formbook | 0fc42384f1e39d784f466de02b83843495cea7e27e7f79f6f7195b88c48e9e3e

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24/12/2024, 13:40 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b65b6044cab0bcb44717f5e5b9b6793c3870604099dbd4b58531e6ac63cb15d.exe
Size

956KB
MD5

1d0f9fe2578b015eba100952a39ded18
SHA1

304e4a2963f5071360a400545cfca885f8e4bcf4
SHA256

5b65b6044cab0bcb44717f5e5b9b6793c3870604099dbd4b58531e6ac63cb15d
SHA512

4625f6655c098b011759f3da8027959ea1987e7d50dfd5364e1a297c0a4b641794579d558c0702a60d729438edfc2ce197accd843564c03ed773ce29696ee3b0
SSDEEP

12288:VaBXDylqDV1ZWtMhzGZ0GEdtARScCbD4AjM/4Kpi3sXsBqRO6PZXcQ6dhFcgAo:VaBelYYAJPARScCbKQN83ROthzA

Score

10^/10

formbook fr35 discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

fr35

Decoy

kantumusic.com

bswpcll.com

retaketomaxx.store

wyrak.site

chrisdc.com

myepower.net

manuscripttomarket.com

arthvisory.com

licvrb.com

iwacufinance.com

subha.info

jdksy.xyz

cdlyu.com

kinisehat.com

solidrockmultimedia.com

goconcepten48.online

efox8.com

elegantnewlook.com

samalaw-sa.com

otcwl.store

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/2068-12-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1744 set thread context of 2068	1744	5b65b6044cab0bcb44717f5e5b9b6793c3870604099dbd4b58531e6ac63cb15d.exe	31

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5b65b6044cab0bcb44717f5e5b9b6793c3870604099dbd4b58531e6ac63cb15d.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2068	5b65b6044cab0bcb44717f5e5b9b6793c3870604099dbd4b58531e6ac63cb15d.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 2068	1744	5b65b6044cab0bcb44717f5e5b9b6793c3870604099dbd4b58531e6ac63cb15d.exe	31
PID 1744 wrote to memory of 2068	1744	5b65b6044cab0bcb44717f5e5b9b6793c3870604099dbd4b58531e6ac63cb15d.exe	31
PID 1744 wrote to memory of 2068	1744	5b65b6044cab0bcb44717f5e5b9b6793c3870604099dbd4b58531e6ac63cb15d.exe	31
PID 1744 wrote to memory of 2068	1744	5b65b6044cab0bcb44717f5e5b9b6793c3870604099dbd4b58531e6ac63cb15d.exe	31
PID 1744 wrote to memory of 2068	1744	5b65b6044cab0bcb44717f5e5b9b6793c3870604099dbd4b58531e6ac63cb15d.exe	31
PID 1744 wrote to memory of 2068	1744	5b65b6044cab0bcb44717f5e5b9b6793c3870604099dbd4b58531e6ac63cb15d.exe	31
PID 1744 wrote to memory of 2068	1744	5b65b6044cab0bcb44717f5e5b9b6793c3870604099dbd4b58531e6ac63cb15d.exe	31

C:\Users\Admin\AppData\Local\Temp\5b65b6044cab0bcb44717f5e5b9b6793c3870604099dbd4b58531e6ac63cb15d.exe
"C:\Users\Admin\AppData\Local\Temp\5b65b6044cab0bcb44717f5e5b9b6793c3870604099dbd4b58531e6ac63cb15d.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Users\Admin\AppData\Local\Temp\5b65b6044cab0bcb44717f5e5b9b6793c3870604099dbd4b58531e6ac63cb15d.exe
  "C:\Users\Admin\AppData\Local\Temp\5b65b6044cab0bcb44717f5e5b9b6793c3870604099dbd4b58531e6ac63cb15d.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1744-6-0x0000000008170000-0x000000000822A000-memory.dmp

Filesize
744KB

Download
memory/1744-13-0x0000000074970000-0x000000007505E000-memory.dmp

Filesize
6.9MB

Download
memory/1744-2-0x0000000074970000-0x000000007505E000-memory.dmp

Filesize
6.9MB

Download
memory/1744-3-0x0000000000240000-0x000000000025A000-memory.dmp

Filesize
104KB

Download
memory/1744-4-0x000000007497E000-0x000000007497F000-memory.dmp

Filesize
4KB

Download
memory/1744-5-0x0000000074970000-0x000000007505E000-memory.dmp

Filesize
6.9MB

Download
memory/1744-7-0x00000000006C0000-0x00000000006FC000-memory.dmp

Filesize
240KB

Download
memory/1744-0-0x000000007497E000-0x000000007497F000-memory.dmp

Filesize
4KB

Download
memory/1744-1-0x0000000000B00000-0x0000000000BF6000-memory.dmp

Filesize
984KB

Download
memory/2068-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2068-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2068-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2068-9-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2068-14-0x0000000000C00000-0x0000000000F03000-memory.dmp

Filesize
3.0MB

Download