formbook | d06e9a0bc38a688ec308ebf3b7806de3d4f13bc7e630f1c34f8e2356a9123e10

General

Target

swift code.exe
Size

929KB
MD5

4810babd170ef3c7d890a2898237342f
SHA1

e12471750e0a24c3835a632249c544d453196561
SHA256

d06e9a0bc38a688ec308ebf3b7806de3d4f13bc7e630f1c34f8e2356a9123e10
SHA512

54e234ad0177c1dd599b112c4df4a0766e9c6b0855256221d6df4f85143a504b881f58892f5928816120be716ed4094d2630b0dd8b50122b47eb13218f8305cc
SSDEEP

12288:Dvbx1O4xoFLbbvQE550OZmwNwO051Gf1k2DtLLTp3QDkJBhsvt+:vcFLXvd5+9wNN051+hLHpKkB48

Score

10^/10

formbook ejgp rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

ejgp

Decoy

+0NM3RekW0bfgQ==

iQmI3Aw2aoOljoA0XZi1

5Ei2CVwQyOgZwV/u4eiMFdKqc84=

ImSvoul9o0reZ9TKUAUkXgw=

kuCrMIco5vT3sxCUQ+pYsVoG7Q==

btgpLo8XM+qHGLzoizgjRg==

fqK2iM5vW0bfgQ==

ObS1UE+TByKRZozamdULr0naXbKPLA==

bcohBkmNNcpp3gJ/XE2/mBs=

yY5b/cLb3+0llg==

GVEVqBNXl7Kic2Sm

Tqpt2tTlW0bfgQ==

eurYRI7UFDBjDbzpIJKz

7wwDuczemAaJNrrpIJKz

bprQyLvLEj+hhMLHHg==

qdoAqq/XOjh0ItzLLJpHBgxoJgM2

gr5SnMA66BpM8+hUM+iawNKeZsQ=

XLoO6yFTsdNuEYpUPfScwqXEk7dqBnU=

vS2Cjfg0tqBF1GpuHemLV8/g4wUwPspS

U5wqXJjP/u/qg3sE+YKsgVVByFw+

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 768 set thread context of 1124	768	swift code.exe	31
PID 1124 set thread context of 1396	1124	RegSvcs.exe	14
PID 1476 set thread context of 1396	1476	wininit.exe	14

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1988	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	wininit.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
768	swift code.exe
768	swift code.exe
2028	powershell.exe
1124	RegSvcs.exe
1124	RegSvcs.exe
1124	RegSvcs.exe
1124	RegSvcs.exe
1476	wininit.exe
1476	wininit.exe
1476	wininit.exe
1476	wininit.exe
1476	wininit.exe
1476	wininit.exe
1476	wininit.exe
1476	wininit.exe
1476	wininit.exe
1476	wininit.exe
1476	wininit.exe
1476	wininit.exe
1476	wininit.exe
1476	wininit.exe

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
1124	RegSvcs.exe
1124	RegSvcs.exe
1124	RegSvcs.exe
1476	wininit.exe
1476	wininit.exe
1476	wininit.exe
1476	wininit.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	768	swift code.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	1124	RegSvcs.exe
Token: SeDebugPrivilege	1476	wininit.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1396	Explorer.EXE
1396	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1396	Explorer.EXE
1396	Explorer.EXE

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 768 wrote to memory of 2028	768	swift code.exe	27
PID 768 wrote to memory of 2028	768	swift code.exe	27
PID 768 wrote to memory of 2028	768	swift code.exe	27
PID 768 wrote to memory of 2028	768	swift code.exe	27
PID 768 wrote to memory of 1988	768	swift code.exe	29
PID 768 wrote to memory of 1988	768	swift code.exe	29
PID 768 wrote to memory of 1988	768	swift code.exe	29
PID 768 wrote to memory of 1988	768	swift code.exe	29
PID 768 wrote to memory of 1124	768	swift code.exe	31
PID 768 wrote to memory of 1124	768	swift code.exe	31
PID 768 wrote to memory of 1124	768	swift code.exe	31
PID 768 wrote to memory of 1124	768	swift code.exe	31
PID 768 wrote to memory of 1124	768	swift code.exe	31
PID 768 wrote to memory of 1124	768	swift code.exe	31
PID 768 wrote to memory of 1124	768	swift code.exe	31
PID 768 wrote to memory of 1124	768	swift code.exe	31
PID 768 wrote to memory of 1124	768	swift code.exe	31
PID 768 wrote to memory of 1124	768	swift code.exe	31
PID 1396 wrote to memory of 1476	1396	Explorer.EXE	32
PID 1396 wrote to memory of 1476	1396	Explorer.EXE	32
PID 1396 wrote to memory of 1476	1396	Explorer.EXE	32
PID 1396 wrote to memory of 1476	1396	Explorer.EXE	32
PID 1476 wrote to memory of 828	1476	wininit.exe	34
PID 1476 wrote to memory of 828	1476	wininit.exe	34
PID 1476 wrote to memory of 828	1476	wininit.exe	34
PID 1476 wrote to memory of 828	1476	wininit.exe	34
PID 1476 wrote to memory of 828	1476	wininit.exe	34

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Users\Admin\AppData\Local\Temp\swift code.exe
  "C:\Users\Admin\AppData\Local\Temp\swift code.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:768
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\pqFexk.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2028
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pqFexk" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC3AE.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:1988
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1124
- C:\Windows\SysWOW64\wininit.exe
  "C:\Windows\SysWOW64\wininit.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC3AE.tmp

Filesize
1KB

MD5
7cf435c614af2ca766bc2b7574ff9964

SHA1
c08a9db709b27668c822a987a115e04f7136a079

SHA256
71d661cf7b79950263f096bf0878eb7f2cedd7773ea70493b20d05bba55d389d

SHA512
a2a32c21e27340b77ac0d11fde2da0ee3edc600a1dcc25f5b781a10bc6002c57766a9973e765ccdea50a9f36c16e59d0e9df87256dbaa3add9349b2c19839d0b

Download Submit
memory/768-55-0x0000000076871000-0x0000000076873000-memory.dmp

Filesize
8KB

Download
memory/768-56-0x00000000005E0000-0x00000000005FA000-memory.dmp

Filesize
104KB

Download
memory/768-57-0x0000000000B30000-0x0000000000B3C000-memory.dmp

Filesize
48KB

Download
memory/768-58-0x0000000005670000-0x00000000056FC000-memory.dmp

Filesize
560KB

Download
memory/768-54-0x0000000000C20000-0x0000000000D0E000-memory.dmp

Filesize
952KB

Download
memory/768-63-0x0000000005090000-0x00000000050C2000-memory.dmp

Filesize
200KB

Download
memory/1124-74-0x0000000000100000-0x0000000000110000-memory.dmp

Filesize
64KB

Download
memory/1124-71-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1124-64-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1124-65-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1124-67-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1124-73-0x0000000000890000-0x0000000000B93000-memory.dmp

Filesize
3.0MB

Download
memory/1396-75-0x0000000006B40000-0x0000000006BF4000-memory.dmp

Filesize
720KB

Download
memory/1396-81-0x0000000004B50000-0x0000000004BF6000-memory.dmp

Filesize
664KB

Download
memory/1396-84-0x0000000004B50000-0x0000000004BF6000-memory.dmp

Filesize
664KB

Download
memory/1476-77-0x00000000008B0000-0x00000000008CA000-memory.dmp

Filesize
104KB

Download
memory/1476-78-0x0000000001E60000-0x0000000002163000-memory.dmp

Filesize
3.0MB

Download
memory/1476-79-0x00000000000C0000-0x00000000000EB000-memory.dmp

Filesize
172KB

Download
memory/1476-80-0x0000000001D10000-0x0000000001D9F000-memory.dmp

Filesize
572KB

Download
memory/1476-82-0x00000000000C0000-0x00000000000EB000-memory.dmp

Filesize
172KB

Download
memory/2028-72-0x000000006F230000-0x000000006F7DB000-memory.dmp

Filesize
5.7MB

Download
memory/2028-70-0x000000006F230000-0x000000006F7DB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads