formbook | 659e650188ad7c1d1580b878dd01b049dd6f403afef642ca7a62a488fc414bf8

General

Target

d2f322cb15f591ef314eda3cb164f8ab0ca0048f89c8694cf9bc6ca39a2785fb.exe
Size

936KB
MD5

bfb9abb75108871639ab6341d97677b4
SHA1

f1dff2faef0a0e3e74ffcebb4b6aee8fb512c274
SHA256

d2f322cb15f591ef314eda3cb164f8ab0ca0048f89c8694cf9bc6ca39a2785fb
SHA512

a98430ba24fd3048422b99d1c8fc94f3094b7ec20aea571ad0ab5191f934cf8f6a93f50e3e65e2612204873078f63ce33ab6fd6b4d8bb8a661a1a6a08f4cc49f
SSDEEP

24576:Qlubg3rMXy/fzfEarna8MFeN2ZtZzi10:Q4s3Yi/fIaras4Zzi1

Score

10^/10

formbook c1no discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

c1no

Decoy

NOAZ1GtFnUx1bqjUWmD6

sUBk3CYAoWuQfq3UWmD6

5vwrVl0msDtpEkYt

VtL6sSoIchhMStcj5DxYbm3FBw==

BKjy1ZxyhhuJ2guPWUI=

eAgklPLAE7zgqOmwRqPNOQLXz1Y=

aApC9n9Zp0ZhObwjLLLUAg1cjsx6Lg==

OrLZYLeFBavC1cD5+A==

jJm87eu4hy/QMbYE/wzDRQLXz1Y=

s63OS5RsBKrY3FurpDZXbm3FBw==

hyxwKsePxJNCwwejbEg=

l5667e2vQOkM4hFPE5yA0Q==

wTtVQBT04YkyoNKoN53GFV9m2hpS

+pzWhBnS26FJqiRyZXQrqR1Ow/1B

d/VHx031x5W2

GjhhiKSDZ/1txQejbEg=

nDhRjp5e9JeQiKzm+gqI41hdV5nFhsI=

ws4wtUMZYA1pEkYt

GazXV6Fr6akfcvxEOcbpTTCmMEq7Jg==

2vAOHufF5MT6VdU=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5048 set thread context of 1096	5048	d2f322cb15f591ef314eda3cb164f8ab0ca0048f89c8694cf9bc6ca39a2785fb.exe	99

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2f322cb15f591ef314eda3cb164f8ab0ca0048f89c8694cf9bc6ca39a2785fb.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1096	d2f322cb15f591ef314eda3cb164f8ab0ca0048f89c8694cf9bc6ca39a2785fb.exe
1096	d2f322cb15f591ef314eda3cb164f8ab0ca0048f89c8694cf9bc6ca39a2785fb.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5048	d2f322cb15f591ef314eda3cb164f8ab0ca0048f89c8694cf9bc6ca39a2785fb.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
5048	d2f322cb15f591ef314eda3cb164f8ab0ca0048f89c8694cf9bc6ca39a2785fb.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 1096	5048	d2f322cb15f591ef314eda3cb164f8ab0ca0048f89c8694cf9bc6ca39a2785fb.exe	99
PID 5048 wrote to memory of 1096	5048	d2f322cb15f591ef314eda3cb164f8ab0ca0048f89c8694cf9bc6ca39a2785fb.exe	99
PID 5048 wrote to memory of 1096	5048	d2f322cb15f591ef314eda3cb164f8ab0ca0048f89c8694cf9bc6ca39a2785fb.exe	99
PID 5048 wrote to memory of 1096	5048	d2f322cb15f591ef314eda3cb164f8ab0ca0048f89c8694cf9bc6ca39a2785fb.exe	99
PID 5048 wrote to memory of 1096	5048	d2f322cb15f591ef314eda3cb164f8ab0ca0048f89c8694cf9bc6ca39a2785fb.exe	99
PID 5048 wrote to memory of 1096	5048	d2f322cb15f591ef314eda3cb164f8ab0ca0048f89c8694cf9bc6ca39a2785fb.exe	99

C:\Users\Admin\AppData\Local\Temp\d2f322cb15f591ef314eda3cb164f8ab0ca0048f89c8694cf9bc6ca39a2785fb.exe
"C:\Users\Admin\AppData\Local\Temp\d2f322cb15f591ef314eda3cb164f8ab0ca0048f89c8694cf9bc6ca39a2785fb.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Users\Admin\AppData\Local\Temp\d2f322cb15f591ef314eda3cb164f8ab0ca0048f89c8694cf9bc6ca39a2785fb.exe
  "C:\Users\Admin\AppData\Local\Temp\d2f322cb15f591ef314eda3cb164f8ab0ca0048f89c8694cf9bc6ca39a2785fb.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1096-14-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1096-20-0x0000000000FB0000-0x00000000012FA000-memory.dmp

Filesize
3.3MB

Download
memory/1096-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1096-17-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5048-8-0x00000000751A0000-0x0000000075950000-memory.dmp

Filesize
7.7MB

Download
memory/5048-11-0x00000000086C0000-0x000000000875C000-memory.dmp

Filesize
624KB

Download
memory/5048-6-0x0000000006B80000-0x0000000006B96000-memory.dmp

Filesize
88KB

Download
memory/5048-7-0x00000000751AE000-0x00000000751AF000-memory.dmp

Filesize
4KB

Download
memory/5048-0-0x00000000751AE000-0x00000000751AF000-memory.dmp

Filesize
4KB

Download
memory/5048-9-0x00000000083D0000-0x00000000083DC000-memory.dmp

Filesize
48KB

Download
memory/5048-10-0x0000000008570000-0x00000000085FE000-memory.dmp

Filesize
568KB

Download
memory/5048-5-0x00000000751A0000-0x0000000075950000-memory.dmp

Filesize
7.7MB

Download
memory/5048-12-0x0000000001670000-0x00000000016D6000-memory.dmp

Filesize
408KB

Download
memory/5048-13-0x00000000011D0000-0x0000000001204000-memory.dmp

Filesize
208KB

Download
memory/5048-4-0x00000000056F0000-0x00000000056FA000-memory.dmp

Filesize
40KB

Download
memory/5048-3-0x0000000005730000-0x00000000057C2000-memory.dmp

Filesize
584KB

Download
memory/5048-2-0x0000000005CE0000-0x0000000006284000-memory.dmp

Filesize
5.6MB

Download
memory/5048-19-0x00000000751A0000-0x0000000075950000-memory.dmp

Filesize
7.7MB

Download
memory/5048-1-0x0000000000C10000-0x0000000000CFE000-memory.dmp

Filesize
952KB

Download

Analysis

Sharing