formbook | c1858ad1833c246ff8bf6cf2c60bace1f63dca90674b2a3006deaea9013c4079

General

Target

PO.exe
Size

465KB
MD5

4de9bfdd90db75c0b1ad968af9c094b2
SHA1

6c674e0cdc8735a3cf9bb6530c1ea08c4da13744
SHA256

45cb18a4c71c0330d1d8d493e0e32f7c55e6125d7219b0dedee54ccfe0aa85c9
SHA512

93a850a9881aedacfa2fafa35e7f316bcb260f424f4a566e35fdca773f10be1e3f02297c79f2ac882a027489b04f5c952e3c15a0151ece0f9be4ecf2c3318f59
SSDEEP

12288:ottbLWQOiDKDfdhBQwEgL8EObvrdz0YOsWN6Ax3ThZB:+bCiDuFhBQwtL8truYONN1B

Score

10^/10

formbook s2l6 discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

s2l6

Decoy

avispk.store

thomasfreitag.net

audazzo.com

wheelblastspareparts.com

babeson.top

bvvseafood-shop.com

fibertech.xyz

tapscrawlspacecleanup.com

jujiashu.com

lavech.com

kusdportal.com

luissonautodetailing.com

lomboktourist.com

mazaltovgift.com

u3vs.digital

metanovi.win

dakontoys.com

estavrse.com

partnerwithsentri.com

nissanquantum.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 3 IoCs

rat

resource	yara_rule
behavioral2/memory/2844-11-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2844-16-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/544-23-0x0000000000890000-0x00000000008BF000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2044 set thread context of 2844	2044	PO.exe	98
PID 2844 set thread context of 3520	2844	PO.exe	56
PID 544 set thread context of 3520	544	svchost.exe	56

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
2844	PO.exe
2844	PO.exe
2844	PO.exe
2844	PO.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2844	PO.exe
2844	PO.exe
2844	PO.exe
544	svchost.exe
544	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2844	PO.exe
Token: SeDebugPrivilege	544	svchost.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 2844	2044	PO.exe	98
PID 2044 wrote to memory of 2844	2044	PO.exe	98
PID 2044 wrote to memory of 2844	2044	PO.exe	98
PID 2044 wrote to memory of 2844	2044	PO.exe	98
PID 2044 wrote to memory of 2844	2044	PO.exe	98
PID 2044 wrote to memory of 2844	2044	PO.exe	98
PID 3520 wrote to memory of 544	3520	Explorer.EXE	99
PID 3520 wrote to memory of 544	3520	Explorer.EXE	99
PID 3520 wrote to memory of 544	3520	Explorer.EXE	99
PID 544 wrote to memory of 1512	544	svchost.exe	100
PID 544 wrote to memory of 1512	544	svchost.exe	100
PID 544 wrote to memory of 1512	544	svchost.exe	100

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3520
- C:\Users\Admin\AppData\Local\Temp\PO.exe
  "C:\Users\Admin\AppData\Local\Temp\PO.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Users\Admin\AppData\Local\Temp\PO.exe
    "C:\Users\Admin\AppData\Local\Temp\PO.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2844
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\SysWOW64\svchost.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:544
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\PO.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/544-19-0x0000000000200000-0x000000000020E000-memory.dmp

Filesize
56KB

Download
memory/544-23-0x0000000000890000-0x00000000008BF000-memory.dmp

Filesize
188KB

Download
memory/544-21-0x0000000000200000-0x000000000020E000-memory.dmp

Filesize
56KB

Download
memory/2044-6-0x00000000073C0000-0x00000000073CC000-memory.dmp

Filesize
48KB

Download
memory/2044-3-0x00000000073D0000-0x0000000007462000-memory.dmp

Filesize
584KB

Download
memory/2044-5-0x0000000004980000-0x000000000498A000-memory.dmp

Filesize
40KB

Download
memory/2044-0-0x000000007500E000-0x000000007500F000-memory.dmp

Filesize
4KB

Download
memory/2044-7-0x000000007500E000-0x000000007500F000-memory.dmp

Filesize
4KB

Download
memory/2044-8-0x0000000075000000-0x00000000757B0000-memory.dmp

Filesize
7.7MB

Download
memory/2044-9-0x0000000008A00000-0x0000000008A9C000-memory.dmp

Filesize
624KB

Download
memory/2044-10-0x0000000008AA0000-0x0000000008AF8000-memory.dmp

Filesize
352KB

Download
memory/2044-1-0x0000000000430000-0x00000000004AA000-memory.dmp

Filesize
488KB

Download
memory/2044-13-0x0000000075000000-0x00000000757B0000-memory.dmp

Filesize
7.7MB

Download
memory/2044-2-0x00000000078E0000-0x0000000007E84000-memory.dmp

Filesize
5.6MB

Download
memory/2044-4-0x0000000075000000-0x00000000757B0000-memory.dmp

Filesize
7.7MB

Download
memory/2844-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2844-17-0x0000000001000000-0x0000000001014000-memory.dmp

Filesize
80KB

Download
memory/2844-14-0x0000000001240000-0x000000000158A000-memory.dmp

Filesize
3.3MB

Download
memory/2844-11-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3520-18-0x0000000007B60000-0x0000000007CF4000-memory.dmp

Filesize
1.6MB

Download
memory/3520-22-0x0000000007B60000-0x0000000007CF4000-memory.dmp

Filesize
1.6MB

Download
memory/3520-27-0x0000000002910000-0x00000000029CF000-memory.dmp

Filesize
764KB

Download
memory/3520-28-0x0000000002910000-0x00000000029CF000-memory.dmp

Filesize
764KB

Download
memory/3520-30-0x0000000002910000-0x00000000029CF000-memory.dmp

Filesize
764KB

Download

Analysis

Sharing