formbook | cc1c62b8dd91838972b7f45c0d442b471474e8acf464500a491e839fea047423

General

Target

280dfcc65a689143d9976fa88636c45c1dee63190a20ef72612d384635a22881.exe
Size

1.1MB
MD5

d59b57c9148dca2f692fd46b87d5cfa4
SHA1

02aecf7a03667332c65c998030754f66ca95ae5c
SHA256

280dfcc65a689143d9976fa88636c45c1dee63190a20ef72612d384635a22881
SHA512

5ae30d9855d7792cb3a6baa55ec33c9aaf0e33c9cb516b6f509d8febaaf73b6ffc498b84f00f49f88febdd064d87886ccaa08fe85e5c6d22f37248f94686f48a
SSDEEP

24576:thLuyybqu13JvG47hloOmxpKTFfP/9hnZs:bLuyybb13Ju47hEpKZnv

Score

10^/10

formbook fwmz discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

fwmz

Decoy

EVMoY7Gw+zpNcMLX

eXADD4RePMOo+0RvOxjO/Q==

HUAzaMufWaVUl6RcbC0gPiu7EQ==

2M3iedmKTSWi8D5pOxjO/Q==

heFzVamRKfl1dwTLbA==

fxyeUGblrhj0MlLfOxjO/Q==

6jEARb17RJQKRJHIYB3LD/+9

3htk8zHUxezkKDA=

Sj1Hu/6kYE4HhsMxSAA=

Zq8IzvjIWeB4+w==

eYiQ3SG7qOzkKDA=

PZMa7lsB2+zkKDA=

aXEH9k8N1q1jdwTLbA==

7BdtDGwYBNOP0i4Bkj7+CPXsCUv6

DPnyLItdG2EPaIItUfICLLc4zvkWHA==

FyEvlOiOVMK3GHUpuVYJaUYbG3M=

MjnCgM52NPlJkaBLbxzLD/+9

1cXQN5JaL3gcY6Z5j1AYg0YbG3M=

39ReTLB4YOVaoSfqmhc=

oP/Fwf+hYLx8ftOlwlU6Iy6zAIHTFA==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2568 set thread context of 2192	2568	280dfcc65a689143d9976fa88636c45c1dee63190a20ef72612d384635a22881.exe	31

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	280dfcc65a689143d9976fa88636c45c1dee63190a20ef72612d384635a22881.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2192	280dfcc65a689143d9976fa88636c45c1dee63190a20ef72612d384635a22881.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 2192	2568	280dfcc65a689143d9976fa88636c45c1dee63190a20ef72612d384635a22881.exe	31
PID 2568 wrote to memory of 2192	2568	280dfcc65a689143d9976fa88636c45c1dee63190a20ef72612d384635a22881.exe	31
PID 2568 wrote to memory of 2192	2568	280dfcc65a689143d9976fa88636c45c1dee63190a20ef72612d384635a22881.exe	31
PID 2568 wrote to memory of 2192	2568	280dfcc65a689143d9976fa88636c45c1dee63190a20ef72612d384635a22881.exe	31
PID 2568 wrote to memory of 2192	2568	280dfcc65a689143d9976fa88636c45c1dee63190a20ef72612d384635a22881.exe	31
PID 2568 wrote to memory of 2192	2568	280dfcc65a689143d9976fa88636c45c1dee63190a20ef72612d384635a22881.exe	31
PID 2568 wrote to memory of 2192	2568	280dfcc65a689143d9976fa88636c45c1dee63190a20ef72612d384635a22881.exe	31

C:\Users\Admin\AppData\Local\Temp\280dfcc65a689143d9976fa88636c45c1dee63190a20ef72612d384635a22881.exe
"C:\Users\Admin\AppData\Local\Temp\280dfcc65a689143d9976fa88636c45c1dee63190a20ef72612d384635a22881.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Users\Admin\AppData\Local\Temp\280dfcc65a689143d9976fa88636c45c1dee63190a20ef72612d384635a22881.exe
  "C:\Users\Admin\AppData\Local\Temp\280dfcc65a689143d9976fa88636c45c1dee63190a20ef72612d384635a22881.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2192-10-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2192-22-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2192-21-0x0000000000860000-0x0000000000B63000-memory.dmp

Filesize
3.0MB

Download
memory/2192-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2192-18-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2192-19-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2192-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2192-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2568-4-0x0000000000430000-0x0000000000444000-memory.dmp

Filesize
80KB

Download
memory/2568-9-0x0000000005370000-0x00000000053BE000-memory.dmp

Filesize
312KB

Download
memory/2568-8-0x00000000064D0000-0x0000000006578000-memory.dmp

Filesize
672KB

Download
memory/2568-7-0x00000000004D0000-0x00000000004DC000-memory.dmp

Filesize
48KB

Download
memory/2568-6-0x0000000073F50000-0x000000007463E000-memory.dmp

Filesize
6.9MB

Download
memory/2568-5-0x0000000073F5E000-0x0000000073F5F000-memory.dmp

Filesize
4KB

Download
memory/2568-0-0x0000000073F5E000-0x0000000073F5F000-memory.dmp

Filesize
4KB

Download
memory/2568-3-0x0000000000410000-0x0000000000424000-memory.dmp

Filesize
80KB

Download
memory/2568-2-0x0000000073F50000-0x000000007463E000-memory.dmp

Filesize
6.9MB

Download
memory/2568-1-0x0000000001130000-0x000000000124C000-memory.dmp

Filesize
1.1MB

Download
memory/2568-20-0x0000000073F50000-0x000000007463E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing