formbook | 0a0ac8e138fdddc9e18357375ff41da88e340ac4dfc225d2d60976607dac8d8c

General

Target

RFQ_EDM202011.exe
Size

524KB
MD5

b20f108e61c409deeb691fbab3120a42
SHA1

0d486d407d650aea66d87d61af363da24c2c5dfe
SHA256

0a0ac8e138fdddc9e18357375ff41da88e340ac4dfc225d2d60976607dac8d8c
SHA512

1279f57366a776db447720f34756268da67b4b764c90b1cbc22769bde14fd0f99c49d1eb53d74c3e289b3f7996502295cef657ca2c82c96f3f90bbdc34ffd1cd

Score

10^/10

spyware trojan stealer formbook persistence

Malware Config

Signatures

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3100 set thread context of 3796	3100	RFQ_EDM202011.exe	69
PID 3796 set thread context of 3020	3796	RFQ_EDM202011.exe	56
PID 3448 set thread context of 3020	3448	raserver.exe	56

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
3796	RFQ_EDM202011.exe
3796	RFQ_EDM202011.exe
3796	RFQ_EDM202011.exe
3796	RFQ_EDM202011.exe
3448	raserver.exe
3448	raserver.exe
3448	raserver.exe
3448	raserver.exe
3448	raserver.exe
3448	raserver.exe
3448	raserver.exe
3448	raserver.exe
3448	raserver.exe
3448	raserver.exe
3448	raserver.exe
3448	raserver.exe
3448	raserver.exe
3448	raserver.exe
3448	raserver.exe
3448	raserver.exe
3448	raserver.exe
3448	raserver.exe
3448	raserver.exe
3448	raserver.exe
3448	raserver.exe
3448	raserver.exe
3448	raserver.exe
3448	raserver.exe
3448	raserver.exe
3448	raserver.exe
3448	raserver.exe
3448	raserver.exe
3448	raserver.exe
3448	raserver.exe
3448	raserver.exe
3448	raserver.exe
3448	raserver.exe
3448	raserver.exe
3448	raserver.exe
3448	raserver.exe
3448	raserver.exe
3448	raserver.exe
3448	raserver.exe
3448	raserver.exe

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
3796	RFQ_EDM202011.exe
3796	RFQ_EDM202011.exe
3796	RFQ_EDM202011.exe
3448	raserver.exe
3448	raserver.exe
3448	raserver.exe
3448	raserver.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	raserver.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3280	schtasks.exe

Adds Run entry to policy start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	raserver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VLRT2NL8ED8 = "C:\\Program Files (x86)\\Ev4ax6\\igfx8pedclc.exe"	raserver.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3100 wrote to memory of 3280	3100	RFQ_EDM202011.exe	67
PID 3100 wrote to memory of 3280	3100	RFQ_EDM202011.exe	67
PID 3100 wrote to memory of 3280	3100	RFQ_EDM202011.exe	67
PID 3100 wrote to memory of 3796	3100	RFQ_EDM202011.exe	69
PID 3100 wrote to memory of 3796	3100	RFQ_EDM202011.exe	69
PID 3100 wrote to memory of 3796	3100	RFQ_EDM202011.exe	69
PID 3100 wrote to memory of 3796	3100	RFQ_EDM202011.exe	69
PID 3100 wrote to memory of 3796	3100	RFQ_EDM202011.exe	69
PID 3100 wrote to memory of 3796	3100	RFQ_EDM202011.exe	69
PID 3020 wrote to memory of 3448	3020	Explorer.EXE	70
PID 3020 wrote to memory of 3448	3020	Explorer.EXE	70
PID 3020 wrote to memory of 3448	3020	Explorer.EXE	70
PID 3448 wrote to memory of 3188	3448	raserver.exe	71
PID 3448 wrote to memory of 3188	3448	raserver.exe	71
PID 3448 wrote to memory of 3188	3448	raserver.exe	71
PID 3448 wrote to memory of 1116	3448	raserver.exe	78
PID 3448 wrote to memory of 1116	3448	raserver.exe	78
PID 3448 wrote to memory of 1116	3448	raserver.exe	78
PID 3448 wrote to memory of 1372	3448	raserver.exe	80
PID 3448 wrote to memory of 1372	3448	raserver.exe	80
PID 3448 wrote to memory of 1372	3448	raserver.exe	80

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	3796	RFQ_EDM202011.exe
Token: SeDebugPrivilege	3448	raserver.exe
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Ev4ax6\igfx8pedclc.exe	raserver.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	raserver.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
PID:3020
- C:\Users\Admin\AppData\Local\Temp\RFQ_EDM202011.exe
  "C:\Users\Admin\AppData\Local\Temp\RFQ_EDM202011.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3100
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KxoKwFW" /XML "C:\Users\Admin\AppData\Local\Temp\tmp66F2.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:3280
- - C:\Users\Admin\AppData\Local\Temp\RFQ_EDM202011.exe
    "{path}"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:3796
- C:\Windows\SysWOW64\raserver.exe
  "C:\Windows\SysWOW64\raserver.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Modifies Internet Explorer settings
  - Adds Run entry to policy start application
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - Drops file in Program Files directory
  - System policy modification
  PID:3448
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\RFQ_EDM202011.exe"
    3⤵
    PID:3188
- - C:\Windows\SysWOW64\cmd.exe
    /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
    3⤵
    PID:1116
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:1372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1372-13-0x00007FF7ADB50000-0x00007FF7ADBE3000-memory.dmp

Filesize
588KB

Download
memory/1372-14-0x00007FF7ADB50000-0x00007FF7ADBE3000-memory.dmp

Filesize
588KB

Download
memory/1372-15-0x00007FF7ADB50000-0x00007FF7ADBE3000-memory.dmp

Filesize
588KB

Download
memory/3448-8-0x0000000001050000-0x00000000010FF000-memory.dmp

Filesize
700KB

Download
memory/3448-5-0x0000000001190000-0x00000000011AF000-memory.dmp

Filesize
124KB

Download
memory/3448-6-0x0000000001190000-0x00000000011AF000-memory.dmp

Filesize
124KB

Download
memory/3796-2-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads