formbook | 99a840d4975556606c5c996a4b939ab0351a7a1839109433d0d8c4c5ac2be75e

General

Target

PO__63537353636___IME JPEG.exe
Size

247KB
MD5

ea63eb54dfdd8f74262614563048a01b
SHA1

7ea1cc47710b4c399fac4cb9152b42fed5ec7f59
SHA256

3ffe776b0fc18193afce55f3502e1c895f7a10d3b01604f9953a1beb72be97fc
SHA512

acd89deb5f8d3299c5801f67149bb5bb70a6388c9939d1bb1fb4bd3aeda5704afc9b85db7b2d993f59e14340ea74339f7d806f1ae885db3745aef2a5a9c4b5a2
SSDEEP

6144:DQuqHcCDhh++6Cn6lun/ur4oCXQk4OvbqRK7P0+Ar7:kBHcCDhY1CGu/E4oCXQmzqRa0+s7

Score

10^/10

formbook u2s7 discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

u2s7

Decoy

mixso.site

rlagnin.com

imini.top

grapejulius.com

pkcomputer.online

surepolka.com

petahansen.com

rodriguezlawncare.net

oscartheelearning.ninja

gcubaang.top

learnserver.site

weddinginthehamptons.com

doctorverma.online

epicsx.com

signmole.shop

storetrade.store

htlenderschampionship.com

tigerexch-official.net

momentum6labs.com

safetyconsultants.sydney

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/2760-10-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2760-14-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2668-21-0x0000000000070000-0x000000000009F000-memory.dmp	formbook

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2844 set thread context of 2760	2844	PO__63537353636___IME JPEG.exe	30
PID 2760 set thread context of 1248	2760	Regsvcs.exe	21
PID 2668 set thread context of 1248	2668	wscript.exe	21

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PO__63537353636___IME JPEG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-1163522206-1469769407-485553996-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	wscript.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2760	Regsvcs.exe
2760	Regsvcs.exe
2668	wscript.exe
2668	wscript.exe
2668	wscript.exe
2668	wscript.exe
2668	wscript.exe
2668	wscript.exe
2668	wscript.exe
2668	wscript.exe
2668	wscript.exe
2668	wscript.exe
2668	wscript.exe
2668	wscript.exe
2668	wscript.exe
2668	wscript.exe
2668	wscript.exe
2668	wscript.exe
2668	wscript.exe
2668	wscript.exe
2668	wscript.exe
2668	wscript.exe
2668	wscript.exe
2668	wscript.exe
2668	wscript.exe
2668	wscript.exe
2668	wscript.exe
2668	wscript.exe
2668	wscript.exe
2668	wscript.exe
2668	wscript.exe

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
2760	Regsvcs.exe
2760	Regsvcs.exe
2760	Regsvcs.exe
2668	wscript.exe
2668	wscript.exe
2668	wscript.exe
2668	wscript.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2760	Regsvcs.exe
Token: SeDebugPrivilege	2668	wscript.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 2760	2844	PO__63537353636___IME JPEG.exe	30
PID 2844 wrote to memory of 2760	2844	PO__63537353636___IME JPEG.exe	30
PID 2844 wrote to memory of 2760	2844	PO__63537353636___IME JPEG.exe	30
PID 2844 wrote to memory of 2760	2844	PO__63537353636___IME JPEG.exe	30
PID 2844 wrote to memory of 2760	2844	PO__63537353636___IME JPEG.exe	30
PID 2844 wrote to memory of 2760	2844	PO__63537353636___IME JPEG.exe	30
PID 2844 wrote to memory of 2760	2844	PO__63537353636___IME JPEG.exe	30
PID 2844 wrote to memory of 2760	2844	PO__63537353636___IME JPEG.exe	30
PID 2844 wrote to memory of 2760	2844	PO__63537353636___IME JPEG.exe	30
PID 2844 wrote to memory of 2760	2844	PO__63537353636___IME JPEG.exe	30
PID 1248 wrote to memory of 2668	1248	Explorer.EXE	31
PID 1248 wrote to memory of 2668	1248	Explorer.EXE	31
PID 1248 wrote to memory of 2668	1248	Explorer.EXE	31
PID 1248 wrote to memory of 2668	1248	Explorer.EXE	31
PID 2668 wrote to memory of 1616	2668	wscript.exe	32
PID 2668 wrote to memory of 1616	2668	wscript.exe	32
PID 2668 wrote to memory of 1616	2668	wscript.exe	32
PID 2668 wrote to memory of 1616	2668	wscript.exe	32
PID 2668 wrote to memory of 1616	2668	wscript.exe	32

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Users\Admin\AppData\Local\Temp\PO__63537353636___IME JPEG.exe
  "C:\Users\Admin\AppData\Local\Temp\PO__63537353636___IME JPEG.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regsvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regsvcs.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2760
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\SysWOW64\wscript.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1248-16-0x0000000000010000-0x0000000000020000-memory.dmp

Filesize
64KB

Download
memory/1248-25-0x0000000004D80000-0x0000000004E5B000-memory.dmp

Filesize
876KB

Download
memory/1248-17-0x0000000004D80000-0x0000000004E5B000-memory.dmp

Filesize
876KB

Download
memory/2668-21-0x0000000000070000-0x000000000009F000-memory.dmp

Filesize
188KB

Download
memory/2668-18-0x0000000000630000-0x0000000000656000-memory.dmp

Filesize
152KB

Download
memory/2668-20-0x0000000000630000-0x0000000000656000-memory.dmp

Filesize
152KB

Download
memory/2760-14-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2760-15-0x0000000000290000-0x00000000002A5000-memory.dmp

Filesize
84KB

Download
memory/2760-12-0x0000000000840000-0x0000000000B43000-memory.dmp

Filesize
3.0MB

Download
memory/2760-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2760-5-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2760-10-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2760-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2844-0-0x00000000743FE000-0x00000000743FF000-memory.dmp

Filesize
4KB

Download
memory/2844-4-0x00000000743F0000-0x0000000074ADE000-memory.dmp

Filesize
6.9MB

Download
memory/2844-3-0x0000000000380000-0x0000000000388000-memory.dmp

Filesize
32KB

Download
memory/2844-2-0x0000000000270000-0x000000000027C000-memory.dmp

Filesize
48KB

Download
memory/2844-11-0x00000000743F0000-0x0000000074ADE000-memory.dmp

Filesize
6.9MB

Download
memory/2844-1-0x0000000001050000-0x0000000001092000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing