formbook | 3d4bcb3525d58d2270133e0349f8cc3463a2c5b151e8cc7b1580806c6e86fbf8

General

Target

wire_deposito# 00711 23-09-2022_IMG.exe
Size

294KB
MD5

ebf3bd44feb646d0113e34451935faec
SHA1

ff2c6c0ceacd9a97c845a1e4056ab7e1c097cf51
SHA256

3d4bcb3525d58d2270133e0349f8cc3463a2c5b151e8cc7b1580806c6e86fbf8
SHA512

b30b45f6c9b86be224078bd524f45df6db5b4d488ad257743c9ceb869e993e2c1c1296361f29c0279890c32a071950c3678651d5d9a70526cd489f96baaa05e1
SSDEEP

6144:UL8i9w0XHrJ7Cj3Z3I5shJd78mf9EFV2PsN2sFzVELTlg:ImqF7Mp3IKhJ58mf9E/QOFz8Tlg

Score

10^/10

formbook dqrv rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

dqrv

Decoy

gBpw3Y4HTb1jiULo0eCNvVa1AUM=

ZrxXzYYGEr9rmw==

WZd0tp8eMltMtoAQ

sTwbDYOvwP/e+cIy7A==

2x9+6pABEr9rmw==

5APZR17a7SLBJ+uLaEHxQVMMVQ==

To5y5LGTop5N9MKIDJI7Rqg=

HmLC9XPWGo8wbVA1OzzbDM4Dgob+z9M=

qU4wemvm5BXKPhm7k4I6bXMpXw==

1/9k1Q9Dz2scN+VeSlk9UKk=

ocWw8L31/TrpUDjjh8hx2g==

ULSzhA6L41v+PzP1wJ5BbXMpXw==

2WPGn5/sP28R

CjKXeM4dKWwZ

219OmV+FktZrolf1zb1esHSEyvduDQ==

O3zrtJsXCr9ekQ==

QakRaQV0wTrlFwfVh8hx2g==

7kG0LMk1hfuox2rTkaJSbXMpXw==

+UQrlVma3UXyhDAA7g==

A4Hkzb/3ubdkJdfXmOw=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Loads dropped DLL 1 IoCs

pid	Process
616	chkdsk.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1088 set thread context of 1672	1088	wire_deposito# 00711 23-09-2022_IMG.exe	26
PID 1672 set thread context of 1416	1672	aspnet_compiler.exe	13
PID 616 set thread context of 1416	616	chkdsk.exe	13

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	chkdsk.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1672	aspnet_compiler.exe
1672	aspnet_compiler.exe
1672	aspnet_compiler.exe
1672	aspnet_compiler.exe
616	chkdsk.exe
616	chkdsk.exe
616	chkdsk.exe
616	chkdsk.exe
616	chkdsk.exe
616	chkdsk.exe
616	chkdsk.exe
616	chkdsk.exe
616	chkdsk.exe
616	chkdsk.exe
616	chkdsk.exe
616	chkdsk.exe
616	chkdsk.exe
616	chkdsk.exe
616	chkdsk.exe
616	chkdsk.exe
616	chkdsk.exe
616	chkdsk.exe
616	chkdsk.exe
616	chkdsk.exe
616	chkdsk.exe

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
1672	aspnet_compiler.exe
1672	aspnet_compiler.exe
1672	aspnet_compiler.exe
616	chkdsk.exe
616	chkdsk.exe
616	chkdsk.exe
616	chkdsk.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1672	aspnet_compiler.exe
Token: SeDebugPrivilege	616	chkdsk.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1416	Explorer.EXE
1416	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1416	Explorer.EXE
1416	Explorer.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 1672	1088	wire_deposito# 00711 23-09-2022_IMG.exe	26
PID 1088 wrote to memory of 1672	1088	wire_deposito# 00711 23-09-2022_IMG.exe	26
PID 1088 wrote to memory of 1672	1088	wire_deposito# 00711 23-09-2022_IMG.exe	26
PID 1088 wrote to memory of 1672	1088	wire_deposito# 00711 23-09-2022_IMG.exe	26
PID 1088 wrote to memory of 1672	1088	wire_deposito# 00711 23-09-2022_IMG.exe	26
PID 1088 wrote to memory of 1672	1088	wire_deposito# 00711 23-09-2022_IMG.exe	26
PID 1088 wrote to memory of 1672	1088	wire_deposito# 00711 23-09-2022_IMG.exe	26
PID 1416 wrote to memory of 616	1416	Explorer.EXE	27
PID 1416 wrote to memory of 616	1416	Explorer.EXE	27
PID 1416 wrote to memory of 616	1416	Explorer.EXE	27
PID 1416 wrote to memory of 616	1416	Explorer.EXE	27
PID 616 wrote to memory of 1376	616	chkdsk.exe	30
PID 616 wrote to memory of 1376	616	chkdsk.exe	30
PID 616 wrote to memory of 1376	616	chkdsk.exe	30
PID 616 wrote to memory of 1376	616	chkdsk.exe	30
PID 616 wrote to memory of 1376	616	chkdsk.exe	30

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Users\Admin\AppData\Local\Temp\wire_deposito# 00711 23-09-2022_IMG.exe
  "C:\Users\Admin\AppData\Local\Temp\wire_deposito# 00711 23-09-2022_IMG.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1088
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1672
- C:\Windows\SysWOW64\chkdsk.exe
  "C:\Windows\SysWOW64\chkdsk.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:616
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:1376

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
1.0MB

MD5
f1e5f58f9eb43ecec773acbdb410b888

SHA1
f1b8076b0bbde696694bbc0ab259a77893839464

SHA256
a15fd84ee61b54c92bb099dfb78226548f43d550c67fb6adf4cce3d064ab1c14

SHA512
0aff96430dd99bb227285fefc258014c301f85216c84e40f45702d26cdd7e77261a41fd3811d686f5fb2ee363cc651a014e8ffa339384004cece645a36486456

Download Submit
memory/616-76-0x00000000000E0000-0x000000000010D000-memory.dmp

Filesize
180KB

Download
memory/616-73-0x0000000001FB0000-0x00000000022B3000-memory.dmp

Filesize
3.0MB

Download
memory/616-72-0x00000000000E0000-0x000000000010D000-memory.dmp

Filesize
180KB

Download
memory/616-74-0x0000000001DD0000-0x0000000001E5F000-memory.dmp

Filesize
572KB

Download
memory/616-71-0x0000000000630000-0x0000000000637000-memory.dmp

Filesize
28KB

Download
memory/616-77-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/1088-54-0x0000000001080000-0x00000000010CA000-memory.dmp

Filesize
296KB

Download
memory/1088-57-0x0000000000380000-0x0000000000388000-memory.dmp

Filesize
32KB

Download
memory/1088-56-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/1088-55-0x0000000000350000-0x0000000000358000-memory.dmp

Filesize
32KB

Download
memory/1416-75-0x00000000041C0000-0x0000000004259000-memory.dmp

Filesize
612KB

Download
memory/1416-78-0x00000000041C0000-0x0000000004259000-memory.dmp

Filesize
612KB

Download
memory/1416-69-0x0000000004B60000-0x0000000004C82000-memory.dmp

Filesize
1.1MB

Download
memory/1672-68-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/1672-67-0x00000000009B0000-0x0000000000CB3000-memory.dmp

Filesize
3.0MB

Download
memory/1672-66-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1672-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1672-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1672-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1672-59-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1672-58-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing