formbook | abdae1b1965bafd334bb46028ddeffc82d495bf84aaa3f44403d9a17963f12c5

General

Target

Acount Details.com.exe
Size

291KB
MD5

d15fc838aacf85c873bca9adfe7b9997
SHA1

43ff525b542d1e73c4345fd3312788876cf422a5
SHA256

abdae1b1965bafd334bb46028ddeffc82d495bf84aaa3f44403d9a17963f12c5
SHA512

831e8bb86b3fb42a678052db8c8d703546320525cfd211d51b7dea56abeddb0a4ecfa37f45de3543768db784eee15d70bd7033906b1ecc31fa0019744cd5f92f

Score

10^/10

persistence spyware trojan stealer formbook

Malware Config

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Acount Details.com.exeExplorer.EXEnetsh.exe

description	pid	process	target process
PID 3984 wrote to memory of 3640	3984	Acount Details.com.exe	Acount Details.com.exe
PID 3984 wrote to memory of 3640	3984	Acount Details.com.exe	Acount Details.com.exe
PID 3984 wrote to memory of 3640	3984	Acount Details.com.exe	Acount Details.com.exe
PID 3984 wrote to memory of 3640	3984	Acount Details.com.exe	Acount Details.com.exe
PID 3984 wrote to memory of 3640	3984	Acount Details.com.exe	Acount Details.com.exe
PID 3984 wrote to memory of 3640	3984	Acount Details.com.exe	Acount Details.com.exe
PID 3028 wrote to memory of 3908	3028	Explorer.EXE	netsh.exe
PID 3028 wrote to memory of 3908	3028	Explorer.EXE	netsh.exe
PID 3028 wrote to memory of 3908	3028	Explorer.EXE	netsh.exe
PID 3908 wrote to memory of 3412	3908	netsh.exe	cmd.exe
PID 3908 wrote to memory of 3412	3908	netsh.exe	cmd.exe
PID 3908 wrote to memory of 3412	3908	netsh.exe	cmd.exe
PID 3908 wrote to memory of 1196	3908	netsh.exe	cmd.exe
PID 3908 wrote to memory of 1196	3908	netsh.exe	cmd.exe
PID 3908 wrote to memory of 1196	3908	netsh.exe	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Acount Details.com.exeAcount Details.com.exenetsh.exe

description	pid	process	target process
PID 3984 set thread context of 3640	3984	Acount Details.com.exe	Acount Details.com.exe
PID 3640 set thread context of 3028	3640	Acount Details.com.exe	Explorer.EXE
PID 3908 set thread context of 3028	3908	netsh.exe	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

Acount Details.com.exenetsh.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	3640	Acount Details.com.exe
Token: SeDebugPrivilege	3908	netsh.exe
Token: SeShutdownPrivilege	3028	Explorer.EXE
Token: SeCreatePagefilePrivilege	3028	Explorer.EXE
Token: SeShutdownPrivilege	3028	Explorer.EXE
Token: SeCreatePagefilePrivilege	3028	Explorer.EXE
Token: SeShutdownPrivilege	3028	Explorer.EXE
Token: SeCreatePagefilePrivilege	3028	Explorer.EXE
Token: SeShutdownPrivilege	3028	Explorer.EXE
Token: SeCreatePagefilePrivilege	3028	Explorer.EXE

Adds Run entry to policy start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

netsh.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	netsh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\MF1PGTBPO2 = "C:\\Program Files (x86)\\Ynfc82xt\\nrulmsxe.exe"	netsh.exe

Drops file in Program Files directory 1 IoCs

Processes:

netsh.exe

description ioc process

File opened for modification C:\Program Files (x86)\Ynfc82xt\nrulmsxe.exe netsh.exe
System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

netsh.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer netsh.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Ynfc82xt\nrulmsxe.exe	netsh.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	netsh.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

Acount Details.com.exenetsh.exe

pid	process
3640	Acount Details.com.exe
3640	Acount Details.com.exe
3640	Acount Details.com.exe
3640	Acount Details.com.exe
3908	netsh.exe
3908	netsh.exe
3908	netsh.exe
3908	netsh.exe
3908	netsh.exe
3908	netsh.exe
3908	netsh.exe
3908	netsh.exe
3908	netsh.exe
3908	netsh.exe
3908	netsh.exe
3908	netsh.exe
3908	netsh.exe
3908	netsh.exe
3908	netsh.exe
3908	netsh.exe
3908	netsh.exe
3908	netsh.exe
3908	netsh.exe
3908	netsh.exe
3908	netsh.exe
3908	netsh.exe
3908	netsh.exe
3908	netsh.exe
3908	netsh.exe
3908	netsh.exe
3908	netsh.exe
3908	netsh.exe
3908	netsh.exe
3908	netsh.exe
3908	netsh.exe
3908	netsh.exe
3908	netsh.exe
3908	netsh.exe
3908	netsh.exe
3908	netsh.exe
3908	netsh.exe
3908	netsh.exe
3908	netsh.exe
3908	netsh.exe
3908	netsh.exe
3908	netsh.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Acount Details.com.exenetsh.exe

pid process

3640 Acount Details.com.exe
3640 Acount Details.com.exe
3640 Acount Details.com.exe
3908 netsh.exe
3908 netsh.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

netsh.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	netsh.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
PID:3028

C:\Users\Admin\AppData\Local\Temp\Acount Details.com.exe
"C:\Users\Admin\AppData\Local\Temp\Acount Details.com.exe"
2⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:3984

C:\Users\Admin\AppData\Local\Temp\Acount Details.com.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3640

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Adds Run entry to policy start application
- Drops file in Program Files directory
- System policy modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Modifies Internet Explorer settings
PID:3908

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Acount Details.com.exe"
3⤵
PID:3412

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:1196

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DB1

Download Submit
C:\Users\Admin\AppData\Roaming\N98A4CAW\N98logim.jpeg

Download Submit
C:\Users\Admin\AppData\Roaming\N98A4CAW\N98logrg.ini

Download Submit
C:\Users\Admin\AppData\Roaming\N98A4CAW\N98logri.ini

Download Submit
C:\Users\Admin\AppData\Roaming\N98A4CAW\N98logrv.ini

Download Submit
memory/1196-8-0x0000000000000000-mapping.dmp

Download
memory/3412-6-0x0000000000000000-mapping.dmp

Download
memory/3640-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3640-1-0x000000000041B680-mapping.dmp

Download
memory/3908-3-0x0000000000000000-mapping.dmp

Download
memory/3908-4-0x0000000000980000-0x000000000099E000-memory.dmp

Filesize
120KB

Download
memory/3908-5-0x0000000000980000-0x000000000099E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads