formbook | 6f4e9a6a4df1ebb560c92b10c56280a2cc05a07056d127cc8afe47556ed9bec3

General

Target

eac788bb8bcf8bc689550efc391941cc112c5bd92f227cc71c2ae6f42842ac2d.exe
Size

595KB
MD5

2f24e23110366756b11b46d2cccd7aeb
SHA1

6ad4e3016224725a991492d21c6811c0dad51fdd
SHA256

eac788bb8bcf8bc689550efc391941cc112c5bd92f227cc71c2ae6f42842ac2d
SHA512

1ced575e2b17883f68a2f3b1847a4540109f9d87bbed3d25c2deeabcc1f09550e952bf38eb652cee6939d1ddf0b30d070c9d3638f0713f660f895209f8bea903
SSDEEP

12288:0FIkLt1kuvZu0qNWe9mD+zT4u3DTFlebL0477oaXnz61QIb:03tDvYjWeM6Hx3fFle30gz

Score

10^/10

formbook m6tn discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

m6tn

Decoy

deborahtokarz.com

bearpawshoe.com

fukugyo111.com

chacie.com

amoresalonprescott.com

aiiecrs.xyz

betmoristv.com

metauniversalmentalhealth.com

miravalfarmspa.com

satyrwoodslifestyle.com

biomend.life

dolevelup.com

fengshidg.com

alshuhranews.com

nuomisummer.xyz

mankaucleaning.com

sierradelaculebrazamora.com

311ly.com

universetechco.com

duurzamepopcornbak.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/2940-13-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2064 set thread context of 2940	2064	eac788bb8bcf8bc689550efc391941cc112c5bd92f227cc71c2ae6f42842ac2d.exe	32

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eac788bb8bcf8bc689550efc391941cc112c5bd92f227cc71c2ae6f42842ac2d.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2064	eac788bb8bcf8bc689550efc391941cc112c5bd92f227cc71c2ae6f42842ac2d.exe
2064	eac788bb8bcf8bc689550efc391941cc112c5bd92f227cc71c2ae6f42842ac2d.exe
2940	eac788bb8bcf8bc689550efc391941cc112c5bd92f227cc71c2ae6f42842ac2d.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2064	eac788bb8bcf8bc689550efc391941cc112c5bd92f227cc71c2ae6f42842ac2d.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2908	2064	eac788bb8bcf8bc689550efc391941cc112c5bd92f227cc71c2ae6f42842ac2d.exe	31
PID 2064 wrote to memory of 2908	2064	eac788bb8bcf8bc689550efc391941cc112c5bd92f227cc71c2ae6f42842ac2d.exe	31
PID 2064 wrote to memory of 2908	2064	eac788bb8bcf8bc689550efc391941cc112c5bd92f227cc71c2ae6f42842ac2d.exe	31
PID 2064 wrote to memory of 2908	2064	eac788bb8bcf8bc689550efc391941cc112c5bd92f227cc71c2ae6f42842ac2d.exe	31
PID 2064 wrote to memory of 2940	2064	eac788bb8bcf8bc689550efc391941cc112c5bd92f227cc71c2ae6f42842ac2d.exe	32
PID 2064 wrote to memory of 2940	2064	eac788bb8bcf8bc689550efc391941cc112c5bd92f227cc71c2ae6f42842ac2d.exe	32
PID 2064 wrote to memory of 2940	2064	eac788bb8bcf8bc689550efc391941cc112c5bd92f227cc71c2ae6f42842ac2d.exe	32
PID 2064 wrote to memory of 2940	2064	eac788bb8bcf8bc689550efc391941cc112c5bd92f227cc71c2ae6f42842ac2d.exe	32
PID 2064 wrote to memory of 2940	2064	eac788bb8bcf8bc689550efc391941cc112c5bd92f227cc71c2ae6f42842ac2d.exe	32
PID 2064 wrote to memory of 2940	2064	eac788bb8bcf8bc689550efc391941cc112c5bd92f227cc71c2ae6f42842ac2d.exe	32
PID 2064 wrote to memory of 2940	2064	eac788bb8bcf8bc689550efc391941cc112c5bd92f227cc71c2ae6f42842ac2d.exe	32

C:\Users\Admin\AppData\Local\Temp\eac788bb8bcf8bc689550efc391941cc112c5bd92f227cc71c2ae6f42842ac2d.exe
"C:\Users\Admin\AppData\Local\Temp\eac788bb8bcf8bc689550efc391941cc112c5bd92f227cc71c2ae6f42842ac2d.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Users\Admin\AppData\Local\Temp\eac788bb8bcf8bc689550efc391941cc112c5bd92f227cc71c2ae6f42842ac2d.exe
  "C:\Users\Admin\AppData\Local\Temp\eac788bb8bcf8bc689550efc391941cc112c5bd92f227cc71c2ae6f42842ac2d.exe"
  2⤵
  PID:2908
- C:\Users\Admin\AppData\Local\Temp\eac788bb8bcf8bc689550efc391941cc112c5bd92f227cc71c2ae6f42842ac2d.exe
  "C:\Users\Admin\AppData\Local\Temp\eac788bb8bcf8bc689550efc391941cc112c5bd92f227cc71c2ae6f42842ac2d.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2064-6-0x0000000004ED0000-0x0000000004F24000-memory.dmp

Filesize
336KB

Download
memory/2064-1-0x0000000000040000-0x00000000000DA000-memory.dmp

Filesize
616KB

Download
memory/2064-2-0x00000000746A0000-0x0000000074D8E000-memory.dmp

Filesize
6.9MB

Download
memory/2064-3-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/2064-4-0x00000000746AE000-0x00000000746AF000-memory.dmp

Filesize
4KB

Download
memory/2064-5-0x00000000746A0000-0x0000000074D8E000-memory.dmp

Filesize
6.9MB

Download
memory/2064-0-0x00000000746AE000-0x00000000746AF000-memory.dmp

Filesize
4KB

Download
memory/2064-14-0x00000000746A0000-0x0000000074D8E000-memory.dmp

Filesize
6.9MB

Download
memory/2940-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2940-13-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2940-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2940-9-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2940-15-0x00000000008F0000-0x0000000000BF3000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing