formbook | 9bd77f7b578698fa37d7fa9a75fc701b092f2055cab152d5d35fc13d62f34d45

General

Target

c8cab884daba148b1c8cd717f20b90cf4a2ca3c3c9f476b2da13e1be9272ba57.exe
Size

1.4MB
MD5

9d2f586afb6c4b2e82e049702948b928
SHA1

38e04f9da21e7c671d2183dc3013dcddddd9aa18
SHA256

c8cab884daba148b1c8cd717f20b90cf4a2ca3c3c9f476b2da13e1be9272ba57
SHA512

8436c64227573862934c3008129dcf09168e43604dde72d2547c63e6a501db8a9834a0170c7855a4044392ed6c4d44cb858a25514342239b7cc376ede0503a0e
SSDEEP

24576:wu6J33O0c+JY5UZ+XC0kGso6FazbJQxGpVs5ia/5qX9cUtFl4u4KYM2WY:6u0c++OCvkGs9FazbJ6r5ia/5Q99FyfP

Score

10^/10

formbook k0d discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

k0d

Decoy

actanoverba.com

karenmckaylegal.com

magiatelier.link

asseto.co.uk

511227.com

friedharf.net

awesomebtc.com

cooperativatci.com

7r62wq4m2c.com

vetswhogetmarketing.com

supramvp.com

reusablecanninglids.net

skygouwu.com

51shengyuan.com

selekamenorezac.com

yt7876.com

haapaniemivalley.com

smlc8.com

transitium.com

dunkflre.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/2700-3-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral1/memory/2700-5-0x0000000000E10000-0x0000000001113000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2696 set thread context of 2700	2696	c8cab884daba148b1c8cd717f20b90cf4a2ca3c3c9f476b2da13e1be9272ba57.exe	33

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c8cab884daba148b1c8cd717f20b90cf4a2ca3c3c9f476b2da13e1be9272ba57.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2700	c8cab884daba148b1c8cd717f20b90cf4a2ca3c3c9f476b2da13e1be9272ba57.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
2696	c8cab884daba148b1c8cd717f20b90cf4a2ca3c3c9f476b2da13e1be9272ba57.exe
2696	c8cab884daba148b1c8cd717f20b90cf4a2ca3c3c9f476b2da13e1be9272ba57.exe
2696	c8cab884daba148b1c8cd717f20b90cf4a2ca3c3c9f476b2da13e1be9272ba57.exe
2696	c8cab884daba148b1c8cd717f20b90cf4a2ca3c3c9f476b2da13e1be9272ba57.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2696	c8cab884daba148b1c8cd717f20b90cf4a2ca3c3c9f476b2da13e1be9272ba57.exe
2696	c8cab884daba148b1c8cd717f20b90cf4a2ca3c3c9f476b2da13e1be9272ba57.exe
2696	c8cab884daba148b1c8cd717f20b90cf4a2ca3c3c9f476b2da13e1be9272ba57.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2696	c8cab884daba148b1c8cd717f20b90cf4a2ca3c3c9f476b2da13e1be9272ba57.exe
2696	c8cab884daba148b1c8cd717f20b90cf4a2ca3c3c9f476b2da13e1be9272ba57.exe
2696	c8cab884daba148b1c8cd717f20b90cf4a2ca3c3c9f476b2da13e1be9272ba57.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 2792	2696	c8cab884daba148b1c8cd717f20b90cf4a2ca3c3c9f476b2da13e1be9272ba57.exe	30
PID 2696 wrote to memory of 2792	2696	c8cab884daba148b1c8cd717f20b90cf4a2ca3c3c9f476b2da13e1be9272ba57.exe	30
PID 2696 wrote to memory of 2792	2696	c8cab884daba148b1c8cd717f20b90cf4a2ca3c3c9f476b2da13e1be9272ba57.exe	30
PID 2696 wrote to memory of 2792	2696	c8cab884daba148b1c8cd717f20b90cf4a2ca3c3c9f476b2da13e1be9272ba57.exe	30
PID 2696 wrote to memory of 2816	2696	c8cab884daba148b1c8cd717f20b90cf4a2ca3c3c9f476b2da13e1be9272ba57.exe	31
PID 2696 wrote to memory of 2816	2696	c8cab884daba148b1c8cd717f20b90cf4a2ca3c3c9f476b2da13e1be9272ba57.exe	31
PID 2696 wrote to memory of 2816	2696	c8cab884daba148b1c8cd717f20b90cf4a2ca3c3c9f476b2da13e1be9272ba57.exe	31
PID 2696 wrote to memory of 2816	2696	c8cab884daba148b1c8cd717f20b90cf4a2ca3c3c9f476b2da13e1be9272ba57.exe	31
PID 2696 wrote to memory of 2948	2696	c8cab884daba148b1c8cd717f20b90cf4a2ca3c3c9f476b2da13e1be9272ba57.exe	32
PID 2696 wrote to memory of 2948	2696	c8cab884daba148b1c8cd717f20b90cf4a2ca3c3c9f476b2da13e1be9272ba57.exe	32
PID 2696 wrote to memory of 2948	2696	c8cab884daba148b1c8cd717f20b90cf4a2ca3c3c9f476b2da13e1be9272ba57.exe	32
PID 2696 wrote to memory of 2948	2696	c8cab884daba148b1c8cd717f20b90cf4a2ca3c3c9f476b2da13e1be9272ba57.exe	32
PID 2696 wrote to memory of 2700	2696	c8cab884daba148b1c8cd717f20b90cf4a2ca3c3c9f476b2da13e1be9272ba57.exe	33
PID 2696 wrote to memory of 2700	2696	c8cab884daba148b1c8cd717f20b90cf4a2ca3c3c9f476b2da13e1be9272ba57.exe	33
PID 2696 wrote to memory of 2700	2696	c8cab884daba148b1c8cd717f20b90cf4a2ca3c3c9f476b2da13e1be9272ba57.exe	33
PID 2696 wrote to memory of 2700	2696	c8cab884daba148b1c8cd717f20b90cf4a2ca3c3c9f476b2da13e1be9272ba57.exe	33
PID 2696 wrote to memory of 2700	2696	c8cab884daba148b1c8cd717f20b90cf4a2ca3c3c9f476b2da13e1be9272ba57.exe	33

C:\Users\Admin\AppData\Local\Temp\c8cab884daba148b1c8cd717f20b90cf4a2ca3c3c9f476b2da13e1be9272ba57.exe
"C:\Users\Admin\AppData\Local\Temp\c8cab884daba148b1c8cd717f20b90cf4a2ca3c3c9f476b2da13e1be9272ba57.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Users\Admin\AppData\Local\Temp\c8cab884daba148b1c8cd717f20b90cf4a2ca3c3c9f476b2da13e1be9272ba57.exe
  "C:\Users\Admin\AppData\Local\Temp\c8cab884daba148b1c8cd717f20b90cf4a2ca3c3c9f476b2da13e1be9272ba57.exe"
  2⤵
  PID:2792
- C:\Users\Admin\AppData\Local\Temp\c8cab884daba148b1c8cd717f20b90cf4a2ca3c3c9f476b2da13e1be9272ba57.exe
  "C:\Users\Admin\AppData\Local\Temp\c8cab884daba148b1c8cd717f20b90cf4a2ca3c3c9f476b2da13e1be9272ba57.exe"
  2⤵
  PID:2816
- C:\Users\Admin\AppData\Local\Temp\c8cab884daba148b1c8cd717f20b90cf4a2ca3c3c9f476b2da13e1be9272ba57.exe
  "C:\Users\Admin\AppData\Local\Temp\c8cab884daba148b1c8cd717f20b90cf4a2ca3c3c9f476b2da13e1be9272ba57.exe"
  2⤵
  PID:2948
- C:\Users\Admin\AppData\Local\Temp\c8cab884daba148b1c8cd717f20b90cf4a2ca3c3c9f476b2da13e1be9272ba57.exe
  "C:\Users\Admin\AppData\Local\Temp\c8cab884daba148b1c8cd717f20b90cf4a2ca3c3c9f476b2da13e1be9272ba57.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2696-0-0x0000000000700000-0x0000000000755000-memory.dmp

Filesize
340KB

Download
memory/2696-1-0x0000000002620000-0x0000000002675000-memory.dmp

Filesize
340KB

Download
memory/2700-3-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2700-4-0x0000000000E10000-0x0000000001113000-memory.dmp

Filesize
3.0MB

Download
memory/2700-5-0x0000000000E10000-0x0000000001113000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing