formbook | 57cb79ff37edcbacd2f4d7aabe5835099a75ee078107b0b00efdb41906d3a1b6

General

Target

57cb79ff37edcbacd2f4d7aabe5835099a75ee078107b0b00efdb41906d3a1b6.exe
Size

305KB
MD5

843485dbff12620fb58532fab189a3fe
SHA1

fb6287c7bd9cfd01481430c14f4e9c2ed4d1fd65
SHA256

57cb79ff37edcbacd2f4d7aabe5835099a75ee078107b0b00efdb41906d3a1b6
SHA512

a582cd5c679d65e5997a2e1f899ece3a5f6834ba4d4c24ca36cb877e3275cff86d8b7aeb223014e845ee326a5e491425f1519fa67e6fa4fba5344d14605c7f00

Score

10^/10

formbook hx227 persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

hx227

Decoy

lapizapps.com

heitoping.com

pthelperspositivev.win

gmxpic.com

valuecodeliving.com

kredit-hilfe-gesucht.com

totalwebservices.online

impressionscarpetcleaning.net

cqpsds.info

1q2fiveafter.men

campbellpropertiesuk.com

avalon.loans

bankcardssite.market

connqa.com

luludallas.com

acessoitaucard.net

ad-concier.com

blrsi.com

zecrypto.com

com-services-secure-id.info

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/952-143-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral2/memory/952-151-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral2/memory/1204-155-0x0000000000690000-0x00000000006BA000-memory.dmp	formbook
behavioral2/memory/1204-158-0x0000000000690000-0x00000000006BA000-memory.dmp	formbook

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

control.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	control.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\7NQLM00P3HN = "C:\\Program Files (x86)\\Awbax2\\pz2ptv24bfgp.exe"	control.exe

Executes dropped EXE 4 IoCs

Processes:

ncvmxzo.exencvmxzo.exencvmxzo.exencvmxzo.exe

pid process

3268 ncvmxzo.exe
2016 ncvmxzo.exe
904 ncvmxzo.exe
952 ncvmxzo.exe

pid	process
3268	ncvmxzo.exe
2016	ncvmxzo.exe
904	ncvmxzo.exe
952	ncvmxzo.exe

Drops startup file 2 IoCs

Processes:

57cb79ff37edcbacd2f4d7aabe5835099a75ee078107b0b00efdb41906d3a1b6.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ncvmxzo.exe	57cb79ff37edcbacd2f4d7aabe5835099a75ee078107b0b00efdb41906d3a1b6.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ncvmxzo.exe	57cb79ff37edcbacd2f4d7aabe5835099a75ee078107b0b00efdb41906d3a1b6.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ncvmxzoureascvnz = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\ncvmxzoureascvnz.txt \| cmd"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

ncvmxzo.exencvmxzo.execontrol.exe

description	pid	process	target process
PID 3268 set thread context of 952	3268	ncvmxzo.exe	ncvmxzo.exe
PID 952 set thread context of 1188	952	ncvmxzo.exe	Explorer.EXE
PID 1204 set thread context of 1188	1204	control.exe	Explorer.EXE

Drops file in Program Files directory 1 IoCs

Processes:

control.exe

description ioc process

File opened for modification C:\Program Files (x86)\Awbax2\pz2ptv24bfgp.exe control.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Awbax2\pz2ptv24bfgp.exe	control.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

control.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	control.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

57cb79ff37edcbacd2f4d7aabe5835099a75ee078107b0b00efdb41906d3a1b6.exencvmxzo.exencvmxzo.execontrol.exe

pid	process
2060	57cb79ff37edcbacd2f4d7aabe5835099a75ee078107b0b00efdb41906d3a1b6.exe
2060	57cb79ff37edcbacd2f4d7aabe5835099a75ee078107b0b00efdb41906d3a1b6.exe
3268	ncvmxzo.exe
3268	ncvmxzo.exe
952	ncvmxzo.exe
952	ncvmxzo.exe
952	ncvmxzo.exe
952	ncvmxzo.exe
1204	control.exe
1204	control.exe
1204	control.exe
1204	control.exe
1204	control.exe
1204	control.exe
1204	control.exe
1204	control.exe
1204	control.exe
1204	control.exe
1204	control.exe
1204	control.exe
1204	control.exe
1204	control.exe
1204	control.exe
1204	control.exe
1204	control.exe
1204	control.exe
1204	control.exe
1204	control.exe
1204	control.exe
1204	control.exe
1204	control.exe
1204	control.exe
1204	control.exe
1204	control.exe
1204	control.exe
1204	control.exe
1204	control.exe
1204	control.exe
1204	control.exe
1204	control.exe
1204	control.exe
1204	control.exe
1204	control.exe
1204	control.exe
1204	control.exe
1204	control.exe
1204	control.exe
1204	control.exe
1204	control.exe
1204	control.exe
1204	control.exe
1204	control.exe
1204	control.exe
1204	control.exe
1204	control.exe
1204	control.exe
1204	control.exe
1204	control.exe
1204	control.exe
1204	control.exe
1204	control.exe
1204	control.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1188 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

ncvmxzo.execontrol.exe

pid process

952 ncvmxzo.exe
952 ncvmxzo.exe
952 ncvmxzo.exe
1204 control.exe
1204 control.exe

pid	process
1188	Explorer.EXE

pid	process
952	ncvmxzo.exe
952	ncvmxzo.exe
952	ncvmxzo.exe
1204	control.exe
1204	control.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

57cb79ff37edcbacd2f4d7aabe5835099a75ee078107b0b00efdb41906d3a1b6.exencvmxzo.exencvmxzo.execontrol.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	2060	57cb79ff37edcbacd2f4d7aabe5835099a75ee078107b0b00efdb41906d3a1b6.exe
Token: SeDebugPrivilege	3268	ncvmxzo.exe
Token: SeDebugPrivilege	952	ncvmxzo.exe
Token: SeDebugPrivilege	1204	control.exe
Token: SeShutdownPrivilege	1188	Explorer.EXE
Token: SeCreatePagefilePrivilege	1188	Explorer.EXE
Token: SeShutdownPrivilege	1188	Explorer.EXE
Token: SeCreatePagefilePrivilege	1188	Explorer.EXE

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

57cb79ff37edcbacd2f4d7aabe5835099a75ee078107b0b00efdb41906d3a1b6.execmd.exencvmxzo.execmd.exeExplorer.EXEcontrol.exe

description	pid	process	target process
PID 2060 wrote to memory of 4068	2060	57cb79ff37edcbacd2f4d7aabe5835099a75ee078107b0b00efdb41906d3a1b6.exe	cmd.exe
PID 2060 wrote to memory of 4068	2060	57cb79ff37edcbacd2f4d7aabe5835099a75ee078107b0b00efdb41906d3a1b6.exe	cmd.exe
PID 2060 wrote to memory of 4068	2060	57cb79ff37edcbacd2f4d7aabe5835099a75ee078107b0b00efdb41906d3a1b6.exe	cmd.exe
PID 4068 wrote to memory of 3268	4068	cmd.exe	ncvmxzo.exe
PID 4068 wrote to memory of 3268	4068	cmd.exe	ncvmxzo.exe
PID 4068 wrote to memory of 3268	4068	cmd.exe	ncvmxzo.exe
PID 3268 wrote to memory of 688	3268	ncvmxzo.exe	cmd.exe
PID 3268 wrote to memory of 688	3268	ncvmxzo.exe	cmd.exe
PID 3268 wrote to memory of 688	3268	ncvmxzo.exe	cmd.exe
PID 688 wrote to memory of 616	688	cmd.exe	reg.exe
PID 688 wrote to memory of 616	688	cmd.exe	reg.exe
PID 688 wrote to memory of 616	688	cmd.exe	reg.exe
PID 3268 wrote to memory of 2016	3268	ncvmxzo.exe	ncvmxzo.exe
PID 3268 wrote to memory of 2016	3268	ncvmxzo.exe	ncvmxzo.exe
PID 3268 wrote to memory of 2016	3268	ncvmxzo.exe	ncvmxzo.exe
PID 3268 wrote to memory of 904	3268	ncvmxzo.exe	ncvmxzo.exe
PID 3268 wrote to memory of 904	3268	ncvmxzo.exe	ncvmxzo.exe
PID 3268 wrote to memory of 904	3268	ncvmxzo.exe	ncvmxzo.exe
PID 3268 wrote to memory of 952	3268	ncvmxzo.exe	ncvmxzo.exe
PID 3268 wrote to memory of 952	3268	ncvmxzo.exe	ncvmxzo.exe
PID 3268 wrote to memory of 952	3268	ncvmxzo.exe	ncvmxzo.exe
PID 3268 wrote to memory of 952	3268	ncvmxzo.exe	ncvmxzo.exe
PID 3268 wrote to memory of 952	3268	ncvmxzo.exe	ncvmxzo.exe
PID 3268 wrote to memory of 952	3268	ncvmxzo.exe	ncvmxzo.exe
PID 1188 wrote to memory of 1204	1188	Explorer.EXE	control.exe
PID 1188 wrote to memory of 1204	1188	Explorer.EXE	control.exe
PID 1188 wrote to memory of 1204	1188	Explorer.EXE	control.exe
PID 1204 wrote to memory of 1580	1204	control.exe	cmd.exe
PID 1204 wrote to memory of 1580	1204	control.exe	cmd.exe
PID 1204 wrote to memory of 1580	1204	control.exe	cmd.exe
PID 1204 wrote to memory of 2624	1204	control.exe	cmd.exe
PID 1204 wrote to memory of 2624	1204	control.exe	cmd.exe
PID 1204 wrote to memory of 2624	1204	control.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1188

C:\Users\Admin\AppData\Local\Temp\57cb79ff37edcbacd2f4d7aabe5835099a75ee078107b0b00efdb41906d3a1b6.exe
"C:\Users\Admin\AppData\Local\Temp\57cb79ff37edcbacd2f4d7aabe5835099a75ee078107b0b00efdb41906d3a1b6.exe"
2⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2060

C:\Windows\SysWOW64\cmd.exe
"cmd"
3⤵
- Suspicious use of WriteProcessMemory
PID:4068

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ncvmxzo.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ncvmxzo.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3268

C:\Windows\SysWOW64\cmd.exe
"cmd"
5⤵
- Suspicious use of WriteProcessMemory
PID:688

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ncvmxzoureascvnz" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\ncvmxzoureascvnz.txt" | cmd"
6⤵
- Adds Run key to start application
PID:616

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ncvmxzo.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ncvmxzo.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:952

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ncvmxzo.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ncvmxzo.exe"
5⤵
- Executes dropped EXE
PID:904

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ncvmxzo.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ncvmxzo.exe"
5⤵
- Executes dropped EXE
PID:2016

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:3296

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:4012

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1536

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2092

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:4580

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:832

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2740

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:4500

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ncvmxzo.exe"
3⤵
PID:1580

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:2624

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DB1
Filesize
40KB

MD5
b608d407fc15adea97c26936bc6f03f6

SHA1
953e7420801c76393902c0d6bb56148947e41571

SHA256
b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

SHA512
cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ncvmxzo.exe
Filesize
305KB

MD5
843485dbff12620fb58532fab189a3fe

SHA1
fb6287c7bd9cfd01481430c14f4e9c2ed4d1fd65

SHA256
57cb79ff37edcbacd2f4d7aabe5835099a75ee078107b0b00efdb41906d3a1b6

SHA512
a582cd5c679d65e5997a2e1f899ece3a5f6834ba4d4c24ca36cb877e3275cff86d8b7aeb223014e845ee326a5e491425f1519fa67e6fa4fba5344d14605c7f00

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ncvmxzo.exe
Filesize
305KB

MD5
843485dbff12620fb58532fab189a3fe

SHA1
fb6287c7bd9cfd01481430c14f4e9c2ed4d1fd65

SHA256
57cb79ff37edcbacd2f4d7aabe5835099a75ee078107b0b00efdb41906d3a1b6

SHA512
a582cd5c679d65e5997a2e1f899ece3a5f6834ba4d4c24ca36cb877e3275cff86d8b7aeb223014e845ee326a5e491425f1519fa67e6fa4fba5344d14605c7f00

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ncvmxzo.exe
Filesize
305KB

MD5
843485dbff12620fb58532fab189a3fe

SHA1
fb6287c7bd9cfd01481430c14f4e9c2ed4d1fd65

SHA256
57cb79ff37edcbacd2f4d7aabe5835099a75ee078107b0b00efdb41906d3a1b6

SHA512
a582cd5c679d65e5997a2e1f899ece3a5f6834ba4d4c24ca36cb877e3275cff86d8b7aeb223014e845ee326a5e491425f1519fa67e6fa4fba5344d14605c7f00

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ncvmxzo.exe
Filesize
305KB

MD5
843485dbff12620fb58532fab189a3fe

SHA1
fb6287c7bd9cfd01481430c14f4e9c2ed4d1fd65

SHA256
57cb79ff37edcbacd2f4d7aabe5835099a75ee078107b0b00efdb41906d3a1b6

SHA512
a582cd5c679d65e5997a2e1f899ece3a5f6834ba4d4c24ca36cb877e3275cff86d8b7aeb223014e845ee326a5e491425f1519fa67e6fa4fba5344d14605c7f00

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ncvmxzo.exe
Filesize
305KB

MD5
843485dbff12620fb58532fab189a3fe

SHA1
fb6287c7bd9cfd01481430c14f4e9c2ed4d1fd65

SHA256
57cb79ff37edcbacd2f4d7aabe5835099a75ee078107b0b00efdb41906d3a1b6

SHA512
a582cd5c679d65e5997a2e1f899ece3a5f6834ba4d4c24ca36cb877e3275cff86d8b7aeb223014e845ee326a5e491425f1519fa67e6fa4fba5344d14605c7f00

Download Submit
memory/616-137-0x0000000000000000-mapping.dmp

Download
memory/688-136-0x0000000000000000-mapping.dmp

Download
memory/904-140-0x0000000000000000-mapping.dmp

Download
memory/952-148-0x0000000000F10000-0x0000000000F24000-memory.dmp

Filesize
80KB

Download
memory/952-142-0x0000000000000000-mapping.dmp

Download
memory/952-143-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/952-151-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/952-147-0x00000000013A0000-0x00000000016EA000-memory.dmp

Filesize
3.3MB

Download
memory/1188-159-0x00000000080B0000-0x000000000822E000-memory.dmp

Filesize
1.5MB

Download
memory/1188-157-0x00000000080B0000-0x000000000822E000-memory.dmp

Filesize
1.5MB

Download
memory/1188-149-0x0000000002700000-0x00000000027E5000-memory.dmp

Filesize
916KB

Download
memory/1204-150-0x0000000000000000-mapping.dmp

Download
memory/1204-158-0x0000000000690000-0x00000000006BA000-memory.dmp

Filesize
168KB

Download
memory/1204-156-0x00000000025F0000-0x0000000002683000-memory.dmp

Filesize
588KB

Download
memory/1204-155-0x0000000000690000-0x00000000006BA000-memory.dmp

Filesize
168KB

Download
memory/1204-154-0x00000000028B0000-0x0000000002BFA000-memory.dmp

Filesize
3.3MB

Download
memory/1204-153-0x0000000000720000-0x0000000000747000-memory.dmp

Filesize
156KB

Download
memory/1580-152-0x0000000000000000-mapping.dmp

Download
memory/2016-138-0x0000000000000000-mapping.dmp

Download
memory/2060-134-0x0000000074D10000-0x00000000752C1000-memory.dmp

Filesize
5.7MB

Download
memory/2060-135-0x0000000074D10000-0x00000000752C1000-memory.dmp

Filesize
5.7MB

Download
memory/2624-160-0x0000000000000000-mapping.dmp

Download
memory/3268-145-0x0000000074D10000-0x00000000752C1000-memory.dmp

Filesize
5.7MB

Download
memory/3268-131-0x0000000000000000-mapping.dmp

Download
memory/4068-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads