formbook | 5032a3dbc97f17dba5cf4a7dc67a6c9ae6293a344d9d9433d63e8cd180226927

General

Target

Quotation.exe
Size

991KB
MD5

59d24bcc44a883d21a48b2d368a1ff45
SHA1

d933aac89872b6a5f60901563b19c6715a0d007a
SHA256

5032a3dbc97f17dba5cf4a7dc67a6c9ae6293a344d9d9433d63e8cd180226927
SHA512

9281ea610f54c4df7f849d4c9e9021b6b3983a04ce0c6606db587d8d3b412de0494a1717adc9e701947ddd97f40216768d40af96983ad95449040e5bccbdecaf
SSDEEP

12288:dHeyEXo6MY++34Ot1UzDMHvRJUHoPYFoBMmTA0+bB/jIyBXRsZZ4wiPWL1QORWl5:m/DkM1nHvRJ9PYqs0+5FXk+P41Q7BBz

Score

10^/10

formbook nhg6 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

nhg6

Decoy

FSZGb3Of7ECMIOG9mh1ql/w=

DAPP3Pm63eo+zg==

khOZTuClxYsKQsZALgy3ob9TFAk=

5uWol2f/RF3CAwFd

P70LqPOi2iE9g4vpPH1Lk8E0K6tC

KBRl7TSt3eo+zg==

rqedJWUJXKkDbORa

lpORtIg8lvMKbJ77PQW9kes=

Qinv+gsohAIooqyTcfUYgZ/IVxQ=

J0L2ggPAiE2gxm4=

r/I6qOGI5noJCghf

khJg6HKM6l9okVK+pg==

HRMTK/6p3eo+zg==

HqMiuv2JaKYJCghf

+FzGYtsGTpK46OkKkh5C

BBrOUpUY91R/r8gkPwrcuw==

klWfn2smdNcqog581h6vX7px

t8uvr7+R7IPaHSOH1hqvX7px

bHdghkj64OjzY2hOLa/WObrRkkeJjQ==

s3/smhoylh1J0mPS4aDHBDRyJw==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Quotation.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Quotation.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 3 IoCs

Processes:

Quotation.exeRegSvcs.exerundll32.exe

description	pid	process	target process
PID 4864 set thread context of 832	4864	Quotation.exe	RegSvcs.exe
PID 832 set thread context of 2152	832	RegSvcs.exe	Explorer.EXE
PID 2184 set thread context of 2152	2184	rundll32.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3796 schtasks.exe

pid	process
3796	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	rundll32.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

Quotation.exepowershell.exeRegSvcs.exerundll32.exe

pid	process
4864	Quotation.exe
4864	Quotation.exe
3400	powershell.exe
832	RegSvcs.exe
832	RegSvcs.exe
832	RegSvcs.exe
832	RegSvcs.exe
832	RegSvcs.exe
832	RegSvcs.exe
832	RegSvcs.exe
832	RegSvcs.exe
3400	powershell.exe
2184	rundll32.exe
2184	rundll32.exe
2184	rundll32.exe
2184	rundll32.exe
2184	rundll32.exe
2184	rundll32.exe
2184	rundll32.exe
2184	rundll32.exe
2184	rundll32.exe
2184	rundll32.exe
2184	rundll32.exe
2184	rundll32.exe
2184	rundll32.exe
2184	rundll32.exe
2184	rundll32.exe
2184	rundll32.exe
2184	rundll32.exe
2184	rundll32.exe
2184	rundll32.exe
2184	rundll32.exe
2184	rundll32.exe
2184	rundll32.exe
2184	rundll32.exe
2184	rundll32.exe
2184	rundll32.exe
2184	rundll32.exe
2184	rundll32.exe
2184	rundll32.exe
2184	rundll32.exe
2184	rundll32.exe
2184	rundll32.exe
2184	rundll32.exe
2184	rundll32.exe
2184	rundll32.exe
2184	rundll32.exe
2184	rundll32.exe
2184	rundll32.exe
2184	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2152 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

RegSvcs.exerundll32.exe

pid process

832 RegSvcs.exe
832 RegSvcs.exe
832 RegSvcs.exe
2184 rundll32.exe
2184 rundll32.exe
2184 rundll32.exe
2184 rundll32.exe

pid	process
2152	Explorer.EXE

pid	process
832	RegSvcs.exe
832	RegSvcs.exe
832	RegSvcs.exe
2184	rundll32.exe
2184	rundll32.exe
2184	rundll32.exe
2184	rundll32.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

Quotation.exepowershell.exeRegSvcs.exerundll32.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	4864	Quotation.exe
Token: SeDebugPrivilege	3400	powershell.exe
Token: SeDebugPrivilege	832	RegSvcs.exe
Token: SeDebugPrivilege	2184	rundll32.exe
Token: SeShutdownPrivilege	2152	Explorer.EXE
Token: SeCreatePagefilePrivilege	2152	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

Quotation.exeExplorer.EXErundll32.exe

description	pid	process	target process
PID 4864 wrote to memory of 3400	4864	Quotation.exe	powershell.exe
PID 4864 wrote to memory of 3400	4864	Quotation.exe	powershell.exe
PID 4864 wrote to memory of 3400	4864	Quotation.exe	powershell.exe
PID 4864 wrote to memory of 3796	4864	Quotation.exe	schtasks.exe
PID 4864 wrote to memory of 3796	4864	Quotation.exe	schtasks.exe
PID 4864 wrote to memory of 3796	4864	Quotation.exe	schtasks.exe
PID 4864 wrote to memory of 832	4864	Quotation.exe	RegSvcs.exe
PID 4864 wrote to memory of 832	4864	Quotation.exe	RegSvcs.exe
PID 4864 wrote to memory of 832	4864	Quotation.exe	RegSvcs.exe
PID 4864 wrote to memory of 832	4864	Quotation.exe	RegSvcs.exe
PID 4864 wrote to memory of 832	4864	Quotation.exe	RegSvcs.exe
PID 4864 wrote to memory of 832	4864	Quotation.exe	RegSvcs.exe
PID 2152 wrote to memory of 2184	2152	Explorer.EXE	rundll32.exe
PID 2152 wrote to memory of 2184	2152	Explorer.EXE	rundll32.exe
PID 2152 wrote to memory of 2184	2152	Explorer.EXE	rundll32.exe
PID 2184 wrote to memory of 1812	2184	rundll32.exe	Firefox.exe
PID 2184 wrote to memory of 1812	2184	rundll32.exe	Firefox.exe
PID 2184 wrote to memory of 1812	2184	rundll32.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2152

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
2⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4864

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\OJGfLeUSALnpf.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3400

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OJGfLeUSALnpf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1618.tmp"
3⤵
- Creates scheduled task(s)
PID:3796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:832

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2184

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1812

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1618.tmp
Filesize
1KB

MD5
771a2c043443bd78d6f97d12e732bae9

SHA1
462965f969ffa3f8ad57d30246ab91801b017f43

SHA256
0fb0ea70afba29da669495aa92b4166cf46421eca8b369977010ab9ea8d1b6c9

SHA512
a167c0ae55285d898a95c058c561a2b6b9e17c452cdedbe8201633e793e7337991be18da243d471f1974593f288b995dd6169d9bb2077d9fb549a62be58e6fb1

Download Submit
memory/832-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/832-152-0x0000000001050000-0x0000000001060000-memory.dmp

Filesize
64KB

Download
memory/832-151-0x0000000001650000-0x000000000199A000-memory.dmp

Filesize
3.3MB

Download
memory/832-150-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/832-149-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/832-148-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/832-142-0x0000000000000000-mapping.dmp

Download
memory/2152-172-0x0000000007B30000-0x0000000007BD8000-memory.dmp

Filesize
672KB

Download
memory/2152-170-0x0000000007B30000-0x0000000007BD8000-memory.dmp

Filesize
672KB

Download
memory/2152-153-0x0000000007CB0000-0x0000000007DB7000-memory.dmp

Filesize
1.0MB

Download
memory/2184-164-0x0000000000690000-0x00000000006BD000-memory.dmp

Filesize
180KB

Download
memory/2184-160-0x0000000000000000-mapping.dmp

Download
memory/2184-171-0x0000000000690000-0x00000000006BD000-memory.dmp

Filesize
180KB

Download
memory/2184-169-0x00000000023D0000-0x000000000245F000-memory.dmp

Filesize
572KB

Download
memory/2184-165-0x00000000025A0000-0x00000000028EA000-memory.dmp

Filesize
3.3MB

Download
memory/2184-163-0x0000000000E10000-0x0000000000E24000-memory.dmp

Filesize
80KB

Download
memory/3400-166-0x0000000007AD0000-0x0000000007ADE000-memory.dmp

Filesize
56KB

Download
memory/3400-161-0x0000000007910000-0x000000000791A000-memory.dmp

Filesize
40KB

Download
memory/3400-146-0x00000000056C0000-0x00000000056E2000-memory.dmp

Filesize
136KB

Download
memory/3400-147-0x0000000005EC0000-0x0000000005F26000-memory.dmp

Filesize
408KB

Download
memory/3400-154-0x0000000006580000-0x000000000659E000-memory.dmp

Filesize
120KB

Download
memory/3400-155-0x0000000006B60000-0x0000000006B92000-memory.dmp

Filesize
200KB

Download
memory/3400-156-0x0000000071240000-0x000000007128C000-memory.dmp

Filesize
304KB

Download
memory/3400-157-0x0000000006B40000-0x0000000006B5E000-memory.dmp

Filesize
120KB

Download
memory/3400-158-0x0000000007EE0000-0x000000000855A000-memory.dmp

Filesize
6.5MB

Download
memory/3400-159-0x00000000078A0000-0x00000000078BA000-memory.dmp

Filesize
104KB

Download
memory/3400-138-0x0000000000000000-mapping.dmp

Download
memory/3400-168-0x0000000007BC0000-0x0000000007BC8000-memory.dmp

Filesize
32KB

Download
memory/3400-162-0x0000000007B20000-0x0000000007BB6000-memory.dmp

Filesize
600KB

Download
memory/3400-167-0x0000000007BE0000-0x0000000007BFA000-memory.dmp

Filesize
104KB

Download
memory/3400-143-0x0000000005720000-0x0000000005D48000-memory.dmp

Filesize
6.2MB

Download
memory/3400-140-0x0000000002C70000-0x0000000002CA6000-memory.dmp

Filesize
216KB

Download
memory/3796-139-0x0000000000000000-mapping.dmp

Download
memory/4864-132-0x0000000000FC0000-0x00000000010BE000-memory.dmp

Filesize
1016KB

Download
memory/4864-137-0x0000000009CB0000-0x0000000009D16000-memory.dmp

Filesize
408KB

Download
memory/4864-135-0x0000000005A50000-0x0000000005A5A000-memory.dmp

Filesize
40KB

Download
memory/4864-134-0x0000000005A60000-0x0000000005AF2000-memory.dmp

Filesize
584KB

Download
memory/4864-136-0x0000000009870000-0x000000000990C000-memory.dmp

Filesize
624KB

Download
memory/4864-133-0x0000000006110000-0x00000000066B4000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads