formbook | 08b37186bf5900314ff26172bfc0f2ff35a2f61ec2bd1be1e2c7031af9bf5358

General

Target

742dddbb8dfa6ac7125c8f7de7197163c111ee6d8f1ff4ff0382db223c8461a8.exe
Size

1.1MB
MD5

c078c87514cfd7cae5d932325fad4625
SHA1

40ff7130fe87f96a133f41aea4eb9ff75be6a5dd
SHA256

742dddbb8dfa6ac7125c8f7de7197163c111ee6d8f1ff4ff0382db223c8461a8
SHA512

355f0badda14c4fa19fddf3419dc7994fb08c45f3657cdf7a7e208005c6c26b2f01f0df85031148e01031a32e6ae1ca1b76658e7b69b293670293bc2757c2e15
SSDEEP

24576:gMTzqeqLpLGq1hhh2czxF8Uo8J6Iti5lcIIoIhI:1TzqDDr24oUt6Iti5lcIIoIhI

Score

10^/10

formbook su4h discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

su4h

Decoy

dopestartalentsearch.com

xeneln.info

jan-stollenwerk.com

footjet.com

globfun.com

drygoodsnola.com

cartayamedpsy.net

morganamelia.com

renoportapotty.com

cybertrucksclub.com

sl367.com

bandwagonpresents.com

npaczambia.com

infocom.management

gm0451.com

coloring-page.info

jibkokmaket.com

stickynoteplot.com

remonmikan.com

mcalweeimports.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/2276-11-0x0000000000400000-0x0000000000459000-memory.dmp	formbook
behavioral1/memory/2276-8-0x0000000000400000-0x0000000000459000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2124 set thread context of 2276	2124	742dddbb8dfa6ac7125c8f7de7197163c111ee6d8f1ff4ff0382db223c8461a8.exe	28

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1612	2276	WerFault.exe	28

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	742dddbb8dfa6ac7125c8f7de7197163c111ee6d8f1ff4ff0382db223c8461a8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	instnm.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2124	742dddbb8dfa6ac7125c8f7de7197163c111ee6d8f1ff4ff0382db223c8461a8.exe
2124	742dddbb8dfa6ac7125c8f7de7197163c111ee6d8f1ff4ff0382db223c8461a8.exe
2124	742dddbb8dfa6ac7125c8f7de7197163c111ee6d8f1ff4ff0382db223c8461a8.exe
2124	742dddbb8dfa6ac7125c8f7de7197163c111ee6d8f1ff4ff0382db223c8461a8.exe
2124	742dddbb8dfa6ac7125c8f7de7197163c111ee6d8f1ff4ff0382db223c8461a8.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2124	742dddbb8dfa6ac7125c8f7de7197163c111ee6d8f1ff4ff0382db223c8461a8.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 2276	2124	742dddbb8dfa6ac7125c8f7de7197163c111ee6d8f1ff4ff0382db223c8461a8.exe	28
PID 2124 wrote to memory of 2276	2124	742dddbb8dfa6ac7125c8f7de7197163c111ee6d8f1ff4ff0382db223c8461a8.exe	28
PID 2124 wrote to memory of 2276	2124	742dddbb8dfa6ac7125c8f7de7197163c111ee6d8f1ff4ff0382db223c8461a8.exe	28
PID 2124 wrote to memory of 2276	2124	742dddbb8dfa6ac7125c8f7de7197163c111ee6d8f1ff4ff0382db223c8461a8.exe	28
PID 2124 wrote to memory of 2276	2124	742dddbb8dfa6ac7125c8f7de7197163c111ee6d8f1ff4ff0382db223c8461a8.exe	28
PID 2124 wrote to memory of 2276	2124	742dddbb8dfa6ac7125c8f7de7197163c111ee6d8f1ff4ff0382db223c8461a8.exe	28
PID 2124 wrote to memory of 2276	2124	742dddbb8dfa6ac7125c8f7de7197163c111ee6d8f1ff4ff0382db223c8461a8.exe	28
PID 2124 wrote to memory of 2276	2124	742dddbb8dfa6ac7125c8f7de7197163c111ee6d8f1ff4ff0382db223c8461a8.exe	28
PID 2124 wrote to memory of 2276	2124	742dddbb8dfa6ac7125c8f7de7197163c111ee6d8f1ff4ff0382db223c8461a8.exe	28
PID 2124 wrote to memory of 2276	2124	742dddbb8dfa6ac7125c8f7de7197163c111ee6d8f1ff4ff0382db223c8461a8.exe	28
PID 2124 wrote to memory of 2276	2124	742dddbb8dfa6ac7125c8f7de7197163c111ee6d8f1ff4ff0382db223c8461a8.exe	28
PID 2276 wrote to memory of 1612	2276	instnm.exe	29
PID 2276 wrote to memory of 1612	2276	instnm.exe	29
PID 2276 wrote to memory of 1612	2276	instnm.exe	29
PID 2276 wrote to memory of 1612	2276	instnm.exe	29
PID 2276 wrote to memory of 1612	2276	instnm.exe	29
PID 2276 wrote to memory of 1612	2276	instnm.exe	29
PID 2276 wrote to memory of 1612	2276	instnm.exe	29

C:\Users\Admin\AppData\Local\Temp\742dddbb8dfa6ac7125c8f7de7197163c111ee6d8f1ff4ff0382db223c8461a8.exe
"C:\Users\Admin\AppData\Local\Temp\742dddbb8dfa6ac7125c8f7de7197163c111ee6d8f1ff4ff0382db223c8461a8.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\SysWOW64\instnm.exe
  "C:\Windows\SysWOW64\instnm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 252
    3⤵
    - Program crash
    PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2124-0-0x000000007429E000-0x000000007429F000-memory.dmp

Filesize
4KB

Download
memory/2124-1-0x0000000000D10000-0x0000000000E24000-memory.dmp

Filesize
1.1MB

Download
memory/2124-2-0x0000000004B30000-0x0000000004BF0000-memory.dmp

Filesize
768KB

Download
memory/2124-3-0x00000000002C0000-0x00000000002F6000-memory.dmp

Filesize
216KB

Download
memory/2124-4-0x0000000074290000-0x000000007497E000-memory.dmp

Filesize
6.9MB

Download
memory/2124-12-0x0000000074290000-0x000000007497E000-memory.dmp

Filesize
6.9MB

Download
memory/2276-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2276-11-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2276-8-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2276-7-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2276-5-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download

Analysis

Sharing