formbook | 5463db9a5e180df75642646615cfd6ff7598b9846718c2224f19c878ee01dc00

General

Target

4e256d3d4ddbcc9c1d2cfa57034a0d52.exe
Size

295KB
MD5

4e256d3d4ddbcc9c1d2cfa57034a0d52
SHA1

60ec184a1ab03af29341f093791e210202814f1c
SHA256

5463db9a5e180df75642646615cfd6ff7598b9846718c2224f19c878ee01dc00
SHA512

2e455bd66870778fc511515d3db4ae3b14d16374436cc4f6b70c182b42f2c70f977b9976194c1fb392f0ab28ebc4b7fd3ecec87fba279a541c6be396425fd79e
SSDEEP

6144:uj5zFdfKy5i+xc+tR5VwWmKH0LYlA8yjXeIIzls3GEioll+8zE7ev:efKy5p9tBmKUL0uhIoGEiQltEi

Score

10^/10

formbook i65a rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

i65a

Decoy

r00zzvD9uoqMkFT8XDSqPg==

iSMQDJ3Tyuj8KXflBw==

Gq+tYoFrGU/5B4gGNnzHNg==

wEwcynSwpynZKUFhqyIK

bw3PbrjowhAVJA==

TggEt9LuwhAVJA==

r0UqC6sxgcWN7vc=

0m+fwBgf0oyehByUtx51BsBkuj8=

dhtdWWyIhRatp2dpv8tPcJoQ

jTAw4/4TCwcXjpECXDSqPg==

aglx4nPPkGp/raeivGVOfzdbFIu4

+qXr4cAGtQJm7Mf6

sU2Dc4ySSKZJc2/L32pFRrq+NgA0Yi8=

E6ohOo2zadVgzLIfaWALaik=

wXwu0yo/KbNm7Mf6

EcoyojCJYKg1laCuBK+exkNbFIu4

bhZgFvj6yP+R4F+0/5S/oFMpAA==

rzlylCB1NIMabG2dzGQd

+5ngCKjwwhAVJA==

AMUtZrYh+0LPL/QyfSo=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Blocklisted process makes network request 3 IoCs

Processes:

cscript.exe

flow pid process

6 1772 cscript.exe
10 1772 cscript.exe
16 1772 cscript.exe
Loads dropped DLL 1 IoCs

Processes:

cscript.exe

pid process

1772 cscript.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
6	1772	cscript.exe
10	1772	cscript.exe
16	1772	cscript.exe

pid	process
1772	cscript.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

4e256d3d4ddbcc9c1d2cfa57034a0d52.execvtres.execscript.exe

description	pid	process	target process
PID 780 set thread context of 1200	780	4e256d3d4ddbcc9c1d2cfa57034a0d52.exe	cvtres.exe
PID 1200 set thread context of 1236	1200	cvtres.exe	Explorer.EXE
PID 1772 set thread context of 1236	1772	cscript.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

cscript.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cscript.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

cvtres.execscript.exe

pid	process
1200	cvtres.exe
1200	cvtres.exe
1200	cvtres.exe
1200	cvtres.exe
1772	cscript.exe
1772	cscript.exe
1772	cscript.exe
1772	cscript.exe
1772	cscript.exe
1772	cscript.exe
1772	cscript.exe
1772	cscript.exe
1772	cscript.exe
1772	cscript.exe
1772	cscript.exe
1772	cscript.exe
1772	cscript.exe
1772	cscript.exe
1772	cscript.exe
1772	cscript.exe
1772	cscript.exe
1772	cscript.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

cvtres.execscript.exe

pid process

1200 cvtres.exe
1200 cvtres.exe
1200 cvtres.exe
1772 cscript.exe
1772 cscript.exe
1772 cscript.exe
1772 cscript.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

cvtres.execscript.exe

description pid process

Token: SeDebugPrivilege 1200 cvtres.exe
Token: SeDebugPrivilege 1772 cscript.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1236 Explorer.EXE
1236 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1236 Explorer.EXE
1236 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1200	cvtres.exe
Token: SeDebugPrivilege	1772	cscript.exe

pid	process
1236	Explorer.EXE
1236	Explorer.EXE

pid	process
1236	Explorer.EXE
1236	Explorer.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

4e256d3d4ddbcc9c1d2cfa57034a0d52.exeExplorer.EXEcscript.exe

description	pid	process	target process
PID 780 wrote to memory of 1200	780	4e256d3d4ddbcc9c1d2cfa57034a0d52.exe	cvtres.exe
PID 780 wrote to memory of 1200	780	4e256d3d4ddbcc9c1d2cfa57034a0d52.exe	cvtres.exe
PID 780 wrote to memory of 1200	780	4e256d3d4ddbcc9c1d2cfa57034a0d52.exe	cvtres.exe
PID 780 wrote to memory of 1200	780	4e256d3d4ddbcc9c1d2cfa57034a0d52.exe	cvtres.exe
PID 780 wrote to memory of 1200	780	4e256d3d4ddbcc9c1d2cfa57034a0d52.exe	cvtres.exe
PID 780 wrote to memory of 1200	780	4e256d3d4ddbcc9c1d2cfa57034a0d52.exe	cvtres.exe
PID 780 wrote to memory of 1200	780	4e256d3d4ddbcc9c1d2cfa57034a0d52.exe	cvtres.exe
PID 1236 wrote to memory of 1772	1236	Explorer.EXE	cscript.exe
PID 1236 wrote to memory of 1772	1236	Explorer.EXE	cscript.exe
PID 1236 wrote to memory of 1772	1236	Explorer.EXE	cscript.exe
PID 1236 wrote to memory of 1772	1236	Explorer.EXE	cscript.exe
PID 1772 wrote to memory of 1932	1772	cscript.exe	Firefox.exe
PID 1772 wrote to memory of 1932	1772	cscript.exe	Firefox.exe
PID 1772 wrote to memory of 1932	1772	cscript.exe	Firefox.exe
PID 1772 wrote to memory of 1932	1772	cscript.exe	Firefox.exe
PID 1772 wrote to memory of 1932	1772	cscript.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1236

C:\Users\Admin\AppData\Local\Temp\4e256d3d4ddbcc9c1d2cfa57034a0d52.exe
"C:\Users\Admin\AppData\Local\Temp\4e256d3d4ddbcc9c1d2cfa57034a0d52.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1200

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1772

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1932

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
902KB

MD5
50338cc1fa2582fa0cad8a8fa7ceb4d2

SHA1
ae697ef05b6bec38fb79ff4512ae50a303dcdbce

SHA256
0815a80fa73286d8c6bf0982471c61833821d9f10a20612deaa134562e7a3cda

SHA512
02a006e26b1d08cb53a4b3dab23ce6a6756a7275f8b3ef00b7412f10cff75411685a3542c5dc330dad7c9f7ff26288a2e94254d00bf53c1394e7252e000c9a61

Download Submit
memory/780-54-0x00000000003A0000-0x00000000003EE000-memory.dmp

Filesize
312KB

Download
memory/780-55-0x00000000005B0000-0x00000000005B8000-memory.dmp

Filesize
32KB

Download
memory/780-56-0x0000000001D00000-0x0000000001D06000-memory.dmp

Filesize
24KB

Download
memory/780-57-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download
memory/780-58-0x0000000000500000-0x0000000000508000-memory.dmp

Filesize
32KB

Download
memory/1200-68-0x0000000000820000-0x0000000000B23000-memory.dmp

Filesize
3.0MB

Download
memory/1200-63-0x00000000004012B0-mapping.dmp

Download
memory/1200-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1200-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1200-67-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1200-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1200-69-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/1200-62-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1200-59-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1236-76-0x00000000063B0000-0x0000000006491000-memory.dmp

Filesize
900KB

Download
memory/1236-70-0x0000000006170000-0x000000000628E000-memory.dmp

Filesize
1.1MB

Download
memory/1236-78-0x00000000063B0000-0x0000000006491000-memory.dmp

Filesize
900KB

Download
memory/1772-71-0x0000000000000000-mapping.dmp

Download
memory/1772-75-0x0000000000440000-0x00000000004CF000-memory.dmp

Filesize
572KB

Download
memory/1772-74-0x00000000022A0000-0x00000000025A3000-memory.dmp

Filesize
3.0MB

Download
memory/1772-77-0x0000000076321000-0x0000000076323000-memory.dmp

Filesize
8KB

Download
memory/1772-73-0x0000000000070000-0x000000000009D000-memory.dmp

Filesize
180KB

Download
memory/1772-72-0x0000000000120000-0x0000000000142000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads