formbook | 7eaf1a6ae44e94a0ec273a6d81953f18e74153c3754ca98a1c0d6a9b6db86a4e

General

Target

PO.exe
Size

874KB
MD5

82e39fd79e80fb9e2a5d1083db4649c2
SHA1

c0f5e1212746ea51b59d77ed7b18302c5ce76bcb
SHA256

735e6e491fcd3f5b9b0d678584298a2167a52b279dfc72f20ade5c48eb68587b
SHA512

f1f3e30c9fdd14c4771f931703dda252f68c9da93d4bec1e288a30de11f9cfe8e426785391d0c1b9e7b2d957b6ad10162a1153aa355170cf2cca0e6638b7313b
SSDEEP

12288:7xbkZK42iNC09uuRhIIVblRcDiLkR36xf8Dd4iMEpbADqjJ5nX8:7Q1Su/TNLkR3C8yMjrX

Score

10^/10

formbook r7cm rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

r7cm

Decoy

Aqo0+xUSgri27ldyZ1IaWBPkw2TbEQ==

ZP/9kCFZzmfUkIgyoIwLGN0oyTc0W48=

P7qnLdI7nN6gDmiHlXEhWMpEO1bq

kiQwcHqHlEJGQOj4

iVggF68HUwBY9PKDvfZn3A==

85Xs9wxBf2/YbUnFHEl+fc1rAg==

fhCkZ4mlBTh3+2ZcVz9EULpn

9oQEyAM7q6Vzd1r8I22h39m/faY=

gFymGrT7TLQCkGjkIfdyvStfDA==

Tca3AVmwHVB7f+7rLdF9iMg=

P74RFbEaU4ZMMOLcH8qN

89WjqBar7bhM

hWQ2NcoNYFDNclLkKdF9iMg=

87qLiitpbJ4q4w==

67iJmOzoR/xtC4284tK91gmbTHy5HwUt

4lhAfaucExf7HQR1vfZn3A==

aTp3x97xXGz4cqgmJg==

EqafII6PyzJ99xBztYoRSW5tFQ==

vUanrfkDKfpnG1+4LpY=

i0tqsoz0DcJA

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

PO.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation PO.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	PO.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

PO.exePO.exesvchost.exe

description	pid	process	target process
PID 4776 set thread context of 2364	4776	PO.exe	PO.exe
PID 2364 set thread context of 3008	2364	PO.exe	Explorer.EXE
PID 744 set thread context of 3008	744	svchost.exe	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	svchost.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

PO.exesvchost.exe

pid	process
2364	PO.exe
2364	PO.exe
2364	PO.exe
2364	PO.exe
2364	PO.exe
2364	PO.exe
2364	PO.exe
2364	PO.exe
744	svchost.exe
744	svchost.exe
744	svchost.exe
744	svchost.exe
744	svchost.exe
744	svchost.exe
744	svchost.exe
744	svchost.exe
744	svchost.exe
744	svchost.exe
744	svchost.exe
744	svchost.exe
744	svchost.exe
744	svchost.exe
744	svchost.exe
744	svchost.exe
744	svchost.exe
744	svchost.exe
744	svchost.exe
744	svchost.exe
744	svchost.exe
744	svchost.exe
744	svchost.exe
744	svchost.exe
744	svchost.exe
744	svchost.exe
744	svchost.exe
744	svchost.exe
744	svchost.exe
744	svchost.exe
744	svchost.exe
744	svchost.exe
744	svchost.exe
744	svchost.exe
744	svchost.exe
744	svchost.exe
744	svchost.exe
744	svchost.exe
744	svchost.exe
744	svchost.exe
744	svchost.exe
744	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3008 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

PO.exesvchost.exe

pid process

2364 PO.exe
2364 PO.exe
2364 PO.exe
744 svchost.exe
744 svchost.exe
744 svchost.exe
744 svchost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PO.exesvchost.exe

description pid process

Token: SeDebugPrivilege 2364 PO.exe
Token: SeDebugPrivilege 744 svchost.exe

pid	process
3008	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	2364	PO.exe
Token: SeDebugPrivilege	744	svchost.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

PO.exeExplorer.EXEsvchost.exe

description	pid	process	target process
PID 4776 wrote to memory of 2364	4776	PO.exe	PO.exe
PID 4776 wrote to memory of 2364	4776	PO.exe	PO.exe
PID 4776 wrote to memory of 2364	4776	PO.exe	PO.exe
PID 4776 wrote to memory of 2364	4776	PO.exe	PO.exe
PID 4776 wrote to memory of 2364	4776	PO.exe	PO.exe
PID 4776 wrote to memory of 2364	4776	PO.exe	PO.exe
PID 3008 wrote to memory of 744	3008	Explorer.EXE	svchost.exe
PID 3008 wrote to memory of 744	3008	Explorer.EXE	svchost.exe
PID 3008 wrote to memory of 744	3008	Explorer.EXE	svchost.exe
PID 744 wrote to memory of 4616	744	svchost.exe	Firefox.exe
PID 744 wrote to memory of 4616	744	svchost.exe	Firefox.exe
PID 744 wrote to memory of 4616	744	svchost.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3008

C:\Users\Admin\AppData\Local\Temp\PO.exe
"C:\Users\Admin\AppData\Local\Temp\PO.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4776

C:\Users\Admin\AppData\Local\Temp\PO.exe
"{path}"
3⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2364

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:740

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1240

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:4112

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:3296

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:4472

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:3456

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:744

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:4616

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/744-146-0x0000000000000000-mapping.dmp

Download
memory/744-154-0x0000000000C60000-0x0000000000C8D000-memory.dmp

Filesize
180KB

Download
memory/744-152-0x0000000001600000-0x000000000168F000-memory.dmp

Filesize
572KB

Download
memory/744-151-0x0000000000C60000-0x0000000000C8D000-memory.dmp

Filesize
180KB

Download
memory/744-149-0x0000000000E50000-0x0000000000E5E000-memory.dmp

Filesize
56KB

Download
memory/744-150-0x0000000001800000-0x0000000001B4A000-memory.dmp

Filesize
3.3MB

Download
memory/2364-137-0x0000000000000000-mapping.dmp

Download
memory/2364-147-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2364-141-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/2364-143-0x0000000001510000-0x000000000185A000-memory.dmp

Filesize
3.3MB

Download
memory/2364-144-0x0000000000F60000-0x0000000000F70000-memory.dmp

Filesize
64KB

Download
memory/2364-148-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/2364-138-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2364-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3008-145-0x0000000007B70000-0x0000000007CC9000-memory.dmp

Filesize
1.3MB

Download
memory/3008-153-0x0000000002730000-0x000000000282E000-memory.dmp

Filesize
1016KB

Download
memory/3008-155-0x0000000002730000-0x000000000282E000-memory.dmp

Filesize
1016KB

Download
memory/4776-132-0x00000000004D0000-0x00000000005B0000-memory.dmp

Filesize
896KB

Download
memory/4776-136-0x0000000004F30000-0x0000000004F3A000-memory.dmp

Filesize
40KB

Download
memory/4776-135-0x0000000005030000-0x00000000050CC000-memory.dmp

Filesize
624KB

Download
memory/4776-134-0x0000000004F90000-0x0000000005022000-memory.dmp

Filesize
584KB

Download
memory/4776-133-0x0000000005540000-0x0000000005AE4000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads