formbook | e764f6e7bdb61df66914dcf9787d1bd6b738f1bd1f13320d57f44362c2ef676e

General

Target

bwfjco.exe
Size

6KB
MD5

9c52ec38c352cd19ae28913fe206a5b3
SHA1

a79300b49a4f1cce8db98515f79759a51bae664b
SHA256

5cb816f8eec3869aba2eec928f0a2c212b55658ae4d0f58ccfe5dbee87ba47de
SHA512

efa5c0060a217a2a8d5a811d0895dfe52ec4cc7213218d7abd09f1a3a621b828015df4c7adcd26ca71f776610ad9a46a710114297a5a76411cd22850675e0a1b
SSDEEP

48:aPUCS0YbdorCpU3PXXPuh5Ptv+qCpUh0MovqHwI4IkPzI/iavc7odlM7BXWjiRuz:RJbdo9P4RoM2VfcK7BHx

Score

10^/10

formbook 8h9m discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

8h9m

Decoy

1mlTmspKx2v1tBk=

yIc4QeHIRDCOR+Jw1Ok=

H8t9mJXm6cGdYU06SRJfL3sSLA==

lAXKHDi6++LIhlEwKs+bWhMZ+L66nQ==

E6WKvzgn56BxKQHIJyzgBAF/rqd3991G

POOMBhRnJuTJ

jamOvN0WjnY=

SkSWCK+QG2v1tBk=

UO/pC56OWQfVlG83j5ePL3sSLA==

zZE+TtGyQ/VHCmpNpqjvtO+qOv0gK/xY

Qf2nzo6CKw0wULtN3u8=

aQXZ7xd65+B5qcGN5es=

pVcLOF283IPToRfbFwmBk+/HYa/XgWg=

/q6WucVnJuTJ

1q6TtFFOBOLzXuZ80eM=

deGLxFs25Mot+4FNkDRsYM4=

OSMfWPXclKD9TD0In3Yh0w==

a//mBgh1bElZOCPn7JQcaAXZ7q/XgWg=

jTcUGqB9bkvyvQ/7

B3hUcn7MyK7CtqeFrxQV3Q==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\International\Geo\Nation	bwfjco.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\International\Geo\Nation	bwfjco.exe

Loads dropped DLL 1 IoCs

pid	Process
2072	wininit.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 2148 set thread context of 2952	2148	bwfjco.exe	32
PID 2148 set thread context of 3048	2148	bwfjco.exe	33
PID 2952 set thread context of 1224	2952	bwfjco.exe	21
PID 3048 set thread context of 1224	3048	bwfjco.exe	21
PID 2072 set thread context of 1224	2072	wininit.exe	21

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bwfjco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wininit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wininit.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-4177215427-74451935-3209572229-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	wininit.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
2952	bwfjco.exe
2952	bwfjco.exe
2952	bwfjco.exe
2952	bwfjco.exe
3048	bwfjco.exe
3048	bwfjco.exe
3048	bwfjco.exe
3048	bwfjco.exe
2072	wininit.exe
2228	wininit.exe
2072	wininit.exe
2072	wininit.exe
2072	wininit.exe
2072	wininit.exe
2072	wininit.exe
2072	wininit.exe
2072	wininit.exe
2072	wininit.exe
2072	wininit.exe
2072	wininit.exe
2072	wininit.exe
2072	wininit.exe
2072	wininit.exe
2072	wininit.exe
2072	wininit.exe
2072	wininit.exe
2072	wininit.exe
2072	wininit.exe
2072	wininit.exe
2072	wininit.exe
2072	wininit.exe
2072	wininit.exe
2072	wininit.exe
2072	wininit.exe
2072	wininit.exe
2072	wininit.exe

Suspicious behavior: MapViewOfSection 10 IoCs

pid	Process
2952	bwfjco.exe
3048	bwfjco.exe
2952	bwfjco.exe
2952	bwfjco.exe
3048	bwfjco.exe
3048	bwfjco.exe
2072	wininit.exe
2072	wininit.exe
2072	wininit.exe
2072	wininit.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2952	bwfjco.exe
Token: SeDebugPrivilege	3048	bwfjco.exe
Token: SeDebugPrivilege	2072	wininit.exe
Token: SeDebugPrivilege	2228	wininit.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 2952	2148	bwfjco.exe	32
PID 2148 wrote to memory of 2952	2148	bwfjco.exe	32
PID 2148 wrote to memory of 2952	2148	bwfjco.exe	32
PID 2148 wrote to memory of 2952	2148	bwfjco.exe	32
PID 2148 wrote to memory of 2952	2148	bwfjco.exe	32
PID 2148 wrote to memory of 3048	2148	bwfjco.exe	33
PID 2148 wrote to memory of 3048	2148	bwfjco.exe	33
PID 2148 wrote to memory of 3048	2148	bwfjco.exe	33
PID 2148 wrote to memory of 3048	2148	bwfjco.exe	33
PID 2148 wrote to memory of 3048	2148	bwfjco.exe	33
PID 1224 wrote to memory of 2228	1224	Explorer.EXE	34
PID 1224 wrote to memory of 2228	1224	Explorer.EXE	34
PID 1224 wrote to memory of 2228	1224	Explorer.EXE	34
PID 1224 wrote to memory of 2228	1224	Explorer.EXE	34
PID 1224 wrote to memory of 2072	1224	Explorer.EXE	35
PID 1224 wrote to memory of 2072	1224	Explorer.EXE	35
PID 1224 wrote to memory of 2072	1224	Explorer.EXE	35
PID 1224 wrote to memory of 2072	1224	Explorer.EXE	35
PID 2072 wrote to memory of 1824	2072	wininit.exe	37
PID 2072 wrote to memory of 1824	2072	wininit.exe	37
PID 2072 wrote to memory of 1824	2072	wininit.exe	37
PID 2072 wrote to memory of 1824	2072	wininit.exe	37
PID 2072 wrote to memory of 1824	2072	wininit.exe	37

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Users\Admin\AppData\Local\Temp\bwfjco.exe
  "C:\Users\Admin\AppData\Local\Temp\bwfjco.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Users\Admin\AppData\Local\Temp\bwfjco.exe
    "C:\Users\Admin\AppData\Local\Temp\bwfjco.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2952
- - C:\Users\Admin\AppData\Local\Temp\bwfjco.exe
    "C:\Users\Admin\AppData\Local\Temp\bwfjco.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:3048
- C:\Windows\SysWOW64\wininit.exe
  "C:\Windows\SysWOW64\wininit.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2228
- C:\Windows\SysWOW64\wininit.exe
  "C:\Windows\SysWOW64\wininit.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:1824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lpxpl.zip

Filesize
440KB

MD5
5d874a46532117f82095481976117fa1

SHA1
0a33fdef5084db25e24451dbde80238b487fbe78

SHA256
d6ccab1423559c6cf50202bc81a4576f969aa9c275eaaeb9a2ac2c827cd60447

SHA512
f0624277f3b4839c836291e1d1eb03cda875ba192243427afa967819b213f0cdade02f22e20b786b4680e4faaef20c045ad0a456d5f85fc04d3ab2e081ff4c61

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
841KB

MD5
5fc6cd5d5ca1489d2a3c361717359a95

SHA1
5c630e232cd5761e7a611e41515be4afa3e7a141

SHA256
85c8b8a648c56cf5f063912e0e26ecebb90e0caf2f442fd5cdd8287301fe7e81

SHA512
5f9124a721f6b463d4f980920e87925098aa753b0fa2a59a3ff48b48d2b1a45d760fd46445414d84fb66321181cd2c82a4194361811114c15e35b42f838ab792

Download Submit
memory/1224-26-0x0000000007850000-0x00000000079D8000-memory.dmp

Filesize
1.5MB

Download
memory/1224-6-0x0000000006620000-0x000000000677F000-memory.dmp

Filesize
1.4MB

Download
memory/1224-28-0x0000000007850000-0x00000000079D8000-memory.dmp

Filesize
1.5MB

Download
memory/1224-25-0x0000000007850000-0x00000000079D8000-memory.dmp

Filesize
1.5MB

Download
memory/1224-9-0x0000000006E60000-0x0000000006FD2000-memory.dmp

Filesize
1.4MB

Download
memory/1224-20-0x0000000006620000-0x000000000677F000-memory.dmp

Filesize
1.4MB

Download
memory/2072-71-0x0000000061E00000-0x0000000061EBF000-memory.dmp

Filesize
764KB

Download
memory/2072-13-0x0000000000820000-0x000000000083A000-memory.dmp

Filesize
104KB

Download
memory/2072-12-0x0000000000820000-0x000000000083A000-memory.dmp

Filesize
104KB

Download
memory/2072-19-0x00000000000C0000-0x00000000000ED000-memory.dmp

Filesize
180KB

Download
memory/2148-0-0x00000000002F0000-0x00000000002F2000-memory.dmp

Filesize
8KB

Download
memory/2228-16-0x0000000000820000-0x000000000083A000-memory.dmp

Filesize
104KB

Download
memory/2228-15-0x0000000000820000-0x000000000083A000-memory.dmp

Filesize
104KB

Download
memory/2952-11-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/2952-5-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2952-2-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/3048-7-0x0000000000423000-0x0000000000424000-memory.dmp

Filesize
4KB

Download
memory/3048-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3048-4-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing