formbook | 0107b290b0c427141a30d9f9fb2a6168cb4459aa120ddd165c3e44e01465ff04

General

Target

108722FTTOO17_Advance TT.exe
Size

225KB
MD5

35c80a1656228ab11b5ea483dc7b5b20
SHA1

b4e46cf73a2cb91ca01a0b534749e14cfea12f27
SHA256

2b3d32ba155e67989eb11a9cf80ca81dc5ebccd90e1589996cbeb613d445874c
SHA512

4fbf15c926e718ef22f5c736d042a0459ca9e75b2a3fd2c1ca268595465fb8c068177c2f98a01c2c4ad76c1e3c1a965626d834389ea77af3cdcb8709a2365b36
SSDEEP

6144:qweEpLSWkNHG9sRXzoeHvqwf6CoOVj2JWJD:bVwH2Azhdf6+2OD

Score

10^/10

formbook axe3 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

axe3

Decoy

nV63ydJMXMf7memspIpnnVLl3Q==

uJ50rs5Y/80AqT79guHh

FcsTFQ1xekTgcal8G0P2ZTQ=

uLWWVJP++ID3dkoB8g==

YyoybGF5Fsa/UH8=

Tk4htwkBBfM5ZA==

QgJ8vN9f+uCdsD79guHh

wmjC9UuSBGyTrY5PAX9t1A==

Sw7JEwOKl576ndxw/A==

BOqs09Ikjej1BN98ZYtVfSi5xQ==

YA5cbH3/4wVAYg==

fRWIvatAXM3+t0X9guHh

FAbZXq/jFuaEq2YCwQh3b2oE

STL+RDTA652/tD/9guHh

zgLNcuX32aFB

WmgwW1UCJ/9Nc0ofkIhVyQ==

jiWgy9ckGh8G+3Q7Rl//NW9ZU7TU

JCoawiBkwAkeJOehkNXRCYnj3A==

WQDFZvang91P

zGrJ4CA2pAhR

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Executes dropped EXE 2 IoCs

pid	Process
1696	jxybtdctyj.exe
1684	jxybtdctyj.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation	jxybtdctyj.exe

Loads dropped DLL 3 IoCs

pid	Process
1456	108722FTTOO17_Advance TT.exe
1696	jxybtdctyj.exe
2024	control.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1696 set thread context of 1684	1696	jxybtdctyj.exe	27
PID 1684 set thread context of 1360	1684	jxybtdctyj.exe	8
PID 2024 set thread context of 1360	2024	control.exe	8

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	control.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1684	jxybtdctyj.exe
1684	jxybtdctyj.exe
1684	jxybtdctyj.exe
1684	jxybtdctyj.exe
2024	control.exe
2024	control.exe
2024	control.exe
2024	control.exe
2024	control.exe
2024	control.exe
2024	control.exe
2024	control.exe
2024	control.exe
2024	control.exe
2024	control.exe
2024	control.exe
2024	control.exe
2024	control.exe
2024	control.exe
2024	control.exe
2024	control.exe
2024	control.exe
2024	control.exe
2024	control.exe
2024	control.exe
2024	control.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1360	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
1696	jxybtdctyj.exe
1684	jxybtdctyj.exe
1684	jxybtdctyj.exe
1684	jxybtdctyj.exe
2024	control.exe
2024	control.exe
2024	control.exe
2024	control.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1684	jxybtdctyj.exe
Token: SeDebugPrivilege	2024	control.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1360	Explorer.EXE
1360	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1360	Explorer.EXE
1360	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 1696	1456	108722FTTOO17_Advance TT.exe	26
PID 1456 wrote to memory of 1696	1456	108722FTTOO17_Advance TT.exe	26
PID 1456 wrote to memory of 1696	1456	108722FTTOO17_Advance TT.exe	26
PID 1456 wrote to memory of 1696	1456	108722FTTOO17_Advance TT.exe	26
PID 1696 wrote to memory of 1684	1696	jxybtdctyj.exe	27
PID 1696 wrote to memory of 1684	1696	jxybtdctyj.exe	27
PID 1696 wrote to memory of 1684	1696	jxybtdctyj.exe	27
PID 1696 wrote to memory of 1684	1696	jxybtdctyj.exe	27
PID 1696 wrote to memory of 1684	1696	jxybtdctyj.exe	27
PID 1360 wrote to memory of 2024	1360	Explorer.EXE	29
PID 1360 wrote to memory of 2024	1360	Explorer.EXE	29
PID 1360 wrote to memory of 2024	1360	Explorer.EXE	29
PID 1360 wrote to memory of 2024	1360	Explorer.EXE	29
PID 2024 wrote to memory of 984	2024	control.exe	32
PID 2024 wrote to memory of 984	2024	control.exe	32
PID 2024 wrote to memory of 984	2024	control.exe	32
PID 2024 wrote to memory of 984	2024	control.exe	32
PID 2024 wrote to memory of 984	2024	control.exe	32

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1360
- C:\Users\Admin\AppData\Local\Temp\108722FTTOO17_Advance TT.exe
  "C:\Users\Admin\AppData\Local\Temp\108722FTTOO17_Advance TT.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1456
- - C:\Users\Admin\AppData\Local\Temp\jxybtdctyj.exe
    "C:\Users\Admin\AppData\Local\Temp\jxybtdctyj.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1696
  - - C:\Users\Admin\AppData\Local\Temp\jxybtdctyj.exe
      "C:\Users\Admin\AppData\Local\Temp\jxybtdctyj.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:1684
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:1680
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\SysWOW64\control.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fjfyijmwm.pg

Filesize
5KB

MD5
29231bce34fd03ba1db8ee339b1051e3

SHA1
b6235dd3f7d15266004e196128947a2374bdece1

SHA256
80b505f709a1596565857ae0bbee9f6089e353043ba6bbd40b02dc4afdfe8c96

SHA512
0d93741365094039f7219f03085640dd8de31d03abf2a5d9dc4afde346cd267c9d914a88bfc16fda1470d2bfd3cbaccc3b0a4c01172ae45fa715457a58b0eea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\jxybtdctyj.exe

Filesize
7KB

MD5
1b3c05fa6e5175137fa0a1b7257ff606

SHA1
810da138b5b6703899518a48cfabb14df6185782

SHA256
e4e8f5fa19be282e3926e259265ec048ada69822b47622c0d1a26cb8652125a3

SHA512
bed6e7088aa2b11e9d5817be2f3cdbab5d1eef3dd62db8cc45351bc60c280006503756d20f9567141aa4564787e18843e1c47e7467ae1a750f874d60b2210517

Download Submit
C:\Users\Admin\AppData\Local\Temp\jxybtdctyj.exe

Filesize
7KB

MD5
1b3c05fa6e5175137fa0a1b7257ff606

SHA1
810da138b5b6703899518a48cfabb14df6185782

SHA256
e4e8f5fa19be282e3926e259265ec048ada69822b47622c0d1a26cb8652125a3

SHA512
bed6e7088aa2b11e9d5817be2f3cdbab5d1eef3dd62db8cc45351bc60c280006503756d20f9567141aa4564787e18843e1c47e7467ae1a750f874d60b2210517

Download Submit
C:\Users\Admin\AppData\Local\Temp\jxybtdctyj.exe

Filesize
7KB

MD5
1b3c05fa6e5175137fa0a1b7257ff606

SHA1
810da138b5b6703899518a48cfabb14df6185782

SHA256
e4e8f5fa19be282e3926e259265ec048ada69822b47622c0d1a26cb8652125a3

SHA512
bed6e7088aa2b11e9d5817be2f3cdbab5d1eef3dd62db8cc45351bc60c280006503756d20f9567141aa4564787e18843e1c47e7467ae1a750f874d60b2210517

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugmbhjxfz.hf

Filesize
185KB

MD5
5d307f59a0a8c63fd7384058eaf68dbe

SHA1
e41e48332b4c1f770d89e3636266030288730624

SHA256
5b80d85079a29aba8c30f1eb794bb31588cf11a2829c208236cc80df3f67bbc2

SHA512
ebbe24d2e35c8ec1f6c6061e68fdb2e252c12b4ebfa3d6e45cd5a5a3862dbf515a090aea40ec7d1fba4c7364f456093e438045b773dfa7139257511074e3f48f

Download Submit
\Users\Admin\AppData\Local\Temp\jxybtdctyj.exe

Filesize
7KB

MD5
1b3c05fa6e5175137fa0a1b7257ff606

SHA1
810da138b5b6703899518a48cfabb14df6185782

SHA256
e4e8f5fa19be282e3926e259265ec048ada69822b47622c0d1a26cb8652125a3

SHA512
bed6e7088aa2b11e9d5817be2f3cdbab5d1eef3dd62db8cc45351bc60c280006503756d20f9567141aa4564787e18843e1c47e7467ae1a750f874d60b2210517

Download Submit
\Users\Admin\AppData\Local\Temp\jxybtdctyj.exe

Filesize
7KB

MD5
1b3c05fa6e5175137fa0a1b7257ff606

SHA1
810da138b5b6703899518a48cfabb14df6185782

SHA256
e4e8f5fa19be282e3926e259265ec048ada69822b47622c0d1a26cb8652125a3

SHA512
bed6e7088aa2b11e9d5817be2f3cdbab5d1eef3dd62db8cc45351bc60c280006503756d20f9567141aa4564787e18843e1c47e7467ae1a750f874d60b2210517

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
1.1MB

MD5
f55e5766477de5997da50f12c9c74c91

SHA1
4dc98900a887be95411f07b9e597c57bdc7dbab3

SHA256
90be88984ee60864256378c952d44b13d55ac032ab6a7b8c698885176bcece69

SHA512
983417a297e68b58fbd1c07fed7a1697d249110a2c10644b2dc96e3facedd3fbfbcac6a7809631ffd62894f02cadd4d3e62022b9e5e026e5bf434f1eb1878f05

Download Submit
memory/1360-77-0x0000000004080000-0x000000000415E000-memory.dmp

Filesize
888KB

Download
memory/1360-75-0x0000000004080000-0x000000000415E000-memory.dmp

Filesize
888KB

Download
memory/1360-68-0x0000000004D40000-0x0000000004E6B000-memory.dmp

Filesize
1.2MB

Download
memory/1456-54-0x0000000075B51000-0x0000000075B53000-memory.dmp

Filesize
8KB

Download
memory/1684-67-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/1684-66-0x0000000000840000-0x0000000000B43000-memory.dmp

Filesize
3.0MB

Download
memory/1684-65-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1684-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2024-71-0x0000000000560000-0x000000000057F000-memory.dmp

Filesize
124KB

Download
memory/2024-72-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/2024-73-0x0000000001FB0000-0x00000000022B3000-memory.dmp

Filesize
3.0MB

Download
memory/2024-74-0x0000000000580000-0x000000000060F000-memory.dmp

Filesize
572KB

Download
memory/2024-76-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing