formbook | c1642e852cbd05c9b81a47da6364c33cfab34c88eb5487d5e9b39568439a09ca

Analysis

max time kernel
93s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 22:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f4d39877281023ce9f36605ca14cc9a2bd3583fc65f8ac148753795b980cc69.exe
Size

873KB
MD5

b982805529ddd169f025e4f5897ffbb4
SHA1

c9bede65491464226dc4bd769a8a926d9a0fa178
SHA256

6f4d39877281023ce9f36605ca14cc9a2bd3583fc65f8ac148753795b980cc69
SHA512

b656fbe4bee42acc24d094bfa052c9e0b72741dcf9a03fb6161bd21f2f06bb15121f370774530ccee7aff6850fe279d431654610b40226aa2e851b9d2eeda1d7
SSDEEP

12288:L5MTdaVo0smtiK5oyZJnBfPjLR0lUExUEycWuJ2kIO7F9QK:ng+FoelPjtCx9Pfc/O7FOK

Score

10^/10

formbook t052 discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

t052

Decoy

droogskateboards.com

royalspowersolution.com

lifebestmoves.com

rimpasac.com

crndhwv.icu

younggunrecords.com

rtdentalstaffing.com

2ktea.com

aiheim.com

cyberledger360.com

chrgo.com

1-alnafrica.com

reignbowssparkle.com

theexecutivestudio.com

stevebana.xyz

adenisikmerkezi.com

ralfboehm.com

chiyuedianzi.com

mjgqw.com

isiswilkinson.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/2056-12-0x0000000000400000-0x000000000042E000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2548 set thread context of 2056	2548	6f4d39877281023ce9f36605ca14cc9a2bd3583fc65f8ac148753795b980cc69.exe	91

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6f4d39877281023ce9f36605ca14cc9a2bd3583fc65f8ac148753795b980cc69.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2548	6f4d39877281023ce9f36605ca14cc9a2bd3583fc65f8ac148753795b980cc69.exe
2548	6f4d39877281023ce9f36605ca14cc9a2bd3583fc65f8ac148753795b980cc69.exe
2056	6f4d39877281023ce9f36605ca14cc9a2bd3583fc65f8ac148753795b980cc69.exe
2056	6f4d39877281023ce9f36605ca14cc9a2bd3583fc65f8ac148753795b980cc69.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2548	6f4d39877281023ce9f36605ca14cc9a2bd3583fc65f8ac148753795b980cc69.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2056	2548	6f4d39877281023ce9f36605ca14cc9a2bd3583fc65f8ac148753795b980cc69.exe	91
PID 2548 wrote to memory of 2056	2548	6f4d39877281023ce9f36605ca14cc9a2bd3583fc65f8ac148753795b980cc69.exe	91
PID 2548 wrote to memory of 2056	2548	6f4d39877281023ce9f36605ca14cc9a2bd3583fc65f8ac148753795b980cc69.exe	91
PID 2548 wrote to memory of 2056	2548	6f4d39877281023ce9f36605ca14cc9a2bd3583fc65f8ac148753795b980cc69.exe	91
PID 2548 wrote to memory of 2056	2548	6f4d39877281023ce9f36605ca14cc9a2bd3583fc65f8ac148753795b980cc69.exe	91
PID 2548 wrote to memory of 2056	2548	6f4d39877281023ce9f36605ca14cc9a2bd3583fc65f8ac148753795b980cc69.exe	91

C:\Users\Admin\AppData\Local\Temp\6f4d39877281023ce9f36605ca14cc9a2bd3583fc65f8ac148753795b980cc69.exe
"C:\Users\Admin\AppData\Local\Temp\6f4d39877281023ce9f36605ca14cc9a2bd3583fc65f8ac148753795b980cc69.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Local\Temp\6f4d39877281023ce9f36605ca14cc9a2bd3583fc65f8ac148753795b980cc69.exe
  "C:\Users\Admin\AppData\Local\Temp\6f4d39877281023ce9f36605ca14cc9a2bd3583fc65f8ac148753795b980cc69.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2056-12-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2056-15-0x0000000001320000-0x000000000166A000-memory.dmp

Filesize
3.3MB

Download
memory/2548-6-0x0000000005B50000-0x0000000005B72000-memory.dmp

Filesize
136KB

Download
memory/2548-3-0x00000000058D0000-0x0000000005962000-memory.dmp

Filesize
584KB

Download
memory/2548-4-0x0000000074F70000-0x0000000075720000-memory.dmp

Filesize
7.7MB

Download
memory/2548-5-0x00000000059A0000-0x00000000059AA000-memory.dmp

Filesize
40KB

Download
memory/2548-0-0x0000000074F7E000-0x0000000074F7F000-memory.dmp

Filesize
4KB

Download
memory/2548-7-0x0000000074F7E000-0x0000000074F7F000-memory.dmp

Filesize
4KB

Download
memory/2548-8-0x0000000074F70000-0x0000000075720000-memory.dmp

Filesize
7.7MB

Download
memory/2548-9-0x00000000073C0000-0x000000000745C000-memory.dmp

Filesize
624KB

Download
memory/2548-10-0x0000000007530000-0x00000000075A2000-memory.dmp

Filesize
456KB

Download
memory/2548-11-0x00000000075A0000-0x00000000075DE000-memory.dmp

Filesize
248KB

Download
memory/2548-2-0x0000000005D80000-0x0000000006324000-memory.dmp

Filesize
5.6MB

Download
memory/2548-14-0x0000000074F70000-0x0000000075720000-memory.dmp

Filesize
7.7MB

Download
memory/2548-1-0x0000000000E10000-0x0000000000EF0000-memory.dmp

Filesize
896KB

Download