formbook | 2e67fc9621c2da834965d57296fa32223b766d5a99f0aeae7b904f5d5a010529

General

Target

SWIFT MESAJI.exe
Size

295KB
MD5

6e61d20fbe58472cb648dd237d93292b
SHA1

f380ad86dd042ed393a4be7ff311b9b2800bc60d
SHA256

6067ef8eb25ca8f5d986b296550ed75294fd0f20fc795d23883f5884224632e4
SHA512

99ceca2853e70c55b74309d31309075cf0ab9c05d4786dfb5827d7fcb2b35d45b3274fe28292b5c24712ef07ae9f0eea9d718ff16074d262fe6c81ce2ef69777
SSDEEP

6144:lEa0Vp7O0FZ9d46iZ+D0iONVTqzLOvJK4rdOg:SzZ9dliZoNLOvJK4Ag

Score

10^/10

formbook nf35 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

nf35

Decoy

tBnrD3YKFOOZL5Y=

iDWqMmvFXWdPjwrVyg==

Mi+2XYdTddDZjOFylYbC75w=

0CngqOrR1wIPvRDlxffi5ow=

0A/A3EXbosXuAiXn0w==

B/vQ9VhlqkveYLN3WSyC9KhVaVLC

jDG6d+p8NVnbSKM3k9X49qKGmmA8rOg=

D0Ph2f5O/+Ubmg/nyg==

Virrs5Ryq0nmaeTXw9/T9JU=

B8l/lfoUXwS6/fvczt/T9JU=

bYcGzDhAixEnGR7zcO2JF79VaVLC

JwcApzyrhEtKIQ==

PS4USZ9kULjr4KpwpNEn8w==

jdV+IANzTFXuYOPgz/fi5ow=

Vv2tgOmx4lZlPybYj9hj

t+qr3Eq1TfBDC/nq1Q==

jKk21gjq81fDf3ll

o8tyfKj+n4Yu+y8hl+crD+W3WU/K

kO+vd4HbxIyEOg==

o3E0Q6S7+V9pV1E+rZ3LU//SfkWCOFS+Xw==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Blocklisted process makes network request 1 IoCs

Processes:

wscript.exe

flow pid process

9 1736 wscript.exe
Executes dropped EXE 2 IoCs

Processes:

tbpbhuaoah.exetbpbhuaoah.exe

pid process

824 tbpbhuaoah.exe
1420 tbpbhuaoah.exe

flow	pid	process
9	1736	wscript.exe

pid	process
824	tbpbhuaoah.exe
1420	tbpbhuaoah.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tbpbhuaoah.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\Geo\Nation	tbpbhuaoah.exe

Loads dropped DLL 3 IoCs

Processes:

SWIFT MESAJI.exetbpbhuaoah.exewscript.exe

pid process

1408 SWIFT MESAJI.exe
824 tbpbhuaoah.exe
1736 wscript.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1408	SWIFT MESAJI.exe
824	tbpbhuaoah.exe
1736	wscript.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

tbpbhuaoah.exetbpbhuaoah.exewscript.exe

description	pid	process	target process
PID 824 set thread context of 1420	824	tbpbhuaoah.exe	tbpbhuaoah.exe
PID 1420 set thread context of 1272	1420	tbpbhuaoah.exe	Explorer.EXE
PID 1736 set thread context of 1272	1736	wscript.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	wscript.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

tbpbhuaoah.exewscript.exe

pid	process
1420	tbpbhuaoah.exe
1420	tbpbhuaoah.exe
1420	tbpbhuaoah.exe
1420	tbpbhuaoah.exe
1736	wscript.exe
1736	wscript.exe
1736	wscript.exe
1736	wscript.exe
1736	wscript.exe
1736	wscript.exe
1736	wscript.exe
1736	wscript.exe
1736	wscript.exe
1736	wscript.exe
1736	wscript.exe
1736	wscript.exe
1736	wscript.exe
1736	wscript.exe
1736	wscript.exe
1736	wscript.exe
1736	wscript.exe
1736	wscript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1272 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

tbpbhuaoah.exetbpbhuaoah.exewscript.exe

pid process

824 tbpbhuaoah.exe
1420 tbpbhuaoah.exe
1420 tbpbhuaoah.exe
1420 tbpbhuaoah.exe
1736 wscript.exe
1736 wscript.exe
1736 wscript.exe
1736 wscript.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tbpbhuaoah.exewscript.exe

description pid process

Token: SeDebugPrivilege 1420 tbpbhuaoah.exe
Token: SeDebugPrivilege 1736 wscript.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1272 Explorer.EXE
1272 Explorer.EXE

pid	process
824	tbpbhuaoah.exe
1420	tbpbhuaoah.exe
1420	tbpbhuaoah.exe
1420	tbpbhuaoah.exe
1736	wscript.exe
1736	wscript.exe
1736	wscript.exe
1736	wscript.exe

description	pid	process
Token: SeDebugPrivilege	1420	tbpbhuaoah.exe
Token: SeDebugPrivilege	1736	wscript.exe

Suspicious use of SendNotifyMessage 13 IoCs

Processes:

Explorer.EXE

pid	process
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

SWIFT MESAJI.exetbpbhuaoah.exeExplorer.EXEwscript.exe

description	pid	process	target process
PID 1408 wrote to memory of 824	1408	SWIFT MESAJI.exe	tbpbhuaoah.exe
PID 1408 wrote to memory of 824	1408	SWIFT MESAJI.exe	tbpbhuaoah.exe
PID 1408 wrote to memory of 824	1408	SWIFT MESAJI.exe	tbpbhuaoah.exe
PID 1408 wrote to memory of 824	1408	SWIFT MESAJI.exe	tbpbhuaoah.exe
PID 824 wrote to memory of 1420	824	tbpbhuaoah.exe	tbpbhuaoah.exe
PID 824 wrote to memory of 1420	824	tbpbhuaoah.exe	tbpbhuaoah.exe
PID 824 wrote to memory of 1420	824	tbpbhuaoah.exe	tbpbhuaoah.exe
PID 824 wrote to memory of 1420	824	tbpbhuaoah.exe	tbpbhuaoah.exe
PID 824 wrote to memory of 1420	824	tbpbhuaoah.exe	tbpbhuaoah.exe
PID 1272 wrote to memory of 1736	1272	Explorer.EXE	wscript.exe
PID 1272 wrote to memory of 1736	1272	Explorer.EXE	wscript.exe
PID 1272 wrote to memory of 1736	1272	Explorer.EXE	wscript.exe
PID 1272 wrote to memory of 1736	1272	Explorer.EXE	wscript.exe
PID 1736 wrote to memory of 1572	1736	wscript.exe	Firefox.exe
PID 1736 wrote to memory of 1572	1736	wscript.exe	Firefox.exe
PID 1736 wrote to memory of 1572	1736	wscript.exe	Firefox.exe
PID 1736 wrote to memory of 1572	1736	wscript.exe	Firefox.exe
PID 1736 wrote to memory of 1572	1736	wscript.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1272

C:\Users\Admin\AppData\Local\Temp\SWIFT MESAJI.exe
"C:\Users\Admin\AppData\Local\Temp\SWIFT MESAJI.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1408

C:\Users\Admin\AppData\Local\Temp\tbpbhuaoah.exe
"C:\Users\Admin\AppData\Local\Temp\tbpbhuaoah.exe" C:\Users\Admin\AppData\Local\Temp\xblpkd.d
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:824

C:\Users\Admin\AppData\Local\Temp\tbpbhuaoah.exe
"C:\Users\Admin\AppData\Local\Temp\tbpbhuaoah.exe" C:\Users\Admin\AppData\Local\Temp\xblpkd.d
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1572

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jprekbxuw.a
Filesize
185KB

MD5
93dcc6e5b48a324d88eff81dcce34794

SHA1
6d831bb2980d1aa08c51a1617bda27c0d10aa77a

SHA256
52974d7ed1df0dfa99c06fb2778cddce952ee065d2520bd6e81ca24bc9edc474

SHA512
800eda6d0c604a6494af5eab169029aff15318014ca874c4b6927c8eb3cff353945871155917e41a5450b8bd1ecd16a655b2bef83ac755a530cf7455c21f6ff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tbpbhuaoah.exe
Filesize
30KB

MD5
fc7bad02c3a8a59340f1c3df10281d7f

SHA1
e67f0d687704613010e65766dd23d1b399071ead

SHA256
60b24331063f7b867d7e44212648d6e8ea0b7c21ba9f2a9d14c1fdf7ddaa406b

SHA512
035c12a8cd82942baea6f4da47b97a7680a133bdfb70020e4105ed2f4682962e55899cf26dc409cf8f32521deb71676d44858c6b0878b06e8007e666b43cac46

Download Submit
C:\Users\Admin\AppData\Local\Temp\tbpbhuaoah.exe
Filesize
30KB

MD5
fc7bad02c3a8a59340f1c3df10281d7f

SHA1
e67f0d687704613010e65766dd23d1b399071ead

SHA256
60b24331063f7b867d7e44212648d6e8ea0b7c21ba9f2a9d14c1fdf7ddaa406b

SHA512
035c12a8cd82942baea6f4da47b97a7680a133bdfb70020e4105ed2f4682962e55899cf26dc409cf8f32521deb71676d44858c6b0878b06e8007e666b43cac46

Download Submit
C:\Users\Admin\AppData\Local\Temp\tbpbhuaoah.exe
Filesize
30KB

MD5
fc7bad02c3a8a59340f1c3df10281d7f

SHA1
e67f0d687704613010e65766dd23d1b399071ead

SHA256
60b24331063f7b867d7e44212648d6e8ea0b7c21ba9f2a9d14c1fdf7ddaa406b

SHA512
035c12a8cd82942baea6f4da47b97a7680a133bdfb70020e4105ed2f4682962e55899cf26dc409cf8f32521deb71676d44858c6b0878b06e8007e666b43cac46

Download Submit
C:\Users\Admin\AppData\Local\Temp\xblpkd.d
Filesize
5KB

MD5
dbeed799cac90b193ab5a1dbc4a039ce

SHA1
b1ce09411903ed06ac21f55debaac5c257338cfd

SHA256
717bf990b3778c4d294a23217340bb7bae2bdaf7f5b144116a5561724ef40ff2

SHA512
05ad1963805a5ee2c8578d4630d675aa8ee4f9ebea809c4c369665188caf43123edec6b3c508c11d9086598aa31a19c8fc6abd30db0cc21d59961db5aa5cb1c3

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
949KB

MD5
38a3e021eb32c9976adaf0b3372080fc

SHA1
68e02803c646be21007d90bec841c176b82211fd

SHA256
8cde0275d60da0d11954f73c7c8862cfc4b306f61bb8b1ce14abe4a193af2652

SHA512
b886cc112f2750e7300b66f7242850659fa49fdc97f75aed376cb9f5440875f303a143bf8b51068ec42674f1ebe1dfcc40534f3a7aed3cc4d20f9274b9a66d18

Download Submit
\Users\Admin\AppData\Local\Temp\tbpbhuaoah.exe
Filesize
30KB

MD5
fc7bad02c3a8a59340f1c3df10281d7f

SHA1
e67f0d687704613010e65766dd23d1b399071ead

SHA256
60b24331063f7b867d7e44212648d6e8ea0b7c21ba9f2a9d14c1fdf7ddaa406b

SHA512
035c12a8cd82942baea6f4da47b97a7680a133bdfb70020e4105ed2f4682962e55899cf26dc409cf8f32521deb71676d44858c6b0878b06e8007e666b43cac46

Download Submit
\Users\Admin\AppData\Local\Temp\tbpbhuaoah.exe
Filesize
30KB

MD5
fc7bad02c3a8a59340f1c3df10281d7f

SHA1
e67f0d687704613010e65766dd23d1b399071ead

SHA256
60b24331063f7b867d7e44212648d6e8ea0b7c21ba9f2a9d14c1fdf7ddaa406b

SHA512
035c12a8cd82942baea6f4da47b97a7680a133bdfb70020e4105ed2f4682962e55899cf26dc409cf8f32521deb71676d44858c6b0878b06e8007e666b43cac46

Download Submit
memory/824-56-0x0000000000000000-mapping.dmp

Download
memory/1272-69-0x0000000007510000-0x0000000007695000-memory.dmp

Filesize
1.5MB

Download
memory/1272-77-0x0000000003DF0000-0x0000000003EBE000-memory.dmp

Filesize
824KB

Download
memory/1272-75-0x0000000003DF0000-0x0000000003EBE000-memory.dmp

Filesize
824KB

Download
memory/1408-54-0x00000000750A1000-0x00000000750A3000-memory.dmp

Filesize
8KB

Download
memory/1420-67-0x0000000000920000-0x0000000000C23000-memory.dmp

Filesize
3.0MB

Download
memory/1420-68-0x0000000000120000-0x0000000000130000-memory.dmp

Filesize
64KB

Download
memory/1420-66-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1420-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1420-63-0x00000000004012B0-mapping.dmp

Download
memory/1736-70-0x0000000000000000-mapping.dmp

Download
memory/1736-71-0x0000000000430000-0x0000000000456000-memory.dmp

Filesize
152KB

Download
memory/1736-73-0x0000000002150000-0x0000000002453000-memory.dmp

Filesize
3.0MB

Download
memory/1736-72-0x0000000000070000-0x000000000009D000-memory.dmp

Filesize
180KB

Download
memory/1736-74-0x0000000000460000-0x00000000004EF000-memory.dmp

Filesize
572KB

Download
memory/1736-76-0x0000000000070000-0x000000000009D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads