
SHA1

f68481fff291de0a55fa7b43f01e7905a027f56c
SHA256

f301682053d5e2fd2982d90d37508983ac1bf5e630e66e553573709ce7e37817
SHA512

c79ef0d31921d37f1585c66bd351167a249b36da9b359ca98e865c47a852809b08514fcb2bc4f58f35685ff4cb6a65805aefb4361bedb3344821f80e039d562b
SSDEEP

24576:B/w4Tcww2frV8+iphCxvA6FzTXtJo0WpzuAl8BNeLc:B/wg3xV0hczFzDnsvbLc

Score

10^/10

formbook dw4g discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dw4g

Decoy

keundha.com

gss-india.com

neema.xyz

marscastvoyage.com

cafuti.com

empiredigitalworldnews.com

rumblebumbles.com

chevalpublications.com

rewindau.com

dskensho321.xyz

fywb-avff.com

locking-devices.com

getsomeincome.com

uva888.com

rrrf.space

timberlandobuwie.com

transferpanou.com

ikigaicornerstore.com

jervoisbrazil.com

savagereviews.xyz

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/2256-12-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2900 set thread context of 2256	2900	f301682053d5e2fd2982d90d37508983ac1bf5e630e66e553573709ce7e37817.exe	30

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f301682053d5e2fd2982d90d37508983ac1bf5e630e66e553573709ce7e37817.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2256	f301682053d5e2fd2982d90d37508983ac1bf5e630e66e553573709ce7e37817.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 2256	2900	f301682053d5e2fd2982d90d37508983ac1bf5e630e66e553573709ce7e37817.exe	30
PID 2900 wrote to memory of 2256	2900	f301682053d5e2fd2982d90d37508983ac1bf5e630e66e553573709ce7e37817.exe	30
PID 2900 wrote to memory of 2256	2900	f301682053d5e2fd2982d90d37508983ac1bf5e630e66e553573709ce7e37817.exe	30
PID 2900 wrote to memory of 2256	2900	f301682053d5e2fd2982d90d37508983ac1bf5e630e66e553573709ce7e37817.exe	30
PID 2900 wrote to memory of 2256	2900	f301682053d5e2fd2982d90d37508983ac1bf5e630e66e553573709ce7e37817.exe	30
PID 2900 wrote to memory of 2256	2900	f301682053d5e2fd2982d90d37508983ac1bf5e630e66e553573709ce7e37817.exe	30
PID 2900 wrote to memory of 2256	2900	f301682053d5e2fd2982d90d37508983ac1bf5e630e66e553573709ce7e37817.exe	30

C:\Users\Admin\AppData\Local\Temp\f301682053d5e2fd2982d90d37508983ac1bf5e630e66e553573709ce7e37817.exe
"C:\Users\Admin\AppData\Local\Temp\f301682053d5e2fd2982d90d37508983ac1bf5e630e66e553573709ce7e37817.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Users\Admin\AppData\Local\Temp\f301682053d5e2fd2982d90d37508983ac1bf5e630e66e553573709ce7e37817.exe
  "C:\Users\Admin\AppData\Local\Temp\f301682053d5e2fd2982d90d37508983ac1bf5e630e66e553573709ce7e37817.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2256-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2256-14-0x0000000000870000-0x0000000000B73000-memory.dmp

Filesize
3.0MB

Download
memory/2256-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2256-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2256-9-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2900-3-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/2900-6-0x0000000006550000-0x0000000006602000-memory.dmp

Filesize
712KB

Download
memory/2900-7-0x0000000005410000-0x0000000005482000-memory.dmp

Filesize
456KB

Download
memory/2900-5-0x00000000743F0000-0x0000000074ADE000-memory.dmp

Filesize
6.9MB

Download
memory/2900-4-0x00000000743FE000-0x00000000743FF000-memory.dmp

Filesize
4KB

Download
memory/2900-0-0x00000000743FE000-0x00000000743FF000-memory.dmp

Filesize
4KB

Download
memory/2900-2-0x00000000743F0000-0x0000000074ADE000-memory.dmp

Filesize
6.9MB

Download
memory/2900-13-0x00000000743F0000-0x0000000074ADE000-memory.dmp

Filesize
6.9MB

Download
memory/2900-1-0x0000000000C30000-0x0000000000D68000-memory.dmp

Filesize
1.2MB

Download