formbook | 60a69bb9a571454ac99e7a222be3a67c2473fa0cfd5c151f17356f8e48d77408

General

Target

JaffaCakes118_60a69bb9a571454ac99e7a222be3a67c2473fa0cfd5c151f17356f8e48d77408.exe
Size

241KB
MD5

483fc82bc1f416dadd7db16ba5440c6a
SHA1

2b180d03d36aacda5e1791a2d89c2c44ce170f6b
SHA256

60a69bb9a571454ac99e7a222be3a67c2473fa0cfd5c151f17356f8e48d77408
SHA512

93943c4b9a85547f879aae02bcde08ab6f9ad8958e0a350452ac5053254729b0216e68c8869a5ceeb8ae0f9ca495a6095157efa1a3a52510a6632a482a95dc43
SSDEEP

6144:HNeZmycM5oTdt4hdza6a2pAy9HPAPZPcgRIZi:HNll0kw3HYP9cy9

Score

10^/10

formbook gb10 discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gb10

Decoy

kaoriyamimi.com

chuandaoren.com

cayuv.xyz

tylorswiftappointment.xyz

jrj9.com

totowin88.plus

laakas.com

designbyfarhad.com

welfaristifocalizzati2022.com

bahisdencasino.com

hvmedianow.com

attoblocks.com

traumafolgenpraevention.com

copikta.online

jpdataconsulting.com

whichdatabase.com

marsolucionesdigitales.online

cljxexl.xyz

circlemen.com

chernobylwodka.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/3032-15-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/3032-18-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/3032-21-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2864-28-0x00000000000C0000-0x00000000000EF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

pid	Process
3000	lvymw.exe
3032	lvymw.exe

Loads dropped DLL 3 IoCs

pid	Process
2172	JaffaCakes118_60a69bb9a571454ac99e7a222be3a67c2473fa0cfd5c151f17356f8e48d77408.exe
2172	JaffaCakes118_60a69bb9a571454ac99e7a222be3a67c2473fa0cfd5c151f17356f8e48d77408.exe
3000	lvymw.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3000 set thread context of 3032	3000	lvymw.exe	30
PID 3032 set thread context of 1364	3032	lvymw.exe	21
PID 3032 set thread context of 1364	3032	lvymw.exe	21
PID 2864 set thread context of 1364	2864	msdt.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_60a69bb9a571454ac99e7a222be3a67c2473fa0cfd5c151f17356f8e48d77408.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lvymw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
3032	lvymw.exe
3032	lvymw.exe
3032	lvymw.exe
2864	msdt.exe
2864	msdt.exe
2864	msdt.exe
2864	msdt.exe
2864	msdt.exe
2864	msdt.exe
2864	msdt.exe
2864	msdt.exe
2864	msdt.exe
2864	msdt.exe
2864	msdt.exe
2864	msdt.exe
2864	msdt.exe
2864	msdt.exe
2864	msdt.exe
2864	msdt.exe
2864	msdt.exe
2864	msdt.exe
2864	msdt.exe
2864	msdt.exe
2864	msdt.exe
2864	msdt.exe
2864	msdt.exe
2864	msdt.exe
2864	msdt.exe
2864	msdt.exe
2864	msdt.exe
2864	msdt.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
3032	lvymw.exe
3032	lvymw.exe
3032	lvymw.exe
3032	lvymw.exe
2864	msdt.exe
2864	msdt.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3032	lvymw.exe
Token: SeDebugPrivilege	2864	msdt.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 3000	2172	JaffaCakes118_60a69bb9a571454ac99e7a222be3a67c2473fa0cfd5c151f17356f8e48d77408.exe	29
PID 2172 wrote to memory of 3000	2172	JaffaCakes118_60a69bb9a571454ac99e7a222be3a67c2473fa0cfd5c151f17356f8e48d77408.exe	29
PID 2172 wrote to memory of 3000	2172	JaffaCakes118_60a69bb9a571454ac99e7a222be3a67c2473fa0cfd5c151f17356f8e48d77408.exe	29
PID 2172 wrote to memory of 3000	2172	JaffaCakes118_60a69bb9a571454ac99e7a222be3a67c2473fa0cfd5c151f17356f8e48d77408.exe	29
PID 3000 wrote to memory of 3032	3000	lvymw.exe	30
PID 3000 wrote to memory of 3032	3000	lvymw.exe	30
PID 3000 wrote to memory of 3032	3000	lvymw.exe	30
PID 3000 wrote to memory of 3032	3000	lvymw.exe	30
PID 3000 wrote to memory of 3032	3000	lvymw.exe	30
PID 3000 wrote to memory of 3032	3000	lvymw.exe	30
PID 3000 wrote to memory of 3032	3000	lvymw.exe	30
PID 1364 wrote to memory of 2864	1364	Explorer.EXE	31
PID 1364 wrote to memory of 2864	1364	Explorer.EXE	31
PID 1364 wrote to memory of 2864	1364	Explorer.EXE	31
PID 1364 wrote to memory of 2864	1364	Explorer.EXE	31
PID 2864 wrote to memory of 2744	2864	msdt.exe	32
PID 2864 wrote to memory of 2744	2864	msdt.exe	32
PID 2864 wrote to memory of 2744	2864	msdt.exe	32
PID 2864 wrote to memory of 2744	2864	msdt.exe	32

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60a69bb9a571454ac99e7a222be3a67c2473fa0cfd5c151f17356f8e48d77408.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60a69bb9a571454ac99e7a222be3a67c2473fa0cfd5c151f17356f8e48d77408.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Users\Admin\AppData\Local\Temp\lvymw.exe
    C:\Users\Admin\AppData\Local\Temp\lvymw.exe C:\Users\Admin\AppData\Local\Temp\mslswzz
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - C:\Users\Admin\AppData\Local\Temp\lvymw.exe
      C:\Users\Admin\AppData\Local\Temp\lvymw.exe C:\Users\Admin\AppData\Local\Temp\mslswzz
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:3032
- C:\Windows\SysWOW64\msdt.exe
  "C:\Windows\SysWOW64\msdt.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\lvymw.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mslswzz

Filesize
5KB

MD5
d90908cd63ad318fc4d73c833a43ab59

SHA1
3953f3c253814bb39f671278ec6cafcb4d9520ed

SHA256
3b9ed624f94eb33f913de44fcd377d1f9ea793efd0c3cc529217c3ce0da3d6ca

SHA512
fb83441cb54cfd73c20e87d80921b03a8f2a9c2ef3b22cacfe7522a9bd56cae9879cfb19e625dc8ff26e95763e04de33cb4b53243c81355e9d282689e0cf85a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\v1sh9jvwumaf4

Filesize
184KB

MD5
595197dd5ce763cd24751c75b44be8a1

SHA1
4529317e2afc2788617c60c40adcd42e550452e1

SHA256
36dbb14dffd84498a2e624ff58f93d0519c004d24b88a67d4656b2f7367d78e7

SHA512
907d75da916f8cb7886426622e407e6bbf93d27eb2a84d0cb2490ba208e8dcfb67c23dadb382ca87b8d1127bfbb93a916fb4cdb0f4d08397c4d54d14d0ec3309

Download Submit
\Users\Admin\AppData\Local\Temp\lvymw.exe

Filesize
64KB

MD5
ddc8d50e346229f2c76c329e53a48068

SHA1
a91202033dd59452603fa0fdbd2b50b1917e48a1

SHA256
23c25521d704cbc1c35aa84cc0d4f9cc7fef48eb118a55a4a4002265836eae2f

SHA512
4dad956526f033f558fa41760b70e989ad0d242941c776a7ea69a916b195cb8e7737b2c36c9662cfc54c51d99eadff09872daf129d0a92c3c38cbe71365a7349

Download Submit
memory/1364-19-0x00000000075A0000-0x00000000076C7000-memory.dmp

Filesize
1.2MB

Download
memory/1364-23-0x00000000076D0000-0x0000000007841000-memory.dmp

Filesize
1.4MB

Download
memory/1364-22-0x00000000075A0000-0x00000000076C7000-memory.dmp

Filesize
1.2MB

Download
memory/1364-29-0x00000000076D0000-0x0000000007841000-memory.dmp

Filesize
1.4MB

Download
memory/2864-26-0x00000000006D0000-0x00000000007C4000-memory.dmp

Filesize
976KB

Download
memory/2864-27-0x00000000006D0000-0x00000000007C4000-memory.dmp

Filesize
976KB

Download
memory/2864-28-0x00000000000C0000-0x00000000000EF000-memory.dmp

Filesize
188KB

Download
memory/3000-14-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/3032-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3032-18-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3032-21-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing