formbook | 5032a3dbc97f17dba5cf4a7dc67a6c9ae6293a344d9d9433d63e8cd180226927

General

Target

Quotation.pif.exe
Size

991KB
MD5

59d24bcc44a883d21a48b2d368a1ff45
SHA1

d933aac89872b6a5f60901563b19c6715a0d007a
SHA256

5032a3dbc97f17dba5cf4a7dc67a6c9ae6293a344d9d9433d63e8cd180226927
SHA512

9281ea610f54c4df7f849d4c9e9021b6b3983a04ce0c6606db587d8d3b412de0494a1717adc9e701947ddd97f40216768d40af96983ad95449040e5bccbdecaf
SSDEEP

12288:dHeyEXo6MY++34Ot1UzDMHvRJUHoPYFoBMmTA0+bB/jIyBXRsZZ4wiPWL1QORWl5:m/DkM1nHvRJ9PYqs0+5FXk+P41Q7BBz

Score

10^/10

formbook nhg6 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

nhg6

Decoy

FSZGb3Of7ECMIOG9mh1ql/w=

DAPP3Pm63eo+zg==

khOZTuClxYsKQsZALgy3ob9TFAk=

5uWol2f/RF3CAwFd

P70LqPOi2iE9g4vpPH1Lk8E0K6tC

KBRl7TSt3eo+zg==

rqedJWUJXKkDbORa

lpORtIg8lvMKbJ77PQW9kes=

Qinv+gsohAIooqyTcfUYgZ/IVxQ=

J0L2ggPAiE2gxm4=

r/I6qOGI5noJCghf

khJg6HKM6l9okVK+pg==

HRMTK/6p3eo+zg==

HqMiuv2JaKYJCghf

+FzGYtsGTpK46OkKkh5C

BBrOUpUY91R/r8gkPwrcuw==

klWfn2smdNcqog581h6vX7px

t8uvr7+R7IPaHSOH1hqvX7px

bHdghkj64OjzY2hOLa/WObrRkkeJjQ==

s3/smhoylh1J0mPS4aDHBDRyJw==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Loads dropped DLL 1 IoCs

Processes:

NETSTAT.EXE

pid process

1704 NETSTAT.EXE

pid	process
1704	NETSTAT.EXE

Suspicious use of SetThreadContext 3 IoCs

Processes:

Quotation.pif.exeRegSvcs.exeNETSTAT.EXE

description	pid	process	target process
PID 1468 set thread context of 1552	1468	Quotation.pif.exe	RegSvcs.exe
PID 1552 set thread context of 1424	1552	RegSvcs.exe	Explorer.EXE
PID 1704 set thread context of 1424	1704	NETSTAT.EXE	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1368 schtasks.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

1704 NETSTAT.EXE

pid	process
1368	schtasks.exe

pid	process
1704	NETSTAT.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

NETSTAT.EXE

description	ioc	process
Key created	\Registry\User\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

Quotation.pif.exeRegSvcs.exepowershell.exeNETSTAT.EXE

pid	process
1468	Quotation.pif.exe
1468	Quotation.pif.exe
1552	RegSvcs.exe
1552	RegSvcs.exe
1552	RegSvcs.exe
1552	RegSvcs.exe
592	powershell.exe
1704	NETSTAT.EXE
1704	NETSTAT.EXE
1704	NETSTAT.EXE
1704	NETSTAT.EXE
1704	NETSTAT.EXE
1704	NETSTAT.EXE
1704	NETSTAT.EXE
1704	NETSTAT.EXE
1704	NETSTAT.EXE
1704	NETSTAT.EXE
1704	NETSTAT.EXE
1704	NETSTAT.EXE
1704	NETSTAT.EXE
1704	NETSTAT.EXE
1704	NETSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1424 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

RegSvcs.exeNETSTAT.EXE

pid process

1552 RegSvcs.exe
1552 RegSvcs.exe
1552 RegSvcs.exe
1704 NETSTAT.EXE
1704 NETSTAT.EXE
1704 NETSTAT.EXE
1704 NETSTAT.EXE

pid	process
1424	Explorer.EXE

pid	process
1552	RegSvcs.exe
1552	RegSvcs.exe
1552	RegSvcs.exe
1704	NETSTAT.EXE
1704	NETSTAT.EXE
1704	NETSTAT.EXE
1704	NETSTAT.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Quotation.pif.exeRegSvcs.exepowershell.exeNETSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	1468	Quotation.pif.exe
Token: SeDebugPrivilege	1552	RegSvcs.exe
Token: SeDebugPrivilege	592	powershell.exe
Token: SeDebugPrivilege	1704	NETSTAT.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1424 Explorer.EXE
1424 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1424 Explorer.EXE
1424 Explorer.EXE

pid	process
1424	Explorer.EXE
1424	Explorer.EXE

pid	process
1424	Explorer.EXE
1424	Explorer.EXE

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

Quotation.pif.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 1468 wrote to memory of 592	1468	Quotation.pif.exe	powershell.exe
PID 1468 wrote to memory of 592	1468	Quotation.pif.exe	powershell.exe
PID 1468 wrote to memory of 592	1468	Quotation.pif.exe	powershell.exe
PID 1468 wrote to memory of 592	1468	Quotation.pif.exe	powershell.exe
PID 1468 wrote to memory of 1368	1468	Quotation.pif.exe	schtasks.exe
PID 1468 wrote to memory of 1368	1468	Quotation.pif.exe	schtasks.exe
PID 1468 wrote to memory of 1368	1468	Quotation.pif.exe	schtasks.exe
PID 1468 wrote to memory of 1368	1468	Quotation.pif.exe	schtasks.exe
PID 1468 wrote to memory of 1552	1468	Quotation.pif.exe	RegSvcs.exe
PID 1468 wrote to memory of 1552	1468	Quotation.pif.exe	RegSvcs.exe
PID 1468 wrote to memory of 1552	1468	Quotation.pif.exe	RegSvcs.exe
PID 1468 wrote to memory of 1552	1468	Quotation.pif.exe	RegSvcs.exe
PID 1468 wrote to memory of 1552	1468	Quotation.pif.exe	RegSvcs.exe
PID 1468 wrote to memory of 1552	1468	Quotation.pif.exe	RegSvcs.exe
PID 1468 wrote to memory of 1552	1468	Quotation.pif.exe	RegSvcs.exe
PID 1468 wrote to memory of 1552	1468	Quotation.pif.exe	RegSvcs.exe
PID 1468 wrote to memory of 1552	1468	Quotation.pif.exe	RegSvcs.exe
PID 1468 wrote to memory of 1552	1468	Quotation.pif.exe	RegSvcs.exe
PID 1424 wrote to memory of 1704	1424	Explorer.EXE	NETSTAT.EXE
PID 1424 wrote to memory of 1704	1424	Explorer.EXE	NETSTAT.EXE
PID 1424 wrote to memory of 1704	1424	Explorer.EXE	NETSTAT.EXE
PID 1424 wrote to memory of 1704	1424	Explorer.EXE	NETSTAT.EXE
PID 1704 wrote to memory of 1848	1704	NETSTAT.EXE	Firefox.exe
PID 1704 wrote to memory of 1848	1704	NETSTAT.EXE	Firefox.exe
PID 1704 wrote to memory of 1848	1704	NETSTAT.EXE	Firefox.exe
PID 1704 wrote to memory of 1848	1704	NETSTAT.EXE	Firefox.exe
PID 1704 wrote to memory of 1848	1704	NETSTAT.EXE	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1424

C:\Users\Admin\AppData\Local\Temp\Quotation.pif.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.pif.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\OJGfLeUSALnpf.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:592

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OJGfLeUSALnpf" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB932.tmp"
3⤵
- Creates scheduled task(s)
PID:1368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Gathers network information
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1704

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1848

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Command-Line Interface

1

T1059

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB932.tmp
Filesize
1KB

MD5
a9d509f3b1842578f4ac9af2fb75817b

SHA1
62258bfc9868742920c9ec19c230706e603d616a

SHA256
f120cc869960b4adbb055f62f9e4856450d7e618397e3643fb8dfd825a490cda

SHA512
c3cd3e3c6f83893938cd946b02d6354d5a765904206ab332e20b22dc9938bd20be7c446edfe573807bc2f10a5db9b3e1416a4226322f25fa335821a9b575a5fc

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
831KB

MD5
05ace2f6d9bef6fd9bbd05ee5262a1f2

SHA1
5cce2228e0d9c6cc913cf551e0bf7c76ed74ff59

SHA256
002459f4d4758011b4d7f36935f1fe323494b847f8c173a551076a3d30475ebc

SHA512
1e717a66a72eb626727144fa7458f472ada54fd1be37072c9e740945e34ba94025737aef44e54752c50c5b79a583c6a91a0d8043bf1bf7c3e7cab8537207f9fc

Download Submit
memory/592-71-0x000000006F0D0000-0x000000006F67B000-memory.dmp

Filesize
5.7MB

Download
memory/592-59-0x0000000000000000-mapping.dmp

Download
memory/592-77-0x000000006F0D0000-0x000000006F67B000-memory.dmp

Filesize
5.7MB

Download
memory/1368-60-0x0000000000000000-mapping.dmp

Download
memory/1424-86-0x00000000099B0000-0x0000000009B1F000-memory.dmp

Filesize
1.4MB

Download
memory/1424-76-0x0000000006D70000-0x0000000006F04000-memory.dmp

Filesize
1.6MB

Download
memory/1424-83-0x00000000099B0000-0x0000000009B1F000-memory.dmp

Filesize
1.4MB

Download
memory/1468-57-0x00000000008E0000-0x00000000008EC000-memory.dmp

Filesize
48KB

Download
memory/1468-58-0x0000000007CC0000-0x0000000007D88000-memory.dmp

Filesize
800KB

Download
memory/1468-56-0x00000000008D0000-0x00000000008E4000-memory.dmp

Filesize
80KB

Download
memory/1468-63-0x0000000008560000-0x00000000085D0000-memory.dmp

Filesize
448KB

Download
memory/1468-54-0x0000000000EB0000-0x0000000000FAE000-memory.dmp

Filesize
1016KB

Download
memory/1468-55-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download
memory/1552-70-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1552-68-0x00000000004012B0-mapping.dmp

Download
memory/1552-74-0x0000000000AC0000-0x0000000000DC3000-memory.dmp

Filesize
3.0MB

Download
memory/1552-75-0x00000000000C0000-0x00000000000D0000-memory.dmp

Filesize
64KB

Download
memory/1552-67-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1552-73-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1552-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1552-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1552-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1704-84-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/1704-82-0x0000000000530000-0x00000000005BF000-memory.dmp

Filesize
572KB

Download
memory/1704-81-0x00000000022E0000-0x00000000025E3000-memory.dmp

Filesize
3.0MB

Download
memory/1704-80-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/1704-79-0x00000000008A0000-0x00000000008A9000-memory.dmp

Filesize
36KB

Download
memory/1704-78-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads