formbook | 228c95bb180523da48687125b28042a2c663819e627bfff839a18a35b22f0b4f

General

Target

89f32b16d874afc972f69f0108ccd4b163427bd30d66f2ee07f0771ac0f47d54.exe
Size

879KB
MD5

79dc6309e5428498138288258408ebec
SHA1

bd9b708b3743278df0a6c3a494dc8e3a0c89ed6a
SHA256

89f32b16d874afc972f69f0108ccd4b163427bd30d66f2ee07f0771ac0f47d54
SHA512

1b2d3b0dd1e7f43264ed0cd535b4095efbf3f635b988893556450d3d9654fb6d494f8626984d31b7605730c7ad1a8b38e0bcb1bb24ad8099c81e96c78e156ce4
SSDEEP

6144:KrNLru22ulz4ntAC/cl47K9jYhCioJHBqVBixGQX1PfBOeVOdvXhNuxD9JJYWU:QNG22u+Aq+sMhqV+GQpfFVOxXhNu3JJ

Score

10^/10

formbook dxe discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dxe

Decoy

sardarfarm.com

959tremont.com

privat-livecam.net

ansel-homebakery.com

joysupermarket.com

peninsulamatchmakers.net

northsytyle.com

radioconexaoubermusic.com

relocatingrealtor.com

desyrnan.com

onlinehoortoestel.online

enpointe.online

rvvikings.com

paulpoirier.com

shitarpa.net

kerneis.net

rokitreach.com

essentiallygaia.com

prestiged.net

fuerzaagavera.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/1336-15-0x0000000000400000-0x000000000042E000-memory.dmp	formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	89f32b16d874afc972f69f0108ccd4b163427bd30d66f2ee07f0771ac0f47d54.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4308 set thread context of 1336	4308	89f32b16d874afc972f69f0108ccd4b163427bd30d66f2ee07f0771ac0f47d54.exe	100

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	89f32b16d874afc972f69f0108ccd4b163427bd30d66f2ee07f0771ac0f47d54.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4988	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4308	89f32b16d874afc972f69f0108ccd4b163427bd30d66f2ee07f0771ac0f47d54.exe
1336	89f32b16d874afc972f69f0108ccd4b163427bd30d66f2ee07f0771ac0f47d54.exe
1336	89f32b16d874afc972f69f0108ccd4b163427bd30d66f2ee07f0771ac0f47d54.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4308	89f32b16d874afc972f69f0108ccd4b163427bd30d66f2ee07f0771ac0f47d54.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4308 wrote to memory of 4988	4308	89f32b16d874afc972f69f0108ccd4b163427bd30d66f2ee07f0771ac0f47d54.exe	98
PID 4308 wrote to memory of 4988	4308	89f32b16d874afc972f69f0108ccd4b163427bd30d66f2ee07f0771ac0f47d54.exe	98
PID 4308 wrote to memory of 4988	4308	89f32b16d874afc972f69f0108ccd4b163427bd30d66f2ee07f0771ac0f47d54.exe	98
PID 4308 wrote to memory of 1336	4308	89f32b16d874afc972f69f0108ccd4b163427bd30d66f2ee07f0771ac0f47d54.exe	100
PID 4308 wrote to memory of 1336	4308	89f32b16d874afc972f69f0108ccd4b163427bd30d66f2ee07f0771ac0f47d54.exe	100
PID 4308 wrote to memory of 1336	4308	89f32b16d874afc972f69f0108ccd4b163427bd30d66f2ee07f0771ac0f47d54.exe	100
PID 4308 wrote to memory of 1336	4308	89f32b16d874afc972f69f0108ccd4b163427bd30d66f2ee07f0771ac0f47d54.exe	100
PID 4308 wrote to memory of 1336	4308	89f32b16d874afc972f69f0108ccd4b163427bd30d66f2ee07f0771ac0f47d54.exe	100
PID 4308 wrote to memory of 1336	4308	89f32b16d874afc972f69f0108ccd4b163427bd30d66f2ee07f0771ac0f47d54.exe	100

C:\Users\Admin\AppData\Local\Temp\89f32b16d874afc972f69f0108ccd4b163427bd30d66f2ee07f0771ac0f47d54.exe
"C:\Users\Admin\AppData\Local\Temp\89f32b16d874afc972f69f0108ccd4b163427bd30d66f2ee07f0771ac0f47d54.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4308
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wpmCRnOONY" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFED2.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:4988
- C:\Users\Admin\AppData\Local\Temp\89f32b16d874afc972f69f0108ccd4b163427bd30d66f2ee07f0771ac0f47d54.exe
  "{path}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpFED2.tmp

Filesize
1KB

MD5
16e3ffb9318fdc1305eee43c5d1117d8

SHA1
fca18461b131ea95214ba86c19adba9664b9c7bf

SHA256
69c035e924a06e9fc56ad8a98b43ee32036f3d217c7fb222863df438f5b02a97

SHA512
d2dceb01e3f1c901ec125592e7eb937cff46e53c8979eca7496b8ae47ce8c789a740ad1367a60816237e5900f38bfa67dd47daddeb0c8ca815117e26f09d9378

Download Submit
memory/1336-19-0x0000000001040000-0x000000000138A000-memory.dmp

Filesize
3.3MB

Download
memory/1336-18-0x0000000001040000-0x000000000138A000-memory.dmp

Filesize
3.3MB

Download
memory/1336-15-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4308-4-0x0000000004BB0000-0x0000000004C4C000-memory.dmp

Filesize
624KB

Download
memory/4308-5-0x0000000004A40000-0x0000000004A4A000-memory.dmp

Filesize
40KB

Download
memory/4308-6-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/4308-7-0x0000000004D50000-0x0000000004D58000-memory.dmp

Filesize
32KB

Download
memory/4308-8-0x0000000074EEE000-0x0000000074EEF000-memory.dmp

Filesize
4KB

Download
memory/4308-9-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/4308-10-0x0000000007660000-0x00000000076E2000-memory.dmp

Filesize
520KB

Download
memory/4308-11-0x0000000009D90000-0x0000000009DC6000-memory.dmp

Filesize
216KB

Download
memory/4308-0-0x0000000074EEE000-0x0000000074EEF000-memory.dmp

Filesize
4KB

Download
memory/4308-3-0x0000000004A70000-0x0000000004B02000-memory.dmp

Filesize
584KB

Download
memory/4308-17-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/4308-2-0x0000000005020000-0x00000000055C4000-memory.dmp

Filesize
5.6MB

Download
memory/4308-1-0x0000000000090000-0x0000000000172000-memory.dmp

Filesize
904KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads