formbook | ef8889bc09b9944478bf8d6ef9b8f8bd0e4f4060c928c9d61a10af991e3a32fe

General

Target

5e15c8defcd19717e92050ad1918f6e33382c6b600d0f19662036a2ece9f1153.exe
Size

1.1MB
MD5

3a2dac5ed50f9bdc48174ccadc1c9c14
SHA1

6c2fd41b108989a39a78f19d74777b38bbe597b5
SHA256

5e15c8defcd19717e92050ad1918f6e33382c6b600d0f19662036a2ece9f1153
SHA512

0bc298a252d7354edee351073afbee4de6819a3aacf0e21d579d1c0c46a142cb4598f3b41edb1134ce6fd21acba6eec74ccced3e568c282573ebd93910067e2e
SSDEEP

12288:XG2iNBd/xvwMDpEN8PgUruKQl3UINjwB7BbuUzvNePgrNW2:W1Z/Bp86gtKQl/s7gevNePgr7

Score

10^/10

formbook fwmz discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

fwmz

Decoy

EVMoY7Gw+zpNcMLX

eXADD4RePMOo+0RvOxjO/Q==

HUAzaMufWaVUl6RcbC0gPiu7EQ==

2M3iedmKTSWi8D5pOxjO/Q==

heFzVamRKfl1dwTLbA==

fxyeUGblrhj0MlLfOxjO/Q==

6jEARb17RJQKRJHIYB3LD/+9

3htk8zHUxezkKDA=

Sj1Hu/6kYE4HhsMxSAA=

Zq8IzvjIWeB4+w==

eYiQ3SG7qOzkKDA=

PZMa7lsB2+zkKDA=

aXEH9k8N1q1jdwTLbA==

7BdtDGwYBNOP0i4Bkj7+CPXsCUv6

DPnyLItdG2EPaIItUfICLLc4zvkWHA==

FyEvlOiOVMK3GHUpuVYJaUYbG3M=

MjnCgM52NPlJkaBLbxzLD/+9

1cXQN5JaL3gcY6Z5j1AYg0YbG3M=

39ReTLB4YOVaoSfqmhc=

oP/Fwf+hYLx8ftOlwlU6Iy6zAIHTFA==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3168 set thread context of 1032	3168	5e15c8defcd19717e92050ad1918f6e33382c6b600d0f19662036a2ece9f1153.exe	100

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5e15c8defcd19717e92050ad1918f6e33382c6b600d0f19662036a2ece9f1153.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3168	5e15c8defcd19717e92050ad1918f6e33382c6b600d0f19662036a2ece9f1153.exe
3168	5e15c8defcd19717e92050ad1918f6e33382c6b600d0f19662036a2ece9f1153.exe
1032	5e15c8defcd19717e92050ad1918f6e33382c6b600d0f19662036a2ece9f1153.exe
1032	5e15c8defcd19717e92050ad1918f6e33382c6b600d0f19662036a2ece9f1153.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3168	5e15c8defcd19717e92050ad1918f6e33382c6b600d0f19662036a2ece9f1153.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3168 wrote to memory of 736	3168	5e15c8defcd19717e92050ad1918f6e33382c6b600d0f19662036a2ece9f1153.exe	99
PID 3168 wrote to memory of 736	3168	5e15c8defcd19717e92050ad1918f6e33382c6b600d0f19662036a2ece9f1153.exe	99
PID 3168 wrote to memory of 736	3168	5e15c8defcd19717e92050ad1918f6e33382c6b600d0f19662036a2ece9f1153.exe	99
PID 3168 wrote to memory of 1032	3168	5e15c8defcd19717e92050ad1918f6e33382c6b600d0f19662036a2ece9f1153.exe	100
PID 3168 wrote to memory of 1032	3168	5e15c8defcd19717e92050ad1918f6e33382c6b600d0f19662036a2ece9f1153.exe	100
PID 3168 wrote to memory of 1032	3168	5e15c8defcd19717e92050ad1918f6e33382c6b600d0f19662036a2ece9f1153.exe	100
PID 3168 wrote to memory of 1032	3168	5e15c8defcd19717e92050ad1918f6e33382c6b600d0f19662036a2ece9f1153.exe	100
PID 3168 wrote to memory of 1032	3168	5e15c8defcd19717e92050ad1918f6e33382c6b600d0f19662036a2ece9f1153.exe	100
PID 3168 wrote to memory of 1032	3168	5e15c8defcd19717e92050ad1918f6e33382c6b600d0f19662036a2ece9f1153.exe	100

C:\Users\Admin\AppData\Local\Temp\5e15c8defcd19717e92050ad1918f6e33382c6b600d0f19662036a2ece9f1153.exe
"C:\Users\Admin\AppData\Local\Temp\5e15c8defcd19717e92050ad1918f6e33382c6b600d0f19662036a2ece9f1153.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3168
- C:\Users\Admin\AppData\Local\Temp\5e15c8defcd19717e92050ad1918f6e33382c6b600d0f19662036a2ece9f1153.exe
  "C:\Users\Admin\AppData\Local\Temp\5e15c8defcd19717e92050ad1918f6e33382c6b600d0f19662036a2ece9f1153.exe"
  2⤵
  PID:736
- C:\Users\Admin\AppData\Local\Temp\5e15c8defcd19717e92050ad1918f6e33382c6b600d0f19662036a2ece9f1153.exe
  "C:\Users\Admin\AppData\Local\Temp\5e15c8defcd19717e92050ad1918f6e33382c6b600d0f19662036a2ece9f1153.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1032-14-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1032-20-0x0000000000F00000-0x000000000124A000-memory.dmp

Filesize
3.3MB

Download
memory/1032-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1032-17-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3168-8-0x0000000075090000-0x0000000075840000-memory.dmp

Filesize
7.7MB

Download
memory/3168-11-0x0000000006570000-0x000000000660C000-memory.dmp

Filesize
624KB

Download
memory/3168-6-0x0000000004D60000-0x0000000004D7A000-memory.dmp

Filesize
104KB

Download
memory/3168-7-0x000000007509E000-0x000000007509F000-memory.dmp

Filesize
4KB

Download
memory/3168-0-0x000000007509E000-0x000000007509F000-memory.dmp

Filesize
4KB

Download
memory/3168-9-0x0000000005090000-0x000000000509C000-memory.dmp

Filesize
48KB

Download
memory/3168-10-0x0000000006440000-0x00000000064CE000-memory.dmp

Filesize
568KB

Download
memory/3168-5-0x0000000004B40000-0x0000000004B4A000-memory.dmp

Filesize
40KB

Download
memory/3168-12-0x0000000006610000-0x0000000006676000-memory.dmp

Filesize
408KB

Download
memory/3168-13-0x00000000064E0000-0x0000000006514000-memory.dmp

Filesize
208KB

Download
memory/3168-4-0x0000000075090000-0x0000000075840000-memory.dmp

Filesize
7.7MB

Download
memory/3168-3-0x0000000004B70000-0x0000000004C02000-memory.dmp

Filesize
584KB

Download
memory/3168-2-0x0000000005120000-0x00000000056C4000-memory.dmp

Filesize
5.6MB

Download
memory/3168-19-0x0000000075090000-0x0000000075840000-memory.dmp

Filesize
7.7MB

Download
memory/3168-1-0x0000000000030000-0x0000000000158000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing