formbook | 2fad0c1405a98d28710bc60f6c698f67551eb8ac82159809c63c954186f1b831

General

Target

21 de agosto Nueva solicitud de cotización.exe
Size

910KB
MD5

14089f35edb31d10e2e9619ee5008159
SHA1

f75f2aec3c32d5fa43ce9861d273ea9762fa8386
SHA256

d9993a3a31c12b8f8c15f571680a14fb426e28ecd130430a93e3b3cd34563ac0
SHA512

7e4a759ca47f8dadb42f39e51d5096a958fbe659ed67c344109c086f36942fb1c5609547e721798ee8505ca13182145d87ed65af5b1069c6c44ec35cc0dd7e2b
SSDEEP

12288:CG8Dc9F3nC0Py3gAhvKWi/ZDPOB/fXgGgm+hWVqpCyyPqqFizttIOIFye2YX6TZd:CGqi/ZYpq/CnFQt5Re2A6TcYCS4sfD

Score

10^/10

formbook gz92 discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gz92

Decoy

ayurvedichealthformulas.com

plazaconstrutora.com

nat-hetong.info

eapdigital.com

ibluebaytvwdshop.com

committable.com

escapesbyek.com

mywebdesigner.pro

jianianhong.com

benvenutoqui.com

beiyet.com

theartofgifs.com

mbwvyksnk.icu

nshahwelfare.com

hhhservice.com

thechaibali.com

travelscreen.expert

best123-movies.com

leiahin.com

runplay11.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/4776-12-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/4776-17-0x0000000000400000-0x000000000042E000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 728 set thread context of 4776	728	21 de agosto Nueva solicitud de cotización.exe	91
PID 4776 set thread context of 3444	4776	21 de agosto Nueva solicitud de cotización.exe	56
PID 5108 set thread context of 3444	5108	WWAHost.exe	56

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WWAHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	21 de agosto Nueva solicitud de cotización.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
4776	21 de agosto Nueva solicitud de cotización.exe
4776	21 de agosto Nueva solicitud de cotización.exe
4776	21 de agosto Nueva solicitud de cotización.exe
4776	21 de agosto Nueva solicitud de cotización.exe
5108	WWAHost.exe
5108	WWAHost.exe
5108	WWAHost.exe
5108	WWAHost.exe
5108	WWAHost.exe
5108	WWAHost.exe
5108	WWAHost.exe
5108	WWAHost.exe
5108	WWAHost.exe
5108	WWAHost.exe
5108	WWAHost.exe
5108	WWAHost.exe
5108	WWAHost.exe
5108	WWAHost.exe
5108	WWAHost.exe
5108	WWAHost.exe
5108	WWAHost.exe
5108	WWAHost.exe
5108	WWAHost.exe
5108	WWAHost.exe
5108	WWAHost.exe
5108	WWAHost.exe
5108	WWAHost.exe
5108	WWAHost.exe
5108	WWAHost.exe
5108	WWAHost.exe
5108	WWAHost.exe
5108	WWAHost.exe
5108	WWAHost.exe
5108	WWAHost.exe
5108	WWAHost.exe
5108	WWAHost.exe
5108	WWAHost.exe
5108	WWAHost.exe
5108	WWAHost.exe
5108	WWAHost.exe
5108	WWAHost.exe
5108	WWAHost.exe
5108	WWAHost.exe
5108	WWAHost.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
4776	21 de agosto Nueva solicitud de cotización.exe
4776	21 de agosto Nueva solicitud de cotización.exe
4776	21 de agosto Nueva solicitud de cotización.exe
5108	WWAHost.exe
5108	WWAHost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4776	21 de agosto Nueva solicitud de cotización.exe
Token: SeDebugPrivilege	5108	WWAHost.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 728 wrote to memory of 4776	728	21 de agosto Nueva solicitud de cotización.exe	91
PID 728 wrote to memory of 4776	728	21 de agosto Nueva solicitud de cotización.exe	91
PID 728 wrote to memory of 4776	728	21 de agosto Nueva solicitud de cotización.exe	91
PID 728 wrote to memory of 4776	728	21 de agosto Nueva solicitud de cotización.exe	91
PID 728 wrote to memory of 4776	728	21 de agosto Nueva solicitud de cotización.exe	91
PID 728 wrote to memory of 4776	728	21 de agosto Nueva solicitud de cotización.exe	91
PID 3444 wrote to memory of 5108	3444	Explorer.EXE	93
PID 3444 wrote to memory of 5108	3444	Explorer.EXE	93
PID 3444 wrote to memory of 5108	3444	Explorer.EXE	93
PID 5108 wrote to memory of 4896	5108	WWAHost.exe	94
PID 5108 wrote to memory of 4896	5108	WWAHost.exe	94
PID 5108 wrote to memory of 4896	5108	WWAHost.exe	94

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Users\Admin\AppData\Local\Temp\21 de agosto Nueva solicitud de cotización.exe
  "C:\Users\Admin\AppData\Local\Temp\21 de agosto Nueva solicitud de cotización.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:728
- - C:\Users\Admin\AppData\Local\Temp\21 de agosto Nueva solicitud de cotización.exe
    "C:\Users\Admin\AppData\Local\Temp\21 de agosto Nueva solicitud de cotización.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:4776
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:1276
- C:\Windows\SysWOW64\WWAHost.exe
  "C:\Windows\SysWOW64\WWAHost.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5108
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\21 de agosto Nueva solicitud de cotización.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/728-8-0x0000000074CCE000-0x0000000074CCF000-memory.dmp

Filesize
4KB

Download
memory/728-2-0x00000000058F0000-0x0000000005E94000-memory.dmp

Filesize
5.6MB

Download
memory/728-9-0x0000000074CC0000-0x0000000075470000-memory.dmp

Filesize
7.7MB

Download
memory/728-10-0x0000000006480000-0x0000000006536000-memory.dmp

Filesize
728KB

Download
memory/728-5-0x0000000005600000-0x000000000560A000-memory.dmp

Filesize
40KB

Download
memory/728-4-0x0000000074CC0000-0x0000000075470000-memory.dmp

Filesize
7.7MB

Download
memory/728-6-0x00000000057B0000-0x000000000584C000-memory.dmp

Filesize
624KB

Download
memory/728-7-0x0000000005730000-0x0000000005748000-memory.dmp

Filesize
96KB

Download
memory/728-14-0x0000000074CC0000-0x0000000075470000-memory.dmp

Filesize
7.7MB

Download
memory/728-1-0x00000000009A0000-0x0000000000A8A000-memory.dmp

Filesize
936KB

Download
memory/728-3-0x0000000005430000-0x00000000054C2000-memory.dmp

Filesize
584KB

Download
memory/728-11-0x0000000008A50000-0x0000000008A98000-memory.dmp

Filesize
288KB

Download
memory/728-0-0x0000000074CCE000-0x0000000074CCF000-memory.dmp

Filesize
4KB

Download
memory/3444-19-0x0000000003030000-0x0000000003115000-memory.dmp

Filesize
916KB

Download
memory/3444-30-0x0000000008ED0000-0x000000000901C000-memory.dmp

Filesize
1.3MB

Download
memory/3444-28-0x0000000008ED0000-0x000000000901C000-memory.dmp

Filesize
1.3MB

Download
memory/3444-27-0x0000000008ED0000-0x000000000901C000-memory.dmp

Filesize
1.3MB

Download
memory/3444-23-0x0000000003030000-0x0000000003115000-memory.dmp

Filesize
916KB

Download
memory/4776-12-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4776-18-0x0000000001250000-0x0000000001264000-memory.dmp

Filesize
80KB

Download
memory/4776-17-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4776-15-0x0000000001750000-0x0000000001A9A000-memory.dmp

Filesize
3.3MB

Download
memory/5108-22-0x0000000000FD0000-0x00000000010AC000-memory.dmp

Filesize
880KB

Download
memory/5108-20-0x0000000000FD0000-0x00000000010AC000-memory.dmp

Filesize
880KB

Download

Analysis

Sharing