formbook | cfe210ae906aaa82fdf2bf3879af8f271897e5497c285140d1ca130b38936982

General

Target

vAsA7v93dCn2vOg.exe
Size

1.1MB
MD5

b66e3047c2dd35c5f477b29c12bf8499
SHA1

bda916b26b30ede5e2817c736afbc54cf06cc2b7
SHA256

cfe210ae906aaa82fdf2bf3879af8f271897e5497c285140d1ca130b38936982
SHA512

5ba8b8d10408bfce85c2e84d90f6f4e99195d1da14f6d76343e10c6de3144a4ff10d07f82bbac8588e048bc6f56fd00fd1a1d60f14d557f0051f49bb418f7938
SSDEEP

24576:8xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxNuss8qAb+RWK:QqAqRWVg35/qroFdj

Score

10^/10

formbook axe3 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

axe3

Decoy

nV63ydJMXMf7memspIpnnVLl3Q==

uJ50rs5Y/80AqT79guHh

FcsTFQ1xekTgcal8G0P2ZTQ=

uLWWVJP++ID3dkoB8g==

YyoybGF5Fsa/UH8=

Tk4htwkBBfM5ZA==

QgJ8vN9f+uCdsD79guHh

wmjC9UuSBGyTrY5PAX9t1A==

Sw7JEwOKl576ndxw/A==

BOqs09Ikjej1BN98ZYtVfSi5xQ==

YA5cbH3/4wVAYg==

fRWIvatAXM3+t0X9guHh

FAbZXq/jFuaEq2YCwQh3b2oE

STL+RDTA652/tD/9guHh

zgLNcuX32aFB

WmgwW1UCJ/9Nc0ofkIhVyQ==

jiWgy9ckGh8G+3Q7Rl//NW9ZU7TU

JCoawiBkwAkeJOehkNXRCYnj3A==

WQDFZvang91P

zGrJ4CA2pAhR

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	vAsA7v93dCn2vOg.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3044 set thread context of 4272	3044	vAsA7v93dCn2vOg.exe	91
PID 4272 set thread context of 376	4272	vAsA7v93dCn2vOg.exe	35
PID 4272 set thread context of 376	4272	vAsA7v93dCn2vOg.exe	35
PID 2936 set thread context of 376	2936	chkdsk.exe	35

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	chkdsk.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
4272	vAsA7v93dCn2vOg.exe
4272	vAsA7v93dCn2vOg.exe
4272	vAsA7v93dCn2vOg.exe
4272	vAsA7v93dCn2vOg.exe
4272	vAsA7v93dCn2vOg.exe
4272	vAsA7v93dCn2vOg.exe
4272	vAsA7v93dCn2vOg.exe
4272	vAsA7v93dCn2vOg.exe
4272	vAsA7v93dCn2vOg.exe
4272	vAsA7v93dCn2vOg.exe
2936	chkdsk.exe
2936	chkdsk.exe
2936	chkdsk.exe
2936	chkdsk.exe
2936	chkdsk.exe
2936	chkdsk.exe
2936	chkdsk.exe
2936	chkdsk.exe
2936	chkdsk.exe
2936	chkdsk.exe
2936	chkdsk.exe
2936	chkdsk.exe
2936	chkdsk.exe
2936	chkdsk.exe
2936	chkdsk.exe
2936	chkdsk.exe
2936	chkdsk.exe
2936	chkdsk.exe
2936	chkdsk.exe
2936	chkdsk.exe
2936	chkdsk.exe
2936	chkdsk.exe
2936	chkdsk.exe
2936	chkdsk.exe
2936	chkdsk.exe
2936	chkdsk.exe
2936	chkdsk.exe
2936	chkdsk.exe
2936	chkdsk.exe
2936	chkdsk.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
376	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
4272	vAsA7v93dCn2vOg.exe
4272	vAsA7v93dCn2vOg.exe
4272	vAsA7v93dCn2vOg.exe
4272	vAsA7v93dCn2vOg.exe
2936	chkdsk.exe
2936	chkdsk.exe
2936	chkdsk.exe
2936	chkdsk.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4272	vAsA7v93dCn2vOg.exe
Token: SeDebugPrivilege	2936	chkdsk.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 4272	3044	vAsA7v93dCn2vOg.exe	91
PID 3044 wrote to memory of 4272	3044	vAsA7v93dCn2vOg.exe	91
PID 3044 wrote to memory of 4272	3044	vAsA7v93dCn2vOg.exe	91
PID 3044 wrote to memory of 4272	3044	vAsA7v93dCn2vOg.exe	91
PID 3044 wrote to memory of 4272	3044	vAsA7v93dCn2vOg.exe	91
PID 3044 wrote to memory of 4272	3044	vAsA7v93dCn2vOg.exe	91
PID 376 wrote to memory of 2936	376	Explorer.EXE	92
PID 376 wrote to memory of 2936	376	Explorer.EXE	92
PID 376 wrote to memory of 2936	376	Explorer.EXE	92
PID 2936 wrote to memory of 836	2936	chkdsk.exe	93
PID 2936 wrote to memory of 836	2936	chkdsk.exe	93
PID 2936 wrote to memory of 836	2936	chkdsk.exe	93

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:376
- C:\Users\Admin\AppData\Local\Temp\vAsA7v93dCn2vOg.exe
  "C:\Users\Admin\AppData\Local\Temp\vAsA7v93dCn2vOg.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Users\Admin\AppData\Local\Temp\vAsA7v93dCn2vOg.exe
    "C:\Users\Admin\AppData\Local\Temp\vAsA7v93dCn2vOg.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:4272
- C:\Windows\SysWOW64\chkdsk.exe
  "C:\Windows\SysWOW64\chkdsk.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/376-149-0x0000000002780000-0x00000000028FD000-memory.dmp

Filesize
1.5MB

Download
memory/376-146-0x0000000008170000-0x00000000082FE000-memory.dmp

Filesize
1.6MB

Download
memory/376-159-0x0000000008020000-0x00000000080BA000-memory.dmp

Filesize
616KB

Download
memory/376-158-0x0000000008020000-0x00000000080BA000-memory.dmp

Filesize
616KB

Download
memory/2936-153-0x0000000000510000-0x000000000051A000-memory.dmp

Filesize
40KB

Download
memory/2936-154-0x0000000000A40000-0x0000000000A6D000-memory.dmp

Filesize
180KB

Download
memory/2936-155-0x0000000001170000-0x00000000014BA000-memory.dmp

Filesize
3.3MB

Download
memory/2936-157-0x00000000014C0000-0x000000000154F000-memory.dmp

Filesize
572KB

Download
memory/2936-156-0x0000000000A40000-0x0000000000A6D000-memory.dmp

Filesize
180KB

Download
memory/3044-136-0x000000000BB50000-0x000000000BBEC000-memory.dmp

Filesize
624KB

Download
memory/3044-137-0x000000000BBF0000-0x000000000BC56000-memory.dmp

Filesize
408KB

Download
memory/3044-132-0x0000000000590000-0x00000000006AC000-memory.dmp

Filesize
1.1MB

Download
memory/3044-135-0x0000000005040000-0x000000000504A000-memory.dmp

Filesize
40KB

Download
memory/3044-134-0x0000000005070000-0x0000000005102000-memory.dmp

Filesize
584KB

Download
memory/3044-133-0x0000000005620000-0x0000000005BC4000-memory.dmp

Filesize
5.6MB

Download
memory/4272-145-0x0000000001A40000-0x0000000001A50000-memory.dmp

Filesize
64KB

Download
memory/4272-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4272-152-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/4272-148-0x0000000001AA0000-0x0000000001AB0000-memory.dmp

Filesize
64KB

Download
memory/4272-144-0x00000000016F0000-0x0000000001A3A000-memory.dmp

Filesize
3.3MB

Download
memory/4272-143-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/4272-142-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4272-141-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4272-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads