formbook | 0386237d9dd5d9280a6ed6c397a2090da52fb9576c923579c90d058aa6a1409f

General

Target

sample1.exe
Size

569KB
MD5

56046153a51fe6eaa8814f9d11ac34f6
SHA1

bd55ff7ab969a8aa5485a6c5c6844e9224780dba
SHA256

abd47175466abe2058151e12919ca9501497dbb286909bf7896d20d59fe73ef6
SHA512

fd92ff39626538835b8e8eb63c1fbd6c0828d0fc22261077c83b13ce838f72aac58bda29547c3bc3d356e4c4e9af5c8ae5061648fbebd5040b30d31883183770
SSDEEP

12288:89KZTldLdFz3HEJi5LAWePIBD0WZqkyn2qDdzffF8jo+P1:89mnLnEId+WuFFfNSP1

Score

10^/10

formbook kbm discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

kbm

Decoy

qyhattj.icu

kyrenegordo.com

tprgaming.com

sparklemodelscebu.com

bladeha.com

19625ne23ave.com

bigbossgreezy.com

topbusinesskerala.com

aikqq.com

imprussts.com

hd282.com

esrholding.com

senxiv.net

arcustomwork.com

buscoveterinaria.com

genhayakawa.com

1sttividalebrownies.com

agenciawebdigital.com

planguin.online

blackmantech.institute

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/1672-13-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/1672-18-0x0000000000400000-0x000000000042E000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 956 set thread context of 1672	956	sample1.exe	100
PID 1672 set thread context of 3460	1672	sample1.exe	55
PID 1724 set thread context of 3460	1724	colorcpl.exe	55

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sample1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	colorcpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
1672	sample1.exe
1672	sample1.exe
1672	sample1.exe
1672	sample1.exe
1724	colorcpl.exe
1724	colorcpl.exe
1724	colorcpl.exe
1724	colorcpl.exe
1724	colorcpl.exe
1724	colorcpl.exe
1724	colorcpl.exe
1724	colorcpl.exe
1724	colorcpl.exe
1724	colorcpl.exe
1724	colorcpl.exe
1724	colorcpl.exe
1724	colorcpl.exe
1724	colorcpl.exe
1724	colorcpl.exe
1724	colorcpl.exe
1724	colorcpl.exe
1724	colorcpl.exe
1724	colorcpl.exe
1724	colorcpl.exe
1724	colorcpl.exe
1724	colorcpl.exe
1724	colorcpl.exe
1724	colorcpl.exe
1724	colorcpl.exe
1724	colorcpl.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
1672	sample1.exe
1672	sample1.exe
1672	sample1.exe
1724	colorcpl.exe
1724	colorcpl.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1672	sample1.exe
Token: SeDebugPrivilege	1724	colorcpl.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 956 wrote to memory of 1672	956	sample1.exe	100
PID 956 wrote to memory of 1672	956	sample1.exe	100
PID 956 wrote to memory of 1672	956	sample1.exe	100
PID 956 wrote to memory of 1672	956	sample1.exe	100
PID 956 wrote to memory of 1672	956	sample1.exe	100
PID 956 wrote to memory of 1672	956	sample1.exe	100
PID 3460 wrote to memory of 1724	3460	Explorer.EXE	101
PID 3460 wrote to memory of 1724	3460	Explorer.EXE	101
PID 3460 wrote to memory of 1724	3460	Explorer.EXE	101
PID 1724 wrote to memory of 4584	1724	colorcpl.exe	102
PID 1724 wrote to memory of 4584	1724	colorcpl.exe	102
PID 1724 wrote to memory of 4584	1724	colorcpl.exe	102

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3460
- C:\Users\Admin\AppData\Local\Temp\sample1.exe
  "C:\Users\Admin\AppData\Local\Temp\sample1.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:956
- - C:\Users\Admin\AppData\Local\Temp\sample1.exe
    "C:\Users\Admin\AppData\Local\Temp\sample1.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1672
- C:\Windows\SysWOW64\colorcpl.exe
  "C:\Windows\SysWOW64\colorcpl.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\sample1.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/956-12-0x0000000005CD0000-0x0000000005D04000-memory.dmp

Filesize
208KB

Download
memory/956-4-0x0000000004DD0000-0x0000000004E62000-memory.dmp

Filesize
584KB

Download
memory/956-0-0x0000000074A0E000-0x0000000074A0F000-memory.dmp

Filesize
4KB

Download
memory/956-3-0x00000000052E0000-0x0000000005884000-memory.dmp

Filesize
5.6MB

Download
memory/956-7-0x0000000004FC0000-0x0000000005016000-memory.dmp

Filesize
344KB

Download
memory/956-5-0x0000000004D60000-0x0000000004D6A000-memory.dmp

Filesize
40KB

Download
memory/956-6-0x0000000074A00000-0x00000000751B0000-memory.dmp

Filesize
7.7MB

Download
memory/956-15-0x0000000074A00000-0x00000000751B0000-memory.dmp

Filesize
7.7MB

Download
memory/956-8-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/956-9-0x0000000074A0E000-0x0000000074A0F000-memory.dmp

Filesize
4KB

Download
memory/956-10-0x0000000074A00000-0x00000000751B0000-memory.dmp

Filesize
7.7MB

Download
memory/956-11-0x0000000005C60000-0x0000000005CCC000-memory.dmp

Filesize
432KB

Download
memory/956-2-0x0000000004C90000-0x0000000004D2C000-memory.dmp

Filesize
624KB

Download
memory/956-1-0x0000000000220000-0x00000000002B4000-memory.dmp

Filesize
592KB

Download
memory/1672-13-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1672-16-0x0000000001C80000-0x0000000001FCA000-memory.dmp

Filesize
3.3MB

Download
memory/1672-19-0x0000000001A20000-0x0000000001A34000-memory.dmp

Filesize
80KB

Download
memory/1672-18-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1724-21-0x0000000000AF0000-0x0000000000B09000-memory.dmp

Filesize
100KB

Download
memory/1724-22-0x0000000000AF0000-0x0000000000B09000-memory.dmp

Filesize
100KB

Download
memory/3460-20-0x00000000024C0000-0x0000000002604000-memory.dmp

Filesize
1.3MB

Download
memory/3460-23-0x00000000024C0000-0x0000000002604000-memory.dmp

Filesize
1.3MB

Download
memory/3460-27-0x00000000081C0000-0x000000000834F000-memory.dmp

Filesize
1.6MB

Download
memory/3460-28-0x00000000081C0000-0x000000000834F000-memory.dmp

Filesize
1.6MB

Download
memory/3460-30-0x00000000081C0000-0x000000000834F000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing