formbook | 697864448562120dd68a9b3a4c36f294292626999e3c80d3217206544e3f91b1

General

Target

vbc(1).exe
Size

304KB
MD5

60d9730a7f59ab1fd59f0714ef881b06
SHA1

ca8d63135460836a001a38b50c28eae975a2a36c
SHA256

697864448562120dd68a9b3a4c36f294292626999e3c80d3217206544e3f91b1
SHA512

ef6c2bb3fcb705da66416bee8191c9ec7f8992aef9bc5bc108742f15cfc132d2887062e3a85977b0ae005ea8796fb3670517da834534107454957209a851bac4
SSDEEP

6144:U5SuupRIxrjvwT97hu1nbuTnFlzFeVuQqJa64BUR3XR0Ah0eZXBp6bS0fhr8w:UghhwbuTFlzF0uQqCidR0AJrcS0fhr8w

Score

10^/10

formbook pgnt rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

pgnt

Decoy

0WG18LbM4lR9iqMRa4nlBzTb

jcfGYzPgZTqFZVO9FV2yIw==

laIfrdSC8/4CNg==

Q73ilev5GIWuOrAAFV2yIw==

Q2u/pMw7pv4sPA==

TbqvIUHwlQscPo0HFV2yIw==

8PNWfGPyE8n0IQ==

WtgROxXzvY2L

PryaRBNjm4eP

Y9Hdi06Cry1um9Sj68YAu1o=

3Gulyp7CMQtR78jvLkk=

JJ3GasTVTCRQT6Tfz6S6GlI=

RnS42bhb9tI0R6UpD6wOxriNxw==

he1mi2sOGfzTRGHnuA==

eaYjCtjxVjdU5XLRtBMBLKk9quA=

k9rTeEqYzzw8WaTfz6S6GlI=

5luVQwe2vJWKEAiMdF4=

MGW14L9OVk5Y5TaR6w/DqdhYxXVY

mAsYz6k6sQkDC0/DoHj9t1RPWLSgFQ==

y5klhuMbE8n0IQ==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

vbc(1).exeregsvcs.exeraserver.exe

description	pid	process	target process
PID 1296 set thread context of 1676	1296	vbc(1).exe	regsvcs.exe
PID 1676 set thread context of 2424	1676	regsvcs.exe	Explorer.EXE
PID 3332 set thread context of 2424	3332	raserver.exe	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

raserver.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	raserver.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

vbc(1).exeregsvcs.exeraserver.exe

pid	process
1296	vbc(1).exe
1296	vbc(1).exe
1676	regsvcs.exe
1676	regsvcs.exe
1676	regsvcs.exe
1676	regsvcs.exe
1676	regsvcs.exe
1676	regsvcs.exe
1676	regsvcs.exe
1676	regsvcs.exe
3332	raserver.exe
3332	raserver.exe
3332	raserver.exe
3332	raserver.exe
3332	raserver.exe
3332	raserver.exe
3332	raserver.exe
3332	raserver.exe
3332	raserver.exe
3332	raserver.exe
3332	raserver.exe
3332	raserver.exe
3332	raserver.exe
3332	raserver.exe
3332	raserver.exe
3332	raserver.exe
3332	raserver.exe
3332	raserver.exe
3332	raserver.exe
3332	raserver.exe
3332	raserver.exe
3332	raserver.exe
3332	raserver.exe
3332	raserver.exe
3332	raserver.exe
3332	raserver.exe
3332	raserver.exe
3332	raserver.exe
3332	raserver.exe
3332	raserver.exe
3332	raserver.exe
3332	raserver.exe
3332	raserver.exe
3332	raserver.exe
3332	raserver.exe
3332	raserver.exe
3332	raserver.exe
3332	raserver.exe
3332	raserver.exe
3332	raserver.exe
3332	raserver.exe
3332	raserver.exe
3332	raserver.exe
3332	raserver.exe
3332	raserver.exe
3332	raserver.exe
3332	raserver.exe
3332	raserver.exe
3332	raserver.exe
3332	raserver.exe
3332	raserver.exe
3332	raserver.exe
3332	raserver.exe
3332	raserver.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2424 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

regsvcs.exeraserver.exe

pid process

1676 regsvcs.exe
1676 regsvcs.exe
1676 regsvcs.exe
3332 raserver.exe
3332 raserver.exe
3332 raserver.exe
3332 raserver.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vbc(1).exeregsvcs.exeraserver.exe

description pid process

Token: SeDebugPrivilege 1296 vbc(1).exe
Token: SeDebugPrivilege 1676 regsvcs.exe
Token: SeDebugPrivilege 3332 raserver.exe

pid	process
2424	Explorer.EXE

pid	process
1676	regsvcs.exe
1676	regsvcs.exe
1676	regsvcs.exe
3332	raserver.exe
3332	raserver.exe
3332	raserver.exe
3332	raserver.exe

description	pid	process
Token: SeDebugPrivilege	1296	vbc(1).exe
Token: SeDebugPrivilege	1676	regsvcs.exe
Token: SeDebugPrivilege	3332	raserver.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

vbc(1).exeExplorer.EXEraserver.exe

description	pid	process	target process
PID 1296 wrote to memory of 3500	1296	vbc(1).exe	regsvcs.exe
PID 1296 wrote to memory of 3500	1296	vbc(1).exe	regsvcs.exe
PID 1296 wrote to memory of 3500	1296	vbc(1).exe	regsvcs.exe
PID 1296 wrote to memory of 1676	1296	vbc(1).exe	regsvcs.exe
PID 1296 wrote to memory of 1676	1296	vbc(1).exe	regsvcs.exe
PID 1296 wrote to memory of 1676	1296	vbc(1).exe	regsvcs.exe
PID 1296 wrote to memory of 1676	1296	vbc(1).exe	regsvcs.exe
PID 1296 wrote to memory of 1676	1296	vbc(1).exe	regsvcs.exe
PID 1296 wrote to memory of 1676	1296	vbc(1).exe	regsvcs.exe
PID 2424 wrote to memory of 3332	2424	Explorer.EXE	raserver.exe
PID 2424 wrote to memory of 3332	2424	Explorer.EXE	raserver.exe
PID 2424 wrote to memory of 3332	2424	Explorer.EXE	raserver.exe
PID 3332 wrote to memory of 4316	3332	raserver.exe	Firefox.exe
PID 3332 wrote to memory of 4316	3332	raserver.exe	Firefox.exe
PID 3332 wrote to memory of 4316	3332	raserver.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2424

C:\Users\Admin\AppData\Local\Temp\vbc(1).exe
"C:\Users\Admin\AppData\Local\Temp\vbc(1).exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
3⤵
PID:3500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3332

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:4316

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1296-132-0x00000000005B0000-0x0000000000602000-memory.dmp

Filesize
328KB

Download
memory/1676-140-0x0000000000FC0000-0x000000000130A000-memory.dmp

Filesize
3.3MB

Download
memory/1676-134-0x0000000000000000-mapping.dmp

Download
memory/1676-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1676-138-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1676-137-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1676-141-0x0000000000422000-0x0000000000424000-memory.dmp

Filesize
8KB

Download
memory/1676-142-0x0000000000A80000-0x0000000000A90000-memory.dmp

Filesize
64KB

Download
memory/1676-145-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1676-146-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/2424-151-0x0000000007BA0000-0x0000000007C42000-memory.dmp

Filesize
648KB

Download
memory/2424-143-0x00000000034C0000-0x0000000003574000-memory.dmp

Filesize
720KB

Download
memory/2424-153-0x0000000007BA0000-0x0000000007C42000-memory.dmp

Filesize
648KB

Download
memory/3332-144-0x0000000000000000-mapping.dmp

Download
memory/3332-148-0x0000000000C00000-0x0000000000C2D000-memory.dmp

Filesize
180KB

Download
memory/3332-149-0x0000000002B70000-0x0000000002EBA000-memory.dmp

Filesize
3.3MB

Download
memory/3332-150-0x0000000002900000-0x000000000298F000-memory.dmp

Filesize
572KB

Download
memory/3332-147-0x0000000000750000-0x000000000076F000-memory.dmp

Filesize
124KB

Download
memory/3332-152-0x0000000000C00000-0x0000000000C2D000-memory.dmp

Filesize
180KB

Download
memory/3500-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads