formbook | eeea861b682bed10d258c2287131d406994d8ee0aa3976fe613f69c9dffe2969

General

Target

98a0baed911fcca09a50dd4dc17f6f65edf26cc6d834681b1d2a270bfbf3f45c.exe
Size

770KB
MD5

cf6c56346d93fc10443e9261c797746f
SHA1

1702b84ce180e96d166834cdbd83ed71a8f16aea
SHA256

98a0baed911fcca09a50dd4dc17f6f65edf26cc6d834681b1d2a270bfbf3f45c
SHA512

228f275ea0c886ae74ecea22eca47535998c4d69284348db110f699a368d971ad7a16f8aa3b1fdfea98866082d8bfdf8fe144bc4ebea26d32a42d062d6fe30dd
SSDEEP

12288:U5Vko2KEJCq7MD0WnFTXQ0ixKIQK+uBLcnC76n1lT2L5m3bVpHlEkOi5:7JJH7+FnVCQL+LW5LT21m37HlEnG

Score

10^/10

formbook p0t9 discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

p0t9

Decoy

marketplacewins.com

boymeetsmilf.com

ruhuplus.com

adultescortnft.com

app683.icu

viade.store

businesscardadvertiser.com

5649tk.com

daoguo456.com

digitalservice.pro

muabannothienuy.com

geneseeampwyoming.com

olliejay00.com

pristineintegrity.info

jimdeyux0kopgnhsldig.club

eadsscale.club

iwelim.space

s29x.club

brysonhajee.com

trainership.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 3 IoCs

rat

resource	yara_rule
behavioral2/memory/1692-10-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/1692-15-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2908-21-0x0000000000180000-0x00000000001AF000-memory.dmp	formbook

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1868 set thread context of 1692	1868	98a0baed911fcca09a50dd4dc17f6f65edf26cc6d834681b1d2a270bfbf3f45c.exe	93
PID 1692 set thread context of 3436	1692	vbc.exe	56
PID 2908 set thread context of 3436	2908	WWAHost.exe	56

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	98a0baed911fcca09a50dd4dc17f6f65edf26cc6d834681b1d2a270bfbf3f45c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WWAHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
2908	WWAHost.exe
2908	WWAHost.exe
2908	WWAHost.exe
2908	WWAHost.exe
2908	WWAHost.exe
2908	WWAHost.exe
2908	WWAHost.exe
2908	WWAHost.exe
2908	WWAHost.exe
2908	WWAHost.exe
2908	WWAHost.exe
2908	WWAHost.exe
2908	WWAHost.exe
2908	WWAHost.exe
2908	WWAHost.exe
2908	WWAHost.exe
2908	WWAHost.exe
2908	WWAHost.exe
2908	WWAHost.exe
2908	WWAHost.exe
2908	WWAHost.exe
2908	WWAHost.exe
2908	WWAHost.exe
2908	WWAHost.exe
2908	WWAHost.exe
2908	WWAHost.exe
2908	WWAHost.exe
2908	WWAHost.exe
2908	WWAHost.exe
2908	WWAHost.exe
2908	WWAHost.exe
2908	WWAHost.exe
2908	WWAHost.exe
2908	WWAHost.exe
2908	WWAHost.exe
2908	WWAHost.exe
2908	WWAHost.exe
2908	WWAHost.exe
2908	WWAHost.exe
2908	WWAHost.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
1692	vbc.exe
1692	vbc.exe
1692	vbc.exe
2908	WWAHost.exe
2908	WWAHost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1692	vbc.exe
Token: SeDebugPrivilege	2908	WWAHost.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 1692	1868	98a0baed911fcca09a50dd4dc17f6f65edf26cc6d834681b1d2a270bfbf3f45c.exe	93
PID 1868 wrote to memory of 1692	1868	98a0baed911fcca09a50dd4dc17f6f65edf26cc6d834681b1d2a270bfbf3f45c.exe	93
PID 1868 wrote to memory of 1692	1868	98a0baed911fcca09a50dd4dc17f6f65edf26cc6d834681b1d2a270bfbf3f45c.exe	93
PID 1868 wrote to memory of 1692	1868	98a0baed911fcca09a50dd4dc17f6f65edf26cc6d834681b1d2a270bfbf3f45c.exe	93
PID 1868 wrote to memory of 1692	1868	98a0baed911fcca09a50dd4dc17f6f65edf26cc6d834681b1d2a270bfbf3f45c.exe	93
PID 1868 wrote to memory of 1692	1868	98a0baed911fcca09a50dd4dc17f6f65edf26cc6d834681b1d2a270bfbf3f45c.exe	93
PID 3436 wrote to memory of 2908	3436	Explorer.EXE	94
PID 3436 wrote to memory of 2908	3436	Explorer.EXE	94
PID 3436 wrote to memory of 2908	3436	Explorer.EXE	94
PID 2908 wrote to memory of 816	2908	WWAHost.exe	95
PID 2908 wrote to memory of 816	2908	WWAHost.exe	95
PID 2908 wrote to memory of 816	2908	WWAHost.exe	95

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3436
- C:\Users\Admin\AppData\Local\Temp\98a0baed911fcca09a50dd4dc17f6f65edf26cc6d834681b1d2a270bfbf3f45c.exe
  "C:\Users\Admin\AppData\Local\Temp\98a0baed911fcca09a50dd4dc17f6f65edf26cc6d834681b1d2a270bfbf3f45c.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1692
- C:\Windows\SysWOW64\WWAHost.exe
  "C:\Windows\SysWOW64\WWAHost.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1692-10-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1692-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1692-16-0x0000000001570000-0x0000000001584000-memory.dmp

Filesize
80KB

Download
memory/1692-13-0x00000000015A0000-0x00000000018EA000-memory.dmp

Filesize
3.3MB

Download
memory/1868-5-0x00000000744DE000-0x00000000744DF000-memory.dmp

Filesize
4KB

Download
memory/1868-2-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download
memory/1868-6-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download
memory/1868-7-0x0000000005610000-0x00000000056AC000-memory.dmp

Filesize
624KB

Download
memory/1868-8-0x0000000005A60000-0x0000000005B14000-memory.dmp

Filesize
720KB

Download
memory/1868-9-0x00000000057D0000-0x0000000005804000-memory.dmp

Filesize
208KB

Download
memory/1868-4-0x00000000052D0000-0x0000000005362000-memory.dmp

Filesize
584KB

Download
memory/1868-12-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download
memory/1868-3-0x00000000051D0000-0x00000000051DE000-memory.dmp

Filesize
56KB

Download
memory/1868-0-0x00000000744DE000-0x00000000744DF000-memory.dmp

Filesize
4KB

Download
memory/1868-1-0x0000000000660000-0x0000000000726000-memory.dmp

Filesize
792KB

Download
memory/2908-18-0x0000000000420000-0x00000000004FC000-memory.dmp

Filesize
880KB

Download
memory/2908-20-0x0000000000420000-0x00000000004FC000-memory.dmp

Filesize
880KB

Download
memory/2908-21-0x0000000000180000-0x00000000001AF000-memory.dmp

Filesize
188KB

Download
memory/3436-17-0x0000000002C20000-0x0000000002D73000-memory.dmp

Filesize
1.3MB

Download
memory/3436-22-0x0000000002C20000-0x0000000002D73000-memory.dmp

Filesize
1.3MB

Download
memory/3436-26-0x0000000007F90000-0x0000000008045000-memory.dmp

Filesize
724KB

Download
memory/3436-27-0x0000000007F90000-0x0000000008045000-memory.dmp

Filesize
724KB

Download
memory/3436-29-0x0000000007F90000-0x0000000008045000-memory.dmp

Filesize
724KB

Download

Analysis

Sharing