formbook | 6ae8071cc6e2878cecd868d14a012b5a85dc37305f0e476d07fa809b699c1ee2

General

Target

soa.exe
Size

451KB
MD5

db7035b451f169a670b56a3a023b18e8
SHA1

d586fb0dbdfb1a37cf8097c3f11f4db745e9faa9
SHA256

aeccef59002b851b685cf54307f906c06adb065b68c3eff112f4b0f1442d1349
SHA512

fc6f4c6321747aa92301f8ac3d01cae40ad5d51df1cf294e179bd866537de0f5cef7f1b17616efbc2194679b7d7eff8b807d9d1ef9dc12331c497cbb4f89d707
SSDEEP

6144:rr5h1r6lmPMk8X25ahxL4XUhaGFo69nwTge6qG5yjNeQFgv8dKgvW:rrH1GIUk83xLfHSTg5qGIjNeDCKg

Score

10^/10

formbook bg6 discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

bg6

Decoy

uvs57.info

perfectpointapparel.com

sportsthrem.com

debowerdesigns.com

wzjs99.com

chothuexenangxecauninhbinh.com

blackkeymanagement.com

verdesonline.com

hezehzxx0530.com

alientechcenterlondon.com

body-suit.com

pcfip.com

perocreations.com

mingary.life

goldengoddessglamour.com

reparmaxpro.com

xn--fiqv1al2p20d348d.com

yourhomehealthcarellc.net

weddingproper.com

felicityhorseclub.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/4196-6-0x0000000000400000-0x000000000042D000-memory.dmp	formbook
behavioral2/memory/4196-11-0x0000000000400000-0x000000000042D000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4484 set thread context of 4196	4484	soa.exe	91
PID 4196 set thread context of 3468	4196	RegSvcs.exe	56
PID 1072 set thread context of 3468	1072	control.exe	56

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	soa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	control.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
4484	soa.exe
4196	RegSvcs.exe
4196	RegSvcs.exe
4196	RegSvcs.exe
4196	RegSvcs.exe
1072	control.exe
1072	control.exe
1072	control.exe
1072	control.exe
1072	control.exe
1072	control.exe
1072	control.exe
1072	control.exe
1072	control.exe
1072	control.exe
1072	control.exe
1072	control.exe
1072	control.exe
1072	control.exe
1072	control.exe
1072	control.exe
1072	control.exe
1072	control.exe
1072	control.exe
1072	control.exe
1072	control.exe
1072	control.exe
1072	control.exe
1072	control.exe
1072	control.exe
1072	control.exe
1072	control.exe
1072	control.exe
1072	control.exe
1072	control.exe
1072	control.exe
1072	control.exe
1072	control.exe
1072	control.exe
1072	control.exe
1072	control.exe
1072	control.exe
1072	control.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
4196	RegSvcs.exe
4196	RegSvcs.exe
4196	RegSvcs.exe
1072	control.exe
1072	control.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4484	soa.exe
Token: SeDebugPrivilege	4196	RegSvcs.exe
Token: SeDebugPrivilege	1072	control.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4484 wrote to memory of 4196	4484	soa.exe	91
PID 4484 wrote to memory of 4196	4484	soa.exe	91
PID 4484 wrote to memory of 4196	4484	soa.exe	91
PID 4484 wrote to memory of 4196	4484	soa.exe	91
PID 4484 wrote to memory of 4196	4484	soa.exe	91
PID 4484 wrote to memory of 4196	4484	soa.exe	91
PID 3468 wrote to memory of 1072	3468	Explorer.EXE	92
PID 3468 wrote to memory of 1072	3468	Explorer.EXE	92
PID 3468 wrote to memory of 1072	3468	Explorer.EXE	92
PID 1072 wrote to memory of 1160	1072	control.exe	93
PID 1072 wrote to memory of 1160	1072	control.exe	93
PID 1072 wrote to memory of 1160	1072	control.exe	93

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3468
- C:\Users\Admin\AppData\Local\Temp\soa.exe
  "C:\Users\Admin\AppData\Local\Temp\soa.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4484
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:4196
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\SysWOW64\control.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1072-14-0x0000000000EB0000-0x0000000000ED7000-memory.dmp

Filesize
156KB

Download
memory/1072-15-0x0000000000EB0000-0x0000000000ED7000-memory.dmp

Filesize
156KB

Download
memory/3468-13-0x0000000002CC0000-0x0000000002D98000-memory.dmp

Filesize
864KB

Download
memory/3468-23-0x00000000075E0000-0x00000000076A4000-memory.dmp

Filesize
784KB

Download
memory/3468-21-0x00000000075E0000-0x00000000076A4000-memory.dmp

Filesize
784KB

Download
memory/3468-20-0x00000000075E0000-0x00000000076A4000-memory.dmp

Filesize
784KB

Download
memory/3468-16-0x0000000002CC0000-0x0000000002D98000-memory.dmp

Filesize
864KB

Download
memory/4196-9-0x0000000000EF0000-0x000000000123A000-memory.dmp

Filesize
3.3MB

Download
memory/4196-12-0x0000000000990000-0x00000000009A4000-memory.dmp

Filesize
80KB

Download
memory/4196-11-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4196-6-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4484-0-0x0000000074C32000-0x0000000074C33000-memory.dmp

Filesize
4KB

Download
memory/4484-8-0x0000000074C30000-0x00000000751E1000-memory.dmp

Filesize
5.7MB

Download
memory/4484-5-0x0000000074C30000-0x00000000751E1000-memory.dmp

Filesize
5.7MB

Download
memory/4484-4-0x0000000074C30000-0x00000000751E1000-memory.dmp

Filesize
5.7MB

Download
memory/4484-3-0x0000000074C32000-0x0000000074C33000-memory.dmp

Filesize
4KB

Download
memory/4484-2-0x0000000074C30000-0x00000000751E1000-memory.dmp

Filesize
5.7MB

Download
memory/4484-1-0x0000000074C30000-0x00000000751E1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing