formbook | 764a3d3a0444a7bafb816a39624a5e2ae85c0465f5d13c63dd6fda04a35696de

General

Target

764a3d3a0444a7bafb816a39624a5e2ae85c0465f5d13c63dd6fda04a35696de.exe
Size

865KB
MD5

6cec68a114c5819a40c4b2d5fcf842da
SHA1

96d986f3ee7b4e8df59868337621d282ece89474
SHA256

764a3d3a0444a7bafb816a39624a5e2ae85c0465f5d13c63dd6fda04a35696de
SHA512

58265c58039a514d7cd888c612a15ea1073ad209cf72627aa20b11f0a53351d42bf6a5a01860da5c22036e38fe17ec5f00d914f29992b9a062d7958556688341
SSDEEP

12288:+UxjsqTpr6h76xNUNpkUmVhzKMJBjUwkBrjXr5dsAjPJc:1pTlr6d6QTkpVJ9TYwoTs

Score

10^/10

formbook tbgn rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

tbgn

Decoy

72uabkWDao+ISa9+tnvd8g==

iHmPX6PZRe2+KUpH8bvyQ68=

DDZrOvw0IT/2cK9sgmSn5Q==

c9nixBxRvLxNBkHR/Q==

Ms/6ydhGJCsp8F8rmWeBMbg=

9vwtEc/074RPygwVx3vJk1Sj6nRnFQ==

3Xy/qN8agnyJQpliwmSqtMLvdQ==

4YelbYl+4fT6sSYguZ3Lhh+rSJQ=

3HSghdAThh2rZPMKqkifKesnqu9orLE=

zwA5DmqaB+VyYuw=

JcUFx6bdrcZbFjWu4rL4

IL7z2C5vtEdYBx/NAYE=

H4+ggrrmXwTFTain36T5

IBEn7UyPK8eER+id9w==

j7LfxdFDOWJlInsaWRhTRMXjLpByHw==

gBsrBXWAXWg9MqYDIug0G+l2k9gQ

432wiJgA7Ox7OsNDexmDtMLvdQ==

fJzoyChf4PQCtyIny2K6jQsBLpByHw==

gLTzwFJTKj3Pds0HC83YDd4h

EKPToXy2sdR1J4bau1KqkwsBLpByHw==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1760 set thread context of 596	1760	764a3d3a0444a7bafb816a39624a5e2ae85c0465f5d13c63dd6fda04a35696de.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1656	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1760	764a3d3a0444a7bafb816a39624a5e2ae85c0465f5d13c63dd6fda04a35696de.exe
1408	powershell.exe
596	764a3d3a0444a7bafb816a39624a5e2ae85c0465f5d13c63dd6fda04a35696de.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1760	764a3d3a0444a7bafb816a39624a5e2ae85c0465f5d13c63dd6fda04a35696de.exe
Token: SeDebugPrivilege	1408	powershell.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 1408	1760	764a3d3a0444a7bafb816a39624a5e2ae85c0465f5d13c63dd6fda04a35696de.exe	27
PID 1760 wrote to memory of 1408	1760	764a3d3a0444a7bafb816a39624a5e2ae85c0465f5d13c63dd6fda04a35696de.exe	27
PID 1760 wrote to memory of 1408	1760	764a3d3a0444a7bafb816a39624a5e2ae85c0465f5d13c63dd6fda04a35696de.exe	27
PID 1760 wrote to memory of 1408	1760	764a3d3a0444a7bafb816a39624a5e2ae85c0465f5d13c63dd6fda04a35696de.exe	27
PID 1760 wrote to memory of 1656	1760	764a3d3a0444a7bafb816a39624a5e2ae85c0465f5d13c63dd6fda04a35696de.exe	29
PID 1760 wrote to memory of 1656	1760	764a3d3a0444a7bafb816a39624a5e2ae85c0465f5d13c63dd6fda04a35696de.exe	29
PID 1760 wrote to memory of 1656	1760	764a3d3a0444a7bafb816a39624a5e2ae85c0465f5d13c63dd6fda04a35696de.exe	29
PID 1760 wrote to memory of 1656	1760	764a3d3a0444a7bafb816a39624a5e2ae85c0465f5d13c63dd6fda04a35696de.exe	29
PID 1760 wrote to memory of 1812	1760	764a3d3a0444a7bafb816a39624a5e2ae85c0465f5d13c63dd6fda04a35696de.exe	31
PID 1760 wrote to memory of 1812	1760	764a3d3a0444a7bafb816a39624a5e2ae85c0465f5d13c63dd6fda04a35696de.exe	31
PID 1760 wrote to memory of 1812	1760	764a3d3a0444a7bafb816a39624a5e2ae85c0465f5d13c63dd6fda04a35696de.exe	31
PID 1760 wrote to memory of 1812	1760	764a3d3a0444a7bafb816a39624a5e2ae85c0465f5d13c63dd6fda04a35696de.exe	31
PID 1760 wrote to memory of 596	1760	764a3d3a0444a7bafb816a39624a5e2ae85c0465f5d13c63dd6fda04a35696de.exe	32
PID 1760 wrote to memory of 596	1760	764a3d3a0444a7bafb816a39624a5e2ae85c0465f5d13c63dd6fda04a35696de.exe	32
PID 1760 wrote to memory of 596	1760	764a3d3a0444a7bafb816a39624a5e2ae85c0465f5d13c63dd6fda04a35696de.exe	32
PID 1760 wrote to memory of 596	1760	764a3d3a0444a7bafb816a39624a5e2ae85c0465f5d13c63dd6fda04a35696de.exe	32
PID 1760 wrote to memory of 596	1760	764a3d3a0444a7bafb816a39624a5e2ae85c0465f5d13c63dd6fda04a35696de.exe	32
PID 1760 wrote to memory of 596	1760	764a3d3a0444a7bafb816a39624a5e2ae85c0465f5d13c63dd6fda04a35696de.exe	32
PID 1760 wrote to memory of 596	1760	764a3d3a0444a7bafb816a39624a5e2ae85c0465f5d13c63dd6fda04a35696de.exe	32

C:\Users\Admin\AppData\Local\Temp\764a3d3a0444a7bafb816a39624a5e2ae85c0465f5d13c63dd6fda04a35696de.exe
"C:\Users\Admin\AppData\Local\Temp\764a3d3a0444a7bafb816a39624a5e2ae85c0465f5d13c63dd6fda04a35696de.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\plcEFkzTfF.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1408
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\plcEFkzTfF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEBA7.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1656
- C:\Users\Admin\AppData\Local\Temp\764a3d3a0444a7bafb816a39624a5e2ae85c0465f5d13c63dd6fda04a35696de.exe
  "C:\Users\Admin\AppData\Local\Temp\764a3d3a0444a7bafb816a39624a5e2ae85c0465f5d13c63dd6fda04a35696de.exe"
  2⤵
  PID:1812
- C:\Users\Admin\AppData\Local\Temp\764a3d3a0444a7bafb816a39624a5e2ae85c0465f5d13c63dd6fda04a35696de.exe
  "C:\Users\Admin\AppData\Local\Temp\764a3d3a0444a7bafb816a39624a5e2ae85c0465f5d13c63dd6fda04a35696de.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpEBA7.tmp

Filesize
1KB

MD5
2abb69fc0ed2f136a2d765ec94d4b60d

SHA1
75faa396ac5957b2e65a021e3ea694571d64b370

SHA256
7b241b4753e38f3da89e23192776d3c6ca5a7465a1cb7399c5405c2eb7c6e6a7

SHA512
a073644f37486a868e058a6b41e60822996ca4abd35d9f7a3274aac2c002d8863000dfca774b49e2f5d0b79c5ebe94b0422bbd1f5ac3e7a54a4c048dde10652e

Download Submit
memory/596-72-0x0000000000910000-0x0000000000C13000-memory.dmp

Filesize
3.0MB

Download
memory/596-71-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/596-70-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/596-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/596-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/596-67-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1408-74-0x000000006E310000-0x000000006E8BB000-memory.dmp

Filesize
5.7MB

Download
memory/1408-73-0x000000006E310000-0x000000006E8BB000-memory.dmp

Filesize
5.7MB

Download
memory/1760-58-0x0000000007C70000-0x0000000007CFE000-memory.dmp

Filesize
568KB

Download
memory/1760-63-0x00000000050C0000-0x00000000050F4000-memory.dmp

Filesize
208KB

Download
memory/1760-54-0x0000000000230000-0x000000000030E000-memory.dmp

Filesize
888KB

Download
memory/1760-57-0x0000000000710000-0x000000000071C000-memory.dmp

Filesize
48KB

Download
memory/1760-56-0x0000000000500000-0x000000000051A000-memory.dmp

Filesize
104KB

Download
memory/1760-55-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads