formbook | 527d523ec8da849e44e381f4cd8feaa74af309972ef59d505193cf56f8223fb1

General

Target

JaffaCakes118_527d523ec8da849e44e381f4cd8feaa74af309972ef59d505193cf56f8223fb1.exe
Size

1.1MB
MD5

fb009fdbd8542d823c4cc9fb02ecc6dc
SHA1

76837f628081a7e7f620de9d44c92ead052efe46
SHA256

527d523ec8da849e44e381f4cd8feaa74af309972ef59d505193cf56f8223fb1
SHA512

637e8a164ca98b0d5187030ce6eebdd2297efbe8ac4dcf2aaa27f003fae23778c8f3547b4bea4504ec7660de00cbe818f96bcddc56dd7c281af1b9bf97707e4c
SSDEEP

24576:QxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxNussxvfCBBVa:5vfovu8yBthQoJFdj

Score

10^/10

formbook xoqd discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

xoqd

Decoy

H5Xrxamh0f+N/tax

kD7yxmoTHSewkFqlnqV14wuw

RLsWzULVoCMc+A==

SOzPYHAMr8HKhU4b3XZSPb+gnUc=

Li195vujSFxYOpMGx2n2

kH4rLttwbW703GwH2z4=

uWRYsosnwsGcigoCt4ePgDDQZzr3d9ST

OrIL0WgG9VNBHvP2lkE1vnt0oE0=

NG2ALNd/l8Mw4WwH2z4=

VgnfELdrcdvMsD0uz3t3gBWUyas7gw==

DxNwymeJ/lPRqndL+WzAVUy4

mYxRaXV1X6WuqB4Op2d5MgrgIg==

8Um50qpVPodey2OVew==

irKA6NyNP0oxy2OVew==

KVo8zsszovt9JkmEbxfAVUy4

ZrSnCLtRSTV9Ujx9LigBEFq+

ty/Fn16LA2isSw5fYg==

MLFtv3Tmp+zu0Rr3nEhJLnt0oE0=

qTDnPBatWH9CF5jPvmhnVr+gnUc=

SXhRqlXv6M8V8d0hJ/93b/g=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2044 set thread context of 2912	2044	JaffaCakes118_527d523ec8da849e44e381f4cd8feaa74af309972ef59d505193cf56f8223fb1.exe	31

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_527d523ec8da849e44e381f4cd8feaa74af309972ef59d505193cf56f8223fb1.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2912	JaffaCakes118_527d523ec8da849e44e381f4cd8feaa74af309972ef59d505193cf56f8223fb1.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 2912	2044	JaffaCakes118_527d523ec8da849e44e381f4cd8feaa74af309972ef59d505193cf56f8223fb1.exe	31
PID 2044 wrote to memory of 2912	2044	JaffaCakes118_527d523ec8da849e44e381f4cd8feaa74af309972ef59d505193cf56f8223fb1.exe	31
PID 2044 wrote to memory of 2912	2044	JaffaCakes118_527d523ec8da849e44e381f4cd8feaa74af309972ef59d505193cf56f8223fb1.exe	31
PID 2044 wrote to memory of 2912	2044	JaffaCakes118_527d523ec8da849e44e381f4cd8feaa74af309972ef59d505193cf56f8223fb1.exe	31
PID 2044 wrote to memory of 2912	2044	JaffaCakes118_527d523ec8da849e44e381f4cd8feaa74af309972ef59d505193cf56f8223fb1.exe	31
PID 2044 wrote to memory of 2912	2044	JaffaCakes118_527d523ec8da849e44e381f4cd8feaa74af309972ef59d505193cf56f8223fb1.exe	31
PID 2044 wrote to memory of 2912	2044	JaffaCakes118_527d523ec8da849e44e381f4cd8feaa74af309972ef59d505193cf56f8223fb1.exe	31

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_527d523ec8da849e44e381f4cd8feaa74af309972ef59d505193cf56f8223fb1.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_527d523ec8da849e44e381f4cd8feaa74af309972ef59d505193cf56f8223fb1.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_527d523ec8da849e44e381f4cd8feaa74af309972ef59d505193cf56f8223fb1.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_527d523ec8da849e44e381f4cd8feaa74af309972ef59d505193cf56f8223fb1.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2044-6-0x0000000000630000-0x000000000063C000-memory.dmp

Filesize
48KB

Download
memory/2044-8-0x0000000004310000-0x0000000004342000-memory.dmp

Filesize
200KB

Download
memory/2044-1-0x0000000000BD0000-0x0000000000CE8000-memory.dmp

Filesize
1.1MB

Download
memory/2044-0-0x00000000749FE000-0x00000000749FF000-memory.dmp

Filesize
4KB

Download
memory/2044-4-0x00000000749FE000-0x00000000749FF000-memory.dmp

Filesize
4KB

Download
memory/2044-5-0x00000000749F0000-0x00000000750DE000-memory.dmp

Filesize
6.9MB

Download
memory/2044-2-0x00000000749F0000-0x00000000750DE000-memory.dmp

Filesize
6.9MB

Download
memory/2044-7-0x0000000000350000-0x00000000003DC000-memory.dmp

Filesize
560KB

Download
memory/2044-3-0x00000000004D0000-0x00000000004E8000-memory.dmp

Filesize
96KB

Download
memory/2044-17-0x00000000749F0000-0x00000000750DE000-memory.dmp

Filesize
6.9MB

Download
memory/2912-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2912-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2912-16-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2912-9-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2912-18-0x0000000000830000-0x0000000000B33000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing