formbook | 3b56d7fd728103d3269e18e272e22d521d7c6c2304a2665217b1000631dded9d

Analysis

max time kernel
181s
max time network
187s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-10-2022 07:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TDD500000000000000000000000000000000000000.exe
Size

713KB
MD5

813890550ca56d37b0a986bf8cdde0b1
SHA1

88c1c4caca723a71c3f308fc8d66a44eb4a0230f
SHA256

3b56d7fd728103d3269e18e272e22d521d7c6c2304a2665217b1000631dded9d
SHA512

b29a49c5a17c2e91eeeb07816f39b0445a638452dde9841762c6a6130ee357320183f3cd68a299dc31f534d6c5dcf8839218fdbf49aca8a51d49bc4a247043e7
SSDEEP

12288:8ToPWBv/cpGrU3yH7mtstmTHIoELSbcV1W4WdV0zJPx:8TbBv5rUsmymTo7LSYxPx

Score

10^/10

formbook qqci rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

qqci

Decoy

QetTqZClp7wFVN7CUjvCiA==

3ZTYDLbtEiw+OynhJ9HGmQ==

ZyJunbSaaekF

OOwyczoCsSvKuI0H

S/FAZYtKY2vVzCc5qIiU

axVWijjhaCVDmZpGTt3RUxGrgZIZjcapEw==

1oHQ73CAnJntuX8=

Huo0LA3V+0JZHgONI/JPQ8UJ

BKzl63IkrnSA5W41XFM=

yoHbAS7smafIszYSGkQ=

iTyFttfzdTBbmGkOV67Mjg==

KcwIME5r+IeTEv+4PVTMOV2tqTzT3w==

FLXq6sZddO4Fm4VR95ScwqT66yI=

u2SjgGoNCB0lHuGBpskelaT66yI=

0YrQwnYjYNF2v3sQ

l0O9vrjpiyM91b54/JPPguMe

P+BLw9L68iIY

AZQeZo+7cXLIRN2gtg==

K94UQ2snUJC3gl45qIiU

vlewBydLxlB05sOKHzbPguMe

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 1 IoCs

Processes:

frqcewggrhw.exe

pid process

1184 frqcewggrhw.exe

pid	process
1184	frqcewggrhw.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

frqcewggrhw.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\International\Geo\Nation	frqcewggrhw.exe

Loads dropped DLL 12 IoCs

Processes:

TDD500000000000000000000000000000000000000.exefrqcewggrhw.exefrqcewggrhw.exeWerFault.exewuapp.exe

pid	process
888	TDD500000000000000000000000000000000000000.exe
888	TDD500000000000000000000000000000000000000.exe
888	TDD500000000000000000000000000000000000000.exe
888	TDD500000000000000000000000000000000000000.exe
1184	frqcewggrhw.exe
2044	frqcewggrhw.exe
2000	WerFault.exe
2000	WerFault.exe
2000	WerFault.exe
2000	WerFault.exe
2000	WerFault.exe
1904	wuapp.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

frqcewggrhw.exefrqcewggrhw.exewuapp.exe

description	pid	process	target process
PID 1184 set thread context of 2044	1184	frqcewggrhw.exe	frqcewggrhw.exe
PID 2044 set thread context of 1244	2044	frqcewggrhw.exe	Explorer.EXE
PID 1904 set thread context of 1244	1904	wuapp.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2000 1184 WerFault.exe frqcewggrhw.exe

pid	pid_target	process	target process
2000	1184	WerFault.exe	frqcewggrhw.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

wuapp.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	wuapp.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

frqcewggrhw.exewuapp.exe

pid	process
2044	frqcewggrhw.exe
2044	frqcewggrhw.exe
2044	frqcewggrhw.exe
2044	frqcewggrhw.exe
1904	wuapp.exe
1904	wuapp.exe
1904	wuapp.exe
1904	wuapp.exe
1904	wuapp.exe
1904	wuapp.exe
1904	wuapp.exe
1904	wuapp.exe
1904	wuapp.exe
1904	wuapp.exe
1904	wuapp.exe
1904	wuapp.exe
1904	wuapp.exe
1904	wuapp.exe
1904	wuapp.exe
1904	wuapp.exe
1904	wuapp.exe
1904	wuapp.exe
1904	wuapp.exe
1904	wuapp.exe
1904	wuapp.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

frqcewggrhw.exewuapp.exe

pid process

2044 frqcewggrhw.exe
2044 frqcewggrhw.exe
2044 frqcewggrhw.exe
1904 wuapp.exe
1904 wuapp.exe
1904 wuapp.exe
1904 wuapp.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

frqcewggrhw.exeExplorer.EXEwuapp.exe

description pid process

Token: SeDebugPrivilege 2044 frqcewggrhw.exe
Token: SeShutdownPrivilege 1244 Explorer.EXE
Token: SeDebugPrivilege 1904 wuapp.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1244 Explorer.EXE
1244 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1244 Explorer.EXE
1244 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	2044	frqcewggrhw.exe
Token: SeShutdownPrivilege	1244	Explorer.EXE
Token: SeDebugPrivilege	1904	wuapp.exe

pid	process
1244	Explorer.EXE
1244	Explorer.EXE

pid	process
1244	Explorer.EXE
1244	Explorer.EXE

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

TDD500000000000000000000000000000000000000.exefrqcewggrhw.exeExplorer.EXEwuapp.exe

description	pid	process	target process
PID 888 wrote to memory of 1184	888	TDD500000000000000000000000000000000000000.exe	frqcewggrhw.exe
PID 888 wrote to memory of 1184	888	TDD500000000000000000000000000000000000000.exe	frqcewggrhw.exe
PID 888 wrote to memory of 1184	888	TDD500000000000000000000000000000000000000.exe	frqcewggrhw.exe
PID 888 wrote to memory of 1184	888	TDD500000000000000000000000000000000000000.exe	frqcewggrhw.exe
PID 1184 wrote to memory of 2044	1184	frqcewggrhw.exe	frqcewggrhw.exe
PID 1184 wrote to memory of 2044	1184	frqcewggrhw.exe	frqcewggrhw.exe
PID 1184 wrote to memory of 2044	1184	frqcewggrhw.exe	frqcewggrhw.exe
PID 1184 wrote to memory of 2044	1184	frqcewggrhw.exe	frqcewggrhw.exe
PID 1184 wrote to memory of 2044	1184	frqcewggrhw.exe	frqcewggrhw.exe
PID 1184 wrote to memory of 2000	1184	frqcewggrhw.exe	WerFault.exe
PID 1184 wrote to memory of 2000	1184	frqcewggrhw.exe	WerFault.exe
PID 1184 wrote to memory of 2000	1184	frqcewggrhw.exe	WerFault.exe
PID 1184 wrote to memory of 2000	1184	frqcewggrhw.exe	WerFault.exe
PID 1244 wrote to memory of 1904	1244	Explorer.EXE	wuapp.exe
PID 1244 wrote to memory of 1904	1244	Explorer.EXE	wuapp.exe
PID 1244 wrote to memory of 1904	1244	Explorer.EXE	wuapp.exe
PID 1244 wrote to memory of 1904	1244	Explorer.EXE	wuapp.exe
PID 1244 wrote to memory of 1904	1244	Explorer.EXE	wuapp.exe
PID 1244 wrote to memory of 1904	1244	Explorer.EXE	wuapp.exe
PID 1244 wrote to memory of 1904	1244	Explorer.EXE	wuapp.exe
PID 1904 wrote to memory of 972	1904	wuapp.exe	Firefox.exe
PID 1904 wrote to memory of 972	1904	wuapp.exe	Firefox.exe
PID 1904 wrote to memory of 972	1904	wuapp.exe	Firefox.exe
PID 1904 wrote to memory of 972	1904	wuapp.exe	Firefox.exe
PID 1904 wrote to memory of 972	1904	wuapp.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1244

C:\Users\Admin\AppData\Local\Temp\TDD500000000000000000000000000000000000000.exe
"C:\Users\Admin\AppData\Local\Temp\TDD500000000000000000000000000000000000000.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:888

C:\Users\Admin\AppData\Local\Temp\frqcewggrhw.exe
"C:\Users\Admin\AppData\Local\Temp\frqcewggrhw.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1184

C:\Users\Admin\AppData\Local\Temp\frqcewggrhw.exe
"C:\Users\Admin\AppData\Local\Temp\frqcewggrhw.exe"
4⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1184 -s 244
4⤵
- Loads dropped DLL
- Program crash
PID:2000

C:\Windows\SysWOW64\wuapp.exe
"C:\Windows\SysWOW64\wuapp.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1904

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:972

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\frqcewggrhw.exe
Filesize
56KB

MD5
d0e90c275950aa6655921911057a9b8e

SHA1
56f2a2c421510e2772edee874e146196a5409597

SHA256
ff1bc96bcef0db6b933fefa041e8e38fbec9192d4ea53b309e5ba95ffb8b1ec8

SHA512
486fcfc96b28e20b6532fdf5ef6a986f25a3729b2c5331fd09291f999f841e820a52302ff3ff612873414aa683176b942eadac5c35605f70d7f7d9ed736df549

Download Submit
C:\Users\Admin\AppData\Local\Temp\frqcewggrhw.exe
Filesize
56KB

MD5
d0e90c275950aa6655921911057a9b8e

SHA1
56f2a2c421510e2772edee874e146196a5409597

SHA256
ff1bc96bcef0db6b933fefa041e8e38fbec9192d4ea53b309e5ba95ffb8b1ec8

SHA512
486fcfc96b28e20b6532fdf5ef6a986f25a3729b2c5331fd09291f999f841e820a52302ff3ff612873414aa683176b942eadac5c35605f70d7f7d9ed736df549

Download Submit
C:\Users\Admin\AppData\Local\Temp\frqcewggrhw.exe
Filesize
56KB

MD5
d0e90c275950aa6655921911057a9b8e

SHA1
56f2a2c421510e2772edee874e146196a5409597

SHA256
ff1bc96bcef0db6b933fefa041e8e38fbec9192d4ea53b309e5ba95ffb8b1ec8

SHA512
486fcfc96b28e20b6532fdf5ef6a986f25a3729b2c5331fd09291f999f841e820a52302ff3ff612873414aa683176b942eadac5c35605f70d7f7d9ed736df549

Download Submit
C:\Users\Admin\AppData\Local\Temp\qnzrnm.mwx
Filesize
4KB

MD5
54c2259abdb49f848bdba460ed858024

SHA1
7e655cb9bda0b43fc00e60615a3a87582f2c55f8

SHA256
2998820c59e87763d0106ff04418db0ddd5623590dd97f5e9de4ad42bc7c6148

SHA512
6a317219345a48639912dfa4d080f22e2d070f7c3d2f286dc38414b91ede67ca421d8fa29e65f7fbd019ba2ce0dd92cca4fa6bd4346f6d15909b5e8e0b1cf9f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\wxqklo.lgy
Filesize
185KB

MD5
5a21846043f65aeaab1a75e456fea017

SHA1
29af7fc55f4e3e3a98f4f298c062dab4f4c3ad47

SHA256
af680a037c85b1bff053ad6a4d5b4bf919fcd55230f0cd719a2a473c4ffe2f92

SHA512
d7dbb860b99dc34a2156934277fce9507cae2b59da2e2eb06d61c60001610dfebc189e2ce4e9fe491b05e4f0ce9225142b8849a26b0a12b27c612c230bb97738

Download Submit
\Users\Admin\AppData\Local\Temp\frqcewggrhw.exe
Filesize
56KB

MD5
d0e90c275950aa6655921911057a9b8e

SHA1
56f2a2c421510e2772edee874e146196a5409597

SHA256
ff1bc96bcef0db6b933fefa041e8e38fbec9192d4ea53b309e5ba95ffb8b1ec8

SHA512
486fcfc96b28e20b6532fdf5ef6a986f25a3729b2c5331fd09291f999f841e820a52302ff3ff612873414aa683176b942eadac5c35605f70d7f7d9ed736df549

Download Submit
\Users\Admin\AppData\Local\Temp\frqcewggrhw.exe
Filesize
56KB

MD5
d0e90c275950aa6655921911057a9b8e

SHA1
56f2a2c421510e2772edee874e146196a5409597

SHA256
ff1bc96bcef0db6b933fefa041e8e38fbec9192d4ea53b309e5ba95ffb8b1ec8

SHA512
486fcfc96b28e20b6532fdf5ef6a986f25a3729b2c5331fd09291f999f841e820a52302ff3ff612873414aa683176b942eadac5c35605f70d7f7d9ed736df549

Download Submit
\Users\Admin\AppData\Local\Temp\frqcewggrhw.exe
Filesize
56KB

MD5
d0e90c275950aa6655921911057a9b8e

SHA1
56f2a2c421510e2772edee874e146196a5409597

SHA256
ff1bc96bcef0db6b933fefa041e8e38fbec9192d4ea53b309e5ba95ffb8b1ec8

SHA512
486fcfc96b28e20b6532fdf5ef6a986f25a3729b2c5331fd09291f999f841e820a52302ff3ff612873414aa683176b942eadac5c35605f70d7f7d9ed736df549

Download Submit
\Users\Admin\AppData\Local\Temp\frqcewggrhw.exe
Filesize
56KB

MD5
d0e90c275950aa6655921911057a9b8e

SHA1
56f2a2c421510e2772edee874e146196a5409597

SHA256
ff1bc96bcef0db6b933fefa041e8e38fbec9192d4ea53b309e5ba95ffb8b1ec8

SHA512
486fcfc96b28e20b6532fdf5ef6a986f25a3729b2c5331fd09291f999f841e820a52302ff3ff612873414aa683176b942eadac5c35605f70d7f7d9ed736df549

Download Submit
\Users\Admin\AppData\Local\Temp\frqcewggrhw.exe
Filesize
56KB

MD5
d0e90c275950aa6655921911057a9b8e

SHA1
56f2a2c421510e2772edee874e146196a5409597

SHA256
ff1bc96bcef0db6b933fefa041e8e38fbec9192d4ea53b309e5ba95ffb8b1ec8

SHA512
486fcfc96b28e20b6532fdf5ef6a986f25a3729b2c5331fd09291f999f841e820a52302ff3ff612873414aa683176b942eadac5c35605f70d7f7d9ed736df549

Download Submit
\Users\Admin\AppData\Local\Temp\frqcewggrhw.exe
Filesize
56KB

MD5
d0e90c275950aa6655921911057a9b8e

SHA1
56f2a2c421510e2772edee874e146196a5409597

SHA256
ff1bc96bcef0db6b933fefa041e8e38fbec9192d4ea53b309e5ba95ffb8b1ec8

SHA512
486fcfc96b28e20b6532fdf5ef6a986f25a3729b2c5331fd09291f999f841e820a52302ff3ff612873414aa683176b942eadac5c35605f70d7f7d9ed736df549

Download Submit
\Users\Admin\AppData\Local\Temp\frqcewggrhw.exe
Filesize
56KB

MD5
d0e90c275950aa6655921911057a9b8e

SHA1
56f2a2c421510e2772edee874e146196a5409597

SHA256
ff1bc96bcef0db6b933fefa041e8e38fbec9192d4ea53b309e5ba95ffb8b1ec8

SHA512
486fcfc96b28e20b6532fdf5ef6a986f25a3729b2c5331fd09291f999f841e820a52302ff3ff612873414aa683176b942eadac5c35605f70d7f7d9ed736df549

Download Submit
\Users\Admin\AppData\Local\Temp\frqcewggrhw.exe
Filesize
56KB

MD5
d0e90c275950aa6655921911057a9b8e

SHA1
56f2a2c421510e2772edee874e146196a5409597

SHA256
ff1bc96bcef0db6b933fefa041e8e38fbec9192d4ea53b309e5ba95ffb8b1ec8

SHA512
486fcfc96b28e20b6532fdf5ef6a986f25a3729b2c5331fd09291f999f841e820a52302ff3ff612873414aa683176b942eadac5c35605f70d7f7d9ed736df549

Download Submit
\Users\Admin\AppData\Local\Temp\frqcewggrhw.exe
Filesize
56KB

MD5
d0e90c275950aa6655921911057a9b8e

SHA1
56f2a2c421510e2772edee874e146196a5409597

SHA256
ff1bc96bcef0db6b933fefa041e8e38fbec9192d4ea53b309e5ba95ffb8b1ec8

SHA512
486fcfc96b28e20b6532fdf5ef6a986f25a3729b2c5331fd09291f999f841e820a52302ff3ff612873414aa683176b942eadac5c35605f70d7f7d9ed736df549

Download Submit
\Users\Admin\AppData\Local\Temp\frqcewggrhw.exe
Filesize
56KB

MD5
d0e90c275950aa6655921911057a9b8e

SHA1
56f2a2c421510e2772edee874e146196a5409597

SHA256
ff1bc96bcef0db6b933fefa041e8e38fbec9192d4ea53b309e5ba95ffb8b1ec8

SHA512
486fcfc96b28e20b6532fdf5ef6a986f25a3729b2c5331fd09291f999f841e820a52302ff3ff612873414aa683176b942eadac5c35605f70d7f7d9ed736df549

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
910KB

MD5
d79258c5189103d69502eac786addb04

SHA1
f34b33681cfe8ce649218173a7f58b237821c1ef

SHA256
57d89a52061d70d87e40281f1196d53273f87860c4d707d667a8c7d9573da675

SHA512
da797f4dd1ad628aa4e8004b2e00b7c278facbc57a313f56b70dc8fcfbdb0050ea8b025b3475098223cce96ea53537d678273656d46c2d33d81b496d90da34b2

Download Submit
memory/888-54-0x0000000075021000-0x0000000075023000-memory.dmp

Filesize
8KB

Download
memory/1184-59-0x0000000000000000-mapping.dmp

Download
memory/1244-77-0x0000000006610000-0x0000000006754000-memory.dmp

Filesize
1.3MB

Download
memory/1244-86-0x0000000006C70000-0x0000000006D7D000-memory.dmp

Filesize
1.1MB

Download
memory/1244-83-0x0000000006C70000-0x0000000006D7D000-memory.dmp

Filesize
1.1MB

Download
memory/1904-80-0x0000000000090000-0x00000000000BD000-memory.dmp

Filesize
180KB

Download
memory/1904-78-0x0000000000000000-mapping.dmp

Download
memory/1904-79-0x0000000000950000-0x000000000095B000-memory.dmp

Filesize
44KB

Download
memory/1904-81-0x0000000002030000-0x0000000002333000-memory.dmp

Filesize
3.0MB

Download
memory/1904-82-0x0000000001D60000-0x0000000001DEF000-memory.dmp

Filesize
572KB

Download
memory/1904-84-0x0000000000090000-0x00000000000BD000-memory.dmp

Filesize
180KB

Download
memory/2000-68-0x0000000000000000-mapping.dmp

Download
memory/2044-76-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/2044-75-0x0000000000850000-0x0000000000B53000-memory.dmp

Filesize
3.0MB

Download
memory/2044-74-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2044-66-0x00000000004012B0-mapping.dmp

Download