formbook | 564b0058f3279d208079cc2369077a4358432acfcc9236247b3ae7517928b342

Analysis

max time kernel
297s
max time network
300s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-09-2022 10:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OFERTA_5420220000000000000000000000000000000.exe
Size

713KB
MD5

cd37d60e8e4e73bf7cc73737da77bd66
SHA1

5241609a9066cf44f9fec214d4b1048007e4fb39
SHA256

564b0058f3279d208079cc2369077a4358432acfcc9236247b3ae7517928b342
SHA512

e241a492e8a76eec49365996fab506257979d91b81b89dae78336403c418f72bb44c442519b0875f1a5b954bdc0acbd95d3bf854f53c582e95506ef95793bfdc
SSDEEP

12288:8ToPWBv/cpGrU3yH7mp7O0aJLpNBB/Dhw9Z7ho:8TbBv5rUsmp7jSLbBB/Dhw9Z7ho

Score

10^/10

formbook f4ca rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

f4ca

Decoy

QYZ6iE9Y+CsiZpCBareS0uU=

N2FQLAaH6xXE

Vc6t0MQXN+Llxsqg

ElBedmSvYGGm6yLDhHqzAtmlCxWl

4VpIWShqHR5cpjfQ4bs=

mepO9miu/iFiQQ==

Z8Owqh54IlwEpDfQ4bs=

qcq4uT5HecWZG3EVwKTiUE7slrGQGiyo

IaYYoJikKDDqgV/NigZCLA==

4Xz5pfoCCW/76NnOUrFEOw==

xiijSkVJ3Yuh9OKDcmui/d2lCxWl

cr8MmfpCEu0ULsO3p6w=

JLm2yKHo7hdVb8O3p6w=

Hriy5svWm2Qfq9mPQib9jJI65gOr

2G3nkRpidunlxsqg

gPHUAeXmi8Q9ARy3

6l5WaOf8BxhQDkp5gKQ=

KHHiXs4WOqXZdPhpaw==

+UQ5Vz5O0Ms9ARy3

pNQygKu0OziAvjOHRGLnJA==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 1 IoCs

Processes:

zaiynxotnb.exe

pid process

1144 zaiynxotnb.exe

pid	process
1144	zaiynxotnb.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

zaiynxotnb.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\Geo\Nation	zaiynxotnb.exe

Loads dropped DLL 12 IoCs

Processes:

OFERTA_5420220000000000000000000000000000000.exezaiynxotnb.exezaiynxotnb.exeWerFault.exemsdt.exe

pid	process
1456	OFERTA_5420220000000000000000000000000000000.exe
1456	OFERTA_5420220000000000000000000000000000000.exe
1456	OFERTA_5420220000000000000000000000000000000.exe
1456	OFERTA_5420220000000000000000000000000000000.exe
1144	zaiynxotnb.exe
1796	zaiynxotnb.exe
956	WerFault.exe
956	WerFault.exe
956	WerFault.exe
956	WerFault.exe
956	WerFault.exe
992	msdt.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

zaiynxotnb.exezaiynxotnb.exemsdt.exe

description	pid	process	target process
PID 1144 set thread context of 1796	1144	zaiynxotnb.exe	zaiynxotnb.exe
PID 1796 set thread context of 1396	1796	zaiynxotnb.exe	Explorer.EXE
PID 992 set thread context of 1396	992	msdt.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

956 1144 WerFault.exe zaiynxotnb.exe

pid	pid_target	process	target process
956	1144	WerFault.exe	zaiynxotnb.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

msdt.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	msdt.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

Processes:

zaiynxotnb.exemsdt.exe

pid	process
1796	zaiynxotnb.exe
1796	zaiynxotnb.exe
1796	zaiynxotnb.exe
1796	zaiynxotnb.exe
992	msdt.exe
992	msdt.exe
992	msdt.exe
992	msdt.exe
992	msdt.exe
992	msdt.exe
992	msdt.exe
992	msdt.exe
992	msdt.exe
992	msdt.exe
992	msdt.exe
992	msdt.exe
992	msdt.exe
992	msdt.exe
992	msdt.exe
992	msdt.exe
992	msdt.exe
992	msdt.exe
992	msdt.exe
992	msdt.exe
992	msdt.exe
992	msdt.exe
992	msdt.exe
992	msdt.exe
992	msdt.exe
992	msdt.exe
992	msdt.exe
992	msdt.exe
992	msdt.exe
992	msdt.exe
992	msdt.exe
992	msdt.exe
992	msdt.exe
992	msdt.exe
992	msdt.exe
992	msdt.exe
992	msdt.exe
992	msdt.exe
992	msdt.exe
992	msdt.exe
992	msdt.exe
992	msdt.exe
992	msdt.exe
992	msdt.exe
992	msdt.exe
992	msdt.exe
992	msdt.exe
992	msdt.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1396 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

zaiynxotnb.exemsdt.exe

pid process

1796 zaiynxotnb.exe
1796 zaiynxotnb.exe
1796 zaiynxotnb.exe
992 msdt.exe
992 msdt.exe
992 msdt.exe
992 msdt.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

zaiynxotnb.exeExplorer.EXEmsdt.exe

description pid process

Token: SeDebugPrivilege 1796 zaiynxotnb.exe
Token: SeShutdownPrivilege 1396 Explorer.EXE
Token: SeDebugPrivilege 992 msdt.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1396 Explorer.EXE
1396 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1396 Explorer.EXE
1396 Explorer.EXE

pid	process
1396	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1796	zaiynxotnb.exe
Token: SeShutdownPrivilege	1396	Explorer.EXE
Token: SeDebugPrivilege	992	msdt.exe

pid	process
1396	Explorer.EXE
1396	Explorer.EXE

pid	process
1396	Explorer.EXE
1396	Explorer.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

OFERTA_5420220000000000000000000000000000000.exezaiynxotnb.exeExplorer.EXEmsdt.exe

description	pid	process	target process
PID 1456 wrote to memory of 1144	1456	OFERTA_5420220000000000000000000000000000000.exe	zaiynxotnb.exe
PID 1456 wrote to memory of 1144	1456	OFERTA_5420220000000000000000000000000000000.exe	zaiynxotnb.exe
PID 1456 wrote to memory of 1144	1456	OFERTA_5420220000000000000000000000000000000.exe	zaiynxotnb.exe
PID 1456 wrote to memory of 1144	1456	OFERTA_5420220000000000000000000000000000000.exe	zaiynxotnb.exe
PID 1144 wrote to memory of 1796	1144	zaiynxotnb.exe	zaiynxotnb.exe
PID 1144 wrote to memory of 1796	1144	zaiynxotnb.exe	zaiynxotnb.exe
PID 1144 wrote to memory of 1796	1144	zaiynxotnb.exe	zaiynxotnb.exe
PID 1144 wrote to memory of 1796	1144	zaiynxotnb.exe	zaiynxotnb.exe
PID 1144 wrote to memory of 1796	1144	zaiynxotnb.exe	zaiynxotnb.exe
PID 1144 wrote to memory of 956	1144	zaiynxotnb.exe	WerFault.exe
PID 1144 wrote to memory of 956	1144	zaiynxotnb.exe	WerFault.exe
PID 1144 wrote to memory of 956	1144	zaiynxotnb.exe	WerFault.exe
PID 1144 wrote to memory of 956	1144	zaiynxotnb.exe	WerFault.exe
PID 1396 wrote to memory of 992	1396	Explorer.EXE	msdt.exe
PID 1396 wrote to memory of 992	1396	Explorer.EXE	msdt.exe
PID 1396 wrote to memory of 992	1396	Explorer.EXE	msdt.exe
PID 1396 wrote to memory of 992	1396	Explorer.EXE	msdt.exe
PID 992 wrote to memory of 1516	992	msdt.exe	Firefox.exe
PID 992 wrote to memory of 1516	992	msdt.exe	Firefox.exe
PID 992 wrote to memory of 1516	992	msdt.exe	Firefox.exe
PID 992 wrote to memory of 1516	992	msdt.exe	Firefox.exe
PID 992 wrote to memory of 1516	992	msdt.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1396

C:\Users\Admin\AppData\Local\Temp\OFERTA_5420220000000000000000000000000000000.exe
"C:\Users\Admin\AppData\Local\Temp\OFERTA_5420220000000000000000000000000000000.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1456

C:\Users\Admin\AppData\Local\Temp\zaiynxotnb.exe
"C:\Users\Admin\AppData\Local\Temp\zaiynxotnb.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1144

C:\Users\Admin\AppData\Local\Temp\zaiynxotnb.exe
"C:\Users\Admin\AppData\Local\Temp\zaiynxotnb.exe"
4⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 244
4⤵
- Loads dropped DLL
- Program crash
PID:956

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:992

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1516

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ufquzdqwths.sq
Filesize
4KB

MD5
8ce8af99aec0f201425a470be6fdeca5

SHA1
6f056a3ade454becbcc604143bab3a5ba65ee212

SHA256
6457d729a4154f853d4cada8d0f6b89e134877dfb3356ee3751021ade54f6ceb

SHA512
42965d4b0708276b8c301541603a9c5002d0edfad1fa0edeb9e48ad622c2de5372fb29d28a0100df5410c5796f229dd32882990c8ff7b8576101d85f05846dcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\xmlpovh.yf
Filesize
185KB

MD5
cb452aa55d9d50901046c0aad5568912

SHA1
1c2e420c5409be312a1cfb8f36848dd3559101c0

SHA256
873b5f2b215d0ec6ec9f4686ee6f881518dac9c589067d61455f6331b6fea7c8

SHA512
076ed0ee3fb1ec1ced18fdb6d3f5e7915ababa0f5ab2c85e4729c618650572081dea6686b61c3a718a69a27570f271d17c5853e3c30ac2aedf8c7c42884ef710

Download Submit
C:\Users\Admin\AppData\Local\Temp\zaiynxotnb.exe
Filesize
56KB

MD5
719833e92eaca21eb5ebce6c33157c89

SHA1
3aafc77c21ab150976d050a5ef9fc42a76b49774

SHA256
82fb77e7d9ad285f60bf9a742145790aa88646b409ee9057144c2c61359f7b4c

SHA512
9ec7633434b81b9842e2b5ffdea0ba1813ea30805bcba6ccede4ed8c10884e0af98dae2143aa53ef364fd7dc9c52f5c9afa5c28b192a85bf21bde8c9ce5b2734

Download Submit
C:\Users\Admin\AppData\Local\Temp\zaiynxotnb.exe
Filesize
56KB

MD5
719833e92eaca21eb5ebce6c33157c89

SHA1
3aafc77c21ab150976d050a5ef9fc42a76b49774

SHA256
82fb77e7d9ad285f60bf9a742145790aa88646b409ee9057144c2c61359f7b4c

SHA512
9ec7633434b81b9842e2b5ffdea0ba1813ea30805bcba6ccede4ed8c10884e0af98dae2143aa53ef364fd7dc9c52f5c9afa5c28b192a85bf21bde8c9ce5b2734

Download Submit
C:\Users\Admin\AppData\Local\Temp\zaiynxotnb.exe
Filesize
56KB

MD5
719833e92eaca21eb5ebce6c33157c89

SHA1
3aafc77c21ab150976d050a5ef9fc42a76b49774

SHA256
82fb77e7d9ad285f60bf9a742145790aa88646b409ee9057144c2c61359f7b4c

SHA512
9ec7633434b81b9842e2b5ffdea0ba1813ea30805bcba6ccede4ed8c10884e0af98dae2143aa53ef364fd7dc9c52f5c9afa5c28b192a85bf21bde8c9ce5b2734

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
770KB

MD5
65f6090dfb069aca962a59f6df9e6113

SHA1
879bad504dfcce1a591c97817f3ff1e63931cfd2

SHA256
32a302d8c235226d8cdda4d957f151df3e5736fdce7886e6c794f0648b2eb106

SHA512
4c0e5e1103749356dceaaaa312e853bda83ec14f2f12288e9020cdf42b6e80d4caaec03d1ef7f34d81ddf2da88e6160c0c711380c2a7d89012e660406cdbb987

Download Submit
\Users\Admin\AppData\Local\Temp\zaiynxotnb.exe
Filesize
56KB

MD5
719833e92eaca21eb5ebce6c33157c89

SHA1
3aafc77c21ab150976d050a5ef9fc42a76b49774

SHA256
82fb77e7d9ad285f60bf9a742145790aa88646b409ee9057144c2c61359f7b4c

SHA512
9ec7633434b81b9842e2b5ffdea0ba1813ea30805bcba6ccede4ed8c10884e0af98dae2143aa53ef364fd7dc9c52f5c9afa5c28b192a85bf21bde8c9ce5b2734

Download Submit
\Users\Admin\AppData\Local\Temp\zaiynxotnb.exe
Filesize
56KB

MD5
719833e92eaca21eb5ebce6c33157c89

SHA1
3aafc77c21ab150976d050a5ef9fc42a76b49774

SHA256
82fb77e7d9ad285f60bf9a742145790aa88646b409ee9057144c2c61359f7b4c

SHA512
9ec7633434b81b9842e2b5ffdea0ba1813ea30805bcba6ccede4ed8c10884e0af98dae2143aa53ef364fd7dc9c52f5c9afa5c28b192a85bf21bde8c9ce5b2734

Download Submit
\Users\Admin\AppData\Local\Temp\zaiynxotnb.exe
Filesize
56KB

MD5
719833e92eaca21eb5ebce6c33157c89

SHA1
3aafc77c21ab150976d050a5ef9fc42a76b49774

SHA256
82fb77e7d9ad285f60bf9a742145790aa88646b409ee9057144c2c61359f7b4c

SHA512
9ec7633434b81b9842e2b5ffdea0ba1813ea30805bcba6ccede4ed8c10884e0af98dae2143aa53ef364fd7dc9c52f5c9afa5c28b192a85bf21bde8c9ce5b2734

Download Submit
\Users\Admin\AppData\Local\Temp\zaiynxotnb.exe
Filesize
56KB

MD5
719833e92eaca21eb5ebce6c33157c89

SHA1
3aafc77c21ab150976d050a5ef9fc42a76b49774

SHA256
82fb77e7d9ad285f60bf9a742145790aa88646b409ee9057144c2c61359f7b4c

SHA512
9ec7633434b81b9842e2b5ffdea0ba1813ea30805bcba6ccede4ed8c10884e0af98dae2143aa53ef364fd7dc9c52f5c9afa5c28b192a85bf21bde8c9ce5b2734

Download Submit
\Users\Admin\AppData\Local\Temp\zaiynxotnb.exe
Filesize
56KB

MD5
719833e92eaca21eb5ebce6c33157c89

SHA1
3aafc77c21ab150976d050a5ef9fc42a76b49774

SHA256
82fb77e7d9ad285f60bf9a742145790aa88646b409ee9057144c2c61359f7b4c

SHA512
9ec7633434b81b9842e2b5ffdea0ba1813ea30805bcba6ccede4ed8c10884e0af98dae2143aa53ef364fd7dc9c52f5c9afa5c28b192a85bf21bde8c9ce5b2734

Download Submit
\Users\Admin\AppData\Local\Temp\zaiynxotnb.exe
Filesize
56KB

MD5
719833e92eaca21eb5ebce6c33157c89

SHA1
3aafc77c21ab150976d050a5ef9fc42a76b49774

SHA256
82fb77e7d9ad285f60bf9a742145790aa88646b409ee9057144c2c61359f7b4c

SHA512
9ec7633434b81b9842e2b5ffdea0ba1813ea30805bcba6ccede4ed8c10884e0af98dae2143aa53ef364fd7dc9c52f5c9afa5c28b192a85bf21bde8c9ce5b2734

Download Submit
\Users\Admin\AppData\Local\Temp\zaiynxotnb.exe
Filesize
56KB

MD5
719833e92eaca21eb5ebce6c33157c89

SHA1
3aafc77c21ab150976d050a5ef9fc42a76b49774

SHA256
82fb77e7d9ad285f60bf9a742145790aa88646b409ee9057144c2c61359f7b4c

SHA512
9ec7633434b81b9842e2b5ffdea0ba1813ea30805bcba6ccede4ed8c10884e0af98dae2143aa53ef364fd7dc9c52f5c9afa5c28b192a85bf21bde8c9ce5b2734

Download Submit
\Users\Admin\AppData\Local\Temp\zaiynxotnb.exe
Filesize
56KB

MD5
719833e92eaca21eb5ebce6c33157c89

SHA1
3aafc77c21ab150976d050a5ef9fc42a76b49774

SHA256
82fb77e7d9ad285f60bf9a742145790aa88646b409ee9057144c2c61359f7b4c

SHA512
9ec7633434b81b9842e2b5ffdea0ba1813ea30805bcba6ccede4ed8c10884e0af98dae2143aa53ef364fd7dc9c52f5c9afa5c28b192a85bf21bde8c9ce5b2734

Download Submit
\Users\Admin\AppData\Local\Temp\zaiynxotnb.exe
Filesize
56KB

MD5
719833e92eaca21eb5ebce6c33157c89

SHA1
3aafc77c21ab150976d050a5ef9fc42a76b49774

SHA256
82fb77e7d9ad285f60bf9a742145790aa88646b409ee9057144c2c61359f7b4c

SHA512
9ec7633434b81b9842e2b5ffdea0ba1813ea30805bcba6ccede4ed8c10884e0af98dae2143aa53ef364fd7dc9c52f5c9afa5c28b192a85bf21bde8c9ce5b2734

Download Submit
\Users\Admin\AppData\Local\Temp\zaiynxotnb.exe
Filesize
56KB

MD5
719833e92eaca21eb5ebce6c33157c89

SHA1
3aafc77c21ab150976d050a5ef9fc42a76b49774

SHA256
82fb77e7d9ad285f60bf9a742145790aa88646b409ee9057144c2c61359f7b4c

SHA512
9ec7633434b81b9842e2b5ffdea0ba1813ea30805bcba6ccede4ed8c10884e0af98dae2143aa53ef364fd7dc9c52f5c9afa5c28b192a85bf21bde8c9ce5b2734

Download Submit
memory/956-68-0x0000000000000000-mapping.dmp

Download
memory/992-80-0x0000000000290000-0x0000000000384000-memory.dmp

Filesize
976KB

Download
memory/992-81-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/992-82-0x0000000002360000-0x0000000002663000-memory.dmp

Filesize
3.0MB

Download
memory/992-85-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/992-83-0x0000000001FA0000-0x000000000202F000-memory.dmp

Filesize
572KB

Download
memory/992-78-0x0000000000000000-mapping.dmp

Download
memory/1144-59-0x0000000000000000-mapping.dmp

Download
memory/1396-77-0x0000000006C80000-0x0000000006DEA000-memory.dmp

Filesize
1.4MB

Download
memory/1396-86-0x00000000065A0000-0x00000000066AC000-memory.dmp

Filesize
1.0MB

Download
memory/1396-84-0x00000000065A0000-0x00000000066AC000-memory.dmp

Filesize
1.0MB

Download
memory/1456-54-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download
memory/1796-66-0x00000000004012B0-mapping.dmp

Download
memory/1796-76-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/1796-75-0x0000000000930000-0x0000000000C33000-memory.dmp

Filesize
3.0MB

Download
memory/1796-74-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download