formbook | 0bd6d95e80ee61cc9a7127dfbf5c88bd73ba74b225f3a931b49c26c014f6efe7

General

Target

invoice.exe
Size

255KB
MD5

370325f2e5f6a85aaf28087cb739e313
SHA1

617235f277614da1325dff53930e51bc45ac11df
SHA256

8692e6fd0eda4246c038c8671a633ee05b8a76b46bd024511c66020ba69e3f4f
SHA512

88cc1bc807eaefa33b803bc14ecf85078b1242596e504fa39be60fdcd65b94006beeb77fb7d0595e019f6a2253310d51fee9b8c27a45f12a7b880a0dba05c128
SSDEEP

6144:mbE/HUbWkN7a34BeKtzRVzSnGHWu7xS51LI8Ywh:mb/j7a34oK5rzMuxVSh

Score

10^/10

formbook mn21 discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mn21

Decoy

h3k38c.icu

qbfstopp.com

butalip.xyz

hanghang.club

relativemotionsuspension.com

bjddjyfdc.com

patrichard.com

filyacat.com

mothertukker.co.uk

riescodesign.com

afierypulse.com

supplypartners.biz

ekkogroupmoment.com

ivnocup.com

lycyjzx.com

elbuensamaritanoinc.com

forzel.com

mykedairuncit.com

usuariosconsultasnet.store

idaparry.cfd

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/2980-16-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2980-19-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Executes dropped EXE 1 IoCs

pid	Process
2712	bjzfttovhy.exe

Loads dropped DLL 3 IoCs

pid	Process
2656	invoice.exe
2712	bjzfttovhy.exe
2980	bjzfttovhy.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2712 set thread context of 2980	2712	bjzfttovhy.exe	32
PID 2980 set thread context of 1200	2980	bjzfttovhy.exe	21
PID 2980 set thread context of 1200	2980	bjzfttovhy.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2780	2912	WerFault.exe	33

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	invoice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bjzfttovhy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2980	bjzfttovhy.exe
2980	bjzfttovhy.exe
2980	bjzfttovhy.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
2980	bjzfttovhy.exe
2980	bjzfttovhy.exe
2980	bjzfttovhy.exe
2980	bjzfttovhy.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2980	bjzfttovhy.exe
Token: SeShutdownPrivilege	1200	Explorer.EXE
Token: SeShutdownPrivilege	1200	Explorer.EXE
Token: SeShutdownPrivilege	1200	Explorer.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 2712	2656	invoice.exe	31
PID 2656 wrote to memory of 2712	2656	invoice.exe	31
PID 2656 wrote to memory of 2712	2656	invoice.exe	31
PID 2656 wrote to memory of 2712	2656	invoice.exe	31
PID 2712 wrote to memory of 2980	2712	bjzfttovhy.exe	32
PID 2712 wrote to memory of 2980	2712	bjzfttovhy.exe	32
PID 2712 wrote to memory of 2980	2712	bjzfttovhy.exe	32
PID 2712 wrote to memory of 2980	2712	bjzfttovhy.exe	32
PID 2712 wrote to memory of 2980	2712	bjzfttovhy.exe	32
PID 1200 wrote to memory of 2912	1200	Explorer.EXE	33
PID 1200 wrote to memory of 2912	1200	Explorer.EXE	33
PID 1200 wrote to memory of 2912	1200	Explorer.EXE	33
PID 1200 wrote to memory of 2912	1200	Explorer.EXE	33
PID 1200 wrote to memory of 2912	1200	Explorer.EXE	33
PID 1200 wrote to memory of 2912	1200	Explorer.EXE	33
PID 1200 wrote to memory of 2912	1200	Explorer.EXE	33
PID 2912 wrote to memory of 2780	2912	msiexec.exe	34
PID 2912 wrote to memory of 2780	2912	msiexec.exe	34
PID 2912 wrote to memory of 2780	2912	msiexec.exe	34
PID 2912 wrote to memory of 2780	2912	msiexec.exe	34

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Users\Admin\AppData\Local\Temp\invoice.exe
  "C:\Users\Admin\AppData\Local\Temp\invoice.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Users\Admin\AppData\Local\Temp\bjzfttovhy.exe
    "C:\Users\Admin\AppData\Local\Temp\bjzfttovhy.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Users\Admin\AppData\Local\Temp\bjzfttovhy.exe
      "C:\Users\Admin\AppData\Local\Temp\bjzfttovhy.exe"
      4⤵
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2980
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 268
    3⤵
    - Program crash
    PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\eyxxowq.tp

Filesize
185KB

MD5
4566513860f5341cb75f5dd209ac8acb

SHA1
2cc0b3f8f61b9530ddefd92099d20b5f7468460f

SHA256
86e86681303528f0ce0cff0b0deb6cd68f6971e90daf7586d64c0f3f53314738

SHA512
95d86ff71b5b697838433af281fe8c1d4d7b0eb646c0ff7f12d2a165a79815c71804cb9f0e7117b6f65e72e5d7a2a2f9fb1289811b8c2cf60a54eb937bcdd469

Download Submit
C:\Users\Admin\AppData\Local\Temp\nzkdfz.tu

Filesize
4KB

MD5
dda716ce55afb302eea7fbf921873b4e

SHA1
645885de5a11fc741373ab6066704ddde3e28cbe

SHA256
f87979ad0a96c6c412cc382caeb1f9aee06599acd648384fe377c99adc5f7c31

SHA512
a0cb90cd60827558f41d5b43c3ec8fba7bef54b1e4bdb2c8372c29ca5d8a6a36f6acc1bec38311a8afb502990ab5fc2e0f257ab54cf5623c60e449e1f6a44a73

Download Submit
\Users\Admin\AppData\Local\Temp\bjzfttovhy.exe

Filesize
59KB

MD5
8aaf366f0347501bad46a2593664c9fa

SHA1
8f80b099bc2eeee883fe6f3afb0b295cc9c10ec6

SHA256
266853551f6890103f71206b085307f1174b185f55b6b87aa3a3d3f189a1463f

SHA512
d0f4744479cff0f8f25fa312d502629041599aa97801a4ba1085e1cd4b12329d47f91fcfaa638c04274377534114934c2b94e07188355464498b08ed7f94a6a0

Download Submit
memory/1200-22-0x0000000006660000-0x00000000067D0000-memory.dmp

Filesize
1.4MB

Download
memory/1200-30-0x00000000061A0000-0x000000000626A000-memory.dmp

Filesize
808KB

Download
memory/1200-17-0x0000000006660000-0x00000000067D0000-memory.dmp

Filesize
1.4MB

Download
memory/1200-21-0x00000000061A0000-0x000000000626A000-memory.dmp

Filesize
808KB

Download
memory/2712-9-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/2912-27-0x00000000003B0000-0x00000000003C4000-memory.dmp

Filesize
80KB

Download
memory/2912-24-0x00000000003B0000-0x00000000003C4000-memory.dmp

Filesize
80KB

Download
memory/2912-25-0x00000000003B0000-0x00000000003C4000-memory.dmp

Filesize
80KB

Download
memory/2980-14-0x00000000008A0000-0x0000000000BA3000-memory.dmp

Filesize
3.0MB

Download
memory/2980-18-0x000000000041F000-0x0000000000420000-memory.dmp

Filesize
4KB

Download
memory/2980-19-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2980-15-0x000000000041F000-0x0000000000420000-memory.dmp

Filesize
4KB

Download
memory/2980-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing