formbook | 5e97613cb0491ba041dd3e94a510578afbc306a5b317c3441b29cd73e6a10654

General

Target

madzig1.3.exe
Size

904KB
MD5

7272ea4c00d27f61d0fdb06766ec349e
SHA1

81e72cd1bc4f5213cc41f5c78b184d47f2d36dd0
SHA256

bfe6a417287d1f3c25bb93b8841620c3a7274c715f749c425d146b67496299f1
SHA512

3898d9fb2417f484803fd9ef0f105f35e7c986219d635ba7cff78aecfc3617d041eb669f8297942f60248302f49cc12fbcb724484c2ea216a2ad89c49a2af64c
SSDEEP

24576:mbpDQ4Y0F4Ji4U4+4484olVxA9VJ30eoPF+Fb3bDorUsXQAKZNA46jgPdD:cvFzQ/g9uodD

Score

10^/10

formbook wh23 discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

wh23

Decoy

ow9vyvfee.com

alvis.one

mutantgobz.claims

plynofon.com

southofkingst.store

nuvidamedspa.com

coffeeforyou56.com

opaletechevents.com

momobar.life

abcmousu.com

learnicd-11.com

tipokin.xyz

kahvezevki.com

suratdimond.com

oldartists.best

infoepic.info

mattresslabo.com

skarlmotors.com

cl9319x.xyz

med49app.net

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/2608-26-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Executes dropped EXE 3 IoCs

pid	Process
2796	xtzzxbx.exe
2284	xtzzxbx.exe
2852	xtzzxbx.exe

Loads dropped DLL 9 IoCs

pid	Process
2400	madzig1.3.exe
2796	xtzzxbx.exe
2796	xtzzxbx.exe
2796	xtzzxbx.exe
2916	WerFault.exe
2916	WerFault.exe
2916	WerFault.exe
2916	WerFault.exe
2916	WerFault.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2796 set thread context of 2608	2796	xtzzxbx.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2916	2796	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	madzig1.3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xtzzxbx.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2796	xtzzxbx.exe
2796	xtzzxbx.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2796	xtzzxbx.exe
2796	xtzzxbx.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2796	2400	madzig1.3.exe	30
PID 2400 wrote to memory of 2796	2400	madzig1.3.exe	30
PID 2400 wrote to memory of 2796	2400	madzig1.3.exe	30
PID 2400 wrote to memory of 2796	2400	madzig1.3.exe	30
PID 2796 wrote to memory of 2284	2796	xtzzxbx.exe	31
PID 2796 wrote to memory of 2284	2796	xtzzxbx.exe	31
PID 2796 wrote to memory of 2284	2796	xtzzxbx.exe	31
PID 2796 wrote to memory of 2284	2796	xtzzxbx.exe	31
PID 2796 wrote to memory of 2852	2796	xtzzxbx.exe	32
PID 2796 wrote to memory of 2852	2796	xtzzxbx.exe	32
PID 2796 wrote to memory of 2852	2796	xtzzxbx.exe	32
PID 2796 wrote to memory of 2852	2796	xtzzxbx.exe	32
PID 2796 wrote to memory of 2608	2796	xtzzxbx.exe	33
PID 2796 wrote to memory of 2608	2796	xtzzxbx.exe	33
PID 2796 wrote to memory of 2608	2796	xtzzxbx.exe	33
PID 2796 wrote to memory of 2608	2796	xtzzxbx.exe	33
PID 2796 wrote to memory of 2608	2796	xtzzxbx.exe	33
PID 2796 wrote to memory of 2916	2796	xtzzxbx.exe	34
PID 2796 wrote to memory of 2916	2796	xtzzxbx.exe	34
PID 2796 wrote to memory of 2916	2796	xtzzxbx.exe	34
PID 2796 wrote to memory of 2916	2796	xtzzxbx.exe	34

C:\Users\Admin\AppData\Local\Temp\madzig1.3.exe
"C:\Users\Admin\AppData\Local\Temp\madzig1.3.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Users\Admin\AppData\Local\Temp\xtzzxbx.exe
  "C:\Users\Admin\AppData\Local\Temp\xtzzxbx.exe" "C:\Users\Admin\AppData\Local\Temp\uvrnbijywa.au3"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Users\Admin\AppData\Local\Temp\xtzzxbx.exe
    "C:\Users\Admin\AppData\Local\Temp\xtzzxbx.exe" "C:\Users\Admin\AppData\Local\Temp\uvrnbijywa.au3"
    3⤵
    - Executes dropped EXE
    PID:2284
- - C:\Users\Admin\AppData\Local\Temp\xtzzxbx.exe
    "C:\Users\Admin\AppData\Local\Temp\xtzzxbx.exe" "C:\Users\Admin\AppData\Local\Temp\uvrnbijywa.au3"
    3⤵
    - Executes dropped EXE
    PID:2852
- - C:\Users\Admin\AppData\Local\Temp\xtzzxbx.exe
    "C:\Users\Admin\AppData\Local\Temp\xtzzxbx.exe" "C:\Users\Admin\AppData\Local\Temp\uvrnbijywa.au3"
    3⤵
    PID:2608
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 312
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\azwovjtxhn.dw

Filesize
36KB

MD5
d6e1c7b21467a5abb8bf7905c0df8269

SHA1
e691fa39cb04cf04aaa6f69fa0fda60bb4cff799

SHA256
1b838e446889eec4d84cf5ab66eb5656019f611c58d7b758279cd492bceb7eb5

SHA512
004aa5df26dbdb61fc57633f8a62f7ac58b21fcdfeb35fcdf1fe842b7a9ef188fc4deea53f6452b8689ae39495bd03f69108a90adbbcf939427c030302f0f0e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfdpkhyiha.g

Filesize
185KB

MD5
91417fefd9465110ca2ce182f16dcabf

SHA1
049e446939b302595a4318f976cc5e3d83a5d499

SHA256
5d84f0c087e6d6928bd641b46db069f01d54ab88049906ea804409146f6452b0

SHA512
568c2bec10d6d07784379e15518c797788ee490db177d270a7b86409c014b4ba7bad2079d0ebad8a25331b85b02ce13605318edee6a1e96bf53928ab041cf117

Download Submit
C:\Users\Admin\AppData\Local\Temp\uvrnbijywa.au3

Filesize
4KB

MD5
2b951a4d0cd35c8bd945ba81138604fe

SHA1
f8400a801766f7bc9d41917703027e1628890446

SHA256
e1ed35d54e9a1bd2766ab47b66148af3037fcba26604a5c764a842015cee0638

SHA512
782ae563c588181143a75ef4df136604c68949e4e675d73ae36caf095664a6f5df9a7ec6d0ac4cfdce0fec927351d76c9653080a4672b0c1d7e1ffd005f66587

Download Submit
\Users\Admin\AppData\Local\Temp\xtzzxbx.exe

Filesize
925KB

MD5
0adb9b817f1df7807576c2d7068dd931

SHA1
4a1b94a9a5113106f40cd8ea724703734d15f118

SHA256
98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b

SHA512
883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a

Download Submit
memory/2608-26-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2796-10-0x0000000000170000-0x0000000000172000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing