formbook | c67e6090d84532946ce00c79f918ea4733cd96b9ccb5dab54c0e0e2eeafb9cf9

General

Target

Purchase_Order.exe
Size

460KB
MD5

3b5056e4430804872a253c034ac9ca47
SHA1

2b0942b8aa1615a5d8c61326a3c88fa4d0658e09
SHA256

f468e0e25debea49005582be9279616ee2f100a73cbedaaecebdc210a5515102
SHA512

993b3511e6fa766b85418b2fc69ab921f8a51f377b3ca6a6caf818eaea9e6e90f26135c5dd89d76676b743d75f99a6d0d9c98942d16c522133e629a1484af3c3
SSDEEP

6144:j246z2kJ7ZM3X2a2gIi9pGB9o2L3v+1LqtOLzqTEogLXax:j246zrTMqi9EB9oU21LqtrETX

Score

10^/10

formbook i65a rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

i65a

Decoy

r00zzvD9uoqMkFT8XDSqPg==

iSMQDJ3Tyuj8KXflBw==

Gq+tYoFrGU/5B4gGNnzHNg==

wEwcynSwpynZKUFhqyIK

bw3PbrjowhAVJA==

TggEt9LuwhAVJA==

r0UqC6sxgcWN7vc=

0m+fwBgf0oyehByUtx51BsBkuj8=

dhtdWWyIhRatp2dpv8tPcJoQ

jTAw4/4TCwcXjpECXDSqPg==

aglx4nPPkGp/raeivGVOfzdbFIu4

+qXr4cAGtQJm7Mf6

sU2Dc4ySSKZJc2/L32pFRrq+NgA0Yi8=

E6ohOo2zadVgzLIfaWALaik=

wXwu0yo/KbNm7Mf6

EcoyojCJYKg1laCuBK+exkNbFIu4

bhZgFvj6yP+R4F+0/5S/oFMpAA==

rzlylCB1NIMabG2dzGQd

+5ngCKjwwhAVJA==

AMUtZrYh+0LPL/QyfSo=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Loads dropped DLL 1 IoCs

Processes:

wuapp.exe

pid process

944 wuapp.exe

pid	process
944	wuapp.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Purchase_Order.exeregsvcs.exewuapp.exe

description	pid	process	target process
PID 1228 set thread context of 1524	1228	Purchase_Order.exe	regsvcs.exe
PID 1524 set thread context of 1212	1524	regsvcs.exe	Explorer.EXE
PID 944 set thread context of 1212	944	wuapp.exe	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

wuapp.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	wuapp.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

Purchase_Order.exeregsvcs.exewuapp.exe

pid	process
1228	Purchase_Order.exe
1524	regsvcs.exe
1524	regsvcs.exe
1524	regsvcs.exe
1524	regsvcs.exe
944	wuapp.exe
944	wuapp.exe
944	wuapp.exe
944	wuapp.exe
944	wuapp.exe
944	wuapp.exe
944	wuapp.exe
944	wuapp.exe
944	wuapp.exe
944	wuapp.exe
944	wuapp.exe
944	wuapp.exe
944	wuapp.exe
944	wuapp.exe
944	wuapp.exe
944	wuapp.exe
944	wuapp.exe
944	wuapp.exe
944	wuapp.exe
944	wuapp.exe
944	wuapp.exe
944	wuapp.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

regsvcs.exewuapp.exe

pid process

1524 regsvcs.exe
1524 regsvcs.exe
1524 regsvcs.exe
944 wuapp.exe
944 wuapp.exe
944 wuapp.exe
944 wuapp.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Purchase_Order.exeregsvcs.exewuapp.exe

description pid process

Token: SeDebugPrivilege 1228 Purchase_Order.exe
Token: SeDebugPrivilege 1524 regsvcs.exe
Token: SeDebugPrivilege 944 wuapp.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1212 Explorer.EXE
1212 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1212 Explorer.EXE
1212 Explorer.EXE

pid	process
1524	regsvcs.exe
1524	regsvcs.exe
1524	regsvcs.exe
944	wuapp.exe
944	wuapp.exe
944	wuapp.exe
944	wuapp.exe

description	pid	process
Token: SeDebugPrivilege	1228	Purchase_Order.exe
Token: SeDebugPrivilege	1524	regsvcs.exe
Token: SeDebugPrivilege	944	wuapp.exe

pid	process
1212	Explorer.EXE
1212	Explorer.EXE

pid	process
1212	Explorer.EXE
1212	Explorer.EXE

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

Purchase_Order.exeExplorer.EXEwuapp.exe

description	pid	process	target process
PID 1228 wrote to memory of 1608	1228	Purchase_Order.exe	regsvcs.exe
PID 1228 wrote to memory of 1608	1228	Purchase_Order.exe	regsvcs.exe
PID 1228 wrote to memory of 1608	1228	Purchase_Order.exe	regsvcs.exe
PID 1228 wrote to memory of 1608	1228	Purchase_Order.exe	regsvcs.exe
PID 1228 wrote to memory of 1608	1228	Purchase_Order.exe	regsvcs.exe
PID 1228 wrote to memory of 1608	1228	Purchase_Order.exe	regsvcs.exe
PID 1228 wrote to memory of 1608	1228	Purchase_Order.exe	regsvcs.exe
PID 1228 wrote to memory of 1524	1228	Purchase_Order.exe	regsvcs.exe
PID 1228 wrote to memory of 1524	1228	Purchase_Order.exe	regsvcs.exe
PID 1228 wrote to memory of 1524	1228	Purchase_Order.exe	regsvcs.exe
PID 1228 wrote to memory of 1524	1228	Purchase_Order.exe	regsvcs.exe
PID 1228 wrote to memory of 1524	1228	Purchase_Order.exe	regsvcs.exe
PID 1228 wrote to memory of 1524	1228	Purchase_Order.exe	regsvcs.exe
PID 1228 wrote to memory of 1524	1228	Purchase_Order.exe	regsvcs.exe
PID 1228 wrote to memory of 1524	1228	Purchase_Order.exe	regsvcs.exe
PID 1228 wrote to memory of 1524	1228	Purchase_Order.exe	regsvcs.exe
PID 1228 wrote to memory of 1524	1228	Purchase_Order.exe	regsvcs.exe
PID 1212 wrote to memory of 944	1212	Explorer.EXE	wuapp.exe
PID 1212 wrote to memory of 944	1212	Explorer.EXE	wuapp.exe
PID 1212 wrote to memory of 944	1212	Explorer.EXE	wuapp.exe
PID 1212 wrote to memory of 944	1212	Explorer.EXE	wuapp.exe
PID 1212 wrote to memory of 944	1212	Explorer.EXE	wuapp.exe
PID 1212 wrote to memory of 944	1212	Explorer.EXE	wuapp.exe
PID 1212 wrote to memory of 944	1212	Explorer.EXE	wuapp.exe
PID 944 wrote to memory of 1128	944	wuapp.exe	Firefox.exe
PID 944 wrote to memory of 1128	944	wuapp.exe	Firefox.exe
PID 944 wrote to memory of 1128	944	wuapp.exe	Firefox.exe
PID 944 wrote to memory of 1128	944	wuapp.exe	Firefox.exe
PID 944 wrote to memory of 1128	944	wuapp.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1212

C:\Users\Admin\AppData\Local\Temp\Purchase_Order.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase_Order.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1228

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
3⤵
PID:1608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:756

C:\Windows\SysWOW64\wuapp.exe
"C:\Windows\SysWOW64\wuapp.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:944

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1128

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
837KB

MD5
e1b58e0aa1b377a1d0e940660ad1ace1

SHA1
5afc7291b26855b1252b26381ebc85ed3cca218f

SHA256
1b98c006231d38524e2278a474c49274fe42e0bb1a31bcfda02e6e32f559b777

SHA512
9ce778bcb586638662b090910c4ceab3b64e16dfaf905a7581c1d349fecdf186995b3cc0dc8c6fc6e9761ea2831d7b14ac1619c2bd5ebc6d18015842e5d94aa2

Download Submit
memory/944-77-0x0000000075561000-0x0000000075563000-memory.dmp

Filesize
8KB

Download
memory/944-72-0x0000000000C70000-0x0000000000C7B000-memory.dmp

Filesize
44KB

Download
memory/944-75-0x0000000000940000-0x00000000009CF000-memory.dmp

Filesize
572KB

Download
memory/944-74-0x0000000000090000-0x00000000000BD000-memory.dmp

Filesize
180KB

Download
memory/944-73-0x0000000002080000-0x0000000002383000-memory.dmp

Filesize
3.0MB

Download
memory/944-69-0x0000000000000000-mapping.dmp

Download
memory/1212-78-0x0000000005EC0000-0x0000000005FBA000-memory.dmp

Filesize
1000KB

Download
memory/1212-76-0x0000000005EC0000-0x0000000005FBA000-memory.dmp

Filesize
1000KB

Download
memory/1212-68-0x0000000005CE0000-0x0000000005DDE000-memory.dmp

Filesize
1016KB

Download
memory/1228-56-0x0000000000390000-0x0000000000398000-memory.dmp

Filesize
32KB

Download
memory/1228-55-0x0000000000280000-0x000000000028C000-memory.dmp

Filesize
48KB

Download
memory/1228-54-0x0000000001380000-0x00000000013F6000-memory.dmp

Filesize
472KB

Download
memory/1524-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1524-70-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1524-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1524-67-0x0000000000130000-0x0000000000140000-memory.dmp

Filesize
64KB

Download
memory/1524-66-0x0000000000A20000-0x0000000000D23000-memory.dmp

Filesize
3.0MB

Download
memory/1524-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1524-64-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1524-61-0x00000000004012B0-mapping.dmp

Download
memory/1524-58-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1524-57-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads