formbook | 28c8678d4316f1bf61b5b7fc48f87aed9d0c5fc19c7b1ebd9bd8f481ac861dc1

General

Target

oo.exe
Size

242KB
MD5

f905085a630d00b01d514b663af54325
SHA1

9355bfd5c0d1fe2636c24c12da6783d964a9562e
SHA256

7d5ffe72101db06ec8ef98e2a4d698cb4a7a2c430210bef73b837fe856a5cc34
SHA512

92dba6c93446543d4148d3f86eed4f1d5ae5e36f73fa99975e01c619e87f465575b44244f8a35dfcdfed45382ea8cc3355468dcfc5a5e7db496d45b16134f8f9
SSDEEP

6144:HNeZm6BQtVdcgqeXfoq7fkrJGNevy73Ke787JhYKnusW0i:HNl6BreAq7+GNevyzKe7gYL/H

Score

10^/10

formbook sh30 discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

sh30

Decoy

raptorwin.com

mmwavesolved.com

coachingwithcc.com

ssvminc.com

celdegobierno.info

wpaci.com

denison.top

fdsff.com

kelsapur.com

pontodeacucar.com

tgbamg.com

hkserver.xyz

muscatrfc.com

gylslgzn.com

roses-rouges.com

stanleymediaproductions.com

mintplatform.store

mentalallyhealth.com

lezfilm.com

lucarbo.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/2380-15-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2380-18-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2380-21-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2184-28-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

pid	Process
1940	lycasyi.exe
2380	lycasyi.exe

Loads dropped DLL 3 IoCs

pid	Process
1700	oo.exe
1700	oo.exe
1940	lycasyi.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1940 set thread context of 2380	1940	lycasyi.exe	31
PID 2380 set thread context of 1204	2380	lycasyi.exe	21
PID 2380 set thread context of 1204	2380	lycasyi.exe	21
PID 2184 set thread context of 1204	2184	wlanext.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lycasyi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wlanext.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oo.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2380	lycasyi.exe
2380	lycasyi.exe
2380	lycasyi.exe
2184	wlanext.exe
2184	wlanext.exe
2184	wlanext.exe
2184	wlanext.exe
2184	wlanext.exe
2184	wlanext.exe
2184	wlanext.exe
2184	wlanext.exe
2184	wlanext.exe
2184	wlanext.exe
2184	wlanext.exe
2184	wlanext.exe
2184	wlanext.exe
2184	wlanext.exe
2184	wlanext.exe
2184	wlanext.exe
2184	wlanext.exe
2184	wlanext.exe
2184	wlanext.exe
2184	wlanext.exe
2184	wlanext.exe
2184	wlanext.exe
2184	wlanext.exe
2184	wlanext.exe
2184	wlanext.exe
2184	wlanext.exe
2184	wlanext.exe
2184	wlanext.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2380	lycasyi.exe
2380	lycasyi.exe
2380	lycasyi.exe
2380	lycasyi.exe
2184	wlanext.exe
2184	wlanext.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2380	lycasyi.exe
Token: SeDebugPrivilege	2184	wlanext.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 1940	1700	oo.exe	30
PID 1700 wrote to memory of 1940	1700	oo.exe	30
PID 1700 wrote to memory of 1940	1700	oo.exe	30
PID 1700 wrote to memory of 1940	1700	oo.exe	30
PID 1940 wrote to memory of 2380	1940	lycasyi.exe	31
PID 1940 wrote to memory of 2380	1940	lycasyi.exe	31
PID 1940 wrote to memory of 2380	1940	lycasyi.exe	31
PID 1940 wrote to memory of 2380	1940	lycasyi.exe	31
PID 1940 wrote to memory of 2380	1940	lycasyi.exe	31
PID 1940 wrote to memory of 2380	1940	lycasyi.exe	31
PID 1940 wrote to memory of 2380	1940	lycasyi.exe	31
PID 1204 wrote to memory of 2184	1204	Explorer.EXE	32
PID 1204 wrote to memory of 2184	1204	Explorer.EXE	32
PID 1204 wrote to memory of 2184	1204	Explorer.EXE	32
PID 1204 wrote to memory of 2184	1204	Explorer.EXE	32
PID 2184 wrote to memory of 2800	2184	wlanext.exe	33
PID 2184 wrote to memory of 2800	2184	wlanext.exe	33
PID 2184 wrote to memory of 2800	2184	wlanext.exe	33
PID 2184 wrote to memory of 2800	2184	wlanext.exe	33

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Users\Admin\AppData\Local\Temp\oo.exe
  "C:\Users\Admin\AppData\Local\Temp\oo.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Users\Admin\AppData\Local\Temp\lycasyi.exe
    C:\Users\Admin\AppData\Local\Temp\lycasyi.exe C:\Users\Admin\AppData\Local\Temp\fekxmqbnse
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1940
  - - C:\Users\Admin\AppData\Local\Temp\lycasyi.exe
      C:\Users\Admin\AppData\Local\Temp\lycasyi.exe C:\Users\Admin\AppData\Local\Temp\fekxmqbnse
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2380
- C:\Windows\SysWOW64\wlanext.exe
  "C:\Windows\SysWOW64\wlanext.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\lycasyi.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7s600mdth0ub3a

Filesize
213KB

MD5
2e6f0c560ca92dbefe06e9b54074bd38

SHA1
9dab2420af1440ebb6a2ed803c2ddf49774584c6

SHA256
8e4583acd5e0bd86fdab288c3a5cfbdf3b734b71c9b80dbabe6b2f47eb2b645c

SHA512
e7798fc4b488051be400a6887b2e7d8b72c6f29917f44ea83cf90e83e587e3af44e6da98e69d8a97d6ddbe01857f443fbf543bceec8c482edeab0d9e7f5db40b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fekxmqbnse

Filesize
5KB

MD5
69f7d3e1f535de654b4ff151a0f7e089

SHA1
ff384e1b0800e45f79809d2a78a2e78b2c5722b7

SHA256
09c5caefba71924f63566b2101a031572982cfe86ffbea47799a894635ab77e7

SHA512
8d8da962f58d03b14070c60f14e4e3e87ff542f266f670345f58b983d193d5426e6f9dc01db90f01dffb382fbac12650407697f9f6ec3d8cb10fc938ce368c03

Download Submit
\Users\Admin\AppData\Local\Temp\lycasyi.exe

Filesize
4KB

MD5
b4ae0759295f61f4a798dbac502dbb5d

SHA1
754740cc5275e1f45d9e83ba8eaf0de46950d2b2

SHA256
1e5e59864f9e0f0d90aafcd403b9b915b77883e57cbf5803116adfe292d81b2e

SHA512
41486569ced8dc07eaa0693a1b42f3f597c1d3791745a29de62de1ef765e59e5006b0c6796f5ee387a75ee66497fc490620db3c2ef4f4e55476f2db2db228bef

Download Submit
memory/1204-23-0x0000000005020000-0x0000000005101000-memory.dmp

Filesize
900KB

Download
memory/1204-19-0x0000000004D40000-0x0000000004E50000-memory.dmp

Filesize
1.1MB

Download
memory/1204-22-0x0000000004D40000-0x0000000004E50000-memory.dmp

Filesize
1.1MB

Download
memory/1204-29-0x0000000005020000-0x0000000005101000-memory.dmp

Filesize
900KB

Download
memory/1940-12-0x0000000000250000-0x0000000000252000-memory.dmp

Filesize
8KB

Download
memory/2184-27-0x0000000000CA0000-0x0000000000CB6000-memory.dmp

Filesize
88KB

Download
memory/2184-26-0x0000000000CA0000-0x0000000000CB6000-memory.dmp

Filesize
88KB

Download
memory/2184-28-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/2380-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2380-18-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2380-21-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing