formbook | 2e67fc9621c2da834965d57296fa32223b766d5a99f0aeae7b904f5d5a010529

General

Target

SWIFT MESAJI.exe
Size

295KB
MD5

6e61d20fbe58472cb648dd237d93292b
SHA1

f380ad86dd042ed393a4be7ff311b9b2800bc60d
SHA256

6067ef8eb25ca8f5d986b296550ed75294fd0f20fc795d23883f5884224632e4
SHA512

99ceca2853e70c55b74309d31309075cf0ab9c05d4786dfb5827d7fcb2b35d45b3274fe28292b5c24712ef07ae9f0eea9d718ff16074d262fe6c81ce2ef69777
SSDEEP

6144:lEa0Vp7O0FZ9d46iZ+D0iONVTqzLOvJK4rdOg:SzZ9dliZoNLOvJK4Ag

Score

10^/10

formbook nf35 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

nf35

Decoy

tBnrD3YKFOOZL5Y=

iDWqMmvFXWdPjwrVyg==

Mi+2XYdTddDZjOFylYbC75w=

0CngqOrR1wIPvRDlxffi5ow=

0A/A3EXbosXuAiXn0w==

B/vQ9VhlqkveYLN3WSyC9KhVaVLC

jDG6d+p8NVnbSKM3k9X49qKGmmA8rOg=

D0Ph2f5O/+Ubmg/nyg==

Virrs5Ryq0nmaeTXw9/T9JU=

B8l/lfoUXwS6/fvczt/T9JU=

bYcGzDhAixEnGR7zcO2JF79VaVLC

JwcApzyrhEtKIQ==

PS4USZ9kULjr4KpwpNEn8w==

jdV+IANzTFXuYOPgz/fi5ow=

Vv2tgOmx4lZlPybYj9hj

t+qr3Eq1TfBDC/nq1Q==

jKk21gjq81fDf3ll

o8tyfKj+n4Yu+y8hl+crD+W3WU/K

kO+vd4HbxIyEOg==

o3E0Q6S7+V9pV1E+rZ3LU//SfkWCOFS+Xw==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

tbpbhuaoah.exetbpbhuaoah.exe

pid process

4904 tbpbhuaoah.exe
4544 tbpbhuaoah.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tbpbhuaoah.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tbpbhuaoah.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

tbpbhuaoah.exetbpbhuaoah.exemstsc.exe

description	pid	process	target process
PID 4904 set thread context of 4544	4904	tbpbhuaoah.exe	tbpbhuaoah.exe
PID 4544 set thread context of 3060	4544	tbpbhuaoah.exe	Explorer.EXE
PID 2092 set thread context of 3060	2092	mstsc.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

mstsc.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	mstsc.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

Processes:

tbpbhuaoah.exemstsc.exe

pid	process
4544	tbpbhuaoah.exe
4544	tbpbhuaoah.exe
4544	tbpbhuaoah.exe
4544	tbpbhuaoah.exe
4544	tbpbhuaoah.exe
4544	tbpbhuaoah.exe
4544	tbpbhuaoah.exe
4544	tbpbhuaoah.exe
2092	mstsc.exe
2092	mstsc.exe
2092	mstsc.exe
2092	mstsc.exe
2092	mstsc.exe
2092	mstsc.exe
2092	mstsc.exe
2092	mstsc.exe
2092	mstsc.exe
2092	mstsc.exe
2092	mstsc.exe
2092	mstsc.exe
2092	mstsc.exe
2092	mstsc.exe
2092	mstsc.exe
2092	mstsc.exe
2092	mstsc.exe
2092	mstsc.exe
2092	mstsc.exe
2092	mstsc.exe
2092	mstsc.exe
2092	mstsc.exe
2092	mstsc.exe
2092	mstsc.exe
2092	mstsc.exe
2092	mstsc.exe
2092	mstsc.exe
2092	mstsc.exe
2092	mstsc.exe
2092	mstsc.exe
2092	mstsc.exe
2092	mstsc.exe
2092	mstsc.exe
2092	mstsc.exe
2092	mstsc.exe
2092	mstsc.exe
2092	mstsc.exe
2092	mstsc.exe
2092	mstsc.exe
2092	mstsc.exe
2092	mstsc.exe
2092	mstsc.exe
2092	mstsc.exe
2092	mstsc.exe
2092	mstsc.exe
2092	mstsc.exe
2092	mstsc.exe
2092	mstsc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3060 Explorer.EXE

pid	process
3060	Explorer.EXE

Suspicious behavior: MapViewOfSection 9 IoCs

Processes:

tbpbhuaoah.exetbpbhuaoah.exemstsc.exe

pid	process
4904	tbpbhuaoah.exe
4904	tbpbhuaoah.exe
4544	tbpbhuaoah.exe
4544	tbpbhuaoah.exe
4544	tbpbhuaoah.exe
2092	mstsc.exe
2092	mstsc.exe
2092	mstsc.exe
2092	mstsc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tbpbhuaoah.exemstsc.exe

description pid process

Token: SeDebugPrivilege 4544 tbpbhuaoah.exe
Token: SeDebugPrivilege 2092 mstsc.exe

description	pid	process
Token: SeDebugPrivilege	4544	tbpbhuaoah.exe
Token: SeDebugPrivilege	2092	mstsc.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

SWIFT MESAJI.exetbpbhuaoah.exeExplorer.EXEmstsc.exe

description	pid	process	target process
PID 3040 wrote to memory of 4904	3040	SWIFT MESAJI.exe	tbpbhuaoah.exe
PID 3040 wrote to memory of 4904	3040	SWIFT MESAJI.exe	tbpbhuaoah.exe
PID 3040 wrote to memory of 4904	3040	SWIFT MESAJI.exe	tbpbhuaoah.exe
PID 4904 wrote to memory of 4544	4904	tbpbhuaoah.exe	tbpbhuaoah.exe
PID 4904 wrote to memory of 4544	4904	tbpbhuaoah.exe	tbpbhuaoah.exe
PID 4904 wrote to memory of 4544	4904	tbpbhuaoah.exe	tbpbhuaoah.exe
PID 4904 wrote to memory of 4544	4904	tbpbhuaoah.exe	tbpbhuaoah.exe
PID 3060 wrote to memory of 2092	3060	Explorer.EXE	mstsc.exe
PID 3060 wrote to memory of 2092	3060	Explorer.EXE	mstsc.exe
PID 3060 wrote to memory of 2092	3060	Explorer.EXE	mstsc.exe
PID 2092 wrote to memory of 4780	2092	mstsc.exe	Firefox.exe
PID 2092 wrote to memory of 4780	2092	mstsc.exe	Firefox.exe
PID 2092 wrote to memory of 4780	2092	mstsc.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3060

C:\Users\Admin\AppData\Local\Temp\SWIFT MESAJI.exe
"C:\Users\Admin\AppData\Local\Temp\SWIFT MESAJI.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3040

C:\Users\Admin\AppData\Local\Temp\tbpbhuaoah.exe
"C:\Users\Admin\AppData\Local\Temp\tbpbhuaoah.exe" C:\Users\Admin\AppData\Local\Temp\xblpkd.d
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4904

C:\Users\Admin\AppData\Local\Temp\tbpbhuaoah.exe
"C:\Users\Admin\AppData\Local\Temp\tbpbhuaoah.exe" C:\Users\Admin\AppData\Local\Temp\xblpkd.d
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4544

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2092

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:4780

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jprekbxuw.a
Filesize
185KB

MD5
93dcc6e5b48a324d88eff81dcce34794

SHA1
6d831bb2980d1aa08c51a1617bda27c0d10aa77a

SHA256
52974d7ed1df0dfa99c06fb2778cddce952ee065d2520bd6e81ca24bc9edc474

SHA512
800eda6d0c604a6494af5eab169029aff15318014ca874c4b6927c8eb3cff353945871155917e41a5450b8bd1ecd16a655b2bef83ac755a530cf7455c21f6ff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tbpbhuaoah.exe
Filesize
30KB

MD5
fc7bad02c3a8a59340f1c3df10281d7f

SHA1
e67f0d687704613010e65766dd23d1b399071ead

SHA256
60b24331063f7b867d7e44212648d6e8ea0b7c21ba9f2a9d14c1fdf7ddaa406b

SHA512
035c12a8cd82942baea6f4da47b97a7680a133bdfb70020e4105ed2f4682962e55899cf26dc409cf8f32521deb71676d44858c6b0878b06e8007e666b43cac46

Download Submit
C:\Users\Admin\AppData\Local\Temp\tbpbhuaoah.exe
Filesize
30KB

MD5
fc7bad02c3a8a59340f1c3df10281d7f

SHA1
e67f0d687704613010e65766dd23d1b399071ead

SHA256
60b24331063f7b867d7e44212648d6e8ea0b7c21ba9f2a9d14c1fdf7ddaa406b

SHA512
035c12a8cd82942baea6f4da47b97a7680a133bdfb70020e4105ed2f4682962e55899cf26dc409cf8f32521deb71676d44858c6b0878b06e8007e666b43cac46

Download Submit
C:\Users\Admin\AppData\Local\Temp\tbpbhuaoah.exe
Filesize
30KB

MD5
fc7bad02c3a8a59340f1c3df10281d7f

SHA1
e67f0d687704613010e65766dd23d1b399071ead

SHA256
60b24331063f7b867d7e44212648d6e8ea0b7c21ba9f2a9d14c1fdf7ddaa406b

SHA512
035c12a8cd82942baea6f4da47b97a7680a133bdfb70020e4105ed2f4682962e55899cf26dc409cf8f32521deb71676d44858c6b0878b06e8007e666b43cac46

Download Submit
C:\Users\Admin\AppData\Local\Temp\xblpkd.d
Filesize
5KB

MD5
dbeed799cac90b193ab5a1dbc4a039ce

SHA1
b1ce09411903ed06ac21f55debaac5c257338cfd

SHA256
717bf990b3778c4d294a23217340bb7bae2bdaf7f5b144116a5561724ef40ff2

SHA512
05ad1963805a5ee2c8578d4630d675aa8ee4f9ebea809c4c369665188caf43123edec6b3c508c11d9086598aa31a19c8fc6abd30db0cc21d59961db5aa5cb1c3

Download Submit
memory/2092-144-0x0000000000C60000-0x0000000000D9A000-memory.dmp

Filesize
1.2MB

Download
memory/2092-146-0x0000000002FB0000-0x00000000032FA000-memory.dmp

Filesize
3.3MB

Download
memory/2092-149-0x00000000010A0000-0x00000000010CD000-memory.dmp

Filesize
180KB

Download
memory/2092-147-0x0000000002E40000-0x0000000002ECF000-memory.dmp

Filesize
572KB

Download
memory/2092-143-0x0000000000000000-mapping.dmp

Download
memory/2092-145-0x00000000010A0000-0x00000000010CD000-memory.dmp

Filesize
180KB

Download
memory/3060-150-0x00000000027E0000-0x0000000002894000-memory.dmp

Filesize
720KB

Download
memory/3060-142-0x0000000002BE0000-0x0000000002D16000-memory.dmp

Filesize
1.2MB

Download
memory/3060-148-0x00000000027E0000-0x0000000002894000-memory.dmp

Filesize
720KB

Download
memory/4544-141-0x00000000005E0000-0x00000000005F0000-memory.dmp

Filesize
64KB

Download
memory/4544-137-0x0000000000000000-mapping.dmp

Download
memory/4544-140-0x0000000000F50000-0x000000000129A000-memory.dmp

Filesize
3.3MB

Download
memory/4544-139-0x0000000000800000-0x000000000082F000-memory.dmp

Filesize
188KB

Download
memory/4904-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads