formbook | 7d09a3768f7dfb3e2aaacabc46d05e59fc4ae20ee20c3e0c61e371ad5e3c30a3

General

Target

xsdzemml.exe
Size

55KB
MD5

e2aa91fb3599cb7cbbd1cb3d5e4c3063
SHA1

f4278c4f6e1f3358b1ea4748aa2c9401488b6fb7
SHA256

2e61c28dea3a0dcde21b06fba573bac629a6cc2fb464bde2f332f3e8c3ba62df
SHA512

f5f91140dbeaf73a724bca50914a13bb4bd180c0a6b4ccc87f7abd34cea94bd0f16d2d601ec8e6fde5d414f24e8078622f2f203d135469213d524a0f4b632ce3
SSDEEP

1536:Jl/q6Jo2jwim79h5adPF329aJih1IjzGx5SsR1q2Ym0PPDYlHCX:nq6JBjmpjadPjih1IjzmFrYdwC

Score

10^/10

formbook sl12 discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

sl12

Decoy

monsore-records.com

discoverthis.world

ishop-brasil.com

foxeshaveholesintl.com

currenteitherknowledge.xyz

haaph.com

leggacyfarm.com

theaudiobookdb.net

ungerstahlbaubrehna.com

cliphindi.com

thht86.com

b4d5h0t.com

yashentcbsmall.com

ltcibenefits.com

allwaystravelservice.com

1gethear.com

elstery.com

buyervalet.com

snowyrangecpa.com

bshuan.icu

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 2 IoCs

rat

resource	yara_rule
behavioral3/memory/836-1-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral3/memory/836-3-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1972 set thread context of 836	1972	xsdzemml.exe	30
PID 836 set thread context of 1128	836	xsdzemml.exe	20

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1784	2564	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xsdzemml.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
836	xsdzemml.exe
836	xsdzemml.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
836	xsdzemml.exe
836	xsdzemml.exe
836	xsdzemml.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	836	xsdzemml.exe
Token: SeShutdownPrivilege	1128	Explorer.EXE
Token: SeShutdownPrivilege	1128	Explorer.EXE
Token: SeShutdownPrivilege	1128	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 836	1972	xsdzemml.exe	30
PID 1972 wrote to memory of 836	1972	xsdzemml.exe	30
PID 1972 wrote to memory of 836	1972	xsdzemml.exe	30
PID 1972 wrote to memory of 836	1972	xsdzemml.exe	30
PID 1972 wrote to memory of 836	1972	xsdzemml.exe	30
PID 1972 wrote to memory of 836	1972	xsdzemml.exe	30
PID 1972 wrote to memory of 836	1972	xsdzemml.exe	30
PID 1128 wrote to memory of 2564	1128	Explorer.EXE	31
PID 1128 wrote to memory of 2564	1128	Explorer.EXE	31
PID 1128 wrote to memory of 2564	1128	Explorer.EXE	31
PID 1128 wrote to memory of 2564	1128	Explorer.EXE	31
PID 1128 wrote to memory of 2564	1128	Explorer.EXE	31
PID 1128 wrote to memory of 2564	1128	Explorer.EXE	31
PID 1128 wrote to memory of 2564	1128	Explorer.EXE	31
PID 2564 wrote to memory of 1784	2564	msiexec.exe	33
PID 2564 wrote to memory of 1784	2564	msiexec.exe	33
PID 2564 wrote to memory of 1784	2564	msiexec.exe	33
PID 2564 wrote to memory of 1784	2564	msiexec.exe	33

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1128
- C:\Users\Admin\AppData\Local\Temp\xsdzemml.exe
  "C:\Users\Admin\AppData\Local\Temp\xsdzemml.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Users\Admin\AppData\Local\Temp\xsdzemml.exe
    "C:\Users\Admin\AppData\Local\Temp\xsdzemml.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:836
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 268
    3⤵
    - Program crash
    PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/836-1-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/836-3-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1128-4-0x0000000005090000-0x00000000051BB000-memory.dmp

Filesize
1.2MB

Download
memory/1128-13-0x0000000005090000-0x00000000051BB000-memory.dmp

Filesize
1.2MB

Download
memory/1972-0-0x00000000002D0000-0x00000000002D2000-memory.dmp

Filesize
8KB

Download
memory/2564-7-0x0000000000760000-0x0000000000774000-memory.dmp

Filesize
80KB

Download
memory/2564-8-0x0000000000760000-0x0000000000774000-memory.dmp

Filesize
80KB

Download
memory/2564-10-0x0000000000760000-0x0000000000774000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing