formbook | c146830c91a48b199be408e0e885eb7f94cb9a716f614310986584e452a77374

General

Target

efb19672e87fabd19381a971af5776394e593b13e3f065f20e4ef8bbfd923177.exe
Size

915KB
MD5

792353205b038d4109dc86fbfaf1836e
SHA1

788fd33360c15eaefe8074d0d67ec3198d028e7e
SHA256

efb19672e87fabd19381a971af5776394e593b13e3f065f20e4ef8bbfd923177
SHA512

5a91c9662e0ea4e9db2ea2046a0b696f0a85c99aa851cda9987ba81c4a0edc92d05862efea481fe50492f44352cb38bb5bd3bb16b2cda20e96a612da68c0c8ec
SSDEEP

12288:jqY3c8/y70cUbrU/4Rj8JIJTcbfdK1rZdnSWBopL/DCn6k6DNwIrqaewt1KgP:Wmx7g/0gJzbfdSDSWBopfC6BD

Score

10^/10

formbook oc5e discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

oc5e

Decoy

9gZPW9yJUzcMFJ6KSbk=

kWCy2lf52OGbUmtEHR9i3aOIb8c=

mKKp192P5FQ5p4cxJ8vQyqOIb8c=

5On+xX5s0VE5pruTMQ+5

xs0RFcesYRb5MAHGrTUPz6OIb8c=

m36XWeE+J455493HVQTJfCo=

QtLkoNvKqJ9eJrVmXC7PlSg=

0jiSSgO6GNN7N1jk5A==

aX7BtX5eyln88rZeJKWuY1Hy0g==

tQ9ZEtyxE6FfoLGTMQ+5

MZHXcyvfLOXMCeGPSfKrkCI=

qYzioZQLHKOtY7FH2tltaA==

mH5m/biP4UL5c6uTMQ+5

Qla8f3DYrQy2bocc

iRoQtvLlAFxDv3Me8w==

p+4A7eVNLpeQBPGon3NMCOZXFX9O

WfAzGFQF3jkZk7eTMQ+5

Z7oF0kuvBLNkXBvBgwcNEulXFX9O

KBFnE0PvwOuIlBPBm2OqYA==

alm1creOsHsx7g==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2504 set thread context of 2728	2504	efb19672e87fabd19381a971af5776394e593b13e3f065f20e4ef8bbfd923177.exe	31

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efb19672e87fabd19381a971af5776394e593b13e3f065f20e4ef8bbfd923177.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2728	efb19672e87fabd19381a971af5776394e593b13e3f065f20e4ef8bbfd923177.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2728	2504	efb19672e87fabd19381a971af5776394e593b13e3f065f20e4ef8bbfd923177.exe	31
PID 2504 wrote to memory of 2728	2504	efb19672e87fabd19381a971af5776394e593b13e3f065f20e4ef8bbfd923177.exe	31
PID 2504 wrote to memory of 2728	2504	efb19672e87fabd19381a971af5776394e593b13e3f065f20e4ef8bbfd923177.exe	31
PID 2504 wrote to memory of 2728	2504	efb19672e87fabd19381a971af5776394e593b13e3f065f20e4ef8bbfd923177.exe	31
PID 2504 wrote to memory of 2728	2504	efb19672e87fabd19381a971af5776394e593b13e3f065f20e4ef8bbfd923177.exe	31
PID 2504 wrote to memory of 2728	2504	efb19672e87fabd19381a971af5776394e593b13e3f065f20e4ef8bbfd923177.exe	31
PID 2504 wrote to memory of 2728	2504	efb19672e87fabd19381a971af5776394e593b13e3f065f20e4ef8bbfd923177.exe	31

C:\Users\Admin\AppData\Local\Temp\efb19672e87fabd19381a971af5776394e593b13e3f065f20e4ef8bbfd923177.exe
"C:\Users\Admin\AppData\Local\Temp\efb19672e87fabd19381a971af5776394e593b13e3f065f20e4ef8bbfd923177.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Users\Admin\AppData\Local\Temp\efb19672e87fabd19381a971af5776394e593b13e3f065f20e4ef8bbfd923177.exe
  "C:\Users\Admin\AppData\Local\Temp\efb19672e87fabd19381a971af5776394e593b13e3f065f20e4ef8bbfd923177.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2504-8-0x0000000002060000-0x0000000002094000-memory.dmp

Filesize
208KB

Download
memory/2504-6-0x0000000000590000-0x000000000059C000-memory.dmp

Filesize
48KB

Download
memory/2504-2-0x0000000074080000-0x000000007476E000-memory.dmp

Filesize
6.9MB

Download
memory/2504-3-0x0000000000580000-0x0000000000594000-memory.dmp

Filesize
80KB

Download
memory/2504-0-0x000000007408E000-0x000000007408F000-memory.dmp

Filesize
4KB

Download
memory/2504-5-0x0000000074080000-0x000000007476E000-memory.dmp

Filesize
6.9MB

Download
memory/2504-1-0x0000000000B70000-0x0000000000C5A000-memory.dmp

Filesize
936KB

Download
memory/2504-7-0x00000000054F0000-0x000000000557E000-memory.dmp

Filesize
568KB

Download
memory/2504-4-0x000000007408E000-0x000000007408F000-memory.dmp

Filesize
4KB

Download
memory/2504-18-0x0000000074080000-0x000000007476E000-memory.dmp

Filesize
6.9MB

Download
memory/2728-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2728-11-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2728-9-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2728-17-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2728-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2728-19-0x0000000000800000-0x0000000000B03000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing