formbook | 80c30db2d99ff849295e7c0a8e6924ead10228105d0d675f02c1244ef6bd0106

General

Target

Orignal Invoice_pdf.exe
Size

299KB
MD5

d9145fe0ca078e3e8ed799105e393108
SHA1

3dab0d6ac85b82314add7e0773ad05635e5dbc1f
SHA256

2aa2b861c5fad54e2a32fa2cc376871cd2d80a1485412073f5b5f461a7723e29
SHA512

8cccc42d5bf3fe345ff3dc119408de574ac3da756e9b0f2e76160b225b21dba7bfbbc61cd40bccaef3c104fb566f3bd53a4ca1c17f55867bcccfbe37fbdc1229
SSDEEP

6144:ibE/HUk01969hJRIA767oUL5J3RvZrLZcCEyBoh/uwmZZ+:ibw01969PR9xU/1EyBWmw6Z+

Score

10^/10

formbook sy01 discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

sy01

Decoy

aeria.life

jotted.community

mozarspalace.com

bfkoxoih.work

doganmuzik.com

ljsq.shop

vitalitycook.store

74574575.xyz

infiniteuniverse.site

storkrv.com

amendmentsymmetrical.top

adevodigital.com

renammsac.com

tptretry.info

ninfainacquerello.com

25038.top

httpsthothub.lol

yvxbt.com

72028.top

vzxtopi.xyz

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 2 IoCs

rat

resource	yara_rule
behavioral3/memory/2820-16-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral3/memory/2632-21-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Executes dropped EXE 1 IoCs

pid	Process
2804	duzcazams.exe

Loads dropped DLL 3 IoCs

pid	Process
2648	Orignal Invoice_pdf.exe
2804	duzcazams.exe
2820	duzcazams.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2804 set thread context of 2820	2804	duzcazams.exe	33
PID 2820 set thread context of 1148	2820	duzcazams.exe	20
PID 2632 set thread context of 1148	2632	ipconfig.exe	20

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Orignal Invoice_pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	duzcazams.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2632	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2820	duzcazams.exe
2820	duzcazams.exe
2632	ipconfig.exe
2632	ipconfig.exe
2632	ipconfig.exe
2632	ipconfig.exe
2632	ipconfig.exe
2632	ipconfig.exe
2632	ipconfig.exe
2632	ipconfig.exe
2632	ipconfig.exe
2632	ipconfig.exe
2632	ipconfig.exe
2632	ipconfig.exe
2632	ipconfig.exe
2632	ipconfig.exe
2632	ipconfig.exe
2632	ipconfig.exe
2632	ipconfig.exe
2632	ipconfig.exe
2632	ipconfig.exe
2632	ipconfig.exe
2632	ipconfig.exe
2632	ipconfig.exe
2632	ipconfig.exe
2632	ipconfig.exe
2632	ipconfig.exe
2632	ipconfig.exe
2632	ipconfig.exe
2632	ipconfig.exe
2632	ipconfig.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2820	duzcazams.exe
2820	duzcazams.exe
2820	duzcazams.exe
2632	ipconfig.exe
2632	ipconfig.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2820	duzcazams.exe
Token: SeDebugPrivilege	2632	ipconfig.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2804	2648	Orignal Invoice_pdf.exe	31
PID 2648 wrote to memory of 2804	2648	Orignal Invoice_pdf.exe	31
PID 2648 wrote to memory of 2804	2648	Orignal Invoice_pdf.exe	31
PID 2648 wrote to memory of 2804	2648	Orignal Invoice_pdf.exe	31
PID 2804 wrote to memory of 2820	2804	duzcazams.exe	33
PID 2804 wrote to memory of 2820	2804	duzcazams.exe	33
PID 2804 wrote to memory of 2820	2804	duzcazams.exe	33
PID 2804 wrote to memory of 2820	2804	duzcazams.exe	33
PID 2804 wrote to memory of 2820	2804	duzcazams.exe	33
PID 1148 wrote to memory of 2632	1148	Explorer.EXE	34
PID 1148 wrote to memory of 2632	1148	Explorer.EXE	34
PID 1148 wrote to memory of 2632	1148	Explorer.EXE	34
PID 1148 wrote to memory of 2632	1148	Explorer.EXE	34
PID 2632 wrote to memory of 2812	2632	ipconfig.exe	35
PID 2632 wrote to memory of 2812	2632	ipconfig.exe	35
PID 2632 wrote to memory of 2812	2632	ipconfig.exe	35
PID 2632 wrote to memory of 2812	2632	ipconfig.exe	35

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Users\Admin\AppData\Local\Temp\Orignal Invoice_pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\Orignal Invoice_pdf.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Users\Admin\AppData\Local\Temp\duzcazams.exe
    "C:\Users\Admin\AppData\Local\Temp\duzcazams.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Users\Admin\AppData\Local\Temp\duzcazams.exe
      "C:\Users\Admin\AppData\Local\Temp\duzcazams.exe"
      4⤵
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2820
- C:\Windows\SysWOW64\ipconfig.exe
  "C:\Windows\SysWOW64\ipconfig.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Gathers network information
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\duzcazams.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\eecmykwj.xuq

Filesize
185KB

MD5
eb786ca8456fb02e6299292f7464fa75

SHA1
4b6939380e970bcf1cc92b3ad3fa21916ea1ddab

SHA256
3e00383dd3ada755bb6cb3394d3b8b2d3e43dce6051600f4273f82d9963521c9

SHA512
9b1f6717f845975871fd45d5d6518a20b3ec223959acdbfd23fc2693f5f15d4a72f4f16a8220ac2bada3ffccba25068196b6c5afbc0d67ce3edbc9b3964e0979

Download Submit
C:\Users\Admin\AppData\Local\Temp\vgiybpcm.x

Filesize
4KB

MD5
f16bf3d9ad3ecf461f26e9a75e9bdc8b

SHA1
d5342aa6db4efa8e58ca7a7e379a66797c78203b

SHA256
d6f00878293204cc85c2a112f4f8160aeaa7601afcf4a64f78735a8eea11559b

SHA512
5156bcfa507faf5788bb92648a48c1cb56901798d351cdf6deff7861bd80962b52715c5e034146da07066acf434f85e7b660643dcb9d51b082067fc3dd9bcdaa

Download Submit
\Users\Admin\AppData\Local\Temp\duzcazams.exe

Filesize
133KB

MD5
9cc4b3dcc8a712968339507dfbefa5bc

SHA1
5909f209cf93e4365180ac050d663a2076e81af8

SHA256
3017920f6f2c95870bf938c2aab1c64e77c9b65e7f8ad7e3d81cdaeb58bacff3

SHA512
c5f5955302883578f4899f9250984bcedc375a7f2c1b3e1dd3912a1e334c8f247df757cb94a4ac8ed94918659b22f0070172dfbe0dc9fe567fece22a7b34364e

Download Submit
memory/1148-17-0x0000000004E50000-0x0000000004F8A000-memory.dmp

Filesize
1.2MB

Download
memory/1148-27-0x0000000004F90000-0x00000000050B3000-memory.dmp

Filesize
1.1MB

Download
memory/1148-22-0x0000000004E50000-0x0000000004F8A000-memory.dmp

Filesize
1.2MB

Download
memory/2632-20-0x0000000000E80000-0x0000000000E8A000-memory.dmp

Filesize
40KB

Download
memory/2632-19-0x0000000000E80000-0x0000000000E8A000-memory.dmp

Filesize
40KB

Download
memory/2632-21-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/2804-8-0x0000000000170000-0x0000000000172000-memory.dmp

Filesize
8KB

Download
memory/2820-15-0x000000000041F000-0x0000000000420000-memory.dmp

Filesize
4KB

Download
memory/2820-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2820-14-0x00000000008F0000-0x0000000000BF3000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing