formbook | fa2438aaa59415efd6159ece227f7f57a1f83568f6af6faa4d2e0827e8eb0dab

General

Target

Payment 18102022 pdf.exe
Size

703KB
MD5

eb566da5f09a5de0eaf16a15298a3334
SHA1

e31fba8a86fa6075628889c28c1eb0a8a30072c6
SHA256

8e2a59e64796ca70e6b84a15d632ebc5bff7427901b4b1f5ce854505fba40421
SHA512

2f086333a1365a5dd82d526810a7ad05afc36a8b9cb5b8bd8078bb8a2e5c738e1e9ef778f0ff60c505e8acf70455bd7e5a26a52affff4d0a3261fbc613bc24ae
SSDEEP

12288:4bmpiBDXym+cyqM8OQEpw/nVwKorUs1Ag9CACJ3aZKDOcNA5av+BjgAC7RX:4bmpOum+cy+O3EnxorUsXQAKZNA46jgF

Score

10^/10

formbook vr04 discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

vr04

Decoy

collegefootballrecruiting.site

charlleysmith.top

go178.xyz

livingintemeculacalifornia.com

polufilm.store

hupfcc.cfd

evoluntest.pics

nunyacandle.com

ciel-de-guss.net

contactparadise.com

parraswap.com

ireret.store

tnvre.site

teatopia.net

friendlyfarmcart.com

juchitronics.com

sensal-jewerly.com

extrashopping.shop

ruby.credit

ruibest.club

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/2688-23-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

pid	Process
2652	xrknt.exe
2912	xrknt.exe

Loads dropped DLL 8 IoCs

pid	Process
2636	Payment 18102022 pdf.exe
2652	xrknt.exe
2652	xrknt.exe
2784	WerFault.exe
2784	WerFault.exe
2784	WerFault.exe
2784	WerFault.exe
2784	WerFault.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2652 set thread context of 2688	2652	xrknt.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2784	2652	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payment 18102022 pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xrknt.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2652	xrknt.exe
2652	xrknt.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2652	xrknt.exe
2652	xrknt.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 2652	2636	Payment 18102022 pdf.exe	31
PID 2636 wrote to memory of 2652	2636	Payment 18102022 pdf.exe	31
PID 2636 wrote to memory of 2652	2636	Payment 18102022 pdf.exe	31
PID 2636 wrote to memory of 2652	2636	Payment 18102022 pdf.exe	31
PID 2652 wrote to memory of 2912	2652	xrknt.exe	32
PID 2652 wrote to memory of 2912	2652	xrknt.exe	32
PID 2652 wrote to memory of 2912	2652	xrknt.exe	32
PID 2652 wrote to memory of 2912	2652	xrknt.exe	32
PID 2652 wrote to memory of 2688	2652	xrknt.exe	33
PID 2652 wrote to memory of 2688	2652	xrknt.exe	33
PID 2652 wrote to memory of 2688	2652	xrknt.exe	33
PID 2652 wrote to memory of 2688	2652	xrknt.exe	33
PID 2652 wrote to memory of 2688	2652	xrknt.exe	33
PID 2652 wrote to memory of 2784	2652	xrknt.exe	34
PID 2652 wrote to memory of 2784	2652	xrknt.exe	34
PID 2652 wrote to memory of 2784	2652	xrknt.exe	34
PID 2652 wrote to memory of 2784	2652	xrknt.exe	34

C:\Users\Admin\AppData\Local\Temp\Payment 18102022 pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Payment 18102022 pdf.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Users\Admin\AppData\Local\Temp\xrknt.exe
  "C:\Users\Admin\AppData\Local\Temp\xrknt.exe" "C:\Users\Admin\AppData\Local\Temp\flsfotnhhg.au3"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Users\Admin\AppData\Local\Temp\xrknt.exe
    "C:\Users\Admin\AppData\Local\Temp\xrknt.exe" "C:\Users\Admin\AppData\Local\Temp\flsfotnhhg.au3"
    3⤵
    - Executes dropped EXE
    PID:2912
- - C:\Users\Admin\AppData\Local\Temp\xrknt.exe
    "C:\Users\Admin\AppData\Local\Temp\xrknt.exe" "C:\Users\Admin\AppData\Local\Temp\flsfotnhhg.au3"
    3⤵
    PID:2688
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2652 -s 312
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\flsfotnhhg.au3

Filesize
5KB

MD5
dc303ae1e97f6b53051e3d0001a3f607

SHA1
e1a4eb96d39dbc0e16092a98b730f17eeccf0ebf

SHA256
3602082b3b4bcfb1a35a293677772cbdb390976ffdeca481d497a38eaeb27181

SHA512
6d221b5aacfc12d5122a748b95445647cf39d48566dc9e7895fbe60d59c18e26673d9c5b11aeebcbd104ab0d1d2785c3aa113cda06b6ec0f9e58124e44e10a39

Download Submit
C:\Users\Admin\AppData\Local\Temp\kdqgism.ry

Filesize
185KB

MD5
3c0d1c359b5d0d5fce27c9a0fe1ac5e7

SHA1
12e361391c709216bde1d3c3371e50a038812084

SHA256
4d4fd178b85c749daa1a4a684e15ef4ccce5b05dd5b3e635ab5a0c546fae4577

SHA512
b9d07be3c7ae30988d18c801b4ccedee892e6283d14bc04f26df968be43086ee36f8ceb204457820028ead6d5949cc8f03405b28c6161050c0b9cfe7814d96f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nqgaoyqe.y

Filesize
37KB

MD5
aacc6b463e571b0f06a9b399088aa973

SHA1
828d202192363100136184a54708515ce5f8387a

SHA256
987fa33440205e9b6ffd5fd0a1ea3e70f32d8da79a2b6ade903ebf7861d5125b

SHA512
b9f9bdcef3caacf7d77c95e579aaff22bd256358020fd7598be097f81a57c8c118920dae78ed705a0c25969c21c1cfa138c1435270d39b87868925929c9bfbde

Download Submit
\Users\Admin\AppData\Local\Temp\xrknt.exe

Filesize
925KB

MD5
0adb9b817f1df7807576c2d7068dd931

SHA1
4a1b94a9a5113106f40cd8ea724703734d15f118

SHA256
98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b

SHA512
883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a

Download Submit
memory/2652-10-0x00000000000F0000-0x00000000000F2000-memory.dmp

Filesize
8KB

Download
memory/2688-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing