formbook | 89af280045471592c70e1c139db75bbe28354d08370ac05dff4ea8245f2088b5

General

Target

Quotation.exe
Size

1.0MB
MD5

7fd40d18e9804f154780cbb3d2b017d8
SHA1

772940d64eb308d240cd205d29c4e1c5881a96b4
SHA256

89af280045471592c70e1c139db75bbe28354d08370ac05dff4ea8245f2088b5
SHA512

1cbfe6168b30db197a140ccc3fdf9b2dbe5e63db246c734d3374c0e026863bec025f7a1f104f35e77058370203b76ee3ff805c697a74d04ba2343d722d9d1154
SSDEEP

12288:8OHgGPilFfoqztDiGW8E2YoFhqJLNu6n0o/rUbihaIJDk:HbiAkD08rYoFALK44bisYI

Score

10^/10

formbook nhg6 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

nhg6

Decoy

FSZGb3Of7ECMIOG9mh1ql/w=

DAPP3Pm63eo+zg==

khOZTuClxYsKQsZALgy3ob9TFAk=

5uWol2f/RF3CAwFd

P70LqPOi2iE9g4vpPH1Lk8E0K6tC

KBRl7TSt3eo+zg==

rqedJWUJXKkDbORa

lpORtIg8lvMKbJ77PQW9kes=

Qinv+gsohAIooqyTcfUYgZ/IVxQ=

J0L2ggPAiE2gxm4=

r/I6qOGI5noJCghf

khJg6HKM6l9okVK+pg==

HRMTK/6p3eo+zg==

HqMiuv2JaKYJCghf

+FzGYtsGTpK46OkKkh5C

BBrOUpUY91R/r8gkPwrcuw==

klWfn2smdNcqog581h6vX7px

t8uvr7+R7IPaHSOH1hqvX7px

bHdghkj64OjzY2hOLa/WObrRkkeJjQ==

s3/smhoylh1J0mPS4aDHBDRyJw==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Quotation.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Quotation.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

Quotation.exeRegSvcs.exeraserver.exe

description	pid	process	target process
PID 5100 set thread context of 3520	5100	Quotation.exe	RegSvcs.exe
PID 3520 set thread context of 724	3520	RegSvcs.exe	Explorer.EXE
PID 3520 set thread context of 724	3520	RegSvcs.exe	Explorer.EXE
PID 2196 set thread context of 724	2196	raserver.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4888 schtasks.exe

pid	process
4888	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

raserver.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	raserver.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

RegSvcs.exepowershell.exeraserver.exe

pid	process
3520	RegSvcs.exe
3520	RegSvcs.exe
3520	RegSvcs.exe
3520	RegSvcs.exe
3520	RegSvcs.exe
3520	RegSvcs.exe
3520	RegSvcs.exe
3520	RegSvcs.exe
444	powershell.exe
444	powershell.exe
3520	RegSvcs.exe
3520	RegSvcs.exe
2196	raserver.exe
2196	raserver.exe
2196	raserver.exe
2196	raserver.exe
2196	raserver.exe
2196	raserver.exe
2196	raserver.exe
2196	raserver.exe
2196	raserver.exe
2196	raserver.exe
2196	raserver.exe
2196	raserver.exe
2196	raserver.exe
2196	raserver.exe
2196	raserver.exe
2196	raserver.exe
2196	raserver.exe
2196	raserver.exe
2196	raserver.exe
2196	raserver.exe
2196	raserver.exe
2196	raserver.exe
2196	raserver.exe
2196	raserver.exe
2196	raserver.exe
2196	raserver.exe
2196	raserver.exe
2196	raserver.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

724 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

RegSvcs.exeraserver.exe

pid process

3520 RegSvcs.exe
3520 RegSvcs.exe
3520 RegSvcs.exe
3520 RegSvcs.exe
2196 raserver.exe
2196 raserver.exe
2196 raserver.exe
2196 raserver.exe

pid	process
724	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

RegSvcs.exepowershell.exeExplorer.EXEraserver.exe

description	pid	process
Token: SeDebugPrivilege	3520	RegSvcs.exe
Token: SeDebugPrivilege	444	powershell.exe
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeDebugPrivilege	2196	raserver.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

Quotation.exeExplorer.EXEraserver.exe

description	pid	process	target process
PID 5100 wrote to memory of 444	5100	Quotation.exe	powershell.exe
PID 5100 wrote to memory of 444	5100	Quotation.exe	powershell.exe
PID 5100 wrote to memory of 444	5100	Quotation.exe	powershell.exe
PID 5100 wrote to memory of 4888	5100	Quotation.exe	schtasks.exe
PID 5100 wrote to memory of 4888	5100	Quotation.exe	schtasks.exe
PID 5100 wrote to memory of 4888	5100	Quotation.exe	schtasks.exe
PID 5100 wrote to memory of 3520	5100	Quotation.exe	RegSvcs.exe
PID 5100 wrote to memory of 3520	5100	Quotation.exe	RegSvcs.exe
PID 5100 wrote to memory of 3520	5100	Quotation.exe	RegSvcs.exe
PID 5100 wrote to memory of 3520	5100	Quotation.exe	RegSvcs.exe
PID 5100 wrote to memory of 3520	5100	Quotation.exe	RegSvcs.exe
PID 5100 wrote to memory of 3520	5100	Quotation.exe	RegSvcs.exe
PID 724 wrote to memory of 2196	724	Explorer.EXE	raserver.exe
PID 724 wrote to memory of 2196	724	Explorer.EXE	raserver.exe
PID 724 wrote to memory of 2196	724	Explorer.EXE	raserver.exe
PID 2196 wrote to memory of 660	2196	raserver.exe	Firefox.exe
PID 2196 wrote to memory of 660	2196	raserver.exe	Firefox.exe
PID 2196 wrote to memory of 660	2196	raserver.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:724

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
2⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5100

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UDBEbqvAJGhh.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:444

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UDBEbqvAJGhh" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC265.tmp"
3⤵
- Creates scheduled task(s)
PID:4888

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3520

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2196

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:660

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC265.tmp
Filesize
1KB

MD5
47cc3c8a7ac619461585e8c773a98561

SHA1
b935fbb72fc4823e27c0f864d5b455f347b0b984

SHA256
5399c9b7eb5e4a9ee124d2a63e867e4f1118e3a4374f5f7d93ad1c6565f0500a

SHA512
b2b1bfb5612b0875754a44bb5211d40e013a7ef2e007235d28b681c5626ca1ca429f422cdbd7d18265fb96855ba82ab5e1da23f0b7bdaa605ff3798b4171cb9e

Download Submit
memory/444-153-0x0000000006780000-0x00000000067B2000-memory.dmp

Filesize
200KB

Download
memory/444-147-0x0000000005D50000-0x0000000005DB6000-memory.dmp

Filesize
408KB

Download
memory/444-156-0x0000000007B00000-0x000000000817A000-memory.dmp

Filesize
6.5MB

Download
memory/444-162-0x00000000077F0000-0x000000000780A000-memory.dmp

Filesize
104KB

Download
memory/444-137-0x0000000002880000-0x00000000028B6000-memory.dmp

Filesize
216KB

Download
memory/444-159-0x0000000007730000-0x00000000077C6000-memory.dmp

Filesize
600KB

Download
memory/444-158-0x0000000007520000-0x000000000752A000-memory.dmp

Filesize
40KB

Download
memory/444-155-0x0000000006760000-0x000000000677E000-memory.dmp

Filesize
120KB

Download
memory/444-157-0x00000000074B0000-0x00000000074CA000-memory.dmp

Filesize
104KB

Download
memory/444-143-0x0000000005390000-0x00000000059B8000-memory.dmp

Filesize
6.2MB

Download
memory/444-163-0x00000000077D0000-0x00000000077D8000-memory.dmp

Filesize
32KB

Download
memory/444-134-0x0000000000000000-mapping.dmp

Download
memory/444-154-0x0000000073BA0000-0x0000000073BEC000-memory.dmp

Filesize
304KB

Download
memory/444-161-0x00000000076E0000-0x00000000076EE000-memory.dmp

Filesize
56KB

Download
memory/444-148-0x0000000005DC0000-0x0000000005E26000-memory.dmp

Filesize
408KB

Download
memory/444-146-0x0000000005300000-0x0000000005322000-memory.dmp

Filesize
136KB

Download
memory/444-152-0x00000000061B0000-0x00000000061CE000-memory.dmp

Filesize
120KB

Download
memory/724-151-0x00000000084E0000-0x0000000008609000-memory.dmp

Filesize
1.2MB

Download
memory/724-165-0x0000000008760000-0x000000000889B000-memory.dmp

Filesize
1.2MB

Download
memory/724-174-0x0000000008080000-0x0000000008123000-memory.dmp

Filesize
652KB

Download
memory/724-175-0x0000000008080000-0x0000000008123000-memory.dmp

Filesize
652KB

Download
memory/2196-169-0x0000000000780000-0x000000000079F000-memory.dmp

Filesize
124KB

Download
memory/2196-168-0x0000000000000000-mapping.dmp

Download
memory/2196-170-0x0000000000410000-0x000000000043D000-memory.dmp

Filesize
180KB

Download
memory/2196-171-0x00000000022B0000-0x00000000025FA000-memory.dmp

Filesize
3.3MB

Download
memory/2196-172-0x0000000000410000-0x000000000043D000-memory.dmp

Filesize
180KB

Download
memory/2196-173-0x0000000002130000-0x00000000021BF000-memory.dmp

Filesize
572KB

Download
memory/3520-145-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3520-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3520-164-0x0000000002F10000-0x0000000002F20000-memory.dmp

Filesize
64KB

Download
memory/3520-141-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3520-166-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3520-167-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/3520-160-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3520-149-0x0000000001150000-0x000000000149A000-memory.dmp

Filesize
3.3MB

Download
memory/3520-150-0x0000000000B90000-0x0000000000BA0000-memory.dmp

Filesize
64KB

Download
memory/3520-138-0x0000000000000000-mapping.dmp

Download
memory/3520-142-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/4888-135-0x0000000000000000-mapping.dmp

Download
memory/5100-132-0x0000000074ED0000-0x0000000075481000-memory.dmp

Filesize
5.7MB

Download
memory/5100-144-0x0000000074ED0000-0x0000000075481000-memory.dmp

Filesize
5.7MB

Download
memory/5100-133-0x0000000074ED0000-0x0000000075481000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads