formbook | 99607d96ca718ce72871ebca1d1f2934e9a29e6a4033b287586514b776c76786

General

Target

092222 00109_pdf.exe
Size

283KB
MD5

1edf928f61d9ae78501dfdc4eb076661
SHA1

5d448e3ea1ae1603785ecd6371be097b6bbf5e9f
SHA256

c923b5976862e86bd94180a0f141ff001715eed24b895c1e4e2b066107c40412
SHA512

913607f88456b1f08680934e52eb06ff3036c399164803f6a8cc07e72c5aa08be6f55b807219af10a1a5e18f313a9d50317387ab84f723e642e91e28e47c46f0
SSDEEP

6144:GC3kNNEwg0zwQnfkpmCdrmBnf3wkUhH7ZnMpLCQy1GvhxpMG:D0zwak5KBf3B+Zaug7/

Score

10^/10

formbook i3tw rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

i3tw

Decoy

016XYOaa546POq6CaRVpEfQ=

6WCLUcRz6K7qTqIK

bIa/9uWTepQa6eQd

32urdxWXgrknUIeDYktb

EojfLVA0GyB2mYgMgzdT

jFbHYJhPwpebnHjAY0pZ

gxSusEwA30uVtrErCrQ=

EeJOmOn63OaCHIw=

r3K0jTvKtOR4EV3q1dOdHgYVCLVG

6LEakplWzoSSLXZH3t6XDQ==

MThmlLavncxvAo1f3t6XDQ==

SqUmLs+BeJfa69kp7qSmIfuU5K3ZMg==

GuIYfF0o7zGPJY4=

AEd4Wd7JRsdzBX9dPgO7KNJY6NX2Sga4

E1SDU8MxGoZaPFgn9w==

cIq96QyWC/k1XDBRTR9FQOaLosd4Og==

/zRZMuaxmZnX291wZQCXhiq1his=

+47IMmwvk2jyx7MA

IGKz6DH4iraNLQ==

Kh1gHpxbw0MDkwSyaOqjKgTlK69R

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Loads dropped DLL 1 IoCs

pid	Process
568	NETSTAT.EXE

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1880 set thread context of 572	1880	092222 00109_pdf.exe	27
PID 572 set thread context of 1344	572	aspnet_compiler.exe	14
PID 568 set thread context of 1344	568	NETSTAT.EXE	14

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
568	NETSTAT.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
572	aspnet_compiler.exe
572	aspnet_compiler.exe
572	aspnet_compiler.exe
572	aspnet_compiler.exe
568	NETSTAT.EXE
568	NETSTAT.EXE
568	NETSTAT.EXE
568	NETSTAT.EXE
568	NETSTAT.EXE
568	NETSTAT.EXE
568	NETSTAT.EXE
568	NETSTAT.EXE
568	NETSTAT.EXE
568	NETSTAT.EXE
568	NETSTAT.EXE
568	NETSTAT.EXE
568	NETSTAT.EXE
568	NETSTAT.EXE
568	NETSTAT.EXE
568	NETSTAT.EXE
568	NETSTAT.EXE
568	NETSTAT.EXE
568	NETSTAT.EXE
568	NETSTAT.EXE
568	NETSTAT.EXE
568	NETSTAT.EXE
568	NETSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1344	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
572	aspnet_compiler.exe
572	aspnet_compiler.exe
572	aspnet_compiler.exe
568	NETSTAT.EXE
568	NETSTAT.EXE
568	NETSTAT.EXE
568	NETSTAT.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	572	aspnet_compiler.exe
Token: SeDebugPrivilege	568	NETSTAT.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1344	Explorer.EXE
1344	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1344	Explorer.EXE
1344	Explorer.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 572	1880	092222 00109_pdf.exe	27
PID 1880 wrote to memory of 572	1880	092222 00109_pdf.exe	27
PID 1880 wrote to memory of 572	1880	092222 00109_pdf.exe	27
PID 1880 wrote to memory of 572	1880	092222 00109_pdf.exe	27
PID 1880 wrote to memory of 572	1880	092222 00109_pdf.exe	27
PID 1880 wrote to memory of 572	1880	092222 00109_pdf.exe	27
PID 1880 wrote to memory of 572	1880	092222 00109_pdf.exe	27
PID 1344 wrote to memory of 568	1344	Explorer.EXE	28
PID 1344 wrote to memory of 568	1344	Explorer.EXE	28
PID 1344 wrote to memory of 568	1344	Explorer.EXE	28
PID 1344 wrote to memory of 568	1344	Explorer.EXE	28
PID 568 wrote to memory of 1908	568	NETSTAT.EXE	31
PID 568 wrote to memory of 1908	568	NETSTAT.EXE	31
PID 568 wrote to memory of 1908	568	NETSTAT.EXE	31
PID 568 wrote to memory of 1908	568	NETSTAT.EXE	31
PID 568 wrote to memory of 1908	568	NETSTAT.EXE	31

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Users\Admin\AppData\Local\Temp\092222 00109_pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\092222 00109_pdf.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1880
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:572
- C:\Windows\SysWOW64\NETSTAT.EXE
  "C:\Windows\SysWOW64\NETSTAT.EXE"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Gathers network information
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:568
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:1908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
904KB

MD5
5e5ba61531d74e45b11cadb79e7394a1

SHA1
677224e14aac9dd35f367d5eb1704b36e69356b8

SHA256
99e91ae250c955bd403ec1a2321d6b11fcb715bdcc7cb3f63ffb46b349afde5c

SHA512
712bfe419ba97ecf0ec8323a68743013e8c767da9d986f74ab94d2a395c3086cac2a5823048e0022d3bbcebb55281b9e1f8c87fdc9295c70cc5521b57850bf46

Download Submit
memory/568-70-0x0000000000000000-mapping.dmp

Download
memory/568-78-0x0000000075D71000-0x0000000075D73000-memory.dmp

Filesize
8KB

Download
memory/568-76-0x0000000001F40000-0x0000000001FCF000-memory.dmp

Filesize
572KB

Download
memory/568-75-0x00000000020D0000-0x00000000023D3000-memory.dmp

Filesize
3.0MB

Download
memory/568-73-0x0000000000820000-0x0000000000829000-memory.dmp

Filesize
36KB

Download
memory/568-74-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/572-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/572-59-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/572-65-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/572-67-0x0000000000B00000-0x0000000000E03000-memory.dmp

Filesize
3.0MB

Download
memory/572-68-0x0000000000130000-0x0000000000140000-memory.dmp

Filesize
64KB

Download
memory/572-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/572-62-0x00000000004012B0-mapping.dmp

Download
memory/572-72-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/572-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/572-58-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1344-77-0x0000000006CA0000-0x0000000006DE0000-memory.dmp

Filesize
1.2MB

Download
memory/1344-69-0x0000000006A00000-0x0000000006B55000-memory.dmp

Filesize
1.3MB

Download
memory/1344-79-0x0000000006CA0000-0x0000000006DE0000-memory.dmp

Filesize
1.2MB

Download
memory/1880-54-0x0000000000E70000-0x0000000000EBC000-memory.dmp

Filesize
304KB

Download
memory/1880-57-0x0000000000420000-0x0000000000428000-memory.dmp

Filesize
32KB

Download
memory/1880-56-0x00000000002D0000-0x00000000002DC000-memory.dmp

Filesize
48KB

Download
memory/1880-55-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing