formbook | 0be35975a9936bc239c69fb4c6e123f1b9f8b20c469d7fc38c62ae41fbde017b

Analysis

max time kernel
148s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-12-2024 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

InvoiceFB1.exe
Size

487KB
MD5

cea9f8ab6f247ba9d68798b685bc5ebd
SHA1

d02f86034c86efe9aa457306e76746e6df294115
SHA256

5ac464b04f871540a52fb5c7e8349f1bd7856a9e6f6d63eadd61755637e7d1da
SHA512

82ffe9ca68c189b6066e478c70d3b10d84bfd026988540ac4ce08ac58ece1f79789d362cbea2b779cb0a07ef50c4c4913328b98ac19aca43bfef4561e3e9f572
SSDEEP

12288:nanrKibhvVp2ygaKNOALUMEaRjByWActJNc7pQzqmgY:UvbhvVhzKnLdB2QJkCoY

Score

10^/10

formbook pw9 discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

pw9

Decoy

applephone.red

bureauxfashion.com

05044444.com

newmarketingideas.net

7754y.com

976life.com

rilio.realty

amandakohar.com

003manbetx.com

tomtomxl.com

pulse-group.com

qdhtdzj.com

desitebuilder.com

ivymaephotography.info

sgpoloclub.com

aaeventsshop.com

mobilesant.com

lewismobilewelding.com

firefromthearchives.com

printathomeparties.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/2804-50-0x0000000000400000-0x000000000042D000-memory.dmp	formbook
behavioral1/memory/2804-53-0x0000000000400000-0x000000000042D000-memory.dmp	formbook

Loads dropped DLL 1 IoCs

pid	Process
2816	rundll32.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2804 set thread context of 1112	2804	cmd.exe	20
PID 3024 set thread context of 1112	3024	wscript.exe	20

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InvoiceFB1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2816	rundll32.exe
2804	cmd.exe
2804	cmd.exe
3024	wscript.exe
3024	wscript.exe
3024	wscript.exe
3024	wscript.exe
3024	wscript.exe
3024	wscript.exe
3024	wscript.exe
3024	wscript.exe
3024	wscript.exe
3024	wscript.exe
3024	wscript.exe
3024	wscript.exe
3024	wscript.exe
3024	wscript.exe
3024	wscript.exe
3024	wscript.exe
3024	wscript.exe
3024	wscript.exe
3024	wscript.exe
3024	wscript.exe
3024	wscript.exe
3024	wscript.exe
3024	wscript.exe
3024	wscript.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2816	rundll32.exe
2804	cmd.exe
2804	cmd.exe
2804	cmd.exe
3024	wscript.exe
3024	wscript.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2804	cmd.exe
Token: SeDebugPrivilege	3024	wscript.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 2816	2496	InvoiceFB1.exe	30
PID 2496 wrote to memory of 2816	2496	InvoiceFB1.exe	30
PID 2496 wrote to memory of 2816	2496	InvoiceFB1.exe	30
PID 2496 wrote to memory of 2816	2496	InvoiceFB1.exe	30
PID 2496 wrote to memory of 2816	2496	InvoiceFB1.exe	30
PID 2496 wrote to memory of 2816	2496	InvoiceFB1.exe	30
PID 2496 wrote to memory of 2816	2496	InvoiceFB1.exe	30
PID 2816 wrote to memory of 2804	2816	rundll32.exe	31
PID 2816 wrote to memory of 2804	2816	rundll32.exe	31
PID 2816 wrote to memory of 2804	2816	rundll32.exe	31
PID 2816 wrote to memory of 2804	2816	rundll32.exe	31
PID 2816 wrote to memory of 2804	2816	rundll32.exe	31
PID 2816 wrote to memory of 2804	2816	rundll32.exe	31
PID 2816 wrote to memory of 2804	2816	rundll32.exe	31
PID 2816 wrote to memory of 2804	2816	rundll32.exe	31
PID 2816 wrote to memory of 2804	2816	rundll32.exe	31
PID 2816 wrote to memory of 2804	2816	rundll32.exe	31
PID 2816 wrote to memory of 2804	2816	rundll32.exe	31
PID 2816 wrote to memory of 2804	2816	rundll32.exe	31
PID 2816 wrote to memory of 2804	2816	rundll32.exe	31
PID 2816 wrote to memory of 2804	2816	rundll32.exe	31
PID 2816 wrote to memory of 2804	2816	rundll32.exe	31
PID 2816 wrote to memory of 2804	2816	rundll32.exe	31
PID 2816 wrote to memory of 2804	2816	rundll32.exe	31
PID 2816 wrote to memory of 2804	2816	rundll32.exe	31
PID 2816 wrote to memory of 2804	2816	rundll32.exe	31
PID 2816 wrote to memory of 2804	2816	rundll32.exe	31
PID 2816 wrote to memory of 2804	2816	rundll32.exe	31
PID 2816 wrote to memory of 2804	2816	rundll32.exe	31
PID 2816 wrote to memory of 2804	2816	rundll32.exe	31
PID 2816 wrote to memory of 2804	2816	rundll32.exe	31
PID 2816 wrote to memory of 2804	2816	rundll32.exe	31
PID 2816 wrote to memory of 2804	2816	rundll32.exe	31
PID 2816 wrote to memory of 2804	2816	rundll32.exe	31
PID 2816 wrote to memory of 2804	2816	rundll32.exe	31
PID 2816 wrote to memory of 2804	2816	rundll32.exe	31
PID 2816 wrote to memory of 2804	2816	rundll32.exe	31
PID 2816 wrote to memory of 2804	2816	rundll32.exe	31
PID 2816 wrote to memory of 2804	2816	rundll32.exe	31
PID 2816 wrote to memory of 2804	2816	rundll32.exe	31
PID 2816 wrote to memory of 2804	2816	rundll32.exe	31
PID 2816 wrote to memory of 2804	2816	rundll32.exe	31
PID 1112 wrote to memory of 3024	1112	Explorer.EXE	33
PID 1112 wrote to memory of 3024	1112	Explorer.EXE	33
PID 1112 wrote to memory of 3024	1112	Explorer.EXE	33
PID 1112 wrote to memory of 3024	1112	Explorer.EXE	33
PID 3024 wrote to memory of 3040	3024	wscript.exe	34
PID 3024 wrote to memory of 3040	3024	wscript.exe	34
PID 3024 wrote to memory of 3040	3024	wscript.exe	34
PID 3024 wrote to memory of 3040	3024	wscript.exe	34

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Users\Admin\AppData\Local\Temp\InvoiceFB1.exe
  "C:\Users\Admin\AppData\Local\Temp\InvoiceFB1.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe LigulaObloquy,Xerophytes
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2804
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\SysWOW64\wscript.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\SysWOW64\cmd.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Jumpstart

Filesize
232KB

MD5
24c34d5b16162930fb64196afafd0e34

SHA1
26c94849c6af6154c1de2961182e7b58bbb0c08d

SHA256
bef1d5e34543ee442610285c6a255f80590edce10f2acbe31ce974d1e3a5a1cc

SHA512
05318f3ce77531a313b6f180e8dd43c4170cc1d3d59237e748924c35078aa9c2c7aa38256202f9672fe08cc89b27442a8431e7f46fb83ead6b043de3d7bbec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\LigulaObloquy.DLL

Filesize
60KB

MD5
f97e874de0ecea97bb5f0e6747907143

SHA1
870ea315994cf0c5cac4c815de79cf86c0d114a6

SHA256
c9c153387c7f0d6f3476431e6878b6d455cc2ce0b6ff8afd83753970289ce387

SHA512
3dcd8066cd7ecc0b0b781a6f3a99f30296c4fc7d9e40502b43d685927a31f2cae611f4e22755505e0e720382badd256e7f2234f428c90b19c7820dd1727d4531

Download Submit
memory/1112-55-0x0000000006680000-0x000000000678A000-memory.dmp

Filesize
1.0MB

Download
memory/1112-59-0x0000000006680000-0x000000000678A000-memory.dmp

Filesize
1.0MB

Download
memory/2804-53-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2804-47-0x0000000000090000-0x0000000000096000-memory.dmp

Filesize
24KB

Download
memory/2804-54-0x0000000000210000-0x0000000000224000-memory.dmp

Filesize
80KB

Download
memory/2804-50-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2804-51-0x00000000021E0000-0x00000000024E3000-memory.dmp

Filesize
3.0MB

Download
memory/2816-45-0x0000000074290000-0x00000000742E8000-memory.dmp

Filesize
352KB

Download
memory/2816-48-0x0000000074290000-0x00000000742E8000-memory.dmp

Filesize
352KB

Download
memory/2816-46-0x0000000075EF0000-0x0000000075F25000-memory.dmp

Filesize
212KB

Download
memory/2816-43-0x0000000000140000-0x0000000000142000-memory.dmp

Filesize
8KB

Download
memory/3024-56-0x0000000000B80000-0x0000000000BA6000-memory.dmp

Filesize
152KB

Download
memory/3024-58-0x0000000000B80000-0x0000000000BA6000-memory.dmp

Filesize
152KB

Download