formbook | 31d9c25d965fa6de72c0c376159c19da21bc5dcd579bc038b2134d19b1ca9ab2

General

Target

Scan AR441 SHEETS.exe
Size

483KB
MD5

ae6e5c25ef61b57b0474c12fb74b9880
SHA1

feb3c0ced829b8ab62d94267f4ec0578ede5e58a
SHA256

31d9c25d965fa6de72c0c376159c19da21bc5dcd579bc038b2134d19b1ca9ab2
SHA512

0fc452ea778b13aa467a4e44e6d98896d319c32e147067fbf48ee86842b672b10cf8e571f9292fef429aea009c899851313c625b333b93edb2607c75853a2bcb
SSDEEP

12288:Wtm2gHDUkrFwT3OSwmucvWwfmRbBT3lhQvaMmgG9l:6gIIFwT3OcucUNwas

Score

10^/10

formbook pfgc rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

pfgc

Decoy

hBGNx7LOg1/1V9He6Lr1odiL8A==

JUtMWPUI+jYE3h2D0VXJrkViyWlklw==

9Onb+iNxE//TbnVsww==

+zlULMoiC8l+8Tev2wK6Xpt3qkQ2

vv/ckxYzTsV3W3KwMKjDf1rK+A==

fiNtn8AUmEDcSGooP0OzpNX0

Vo+DIT5uE/PEbnVsww==

JzMzXJDojoBk5EcxFTKznOD+

hxRyvNTzW6eTCQ==

/CcTv23E93dcQXf9RUb+

n6ODTfEg31QE9F0=

V9k3j8Pew4FJqasspfOBQNk=

mq+vfSOVMzCmhwN1wUeUUME41Pw=

1frRhiXBVRSqDTLo46vXXNc=

WP9xcxRKdPLGtCeZ8VMcCsA=

dIBJ53JHoTO5

tlakzPSKiYl02hJYqJQdC8I=

EiPtnEnwhz/bMaJp+a0cj8g=

s7mOSbbN8GbPM3von61MR8E41Pw=

HFhN1/bX7Umz

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Scan AR441 SHEETS.exeScan AR441 SHEETS.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	Scan AR441 SHEETS.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	Scan AR441 SHEETS.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Scan AR441 SHEETS.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\International\Geo\Nation	Scan AR441 SHEETS.exe

Loads dropped DLL 1 IoCs

Processes:

Scan AR441 SHEETS.exe

pid process

944 Scan AR441 SHEETS.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

Processes:

Scan AR441 SHEETS.exe

pid process

1608 Scan AR441 SHEETS.exe
1608 Scan AR441 SHEETS.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Scan AR441 SHEETS.exeScan AR441 SHEETS.exe

pid process

944 Scan AR441 SHEETS.exe
1608 Scan AR441 SHEETS.exe

pid	process
944	Scan AR441 SHEETS.exe

pid	process
944	Scan AR441 SHEETS.exe
1608	Scan AR441 SHEETS.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Scan AR441 SHEETS.exeScan AR441 SHEETS.exeexplorer.exe

description	pid	process	target process
PID 944 set thread context of 1608	944	Scan AR441 SHEETS.exe	Scan AR441 SHEETS.exe
PID 1608 set thread context of 1268	1608	Scan AR441 SHEETS.exe	Explorer.EXE
PID 2044 set thread context of 1268	2044	explorer.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	explorer.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

Scan AR441 SHEETS.exeexplorer.exe

pid	process
1608	Scan AR441 SHEETS.exe
1608	Scan AR441 SHEETS.exe
1608	Scan AR441 SHEETS.exe
1608	Scan AR441 SHEETS.exe
2044	explorer.exe
2044	explorer.exe
2044	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Scan AR441 SHEETS.exe

pid process

944 Scan AR441 SHEETS.exe
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

Scan AR441 SHEETS.exeScan AR441 SHEETS.exeexplorer.exe

pid process

944 Scan AR441 SHEETS.exe
1608 Scan AR441 SHEETS.exe
1608 Scan AR441 SHEETS.exe
1608 Scan AR441 SHEETS.exe
2044 explorer.exe
2044 explorer.exe

pid	process
944	Scan AR441 SHEETS.exe

pid	process
944	Scan AR441 SHEETS.exe
1608	Scan AR441 SHEETS.exe
1608	Scan AR441 SHEETS.exe
1608	Scan AR441 SHEETS.exe
2044	explorer.exe
2044	explorer.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Scan AR441 SHEETS.exeExplorer.EXEexplorer.exe

description	pid	process
Token: SeDebugPrivilege	1608	Scan AR441 SHEETS.exe
Token: SeShutdownPrivilege	1268	Explorer.EXE
Token: SeDebugPrivilege	2044	explorer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1268 Explorer.EXE
1268 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1268 Explorer.EXE
1268 Explorer.EXE

pid	process
1268	Explorer.EXE
1268	Explorer.EXE

pid	process
1268	Explorer.EXE
1268	Explorer.EXE

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

Scan AR441 SHEETS.exeExplorer.EXE

description	pid	process	target process
PID 944 wrote to memory of 1608	944	Scan AR441 SHEETS.exe	Scan AR441 SHEETS.exe
PID 944 wrote to memory of 1608	944	Scan AR441 SHEETS.exe	Scan AR441 SHEETS.exe
PID 944 wrote to memory of 1608	944	Scan AR441 SHEETS.exe	Scan AR441 SHEETS.exe
PID 944 wrote to memory of 1608	944	Scan AR441 SHEETS.exe	Scan AR441 SHEETS.exe
PID 944 wrote to memory of 1608	944	Scan AR441 SHEETS.exe	Scan AR441 SHEETS.exe
PID 1268 wrote to memory of 2044	1268	Explorer.EXE	explorer.exe
PID 1268 wrote to memory of 2044	1268	Explorer.EXE	explorer.exe
PID 1268 wrote to memory of 2044	1268	Explorer.EXE	explorer.exe
PID 1268 wrote to memory of 2044	1268	Explorer.EXE	explorer.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1268

C:\Users\Admin\AppData\Local\Temp\Scan AR441 SHEETS.exe
"C:\Users\Admin\AppData\Local\Temp\Scan AR441 SHEETS.exe"
2⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:944

C:\Users\Admin\AppData\Local\Temp\Scan AR441 SHEETS.exe
"C:\Users\Admin\AppData\Local\Temp\Scan AR441 SHEETS.exe"
3⤵
- Checks QEMU agent file
- Checks computer location settings
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsj89EC.tmp\System.dll
Filesize
11KB

MD5
7399323923e3946fe9140132ac388132

SHA1
728257d06c452449b1241769b459f091aabcffc5

SHA256
5a1c20a3e2e2eb182976977669f2c5d9f3104477e98f74d69d2434e79b92fdc3

SHA512
d6f28ba761351f374ae007c780be27758aea7b9f998e2a88a542eede459d18700adffe71abcb52b8a8c00695efb7ccc280175b5eeb57ca9a645542edfabb64f1

Download Submit
memory/944-65-0x0000000077340000-0x00000000774C0000-memory.dmp

Filesize
1.5MB

Download
memory/944-66-0x0000000077340000-0x00000000774C0000-memory.dmp

Filesize
1.5MB

Download
memory/944-57-0x0000000002460000-0x0000000002561000-memory.dmp

Filesize
1.0MB

Download
memory/944-58-0x0000000077160000-0x0000000077309000-memory.dmp

Filesize
1.7MB

Download
memory/944-60-0x0000000077340000-0x00000000774C0000-memory.dmp

Filesize
1.5MB

Download
memory/944-78-0x0000000002460000-0x0000000002561000-memory.dmp

Filesize
1.0MB

Download
memory/944-79-0x0000000077340000-0x00000000774C0000-memory.dmp

Filesize
1.5MB

Download
memory/944-56-0x0000000002460000-0x0000000002561000-memory.dmp

Filesize
1.0MB

Download
memory/944-54-0x0000000075B61000-0x0000000075B63000-memory.dmp

Filesize
8KB

Download
memory/1268-91-0x0000000003CE0000-0x0000000003DD4000-memory.dmp

Filesize
976KB

Download
memory/1268-89-0x0000000003CE0000-0x0000000003DD4000-memory.dmp

Filesize
976KB

Download
memory/1268-92-0x000007FEF5C50000-0x000007FEF5D93000-memory.dmp

Filesize
1.3MB

Download
memory/1268-93-0x000007FEB1630000-0x000007FEB163A000-memory.dmp

Filesize
40KB

Download
memory/1268-77-0x0000000006D40000-0x0000000006E98000-memory.dmp

Filesize
1.3MB

Download
memory/1608-74-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1608-83-0x00000000001C0000-0x00000000002C0000-memory.dmp

Filesize
1024KB

Download
memory/1608-75-0x000000001D4C0000-0x000000001D7C3000-memory.dmp

Filesize
3.0MB

Download
memory/1608-76-0x000000001D3A0000-0x000000001D3B0000-memory.dmp

Filesize
64KB

Download
memory/1608-72-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1608-71-0x0000000077340000-0x00000000774C0000-memory.dmp

Filesize
1.5MB

Download
memory/1608-68-0x0000000077160000-0x0000000077309000-memory.dmp

Filesize
1.7MB

Download
memory/1608-62-0x0000000000403358-mapping.dmp

Download
memory/1608-63-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1608-73-0x0000000000401000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1608-84-0x0000000077340000-0x00000000774C0000-memory.dmp

Filesize
1.5MB

Download
memory/1608-64-0x00000000001C0000-0x00000000002C0000-memory.dmp

Filesize
1024KB

Download
memory/1608-67-0x00000000001C0000-0x00000000002C0000-memory.dmp

Filesize
1024KB

Download
memory/2044-86-0x00000000000D0000-0x00000000000FD000-memory.dmp

Filesize
180KB

Download
memory/2044-88-0x0000000002040000-0x00000000020CF000-memory.dmp

Filesize
572KB

Download
memory/2044-87-0x0000000002280000-0x0000000002583000-memory.dmp

Filesize
3.0MB

Download
memory/2044-90-0x00000000000D0000-0x00000000000FD000-memory.dmp

Filesize
180KB

Download
memory/2044-85-0x0000000000820000-0x0000000000AA1000-memory.dmp

Filesize
2.5MB

Download
memory/2044-82-0x0000000073E31000-0x0000000073E33000-memory.dmp

Filesize
8KB

Download
memory/2044-80-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads