formbook | 6bf5a3809ca423061cb16a815ca5e5f3ba86d6c7fbf5233fd68b589012eae0ab

General

Target

USD92.15.exe
Size

997KB
MD5

7b711b729b01c38bbbed5ee08ef88347
SHA1

45c70d807a9b741aec980b559ebec0c79a4cd1a0
SHA256

6bf5a3809ca423061cb16a815ca5e5f3ba86d6c7fbf5233fd68b589012eae0ab
SHA512

b94950da81e664bb2248411c39adb748f2042cad9e03ed4c212913e1b6e861d99e174b39e90084eaeeeaae6e067af7fd164ecf20d2f115a0ae77ffa9156f4581
SSDEEP

12288:vJ6ShV7uikFgEeYeFav5bq5/wA9IVBrFPVgIBzcJtNv2j:h9hlubgSeFOb6/6frFPVXBzcRI

Score

10^/10

formbook ejgp rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

ejgp

Decoy

+0NM3RekW0bfgQ==

iQmI3Aw2aoOljoA0XZi1

5Ei2CVwQyOgZwV/u4eiMFdKqc84=

ImSvoul9o0reZ9TKUAUkXgw=

kuCrMIco5vT3sxCUQ+pYsVoG7Q==

btgpLo8XM+qHGLzoizgjRg==

fqK2iM5vW0bfgQ==

ObS1UE+TByKRZozamdULr0naXbKPLA==

bcohBkmNNcpp3gJ/XE2/mBs=

yY5b/cLb3+0llg==

GVEVqBNXl7Kic2Sm

Tqpt2tTlW0bfgQ==

eurYRI7UFDBjDbzpIJKz

7wwDuczemAaJNrrpIJKz

bprQyLvLEj+hhMLHHg==

qdoAqq/XOjh0ItzLLJpHBgxoJgM2

gr5SnMA66BpM8+hUM+iawNKeZsQ=

XLoO6yFTsdNuEYpUPfScwqXEk7dqBnU=

vS2Cjfg0tqBF1GpuHemLV8/g4wUwPspS

U5wqXJjP/u/qg3sE+YKsgVVByFw+

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	USD92.15.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3968 set thread context of 3512	3968	USD92.15.exe	93
PID 3512 set thread context of 2832	3512	RegSvcs.exe	33
PID 4724 set thread context of 2832	4724	mstsc.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1540	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	mstsc.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
3968	USD92.15.exe
3968	USD92.15.exe
224	powershell.exe
3512	RegSvcs.exe
3512	RegSvcs.exe
3512	RegSvcs.exe
3512	RegSvcs.exe
3512	RegSvcs.exe
3512	RegSvcs.exe
3512	RegSvcs.exe
3512	RegSvcs.exe
224	powershell.exe
4724	mstsc.exe
4724	mstsc.exe
4724	mstsc.exe
4724	mstsc.exe
4724	mstsc.exe
4724	mstsc.exe
4724	mstsc.exe
4724	mstsc.exe
4724	mstsc.exe
4724	mstsc.exe
4724	mstsc.exe
4724	mstsc.exe
4724	mstsc.exe
4724	mstsc.exe
4724	mstsc.exe
4724	mstsc.exe
4724	mstsc.exe
4724	mstsc.exe
4724	mstsc.exe
4724	mstsc.exe
4724	mstsc.exe
4724	mstsc.exe
4724	mstsc.exe
4724	mstsc.exe
4724	mstsc.exe
4724	mstsc.exe
4724	mstsc.exe
4724	mstsc.exe
4724	mstsc.exe
4724	mstsc.exe
4724	mstsc.exe
4724	mstsc.exe
4724	mstsc.exe
4724	mstsc.exe
4724	mstsc.exe
4724	mstsc.exe
4724	mstsc.exe
4724	mstsc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2832	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
3512	RegSvcs.exe
3512	RegSvcs.exe
3512	RegSvcs.exe
4724	mstsc.exe
4724	mstsc.exe
4724	mstsc.exe
4724	mstsc.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3968	USD92.15.exe
Token: SeDebugPrivilege	224	powershell.exe
Token: SeDebugPrivilege	3512	RegSvcs.exe
Token: SeDebugPrivilege	4724	mstsc.exe
Token: SeShutdownPrivilege	2832	Explorer.EXE
Token: SeCreatePagefilePrivilege	2832	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3968	USD92.15.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3968	USD92.15.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3968 wrote to memory of 224	3968	USD92.15.exe	89
PID 3968 wrote to memory of 224	3968	USD92.15.exe	89
PID 3968 wrote to memory of 224	3968	USD92.15.exe	89
PID 3968 wrote to memory of 1540	3968	USD92.15.exe	91
PID 3968 wrote to memory of 1540	3968	USD92.15.exe	91
PID 3968 wrote to memory of 1540	3968	USD92.15.exe	91
PID 3968 wrote to memory of 3512	3968	USD92.15.exe	93
PID 3968 wrote to memory of 3512	3968	USD92.15.exe	93
PID 3968 wrote to memory of 3512	3968	USD92.15.exe	93
PID 3968 wrote to memory of 3512	3968	USD92.15.exe	93
PID 3968 wrote to memory of 3512	3968	USD92.15.exe	93
PID 3968 wrote to memory of 3512	3968	USD92.15.exe	93
PID 2832 wrote to memory of 4724	2832	Explorer.EXE	94
PID 2832 wrote to memory of 4724	2832	Explorer.EXE	94
PID 2832 wrote to memory of 4724	2832	Explorer.EXE	94
PID 4724 wrote to memory of 3700	4724	mstsc.exe	95
PID 4724 wrote to memory of 3700	4724	mstsc.exe	95
PID 4724 wrote to memory of 3700	4724	mstsc.exe	95

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Users\Admin\AppData\Local\Temp\USD92.15.exe
  "C:\Users\Admin\AppData\Local\Temp\USD92.15.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3968
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UWqtQgp.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:224
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UWqtQgp" /XML "C:\Users\Admin\AppData\Local\Temp\tmp13B7.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:1540
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:3512
- C:\Windows\SysWOW64\mstsc.exe
  "C:\Windows\SysWOW64\mstsc.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4724
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:3700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp13B7.tmp

Filesize
1KB

MD5
23a31cef18fccdf750ca602e93a0c3da

SHA1
0cb0c4c3a5f36b1b1d28243c4dd250201b0d3a3a

SHA256
35e574b052bf191df732238aef1d61cd7e5c31e43c98af5aae779901f4246875

SHA512
5d29af8e4541c617224e47445414c1814bcb02cdf6342ef7c175a4dec3cd3354504e750a541db1413c954655e36590a77bacfc37902cb26c38e47e19f7752d57

Download Submit
memory/224-165-0x0000000006F90000-0x0000000006F9E000-memory.dmp

Filesize
56KB

Download
memory/224-146-0x00000000051C0000-0x00000000051E2000-memory.dmp

Filesize
136KB

Download
memory/224-167-0x0000000007080000-0x0000000007088000-memory.dmp

Filesize
32KB

Download
memory/224-166-0x00000000070A0000-0x00000000070BA000-memory.dmp

Filesize
104KB

Download
memory/224-154-0x0000000070CE0000-0x0000000070D2C000-memory.dmp

Filesize
304KB

Download
memory/224-159-0x0000000006FE0000-0x0000000007076000-memory.dmp

Filesize
600KB

Download
memory/224-153-0x0000000006A30000-0x0000000006A62000-memory.dmp

Filesize
200KB

Download
memory/224-155-0x0000000005FC0000-0x0000000005FDE000-memory.dmp

Filesize
120KB

Download
memory/224-156-0x00000000073B0000-0x0000000007A2A000-memory.dmp

Filesize
6.5MB

Download
memory/224-157-0x0000000006D60000-0x0000000006D7A000-memory.dmp

Filesize
104KB

Download
memory/224-158-0x0000000006DD0000-0x0000000006DDA000-memory.dmp

Filesize
40KB

Download
memory/224-143-0x0000000004B40000-0x0000000005168000-memory.dmp

Filesize
6.2MB

Download
memory/224-141-0x00000000044D0000-0x0000000004506000-memory.dmp

Filesize
216KB

Download
memory/224-147-0x0000000005360000-0x00000000053C6000-memory.dmp

Filesize
408KB

Download
memory/224-149-0x0000000005A60000-0x0000000005A7E000-memory.dmp

Filesize
120KB

Download
memory/2832-169-0x00000000081A0000-0x0000000008327000-memory.dmp

Filesize
1.5MB

Download
memory/2832-171-0x00000000081A0000-0x0000000008327000-memory.dmp

Filesize
1.5MB

Download
memory/2832-152-0x0000000002970000-0x0000000002ABF000-memory.dmp

Filesize
1.3MB

Download
memory/3512-151-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download
memory/3512-161-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3512-150-0x0000000001960000-0x0000000001CAA000-memory.dmp

Filesize
3.3MB

Download
memory/3512-145-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3968-135-0x0000000005570000-0x000000000557A000-memory.dmp

Filesize
40KB

Download
memory/3968-138-0x000000000A030000-0x000000000A096000-memory.dmp

Filesize
408KB

Download
memory/3968-137-0x0000000009CF0000-0x0000000009D8C000-memory.dmp

Filesize
624KB

Download
memory/3968-136-0x0000000009590000-0x0000000009ABC000-memory.dmp

Filesize
5.2MB

Download
memory/3968-132-0x0000000000A20000-0x0000000000B20000-memory.dmp

Filesize
1024KB

Download
memory/3968-134-0x00000000054C0000-0x0000000005552000-memory.dmp

Filesize
584KB

Download
memory/3968-133-0x0000000005B60000-0x0000000006104000-memory.dmp

Filesize
5.6MB

Download
memory/4724-162-0x0000000000080000-0x00000000001BA000-memory.dmp

Filesize
1.2MB

Download
memory/4724-163-0x0000000000750000-0x000000000077B000-memory.dmp

Filesize
172KB

Download
memory/4724-164-0x00000000029C0000-0x0000000002D0A000-memory.dmp

Filesize
3.3MB

Download
memory/4724-168-0x0000000002720000-0x00000000027AF000-memory.dmp

Filesize
572KB

Download
memory/4724-170-0x0000000000750000-0x000000000077B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads