formbook | 6725025d1d3161a6fc010098879ef9cda0dd40a08f59283affd2deb2d5ef7b4b

General

Target

2022FHS0927.exe
Size

288KB
MD5

3d474b52e155bf6899882733f23c07c7
SHA1

faa8e7dafbd29de8562658e2b97fbafb481e2c6e
SHA256

6725025d1d3161a6fc010098879ef9cda0dd40a08f59283affd2deb2d5ef7b4b
SHA512

ebe25a70c00d71eaeea5193e015d4f60340ff46b4e59da799e2b4448411fa714ed7caf1fc9deeea3ffdd0a76a78fa7d1ecd472f8d4538cf4c5764b341d18064b
SSDEEP

6144:cNvlCluYxaCm8Gq3W2m4iFndd0j0LMp/3kSB:NaujmNFndKj0Lck

Score

10^/10

formbook i65a rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

i65a

Decoy

r00zzvD9uoqMkFT8XDSqPg==

iSMQDJ3Tyuj8KXflBw==

Gq+tYoFrGU/5B4gGNnzHNg==

wEwcynSwpynZKUFhqyIK

bw3PbrjowhAVJA==

TggEt9LuwhAVJA==

r0UqC6sxgcWN7vc=

0m+fwBgf0oyehByUtx51BsBkuj8=

dhtdWWyIhRatp2dpv8tPcJoQ

jTAw4/4TCwcXjpECXDSqPg==

aglx4nPPkGp/raeivGVOfzdbFIu4

+qXr4cAGtQJm7Mf6

sU2Dc4ySSKZJc2/L32pFRrq+NgA0Yi8=

E6ohOo2zadVgzLIfaWALaik=

wXwu0yo/KbNm7Mf6

EcoyojCJYKg1laCuBK+exkNbFIu4

bhZgFvj6yP+R4F+0/5S/oFMpAA==

rzlylCB1NIMabG2dzGQd

+5ngCKjwwhAVJA==

AMUtZrYh+0LPL/QyfSo=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

2022FHS0927.execvtres.exeipconfig.exe

description	pid	process	target process
PID 4384 set thread context of 4872	4384	2022FHS0927.exe	cvtres.exe
PID 4872 set thread context of 2740	4872	cvtres.exe	Explorer.EXE
PID 4844 set thread context of 2740	4844	ipconfig.exe	Explorer.EXE

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

4844 ipconfig.exe

pid	process
4844	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

ipconfig.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

2022FHS0927.execvtres.exeipconfig.exe

pid	process
4384	2022FHS0927.exe
4384	2022FHS0927.exe
4384	2022FHS0927.exe
4384	2022FHS0927.exe
4872	cvtres.exe
4872	cvtres.exe
4872	cvtres.exe
4872	cvtres.exe
4872	cvtres.exe
4872	cvtres.exe
4872	cvtres.exe
4872	cvtres.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2740 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

cvtres.exeipconfig.exe

pid process

4872 cvtres.exe
4872 cvtres.exe
4872 cvtres.exe
4844 ipconfig.exe
4844 ipconfig.exe
4844 ipconfig.exe
4844 ipconfig.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

2022FHS0927.execvtres.exeipconfig.exe

description pid process

Token: SeDebugPrivilege 4384 2022FHS0927.exe
Token: SeDebugPrivilege 4872 cvtres.exe
Token: SeDebugPrivilege 4844 ipconfig.exe

pid	process
2740	Explorer.EXE

pid	process
4872	cvtres.exe
4872	cvtres.exe
4872	cvtres.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe
4844	ipconfig.exe

description	pid	process
Token: SeDebugPrivilege	4384	2022FHS0927.exe
Token: SeDebugPrivilege	4872	cvtres.exe
Token: SeDebugPrivilege	4844	ipconfig.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

2022FHS0927.exeExplorer.EXEipconfig.exe

description	pid	process	target process
PID 4384 wrote to memory of 1580	4384	2022FHS0927.exe	cvtres.exe
PID 4384 wrote to memory of 1580	4384	2022FHS0927.exe	cvtres.exe
PID 4384 wrote to memory of 1580	4384	2022FHS0927.exe	cvtres.exe
PID 4384 wrote to memory of 4212	4384	2022FHS0927.exe	cvtres.exe
PID 4384 wrote to memory of 4212	4384	2022FHS0927.exe	cvtres.exe
PID 4384 wrote to memory of 4212	4384	2022FHS0927.exe	cvtres.exe
PID 4384 wrote to memory of 4872	4384	2022FHS0927.exe	cvtres.exe
PID 4384 wrote to memory of 4872	4384	2022FHS0927.exe	cvtres.exe
PID 4384 wrote to memory of 4872	4384	2022FHS0927.exe	cvtres.exe
PID 4384 wrote to memory of 4872	4384	2022FHS0927.exe	cvtres.exe
PID 4384 wrote to memory of 4872	4384	2022FHS0927.exe	cvtres.exe
PID 4384 wrote to memory of 4872	4384	2022FHS0927.exe	cvtres.exe
PID 2740 wrote to memory of 4844	2740	Explorer.EXE	ipconfig.exe
PID 2740 wrote to memory of 4844	2740	Explorer.EXE	ipconfig.exe
PID 2740 wrote to memory of 4844	2740	Explorer.EXE	ipconfig.exe
PID 4844 wrote to memory of 3824	4844	ipconfig.exe	Firefox.exe
PID 4844 wrote to memory of 3824	4844	ipconfig.exe	Firefox.exe
PID 4844 wrote to memory of 3824	4844	ipconfig.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2740

C:\Users\Admin\AppData\Local\Temp\2022FHS0927.exe
"C:\Users\Admin\AppData\Local\Temp\2022FHS0927.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
3⤵
PID:1580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
3⤵
PID:4212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4872

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4844

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:3824

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1580-133-0x0000000000000000-mapping.dmp

Download
memory/2740-151-0x0000000008670000-0x0000000008783000-memory.dmp

Filesize
1.1MB

Download
memory/2740-149-0x0000000008670000-0x0000000008783000-memory.dmp

Filesize
1.1MB

Download
memory/2740-143-0x0000000003660000-0x00000000037B3000-memory.dmp

Filesize
1.3MB

Download
memory/4212-134-0x0000000000000000-mapping.dmp

Download
memory/4384-132-0x0000000000870000-0x00000000008B8000-memory.dmp

Filesize
288KB

Download
memory/4844-145-0x0000000000C00000-0x0000000000C0B000-memory.dmp

Filesize
44KB

Download
memory/4844-150-0x00000000005A0000-0x00000000005CD000-memory.dmp

Filesize
180KB

Download
memory/4844-148-0x0000000000D10000-0x0000000000D9F000-memory.dmp

Filesize
572KB

Download
memory/4844-147-0x0000000001070000-0x00000000013BA000-memory.dmp

Filesize
3.3MB

Download
memory/4844-146-0x00000000005A0000-0x00000000005CD000-memory.dmp

Filesize
180KB

Download
memory/4844-144-0x0000000000000000-mapping.dmp

Download
memory/4872-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4872-142-0x0000000000DF0000-0x0000000000E00000-memory.dmp

Filesize
64KB

Download
memory/4872-141-0x0000000001370000-0x00000000016BA000-memory.dmp

Filesize
3.3MB

Download
memory/4872-140-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/4872-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4872-138-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4872-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads