formbook | c85a06161a28fcfcc80891d618c37d37b72e970be0be060fec72925424412044

General

Target

Specification 5678.exe
Size

783KB
MD5

10a84bec0fb372b198ef40ca39f55bd8
SHA1

3865a090d536a52b9e2625ca4eee5e3b346b74f0
SHA256

c85a06161a28fcfcc80891d618c37d37b72e970be0be060fec72925424412044
SHA512

fc4f3cb89b437a2e29b95c4b39c8dbc5a3cde31d6b73281d1080c4dc29788f56fe39580eb9498ac8b250fa81602bd4dcc1ea825978f3e06817f8b0ed6886522c
SSDEEP

12288:jb7Vnri6k1mS35TcRi1fHlFKIBVKlAhQhngAKEogIYWkejwFGf:jRri6koS35rHbzMnngAKEogIreG

Score

10^/10

formbook nhg6 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

nhg6

Decoy

FSZGb3Of7ECMIOG9mh1ql/w=

DAPP3Pm63eo+zg==

khOZTuClxYsKQsZALgy3ob9TFAk=

5uWol2f/RF3CAwFd

P70LqPOi2iE9g4vpPH1Lk8E0K6tC

KBRl7TSt3eo+zg==

rqedJWUJXKkDbORa

lpORtIg8lvMKbJ77PQW9kes=

Qinv+gsohAIooqyTcfUYgZ/IVxQ=

J0L2ggPAiE2gxm4=

r/I6qOGI5noJCghf

khJg6HKM6l9okVK+pg==

HRMTK/6p3eo+zg==

HqMiuv2JaKYJCghf

+FzGYtsGTpK46OkKkh5C

BBrOUpUY91R/r8gkPwrcuw==

klWfn2smdNcqog581h6vX7px

t8uvr7+R7IPaHSOH1hqvX7px

bHdghkj64OjzY2hOLa/WObrRkkeJjQ==

s3/smhoylh1J0mPS4aDHBDRyJw==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Specification 5678.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Specification 5678.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Specification 5678.exeRegSvcs.exesvchost.exe

description	pid	process	target process
PID 848 set thread context of 3772	848	Specification 5678.exe	RegSvcs.exe
PID 3772 set thread context of 3004	3772	RegSvcs.exe	Explorer.EXE
PID 2972 set thread context of 3004	2972	svchost.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3132 schtasks.exe

pid	process
3132	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	svchost.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

Specification 5678.exepowershell.exeRegSvcs.exesvchost.exe

pid	process
848	Specification 5678.exe
848	Specification 5678.exe
848	Specification 5678.exe
848	Specification 5678.exe
848	Specification 5678.exe
848	Specification 5678.exe
3136	powershell.exe
3772	RegSvcs.exe
3772	RegSvcs.exe
3772	RegSvcs.exe
3772	RegSvcs.exe
3772	RegSvcs.exe
3772	RegSvcs.exe
3772	RegSvcs.exe
3772	RegSvcs.exe
3136	powershell.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3004 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

RegSvcs.exesvchost.exe

pid process

3772 RegSvcs.exe
3772 RegSvcs.exe
3772 RegSvcs.exe
2972 svchost.exe
2972 svchost.exe
2972 svchost.exe
2972 svchost.exe

pid	process
3004	Explorer.EXE

pid	process
3772	RegSvcs.exe
3772	RegSvcs.exe
3772	RegSvcs.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

Specification 5678.exepowershell.exeRegSvcs.exesvchost.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	848	Specification 5678.exe
Token: SeDebugPrivilege	3136	powershell.exe
Token: SeDebugPrivilege	3772	RegSvcs.exe
Token: SeDebugPrivilege	2972	svchost.exe
Token: SeShutdownPrivilege	3004	Explorer.EXE
Token: SeCreatePagefilePrivilege	3004	Explorer.EXE
Token: SeShutdownPrivilege	3004	Explorer.EXE
Token: SeCreatePagefilePrivilege	3004	Explorer.EXE
Token: SeShutdownPrivilege	3004	Explorer.EXE
Token: SeCreatePagefilePrivilege	3004	Explorer.EXE
Token: SeShutdownPrivilege	3004	Explorer.EXE
Token: SeCreatePagefilePrivilege	3004	Explorer.EXE
Token: SeShutdownPrivilege	3004	Explorer.EXE
Token: SeCreatePagefilePrivilege	3004	Explorer.EXE
Token: SeShutdownPrivilege	3004	Explorer.EXE
Token: SeCreatePagefilePrivilege	3004	Explorer.EXE
Token: SeShutdownPrivilege	3004	Explorer.EXE
Token: SeCreatePagefilePrivilege	3004	Explorer.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

Specification 5678.exeExplorer.EXEsvchost.exe

description	pid	process	target process
PID 848 wrote to memory of 3136	848	Specification 5678.exe	powershell.exe
PID 848 wrote to memory of 3136	848	Specification 5678.exe	powershell.exe
PID 848 wrote to memory of 3136	848	Specification 5678.exe	powershell.exe
PID 848 wrote to memory of 3132	848	Specification 5678.exe	schtasks.exe
PID 848 wrote to memory of 3132	848	Specification 5678.exe	schtasks.exe
PID 848 wrote to memory of 3132	848	Specification 5678.exe	schtasks.exe
PID 848 wrote to memory of 2672	848	Specification 5678.exe	RegSvcs.exe
PID 848 wrote to memory of 2672	848	Specification 5678.exe	RegSvcs.exe
PID 848 wrote to memory of 2672	848	Specification 5678.exe	RegSvcs.exe
PID 848 wrote to memory of 4388	848	Specification 5678.exe	RegSvcs.exe
PID 848 wrote to memory of 4388	848	Specification 5678.exe	RegSvcs.exe
PID 848 wrote to memory of 4388	848	Specification 5678.exe	RegSvcs.exe
PID 848 wrote to memory of 3772	848	Specification 5678.exe	RegSvcs.exe
PID 848 wrote to memory of 3772	848	Specification 5678.exe	RegSvcs.exe
PID 848 wrote to memory of 3772	848	Specification 5678.exe	RegSvcs.exe
PID 848 wrote to memory of 3772	848	Specification 5678.exe	RegSvcs.exe
PID 848 wrote to memory of 3772	848	Specification 5678.exe	RegSvcs.exe
PID 848 wrote to memory of 3772	848	Specification 5678.exe	RegSvcs.exe
PID 3004 wrote to memory of 2972	3004	Explorer.EXE	svchost.exe
PID 3004 wrote to memory of 2972	3004	Explorer.EXE	svchost.exe
PID 3004 wrote to memory of 2972	3004	Explorer.EXE	svchost.exe
PID 2972 wrote to memory of 1596	2972	svchost.exe	Firefox.exe
PID 2972 wrote to memory of 1596	2972	svchost.exe	Firefox.exe
PID 2972 wrote to memory of 1596	2972	svchost.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3004

C:\Users\Admin\AppData\Local\Temp\Specification 5678.exe
"C:\Users\Admin\AppData\Local\Temp\Specification 5678.exe"
2⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:848

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\pPXFqtKQrbbp.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3136

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pPXFqtKQrbbp" /XML "C:\Users\Admin\AppData\Local\Temp\tmp54F6.tmp"
3⤵
- Creates scheduled task(s)
PID:3132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:2672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:4388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3772

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2972

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1596

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp54F6.tmp
Filesize
1KB

MD5
d7e4d271a54c5fd0a645e90ca59b1546

SHA1
4af1a6da3cdeb0d64266e7eb151afcbb8d323132

SHA256
c4452aa9743a57fda3f6c39ee4a461cbba708f189d6e76b05c0087e1b2f83714

SHA512
7c6b53963a43a023741a375849b96b4076d48881a08d68df115e8236e4c07ec546f51b613b30adaabe99e1928e97b61af4b734fa6202d035e0f02814072a1c3f

Download Submit
memory/848-133-0x0000000004FA0000-0x0000000005544000-memory.dmp

Filesize
5.6MB

Download
memory/848-134-0x0000000004A90000-0x0000000004B22000-memory.dmp

Filesize
584KB

Download
memory/848-135-0x0000000004A70000-0x0000000004A7A000-memory.dmp

Filesize
40KB

Download
memory/848-136-0x0000000007120000-0x00000000071BC000-memory.dmp

Filesize
624KB

Download
memory/848-132-0x0000000000010000-0x00000000000DA000-memory.dmp

Filesize
808KB

Download
memory/2672-141-0x0000000000000000-mapping.dmp

Download
memory/2972-173-0x0000000000EF0000-0x0000000000F7F000-memory.dmp

Filesize
572KB

Download
memory/2972-174-0x00000000003A0000-0x00000000003CD000-memory.dmp

Filesize
180KB

Download
memory/2972-162-0x0000000000000000-mapping.dmp

Download
memory/2972-169-0x0000000001000000-0x000000000134A000-memory.dmp

Filesize
3.3MB

Download
memory/2972-166-0x00000000003A0000-0x00000000003CD000-memory.dmp

Filesize
180KB

Download
memory/2972-164-0x0000000000480000-0x000000000048E000-memory.dmp

Filesize
56KB

Download
memory/3004-179-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/3004-175-0x0000000002850000-0x0000000002949000-memory.dmp

Filesize
996KB

Download
memory/3004-196-0x0000000007270000-0x0000000007280000-memory.dmp

Filesize
64KB

Download
memory/3004-195-0x0000000007270000-0x0000000007280000-memory.dmp

Filesize
64KB

Download
memory/3004-194-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/3004-193-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-192-0x0000000002820000-0x0000000002830000-memory.dmp

Filesize
64KB

Download
memory/3004-191-0x0000000002820000-0x0000000002830000-memory.dmp

Filesize
64KB

Download
memory/3004-190-0x0000000002820000-0x0000000002830000-memory.dmp

Filesize
64KB

Download
memory/3004-156-0x0000000007970000-0x0000000007AFF000-memory.dmp

Filesize
1.6MB

Download
memory/3004-189-0x0000000002820000-0x0000000002830000-memory.dmp

Filesize
64KB

Download
memory/3004-188-0x0000000002820000-0x0000000002830000-memory.dmp

Filesize
64KB

Download
memory/3004-187-0x0000000002820000-0x0000000002830000-memory.dmp

Filesize
64KB

Download
memory/3004-186-0x0000000002820000-0x0000000002830000-memory.dmp

Filesize
64KB

Download
memory/3004-185-0x0000000002820000-0x0000000002830000-memory.dmp

Filesize
64KB

Download
memory/3004-184-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-183-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/3004-182-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/3004-181-0x0000000000930000-0x0000000000940000-memory.dmp

Filesize
64KB

Download
memory/3004-180-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/3004-178-0x0000000000930000-0x0000000000940000-memory.dmp

Filesize
64KB

Download
memory/3004-177-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3004-176-0x0000000002850000-0x0000000002949000-memory.dmp

Filesize
996KB

Download
memory/3132-138-0x0000000000000000-mapping.dmp

Download
memory/3136-160-0x0000000007930000-0x0000000007FAA000-memory.dmp

Filesize
6.5MB

Download
memory/3136-148-0x0000000005960000-0x00000000059C6000-memory.dmp

Filesize
408KB

Download
memory/3136-139-0x00000000026A0000-0x00000000026D6000-memory.dmp

Filesize
216KB

Download
memory/3136-171-0x0000000007620000-0x000000000763A000-memory.dmp

Filesize
104KB

Download
memory/3136-170-0x0000000007510000-0x000000000751E000-memory.dmp

Filesize
56KB

Download
memory/3136-142-0x00000000052C0000-0x00000000058E8000-memory.dmp

Filesize
6.2MB

Download
memory/3136-168-0x0000000007560000-0x00000000075F6000-memory.dmp

Filesize
600KB

Download
memory/3136-167-0x0000000007350000-0x000000000735A000-memory.dmp

Filesize
40KB

Download
memory/3136-137-0x0000000000000000-mapping.dmp

Download
memory/3136-158-0x0000000070F10000-0x0000000070F5C000-memory.dmp

Filesize
304KB

Download
memory/3136-149-0x00000000058F0000-0x0000000005956000-memory.dmp

Filesize
408KB

Download
memory/3136-154-0x0000000004D50000-0x0000000004D6E000-memory.dmp

Filesize
120KB

Download
memory/3136-157-0x00000000065B0000-0x00000000065E2000-memory.dmp

Filesize
200KB

Download
memory/3136-172-0x0000000007600000-0x0000000007608000-memory.dmp

Filesize
32KB

Download
memory/3136-161-0x00000000072E0000-0x00000000072FA000-memory.dmp

Filesize
104KB

Download
memory/3136-146-0x0000000004F10000-0x0000000004F32000-memory.dmp

Filesize
136KB

Download
memory/3136-159-0x0000000006590000-0x00000000065AE000-memory.dmp

Filesize
120KB

Download
memory/3772-145-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3772-163-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3772-155-0x00000000010D0000-0x00000000010E0000-memory.dmp

Filesize
64KB

Download
memory/3772-144-0x0000000000000000-mapping.dmp

Download
memory/3772-153-0x0000000001550000-0x000000000189A000-memory.dmp

Filesize
3.3MB

Download
memory/3772-152-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/3772-150-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3772-165-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/4388-143-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads