formbook | d446f9a6247df566e4e381594b8eaeeb844321fb16fcaf49bbac860fa4301a77

General

Target

0b504e6f2a283de75673bbe913c5032b02cc6a92888f4dfab895f79104b11103.exe
Size

564KB
MD5

633bb3ab12d6fd7b6956aa3a93f55e9c
SHA1

f4a72da6391fcc9c623ae26de27fc80f10cf9f2b
SHA256

0b504e6f2a283de75673bbe913c5032b02cc6a92888f4dfab895f79104b11103
SHA512

ebdfa42be8d8f1a64900ba48748c8f86d9b74defbf85b3dda94d1df4d7c695d81769e165252fc0cfb2b5ffe347d84eb2f4f74e8d3e3d3ed3fa6466426f4eec28
SSDEEP

12288:zToPWBv/cpGrU3yJYqi+4mMz4pbIQ4+N54CHLottc:zTbBv5rUGdf4m/pMQ4m5nrJ

Score

10^/10

formbook sk29 discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

sk29

Decoy

invycons.com

txirla.com

skygrade.site

mydubai.website

giftr.online

fotothink.com

receitaspanelacaseira.online

theroost.dev

hy-allure.com

homefilmcompany.online

qest-mall.net

palochkiotrollov.online

aibset-terms.com

clecrffp.work

entel04.online

conveyancercentralcoast.com

evaij.info

meitue.shop

rothchild.top

detecter-un-logiciel-espion.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/2596-33-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2228-36-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Executes dropped EXE 1 IoCs

pid	Process
2816	bstkiooen.exe

Loads dropped DLL 7 IoCs

pid	Process
2652	0b504e6f2a283de75673bbe913c5032b02cc6a92888f4dfab895f79104b11103.exe
2652	0b504e6f2a283de75673bbe913c5032b02cc6a92888f4dfab895f79104b11103.exe
2652	0b504e6f2a283de75673bbe913c5032b02cc6a92888f4dfab895f79104b11103.exe
2652	0b504e6f2a283de75673bbe913c5032b02cc6a92888f4dfab895f79104b11103.exe
2652	0b504e6f2a283de75673bbe913c5032b02cc6a92888f4dfab895f79104b11103.exe
2816	bstkiooen.exe
2596	bstkiooen.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2816 set thread context of 2596	2816	bstkiooen.exe	31
PID 2596 set thread context of 1228	2596	bstkiooen.exe	21
PID 2228 set thread context of 1228	2228	systray.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b504e6f2a283de75673bbe913c5032b02cc6a92888f4dfab895f79104b11103.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bstkiooen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systray.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2596	bstkiooen.exe
2596	bstkiooen.exe
2228	systray.exe
2228	systray.exe
2228	systray.exe
2228	systray.exe
2228	systray.exe
2228	systray.exe
2228	systray.exe
2228	systray.exe
2228	systray.exe
2228	systray.exe
2228	systray.exe
2228	systray.exe
2228	systray.exe
2228	systray.exe
2228	systray.exe
2228	systray.exe
2228	systray.exe
2228	systray.exe
2228	systray.exe
2228	systray.exe
2228	systray.exe
2228	systray.exe
2228	systray.exe
2228	systray.exe
2228	systray.exe
2228	systray.exe
2228	systray.exe
2228	systray.exe
2228	systray.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2596	bstkiooen.exe
2596	bstkiooen.exe
2596	bstkiooen.exe
2228	systray.exe
2228	systray.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2596	bstkiooen.exe
Token: SeDebugPrivilege	2228	systray.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 2816	2652	0b504e6f2a283de75673bbe913c5032b02cc6a92888f4dfab895f79104b11103.exe	30
PID 2652 wrote to memory of 2816	2652	0b504e6f2a283de75673bbe913c5032b02cc6a92888f4dfab895f79104b11103.exe	30
PID 2652 wrote to memory of 2816	2652	0b504e6f2a283de75673bbe913c5032b02cc6a92888f4dfab895f79104b11103.exe	30
PID 2652 wrote to memory of 2816	2652	0b504e6f2a283de75673bbe913c5032b02cc6a92888f4dfab895f79104b11103.exe	30
PID 2816 wrote to memory of 2596	2816	bstkiooen.exe	31
PID 2816 wrote to memory of 2596	2816	bstkiooen.exe	31
PID 2816 wrote to memory of 2596	2816	bstkiooen.exe	31
PID 2816 wrote to memory of 2596	2816	bstkiooen.exe	31
PID 2816 wrote to memory of 2596	2816	bstkiooen.exe	31
PID 1228 wrote to memory of 2228	1228	Explorer.EXE	32
PID 1228 wrote to memory of 2228	1228	Explorer.EXE	32
PID 1228 wrote to memory of 2228	1228	Explorer.EXE	32
PID 1228 wrote to memory of 2228	1228	Explorer.EXE	32
PID 2228 wrote to memory of 2564	2228	systray.exe	33
PID 2228 wrote to memory of 2564	2228	systray.exe	33
PID 2228 wrote to memory of 2564	2228	systray.exe	33
PID 2228 wrote to memory of 2564	2228	systray.exe	33

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Users\Admin\AppData\Local\Temp\0b504e6f2a283de75673bbe913c5032b02cc6a92888f4dfab895f79104b11103.exe
  "C:\Users\Admin\AppData\Local\Temp\0b504e6f2a283de75673bbe913c5032b02cc6a92888f4dfab895f79104b11103.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Users\Admin\AppData\Local\Temp\bstkiooen.exe
    "C:\Users\Admin\AppData\Local\Temp\bstkiooen.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Users\Admin\AppData\Local\Temp\bstkiooen.exe
      "C:\Users\Admin\AppData\Local\Temp\bstkiooen.exe"
      4⤵
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2596
- C:\Windows\SysWOW64\systray.exe
  "C:\Windows\SysWOW64\systray.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\bstkiooen.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bstkiooen.exe

Filesize
6KB

MD5
a2af309781df2f75dc0b57ae63b0f3a9

SHA1
f4137068334e1856471f4701c96afaa0470c7d4c

SHA256
328f2a0d53ed5c36513f278f32a0d6166a2dc0993ed4f52185198d6200595e1c

SHA512
5f7bd4c508e1f9f0b391ebc6b42f6f734b846a76d6903db3e75b7b671d02bef2baecb40bcbb37a41394aeccb8d2591c2f5492aa74e458ff814b184d9668f259b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbmpmcwm.tfz

Filesize
185KB

MD5
b02c99ecfdb7d8793254bc8e9c003869

SHA1
e38ca7ff9c88e36d19aa0198820b97f6a11de201

SHA256
2f8eb57267950a4bc6e8dd8b2d7def8afc40b8db3c5ef49adc68fb144f7e8e41

SHA512
d12cd9fbabdcc1a5c601d6c0326b34f65ffc63be84ca94bc6dc70f0e70ec7c3b46122136d6f2a7e82bcb3e27d4bb89d9332ddd35026873fd4029d3405f73b09b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hgmxh.brz

Filesize
4KB

MD5
73d355a9e88d7a82f69e612949eb4965

SHA1
b6041f58669a65e43fbe8dcba0dbd061e48812bc

SHA256
115814a83166723ce7080d92af30822dbd7dc2d5d26edec9145b056b7226e166

SHA512
5498ad05a858051705e6e37a884f8897623bb2a415515c951e76d1ef12554994a6de0cd17b045dd740d9d92055ba1b6a725129f36740261d9de9ee9bb29577af

Download Submit
memory/1228-32-0x0000000004E80000-0x0000000004FE5000-memory.dmp

Filesize
1.4MB

Download
memory/1228-37-0x0000000004E80000-0x0000000004FE5000-memory.dmp

Filesize
1.4MB

Download
memory/1228-42-0x0000000008440000-0x00000000085A6000-memory.dmp

Filesize
1.4MB

Download
memory/2228-35-0x0000000000310000-0x0000000000315000-memory.dmp

Filesize
20KB

Download
memory/2228-34-0x0000000000310000-0x0000000000315000-memory.dmp

Filesize
20KB

Download
memory/2228-36-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/2596-31-0x000000000041F000-0x0000000000420000-memory.dmp

Filesize
4KB

Download
memory/2596-30-0x0000000000360000-0x0000000000374000-memory.dmp

Filesize
80KB

Download
memory/2596-29-0x0000000000A10000-0x0000000000D13000-memory.dmp

Filesize
3.0MB

Download
memory/2596-33-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2816-24-0x0000000000100000-0x0000000000102000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing