formbook | d90c8f08a6b5a82b6efdc12412194291256d8a7e9d7c82aca11f593153a4b669

General

Target

a9443eaa7d2d6dcb3c7fc77200c340bdfb7acba3f77aecbb5d07c0f50b5e1ee0.exe
Size

248KB
MD5

60268126a7a5c0a03358e7acb155753d
SHA1

6aa7f8495a0498d437c0a1255d31e1f85a4045c6
SHA256

a9443eaa7d2d6dcb3c7fc77200c340bdfb7acba3f77aecbb5d07c0f50b5e1ee0
SHA512

51c376341b15a3355d5e9b427b15d6552a332d2b5fc5934e5705db55d1106b77898396291c4b56ca05c3e00e0479bcda61a6dd354e19d855717fa22a3cc56979
SSDEEP

6144:HNeZmabIvllTu8EWvbk9Xi7asfYqGcWsL6Rq8:HNla0vllTuWjSiWaWsLiq8

Score

10^/10

formbook sn31 discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

sn31

Decoy

matsuomatsuo.com

104wn.com

bolacorner.com

dawonderer.com

yourpamlano.xyz

mtzmx.icu

lepakzaparket.com

barmagli.com

danta.ltd

marumaru240.com

people-centeredhr.com

test-brew-inc.com

clairvoyantbusinesscoach.com

aforeignexchangeblog.com

erentekbilisim.com

gangqinqu123.net

defiguaranteebonds.com

thegioigaubong97.site

vaoiwin.info

vcwholeness.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/2464-12-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2464-16-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2464-20-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2908-27-0x00000000000E0000-0x000000000010F000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

pid	Process
2792	kruxx.exe
2464	kruxx.exe

Loads dropped DLL 2 IoCs

pid	Process
2264	a9443eaa7d2d6dcb3c7fc77200c340bdfb7acba3f77aecbb5d07c0f50b5e1ee0.exe
2792	kruxx.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2792 set thread context of 2464	2792	kruxx.exe	32
PID 2464 set thread context of 1144	2464	kruxx.exe	20
PID 2464 set thread context of 1144	2464	kruxx.exe	20
PID 2908 set thread context of 1144	2908	cmmon32.exe	20

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a9443eaa7d2d6dcb3c7fc77200c340bdfb7acba3f77aecbb5d07c0f50b5e1ee0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kruxx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kruxx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmmon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2464	kruxx.exe
2464	kruxx.exe
2464	kruxx.exe
2908	cmmon32.exe
2908	cmmon32.exe
2908	cmmon32.exe
2908	cmmon32.exe
2908	cmmon32.exe
2908	cmmon32.exe
2908	cmmon32.exe
2908	cmmon32.exe
2908	cmmon32.exe
2908	cmmon32.exe
2908	cmmon32.exe
2908	cmmon32.exe
2908	cmmon32.exe
2908	cmmon32.exe
2908	cmmon32.exe
2908	cmmon32.exe
2908	cmmon32.exe
2908	cmmon32.exe
2908	cmmon32.exe
2908	cmmon32.exe
2908	cmmon32.exe
2908	cmmon32.exe
2908	cmmon32.exe
2908	cmmon32.exe
2908	cmmon32.exe
2908	cmmon32.exe
2908	cmmon32.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2464	kruxx.exe
2464	kruxx.exe
2464	kruxx.exe
2464	kruxx.exe
2908	cmmon32.exe
2908	cmmon32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2464	kruxx.exe
Token: SeDebugPrivilege	2908	cmmon32.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 2792	2264	a9443eaa7d2d6dcb3c7fc77200c340bdfb7acba3f77aecbb5d07c0f50b5e1ee0.exe	31
PID 2264 wrote to memory of 2792	2264	a9443eaa7d2d6dcb3c7fc77200c340bdfb7acba3f77aecbb5d07c0f50b5e1ee0.exe	31
PID 2264 wrote to memory of 2792	2264	a9443eaa7d2d6dcb3c7fc77200c340bdfb7acba3f77aecbb5d07c0f50b5e1ee0.exe	31
PID 2264 wrote to memory of 2792	2264	a9443eaa7d2d6dcb3c7fc77200c340bdfb7acba3f77aecbb5d07c0f50b5e1ee0.exe	31
PID 2792 wrote to memory of 2464	2792	kruxx.exe	32
PID 2792 wrote to memory of 2464	2792	kruxx.exe	32
PID 2792 wrote to memory of 2464	2792	kruxx.exe	32
PID 2792 wrote to memory of 2464	2792	kruxx.exe	32
PID 2792 wrote to memory of 2464	2792	kruxx.exe	32
PID 2792 wrote to memory of 2464	2792	kruxx.exe	32
PID 2792 wrote to memory of 2464	2792	kruxx.exe	32
PID 2464 wrote to memory of 2908	2464	kruxx.exe	33
PID 2464 wrote to memory of 2908	2464	kruxx.exe	33
PID 2464 wrote to memory of 2908	2464	kruxx.exe	33
PID 2464 wrote to memory of 2908	2464	kruxx.exe	33
PID 2908 wrote to memory of 2816	2908	cmmon32.exe	34
PID 2908 wrote to memory of 2816	2908	cmmon32.exe	34
PID 2908 wrote to memory of 2816	2908	cmmon32.exe	34
PID 2908 wrote to memory of 2816	2908	cmmon32.exe	34

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1144
- C:\Users\Admin\AppData\Local\Temp\a9443eaa7d2d6dcb3c7fc77200c340bdfb7acba3f77aecbb5d07c0f50b5e1ee0.exe
  "C:\Users\Admin\AppData\Local\Temp\a9443eaa7d2d6dcb3c7fc77200c340bdfb7acba3f77aecbb5d07c0f50b5e1ee0.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Users\Admin\AppData\Local\Temp\kruxx.exe
    C:\Users\Admin\AppData\Local\Temp\kruxx.exe C:\Users\Admin\AppData\Local\Temp\ibrjgqmyl
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Users\Admin\AppData\Local\Temp\kruxx.exe
      C:\Users\Admin\AppData\Local\Temp\kruxx.exe C:\Users\Admin\AppData\Local\Temp\ibrjgqmyl
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2464
    - - C:\Windows\SysWOW64\cmmon32.exe
        
        "C:\Windows\SysWOW64\cmmon32.exe"
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2908
      - C:\Windows\SysWOW64\cmd.exe
        
        /c del "C:\Users\Admin\AppData\Local\Temp\kruxx.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ibrjgqmyl

Filesize
5KB

MD5
45ed546858332c77218e12066a6029fa

SHA1
0858494aa6e52959811e57e8398614cc09c62153

SHA256
810fdd38959fcf9f3dba6ae58163cffb80078085d5d647a6929211d90cb7c873

SHA512
003533ccca626dadfa4c4486effac47eca3150e93aad8123c1ffb5c39363e5048238d42c9b4c910c1c588a21393473d76e5cb6ab420a8c0d7bf3e005ca2fcd9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\xyz7p5a4b3239vu443v

Filesize
184KB

MD5
c0d1a464617230b6629ebb9b91cd1505

SHA1
afa65713857e56caffa5fad7efb37df0f7596bbf

SHA256
58202640a0e3fe1c7bbf9ff4d3713bab99e4264ca358a369f4d8051a7a2adc17

SHA512
0641c5a98239e7ed1ccbe0d1cbdb5de390374f6752de350a9db8a0769119566db98e00912e7bd1fabb318859662f98f6def95c301a37ece1bf2b8fa4ea017e03

Download Submit
\Users\Admin\AppData\Local\Temp\kruxx.exe

Filesize
78KB

MD5
72cc5689ff61af5b6ce2ad9ab8e87695

SHA1
b30d786ff2e5ad9e916f188ecb463392e8ba75f6

SHA256
16e225b10cd5bc64956c75ac0fa201a37127badec00a33d9b4d5ad0b76e26198

SHA512
b3974b38475f39def30d4f9cadd4e6c3387f4296a75352bd88cc1f98f1adf9959eec06b1bf9d9f3dc4c0c14baf758ba9fcf8705ce3256a6487afb50afa26bf94

Download Submit
memory/1144-18-0x00000000067A0000-0x00000000068EE000-memory.dmp

Filesize
1.3MB

Download
memory/1144-26-0x0000000007C30000-0x0000000007DDF000-memory.dmp

Filesize
1.7MB

Download
memory/1144-22-0x00000000067A0000-0x00000000068EE000-memory.dmp

Filesize
1.3MB

Download
memory/1144-23-0x0000000007C30000-0x0000000007DDF000-memory.dmp

Filesize
1.7MB

Download
memory/2464-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2464-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2464-20-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2464-17-0x00000000005A0000-0x00000000005B4000-memory.dmp

Filesize
80KB

Download
memory/2464-14-0x0000000000700000-0x0000000000A03000-memory.dmp

Filesize
3.0MB

Download
memory/2464-21-0x00000000005E0000-0x00000000005F4000-memory.dmp

Filesize
80KB

Download
memory/2792-9-0x00000000000A0000-0x00000000000A2000-memory.dmp

Filesize
8KB

Download
memory/2908-24-0x0000000000220000-0x000000000022D000-memory.dmp

Filesize
52KB

Download
memory/2908-25-0x0000000000220000-0x000000000022D000-memory.dmp

Filesize
52KB

Download
memory/2908-27-0x00000000000E0000-0x000000000010F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing