formbook | 1218c859c65e22d750a8c9c22df3d6555775b91a5ac797b85e70e3c123a78cff

General

Target

c657108efc3f78a3052d15e5f2e8593181566f45c2c3e3316437bf7d6632095c.exe
Size

434KB
MD5

f6666d2dc66bf27af205c487c6a017d5
SHA1

639246ec825c9353bb22842de1b9411e53be2f35
SHA256

c657108efc3f78a3052d15e5f2e8593181566f45c2c3e3316437bf7d6632095c
SHA512

72bef879fb5e924078f7af3808f026ce587af4d0abdb60a84696eeb147c79a4b4d6cdfbb16286657a80ae42f9ffdac78f0d61aa869cfa2c9809795504085af4c
SSDEEP

6144:qGi4U177myi8hHrVAn7PuzIuctvYWKJFa/ft3a7CfzeE3Nw:R87c8xVy7GzxugPJM/ftECby

Score

10^/10

formbook s1m4 discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

s1m4

Decoy

fritzimmo.com

seerefugee.com

f2ymj6ud.xyz

benchessell.com

annplumb.com

malpha.online

thebengalsking.com

ulctuscaloosa.church

fotosenrutas.com

lavishyummyinvite.quest

indielanguagelearner.net

tibbattipula.com

sugarbabycones.com

dxwzh.com

brownsfinancialllc.com

63838.xyz

esscentsbyjhai.com

therunningdoula.com

63693.xyz

ccchildrenscoalition.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/2352-12-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2352-16-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2352-20-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2716-26-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

pid	Process
2972	xzzepj.exe
2352	xzzepj.exe

Loads dropped DLL 2 IoCs

pid	Process
2816	c657108efc3f78a3052d15e5f2e8593181566f45c2c3e3316437bf7d6632095c.exe
2972	xzzepj.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2972 set thread context of 2352	2972	xzzepj.exe	31
PID 2352 set thread context of 1200	2352	xzzepj.exe	21
PID 2352 set thread context of 1200	2352	xzzepj.exe	21
PID 2716 set thread context of 1200	2716	svchost.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c657108efc3f78a3052d15e5f2e8593181566f45c2c3e3316437bf7d6632095c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xzzepj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2352	xzzepj.exe
2352	xzzepj.exe
2352	xzzepj.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe
2716	svchost.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2352	xzzepj.exe
2352	xzzepj.exe
2352	xzzepj.exe
2352	xzzepj.exe
2716	svchost.exe
2716	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2352	xzzepj.exe
Token: SeDebugPrivilege	2716	svchost.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 2972	2816	c657108efc3f78a3052d15e5f2e8593181566f45c2c3e3316437bf7d6632095c.exe	30
PID 2816 wrote to memory of 2972	2816	c657108efc3f78a3052d15e5f2e8593181566f45c2c3e3316437bf7d6632095c.exe	30
PID 2816 wrote to memory of 2972	2816	c657108efc3f78a3052d15e5f2e8593181566f45c2c3e3316437bf7d6632095c.exe	30
PID 2816 wrote to memory of 2972	2816	c657108efc3f78a3052d15e5f2e8593181566f45c2c3e3316437bf7d6632095c.exe	30
PID 2972 wrote to memory of 2352	2972	xzzepj.exe	31
PID 2972 wrote to memory of 2352	2972	xzzepj.exe	31
PID 2972 wrote to memory of 2352	2972	xzzepj.exe	31
PID 2972 wrote to memory of 2352	2972	xzzepj.exe	31
PID 2972 wrote to memory of 2352	2972	xzzepj.exe	31
PID 2972 wrote to memory of 2352	2972	xzzepj.exe	31
PID 2972 wrote to memory of 2352	2972	xzzepj.exe	31
PID 1200 wrote to memory of 2716	1200	Explorer.EXE	32
PID 1200 wrote to memory of 2716	1200	Explorer.EXE	32
PID 1200 wrote to memory of 2716	1200	Explorer.EXE	32
PID 1200 wrote to memory of 2716	1200	Explorer.EXE	32
PID 2716 wrote to memory of 2680	2716	svchost.exe	33
PID 2716 wrote to memory of 2680	2716	svchost.exe	33
PID 2716 wrote to memory of 2680	2716	svchost.exe	33
PID 2716 wrote to memory of 2680	2716	svchost.exe	33

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Users\Admin\AppData\Local\Temp\c657108efc3f78a3052d15e5f2e8593181566f45c2c3e3316437bf7d6632095c.exe
  "C:\Users\Admin\AppData\Local\Temp\c657108efc3f78a3052d15e5f2e8593181566f45c2c3e3316437bf7d6632095c.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Users\Admin\AppData\Local\Temp\xzzepj.exe
    C:\Users\Admin\AppData\Local\Temp\xzzepj.exe C:\Users\Admin\AppData\Local\Temp\tqcey
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2972
  - - C:\Users\Admin\AppData\Local\Temp\xzzepj.exe
      C:\Users\Admin\AppData\Local\Temp\xzzepj.exe C:\Users\Admin\AppData\Local\Temp\tqcey
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2352
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\SysWOW64\svchost.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\xzzepj.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tqcey

Filesize
5KB

MD5
fba283c3bab916f35797445394f795da

SHA1
c63a0ed77bbee8973b44e31ae206eef02474d425

SHA256
44ef39d2ef5a57f5dbdea050f8832219e6be19b621d67f401012a689b9d0f5df

SHA512
594cbc574682e6a2885bc724aed14625739ce3a408b4c38430b94c04fe157a8d3bbc29ba05ae8b21428b3c6d5dd1001397a09ba3ad7e563b177ab74665701625

Download Submit
C:\Users\Admin\AppData\Local\Temp\yg1039a0w95poxme

Filesize
212KB

MD5
5c9453fa9d71d302eae2b13c56a9cb3b

SHA1
40414d6c7f5e0c9e32c72b0f3c14039959b2a66a

SHA256
bddea1622085d80de6087e07a9d88db92b6edeed632afc220f98b91e76e3a6e1

SHA512
9d9eebf97a10476accef32cef9b33510f323e649433d8be3ece6a27936bf261da46ac1c42862ccdf66b955233a9accfc3bbe980b4e8eb6c919a1dc8605bb0663

Download Submit
\Users\Admin\AppData\Local\Temp\xzzepj.exe

Filesize
56KB

MD5
0a4cb859a673483a1f5612365975a485

SHA1
24ae60a57e5a374944c30351d898b5c1fe508c38

SHA256
ab0d73765ac2310f6401074f9a7d16fb30e32c2b188cb47697d9e0fe0d3ae16c

SHA512
9756bc2676adc754502f9d290242d71f62ee456ba1420735f78fc514783e26bb97acba1ba74a7921930faba2c55551c14b62b34b54658ea8da4f02e60ab08563

Download Submit
memory/1200-18-0x00000000070F0000-0x0000000007274000-memory.dmp

Filesize
1.5MB

Download
memory/1200-27-0x0000000004D10000-0x0000000004DF8000-memory.dmp

Filesize
928KB

Download
memory/1200-23-0x0000000004D10000-0x0000000004DF8000-memory.dmp

Filesize
928KB

Download
memory/2352-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2352-17-0x0000000000180000-0x0000000000194000-memory.dmp

Filesize
80KB

Download
memory/2352-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2352-20-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2352-21-0x00000000003E0000-0x00000000003F4000-memory.dmp

Filesize
80KB

Download
memory/2352-14-0x0000000000910000-0x0000000000C13000-memory.dmp

Filesize
3.0MB

Download
memory/2716-25-0x0000000000A50000-0x0000000000A58000-memory.dmp

Filesize
32KB

Download
memory/2716-24-0x0000000000A50000-0x0000000000A58000-memory.dmp

Filesize
32KB

Download
memory/2716-26-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/2972-9-0x0000000000190000-0x0000000000192000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing