formbook | 9983298c20cfbf4d592ab49495ff623673003a942259bab634c3cdad4b918adf

General

Target

0791e8ab1ff5119cb4dedba8cbd260f6a163100eb60657cad11f494cb34bbc71.exe
Size

409KB
MD5

d7fd44db6ff7913a79d60eae65422594
SHA1

00bdf1e46cb1c7a9f0c2d2b354482213517f2c18
SHA256

0791e8ab1ff5119cb4dedba8cbd260f6a163100eb60657cad11f494cb34bbc71
SHA512

b18ffc00c0b5c3e07554d846aa6ed3c99913f81fee441c09db54f77ec717a4161bc447d47780d6a16558f0e96757b1c5e98298dd994ca2ac4ed5531713114fa7
SSDEEP

6144:IzvmRaG/aq0YEYBJ6gjiOFuBt5a9LwNCKFYc/z3EHEle70IEU0rq/UiAY:IicGX0YHJ6gOp+LmCmz3EH1Ft/Uil

Score

10^/10

formbook dv9n discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dv9n

Decoy

nblvqing.com

delmegebuildingproducts.com

xiongba8.com

latuawebreputation.online

nowcloud.tech

cckghs.com

tradeoo.ltd

ppapo.com

tphoaphuongdo.club

whitefoxy.site

bottle-sentences.net

computersewa.com

lushberryholidays.com

motobotz.com

shadurj.com

amazonlexdeveloper.com

shunli178.xyz

sjzzlmh.com

6eu09rp.xyz

novinmes.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/2804-16-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2804-20-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2804-24-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2248-30-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2504 set thread context of 2804	2504	0791e8ab1ff5119cb4dedba8cbd260f6a163100eb60657cad11f494cb34bbc71.exe	33
PID 2804 set thread context of 1192	2804	RegSvcs.exe	21
PID 2804 set thread context of 1192	2804	RegSvcs.exe	21
PID 2248 set thread context of 1192	2248	netsh.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0791e8ab1ff5119cb4dedba8cbd260f6a163100eb60657cad11f494cb34bbc71.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2844	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2504	0791e8ab1ff5119cb4dedba8cbd260f6a163100eb60657cad11f494cb34bbc71.exe
2804	RegSvcs.exe
2504	0791e8ab1ff5119cb4dedba8cbd260f6a163100eb60657cad11f494cb34bbc71.exe
2804	RegSvcs.exe
2804	RegSvcs.exe
2248	netsh.exe
2248	netsh.exe
2248	netsh.exe
2248	netsh.exe
2248	netsh.exe
2248	netsh.exe
2248	netsh.exe
2248	netsh.exe
2248	netsh.exe
2248	netsh.exe
2248	netsh.exe
2248	netsh.exe
2248	netsh.exe
2248	netsh.exe
2248	netsh.exe
2248	netsh.exe
2248	netsh.exe
2248	netsh.exe
2248	netsh.exe
2248	netsh.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2804	RegSvcs.exe
2804	RegSvcs.exe
2804	RegSvcs.exe
2804	RegSvcs.exe
2248	netsh.exe
2248	netsh.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2504	0791e8ab1ff5119cb4dedba8cbd260f6a163100eb60657cad11f494cb34bbc71.exe
Token: SeDebugPrivilege	2804	RegSvcs.exe
Token: SeDebugPrivilege	2248	netsh.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2844	2504	0791e8ab1ff5119cb4dedba8cbd260f6a163100eb60657cad11f494cb34bbc71.exe	31
PID 2504 wrote to memory of 2844	2504	0791e8ab1ff5119cb4dedba8cbd260f6a163100eb60657cad11f494cb34bbc71.exe	31
PID 2504 wrote to memory of 2844	2504	0791e8ab1ff5119cb4dedba8cbd260f6a163100eb60657cad11f494cb34bbc71.exe	31
PID 2504 wrote to memory of 2844	2504	0791e8ab1ff5119cb4dedba8cbd260f6a163100eb60657cad11f494cb34bbc71.exe	31
PID 2504 wrote to memory of 2804	2504	0791e8ab1ff5119cb4dedba8cbd260f6a163100eb60657cad11f494cb34bbc71.exe	33
PID 2504 wrote to memory of 2804	2504	0791e8ab1ff5119cb4dedba8cbd260f6a163100eb60657cad11f494cb34bbc71.exe	33
PID 2504 wrote to memory of 2804	2504	0791e8ab1ff5119cb4dedba8cbd260f6a163100eb60657cad11f494cb34bbc71.exe	33
PID 2504 wrote to memory of 2804	2504	0791e8ab1ff5119cb4dedba8cbd260f6a163100eb60657cad11f494cb34bbc71.exe	33
PID 2504 wrote to memory of 2804	2504	0791e8ab1ff5119cb4dedba8cbd260f6a163100eb60657cad11f494cb34bbc71.exe	33
PID 2504 wrote to memory of 2804	2504	0791e8ab1ff5119cb4dedba8cbd260f6a163100eb60657cad11f494cb34bbc71.exe	33
PID 2504 wrote to memory of 2804	2504	0791e8ab1ff5119cb4dedba8cbd260f6a163100eb60657cad11f494cb34bbc71.exe	33
PID 2504 wrote to memory of 2804	2504	0791e8ab1ff5119cb4dedba8cbd260f6a163100eb60657cad11f494cb34bbc71.exe	33
PID 2504 wrote to memory of 2804	2504	0791e8ab1ff5119cb4dedba8cbd260f6a163100eb60657cad11f494cb34bbc71.exe	33
PID 2504 wrote to memory of 2804	2504	0791e8ab1ff5119cb4dedba8cbd260f6a163100eb60657cad11f494cb34bbc71.exe	33
PID 1192 wrote to memory of 2248	1192	Explorer.EXE	36
PID 1192 wrote to memory of 2248	1192	Explorer.EXE	36
PID 1192 wrote to memory of 2248	1192	Explorer.EXE	36
PID 1192 wrote to memory of 2248	1192	Explorer.EXE	36
PID 2248 wrote to memory of 2296	2248	netsh.exe	37
PID 2248 wrote to memory of 2296	2248	netsh.exe	37
PID 2248 wrote to memory of 2296	2248	netsh.exe	37
PID 2248 wrote to memory of 2296	2248	netsh.exe	37

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Users\Admin\AppData\Local\Temp\0791e8ab1ff5119cb4dedba8cbd260f6a163100eb60657cad11f494cb34bbc71.exe
  "C:\Users\Admin\AppData\Local\Temp\0791e8ab1ff5119cb4dedba8cbd260f6a163100eb60657cad11f494cb34bbc71.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dvlGnUp" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3ACF.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2844
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2804
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2652
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2764
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\SysWOW64\netsh.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1192-31-0x0000000005140000-0x00000000052A8000-memory.dmp

Filesize
1.4MB

Download
memory/1192-26-0x0000000005140000-0x00000000052A8000-memory.dmp

Filesize
1.4MB

Download
memory/1192-22-0x0000000004FA0000-0x0000000005134000-memory.dmp

Filesize
1.6MB

Download
memory/1192-27-0x0000000004FA0000-0x0000000005134000-memory.dmp

Filesize
1.6MB

Download
memory/2248-29-0x0000000000B00000-0x0000000000B1B000-memory.dmp

Filesize
108KB

Download
memory/2248-30-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/2248-28-0x0000000000B00000-0x0000000000B1B000-memory.dmp

Filesize
108KB

Download
memory/2504-5-0x00000000012A0000-0x00000000012F8000-memory.dmp

Filesize
352KB

Download
memory/2504-4-0x0000000074E80000-0x000000007556E000-memory.dmp

Filesize
6.9MB

Download
memory/2504-19-0x0000000074E80000-0x000000007556E000-memory.dmp

Filesize
6.9MB

Download
memory/2504-0-0x0000000074E8E000-0x0000000074E8F000-memory.dmp

Filesize
4KB

Download
memory/2504-3-0x00000000004C0000-0x00000000004CE000-memory.dmp

Filesize
56KB

Download
memory/2504-2-0x0000000074E80000-0x000000007556E000-memory.dmp

Filesize
6.9MB

Download
memory/2504-1-0x0000000001360000-0x00000000013CC000-memory.dmp

Filesize
432KB

Download
memory/2804-17-0x00000000008F0000-0x0000000000BF3000-memory.dmp

Filesize
3.0MB

Download
memory/2804-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2804-25-0x00000000002E0000-0x00000000002F4000-memory.dmp

Filesize
80KB

Download
memory/2804-20-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2804-21-0x00000000002A0000-0x00000000002B4000-memory.dmp

Filesize
80KB

Download
memory/2804-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2804-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2804-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2804-11-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads