formbook | ddf35d45c7f1257634905c047c8ddfd40e75dcda9ca39a658c00698e25f3db22

General

Target

14ebcbc69653d3257eb42c91734bcf2a1ca5dff12c31c06cf955279ea4af5bfd.exe
Size

884KB
MD5

1b415a56616a9f7c2e37fc2ce570664f
SHA1

2e7a5b8378e9a0e5fd7f5a8321af4d128ef2a1a3
SHA256

14ebcbc69653d3257eb42c91734bcf2a1ca5dff12c31c06cf955279ea4af5bfd
SHA512

e77e25ffeae630cc2413fd969462a7fd019738f2981b4304ab6ba4cc5bb9530db3f1210c5cb90665529f6c25c03f6a63362362a18e6bb801edeccc979a0f711b
SSDEEP

12288:c6NsBxnXmu2YWb3Hc3qGuyTM/cTO5t0M5XYMQ2Ds0yW7AWgLmKijL8DP:c6NE2u2YWaDucTO5mM5XHhzy4AsXcP

Score

10^/10

formbook vn3b discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

vn3b

Decoy

rowenglobal.com

abrirumaempresa.com

videosbet.xyz

blackbettyxt.com

trust-red.net

sonyalpharunors.com

shiqichaoji.com

allex-ru.com

totalpowerpc.store

ptocom.com

quantumsai.club

toughcookie.love

nivafitness.com

bioskopmovie21.com

giatsaygiare.com

xiongmaojingxuan.com

zjjly88.com

trampmotorsports.com

pibblekibble.com

mymounntnittanyhealth.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/5000-13-0x0000000000400000-0x000000000042E000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1628 set thread context of 5000	1628	14ebcbc69653d3257eb42c91734bcf2a1ca5dff12c31c06cf955279ea4af5bfd.exe	103

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	14ebcbc69653d3257eb42c91734bcf2a1ca5dff12c31c06cf955279ea4af5bfd.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1628	14ebcbc69653d3257eb42c91734bcf2a1ca5dff12c31c06cf955279ea4af5bfd.exe
1628	14ebcbc69653d3257eb42c91734bcf2a1ca5dff12c31c06cf955279ea4af5bfd.exe
5000	14ebcbc69653d3257eb42c91734bcf2a1ca5dff12c31c06cf955279ea4af5bfd.exe
5000	14ebcbc69653d3257eb42c91734bcf2a1ca5dff12c31c06cf955279ea4af5bfd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1628	14ebcbc69653d3257eb42c91734bcf2a1ca5dff12c31c06cf955279ea4af5bfd.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 5020	1628	14ebcbc69653d3257eb42c91734bcf2a1ca5dff12c31c06cf955279ea4af5bfd.exe	102
PID 1628 wrote to memory of 5020	1628	14ebcbc69653d3257eb42c91734bcf2a1ca5dff12c31c06cf955279ea4af5bfd.exe	102
PID 1628 wrote to memory of 5020	1628	14ebcbc69653d3257eb42c91734bcf2a1ca5dff12c31c06cf955279ea4af5bfd.exe	102
PID 1628 wrote to memory of 5000	1628	14ebcbc69653d3257eb42c91734bcf2a1ca5dff12c31c06cf955279ea4af5bfd.exe	103
PID 1628 wrote to memory of 5000	1628	14ebcbc69653d3257eb42c91734bcf2a1ca5dff12c31c06cf955279ea4af5bfd.exe	103
PID 1628 wrote to memory of 5000	1628	14ebcbc69653d3257eb42c91734bcf2a1ca5dff12c31c06cf955279ea4af5bfd.exe	103
PID 1628 wrote to memory of 5000	1628	14ebcbc69653d3257eb42c91734bcf2a1ca5dff12c31c06cf955279ea4af5bfd.exe	103
PID 1628 wrote to memory of 5000	1628	14ebcbc69653d3257eb42c91734bcf2a1ca5dff12c31c06cf955279ea4af5bfd.exe	103
PID 1628 wrote to memory of 5000	1628	14ebcbc69653d3257eb42c91734bcf2a1ca5dff12c31c06cf955279ea4af5bfd.exe	103

C:\Users\Admin\AppData\Local\Temp\14ebcbc69653d3257eb42c91734bcf2a1ca5dff12c31c06cf955279ea4af5bfd.exe
"C:\Users\Admin\AppData\Local\Temp\14ebcbc69653d3257eb42c91734bcf2a1ca5dff12c31c06cf955279ea4af5bfd.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Users\Admin\AppData\Local\Temp\14ebcbc69653d3257eb42c91734bcf2a1ca5dff12c31c06cf955279ea4af5bfd.exe
  "C:\Users\Admin\AppData\Local\Temp\14ebcbc69653d3257eb42c91734bcf2a1ca5dff12c31c06cf955279ea4af5bfd.exe"
  2⤵
  PID:5020
- C:\Users\Admin\AppData\Local\Temp\14ebcbc69653d3257eb42c91734bcf2a1ca5dff12c31c06cf955279ea4af5bfd.exe
  "C:\Users\Admin\AppData\Local\Temp\14ebcbc69653d3257eb42c91734bcf2a1ca5dff12c31c06cf955279ea4af5bfd.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1628-8-0x0000000004FD0000-0x0000000004FE4000-memory.dmp

Filesize
80KB

Download
memory/1628-7-0x0000000004DB0000-0x0000000004E06000-memory.dmp

Filesize
344KB

Download
memory/1628-2-0x0000000004AE0000-0x0000000004B7C000-memory.dmp

Filesize
624KB

Download
memory/1628-3-0x0000000005130000-0x00000000056D4000-memory.dmp

Filesize
5.6MB

Download
memory/1628-0-0x000000007477E000-0x000000007477F000-memory.dmp

Filesize
4KB

Download
memory/1628-5-0x0000000074770000-0x0000000074F20000-memory.dmp

Filesize
7.7MB

Download
memory/1628-1-0x0000000000040000-0x0000000000122000-memory.dmp

Filesize
904KB

Download
memory/1628-6-0x0000000004BB0000-0x0000000004BBA000-memory.dmp

Filesize
40KB

Download
memory/1628-4-0x0000000004C20000-0x0000000004CB2000-memory.dmp

Filesize
584KB

Download
memory/1628-9-0x000000007477E000-0x000000007477F000-memory.dmp

Filesize
4KB

Download
memory/1628-10-0x0000000074770000-0x0000000074F20000-memory.dmp

Filesize
7.7MB

Download
memory/1628-11-0x00000000075A0000-0x0000000007620000-memory.dmp

Filesize
512KB

Download
memory/1628-12-0x0000000009CC0000-0x0000000009D04000-memory.dmp

Filesize
272KB

Download
memory/1628-15-0x0000000074770000-0x0000000074F20000-memory.dmp

Filesize
7.7MB

Download
memory/5000-13-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5000-16-0x0000000000F90000-0x00000000012DA000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing