formbook | 2088000ab7a60b6d9eb519d1da9d42934e908a9724ab6977bc853d30b7f96642

General

Target

SecuriteInfo.com.Trojan.Mardom.MN.10.23111.3388.exe
Size

1.1MB
MD5

3c21079c403687f4339a136919931ef5
SHA1

05bb1260bbdc0d05460f41e2423691f7c044bbe9
SHA256

2088000ab7a60b6d9eb519d1da9d42934e908a9724ab6977bc853d30b7f96642
SHA512

1285f2e9b1fb1cf2785f88514542a8bf7beeed52558fa9fb49280e2c91b1e17ccfc514435969491cbd0cd0d4f9d29e7803eec248ca43e04ebf37d5f14d05bc38
SSDEEP

24576:LNlitFN9lSz5iPqjiX+Iv3GytN1YeZo82E+u6Sz73JEL:LvizNCzc2I/GYNj6zup5E

Score

10^/10

formbook u6hu persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

u6hu

Decoy

OvIuZKrtOMxghbaZbvb/8h9g+Q==

mjHLVEVO8gwVeZ+7

Lh1lcZzH8pTXgpdDzV0vzyVooAsviHQ=

OzJXhMQYaQKNT1aBY/gM8h9g+Q==

WSJFbX28mK+jXVvRJofdtSc=

mEv6JdT2o7Nq++XYt8MFpx5QrhRdhA==

Wxf/NnjMRlBj6JK3jg==

nB21Q0tg7gEVeZ+7

IZinOswGUPAn51eHvCAoMetC

INxV9PYg7AQP0xyDAyg=

kkZP+Iq1AgMVeZ+7

meuru6sSaxxuoLS7gA==

y0jMTFyffedqCSRXVfm/

sJbTfRVKuQScxw==

+ecHP3ayIjYFnb7j2Pt6z5dK

uZnHRwRE9QwVeZ+7

ZBg6Sy054P4oHp0DknCx

nFXn8j4yTuJ9aOfNlw==

35ygHt8uASpReRyDAyg=

8nT3T+8eWeh6aOfNlw==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Meqzxoacawt = "\"C:\\Users\\Admin\\AppData\\Roaming\\Twtrqilcly\\Meqzxoacawt.exe\""	SecuriteInfo.com.Trojan.Mardom.MN.10.23111.3388.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2028 set thread context of 588	2028	SecuriteInfo.com.Trojan.Mardom.MN.10.23111.3388.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
472	powershell.exe
2028	SecuriteInfo.com.Trojan.Mardom.MN.10.23111.3388.exe
588	SecuriteInfo.com.Trojan.Mardom.MN.10.23111.3388.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2028	SecuriteInfo.com.Trojan.Mardom.MN.10.23111.3388.exe
Token: SeDebugPrivilege	472	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 472	2028	SecuriteInfo.com.Trojan.Mardom.MN.10.23111.3388.exe	27
PID 2028 wrote to memory of 472	2028	SecuriteInfo.com.Trojan.Mardom.MN.10.23111.3388.exe	27
PID 2028 wrote to memory of 472	2028	SecuriteInfo.com.Trojan.Mardom.MN.10.23111.3388.exe	27
PID 2028 wrote to memory of 472	2028	SecuriteInfo.com.Trojan.Mardom.MN.10.23111.3388.exe	27
PID 2028 wrote to memory of 1064	2028	SecuriteInfo.com.Trojan.Mardom.MN.10.23111.3388.exe	29
PID 2028 wrote to memory of 1064	2028	SecuriteInfo.com.Trojan.Mardom.MN.10.23111.3388.exe	29
PID 2028 wrote to memory of 1064	2028	SecuriteInfo.com.Trojan.Mardom.MN.10.23111.3388.exe	29
PID 2028 wrote to memory of 1064	2028	SecuriteInfo.com.Trojan.Mardom.MN.10.23111.3388.exe	29
PID 2028 wrote to memory of 588	2028	SecuriteInfo.com.Trojan.Mardom.MN.10.23111.3388.exe	30
PID 2028 wrote to memory of 588	2028	SecuriteInfo.com.Trojan.Mardom.MN.10.23111.3388.exe	30
PID 2028 wrote to memory of 588	2028	SecuriteInfo.com.Trojan.Mardom.MN.10.23111.3388.exe	30
PID 2028 wrote to memory of 588	2028	SecuriteInfo.com.Trojan.Mardom.MN.10.23111.3388.exe	30
PID 2028 wrote to memory of 588	2028	SecuriteInfo.com.Trojan.Mardom.MN.10.23111.3388.exe	30
PID 2028 wrote to memory of 588	2028	SecuriteInfo.com.Trojan.Mardom.MN.10.23111.3388.exe	30
PID 2028 wrote to memory of 588	2028	SecuriteInfo.com.Trojan.Mardom.MN.10.23111.3388.exe	30

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Mardom.MN.10.23111.3388.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Mardom.MN.10.23111.3388.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwAzAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:472
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Mardom.MN.10.23111.3388.exe
  C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Mardom.MN.10.23111.3388.exe
  2⤵
  PID:1064
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Mardom.MN.10.23111.3388.exe
  C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Mardom.MN.10.23111.3388.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/472-61-0x000000006E440000-0x000000006E9EB000-memory.dmp

Filesize
5.7MB

Download
memory/472-59-0x000000006E440000-0x000000006E9EB000-memory.dmp

Filesize
5.7MB

Download
memory/472-60-0x000000006E440000-0x000000006E9EB000-memory.dmp

Filesize
5.7MB

Download
memory/588-69-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/588-63-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/588-65-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/588-68-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/588-62-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/588-70-0x00000000009E0000-0x0000000000CE3000-memory.dmp

Filesize
3.0MB

Download
memory/2028-56-0x0000000075561000-0x0000000075563000-memory.dmp

Filesize
8KB

Download
memory/2028-54-0x0000000000F80000-0x0000000001094000-memory.dmp

Filesize
1.1MB

Download
memory/2028-55-0x00000000049A0000-0x0000000004BCC000-memory.dmp

Filesize
2.2MB

Download

Analysis

Sharing