formbook | 3d1672c7a51602f091b622285fbcce4aeec4522d428a1a2179b2f1033c94b3e3

General

Target

Product Specification.exe
Size

281KB
MD5

49b374a64015666e9ae51070c7df038e
SHA1

5cc61425c317ff5256811adc6ecd9e224ee7c3d4
SHA256

2d0bf404b71b81df2a8256b7adb927dfac1ed504c968f0c7e07dd3fea4213bb1
SHA512

c437cead3a461959791ff0fff852f3e5df34294af52a427fe0c2e81391a97f5fd25e97f0bddae292230775f49b1dd39cb4f1a873c876cb0f13aeb3a15e8f171d
SSDEEP

6144:MEa0NTHageXNHhxZt6EMw+XYWFGuZqdcKI+cCzSLXRt:XTHa9NPZt7Mw+oWF/GoLCzYXX

Score

10^/10

formbook xhnq rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

xhnq

Decoy

kkL8Pu8x+4S6wfoCcvftOA==

496LxjKjebwp3Q==

ZNpe1artufAiEvfm

4CIcGQGlfZxOWk0WfU+wmLwHYNU=

nCqrPAt3AVekKygjamfKlLwHYNU=

t3ppAKZhQHeDNIODv4HKmLwHYNU=

ELBzK0V6QboxkHETQPeEni+H

BrZstrXumvReu6Q5bGAp1idBRcBqdzIWBw==

yNispwXS2wJJ

WzKfqGFL2TuyZbWJfP922LwHYNU=

qOfvZB3ikBBe

02Ae6pxfJKIwxGUzLw==

MK5YMCnhqBH9LYpSyZFZ

P5ZeKBadM4fFMvxSyZFZ

2BhbGIIr3/bytfHx

1awWI9/MRYX7aEHQTgLHJQ==

n61fuJeFBWTZohooVyqYhrwHYNU=

DIoQj5nLfMg27S77/sOCFuzOkA==

X5tPEguDocp8lfoHcvftOA==

MK5fKQV570dBgQSTAfs=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Blocklisted process makes network request 2 IoCs

Processes:

wscript.exe

flow pid process

7 1096 wscript.exe
10 1096 wscript.exe
Executes dropped EXE 2 IoCs

Processes:

ziuoaka.exeziuoaka.exe

pid process

272 ziuoaka.exe
1496 ziuoaka.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

ziuoaka.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation ziuoaka.exe
Loads dropped DLL 3 IoCs

Processes:

Product Specification.exeziuoaka.exewscript.exe

pid process

2004 Product Specification.exe
272 ziuoaka.exe
1096 wscript.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
7	1096	wscript.exe
10	1096	wscript.exe

pid	process
272	ziuoaka.exe
1496	ziuoaka.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation	ziuoaka.exe

pid	process
2004	Product Specification.exe
272	ziuoaka.exe
1096	wscript.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

ziuoaka.exeziuoaka.exewscript.exe

description	pid	process	target process
PID 272 set thread context of 1496	272	ziuoaka.exe	ziuoaka.exe
PID 1496 set thread context of 1372	1496	ziuoaka.exe	Explorer.EXE
PID 1096 set thread context of 1372	1096	wscript.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	wscript.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

ziuoaka.exewscript.exe

pid	process
1496	ziuoaka.exe
1496	ziuoaka.exe
1496	ziuoaka.exe
1496	ziuoaka.exe
1096	wscript.exe
1096	wscript.exe
1096	wscript.exe
1096	wscript.exe
1096	wscript.exe
1096	wscript.exe
1096	wscript.exe
1096	wscript.exe
1096	wscript.exe
1096	wscript.exe
1096	wscript.exe
1096	wscript.exe
1096	wscript.exe
1096	wscript.exe
1096	wscript.exe

Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

ziuoaka.exeziuoaka.exewscript.exe

pid process

272 ziuoaka.exe
1496 ziuoaka.exe
1496 ziuoaka.exe
1496 ziuoaka.exe
1096 wscript.exe
1096 wscript.exe
1096 wscript.exe
1096 wscript.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ziuoaka.exewscript.exe

description pid process

Token: SeDebugPrivilege 1496 ziuoaka.exe
Token: SeDebugPrivilege 1096 wscript.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1372 Explorer.EXE
1372 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1372 Explorer.EXE
1372 Explorer.EXE

pid	process
272	ziuoaka.exe
1496	ziuoaka.exe
1496	ziuoaka.exe
1496	ziuoaka.exe
1096	wscript.exe
1096	wscript.exe
1096	wscript.exe
1096	wscript.exe

description	pid	process
Token: SeDebugPrivilege	1496	ziuoaka.exe
Token: SeDebugPrivilege	1096	wscript.exe

pid	process
1372	Explorer.EXE
1372	Explorer.EXE

pid	process
1372	Explorer.EXE
1372	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

Product Specification.exeziuoaka.exeExplorer.EXEwscript.exe

description	pid	process	target process
PID 2004 wrote to memory of 272	2004	Product Specification.exe	ziuoaka.exe
PID 2004 wrote to memory of 272	2004	Product Specification.exe	ziuoaka.exe
PID 2004 wrote to memory of 272	2004	Product Specification.exe	ziuoaka.exe
PID 2004 wrote to memory of 272	2004	Product Specification.exe	ziuoaka.exe
PID 272 wrote to memory of 1496	272	ziuoaka.exe	ziuoaka.exe
PID 272 wrote to memory of 1496	272	ziuoaka.exe	ziuoaka.exe
PID 272 wrote to memory of 1496	272	ziuoaka.exe	ziuoaka.exe
PID 272 wrote to memory of 1496	272	ziuoaka.exe	ziuoaka.exe
PID 272 wrote to memory of 1496	272	ziuoaka.exe	ziuoaka.exe
PID 1372 wrote to memory of 1096	1372	Explorer.EXE	wscript.exe
PID 1372 wrote to memory of 1096	1372	Explorer.EXE	wscript.exe
PID 1372 wrote to memory of 1096	1372	Explorer.EXE	wscript.exe
PID 1372 wrote to memory of 1096	1372	Explorer.EXE	wscript.exe
PID 1096 wrote to memory of 1952	1096	wscript.exe	Firefox.exe
PID 1096 wrote to memory of 1952	1096	wscript.exe	Firefox.exe
PID 1096 wrote to memory of 1952	1096	wscript.exe	Firefox.exe
PID 1096 wrote to memory of 1952	1096	wscript.exe	Firefox.exe
PID 1096 wrote to memory of 1952	1096	wscript.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1372

C:\Users\Admin\AppData\Local\Temp\Product Specification.exe
"C:\Users\Admin\AppData\Local\Temp\Product Specification.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2004

C:\Users\Admin\AppData\Local\Temp\ziuoaka.exe
"C:\Users\Admin\AppData\Local\Temp\ziuoaka.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:272

C:\Users\Admin\AppData\Local\Temp\ziuoaka.exe
"C:\Users\Admin\AppData\Local\Temp\ziuoaka.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1096

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\egkqxhtzcij.y

Filesize
5KB

MD5
b0adff9ae2bd5258748e73926a5e614d

SHA1
b824488de2dff798d94be9d3d9e0f1f151858993

SHA256
b704956d6723bafc37f26ff000dfff02e8b719bd67834f8e7e756ac61b4ffc05

SHA512
11a46981bd888cc2cb04c2417ebcaf57f1e6d3659f28005788a127195ae345be0e3d8af676367844942a57eab03f23a6d170261e436a763bb4c09820cec5e209

Download Submit
C:\Users\Admin\AppData\Local\Temp\nyuikzirog.vex

Filesize
184KB

MD5
ff75e4533dd90111b2647781a3149e86

SHA1
449ec4b556e2be8cdd2d5b0a4191d0487199bd25

SHA256
457bd70df49716577d488f8e1b232d4c10eaf7990fcde0ac5eb95ef0b07d0489

SHA512
ab5f5c4fa845f370a7dd407562f58403d17d72810f20bfb60c7ddf3b82b95aa9242ae32211ea1f20b4ea5985dd9901d78eeeb35a137560f88290c763982f95e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ziuoaka.exe

Filesize
100KB

MD5
594a5e91f06b668a5f8790d59065f557

SHA1
5846ad6a18bf7449f0e9c0d5099288d7191579f4

SHA256
6d4ee5627ba6e6acf583c4c433b72281beb1acbb4c5cc9eaa4d0284539823c66

SHA512
25aaaf5398a43f3ac1ab3e6b9c30c268e7232149a82d7cff7a38bbc027c131603e9d914498c3c1b919bb32a3174bb7e7850cbd82fcbfb87ca35735b42b057cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\ziuoaka.exe

Filesize
100KB

MD5
594a5e91f06b668a5f8790d59065f557

SHA1
5846ad6a18bf7449f0e9c0d5099288d7191579f4

SHA256
6d4ee5627ba6e6acf583c4c433b72281beb1acbb4c5cc9eaa4d0284539823c66

SHA512
25aaaf5398a43f3ac1ab3e6b9c30c268e7232149a82d7cff7a38bbc027c131603e9d914498c3c1b919bb32a3174bb7e7850cbd82fcbfb87ca35735b42b057cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\ziuoaka.exe

Filesize
100KB

MD5
594a5e91f06b668a5f8790d59065f557

SHA1
5846ad6a18bf7449f0e9c0d5099288d7191579f4

SHA256
6d4ee5627ba6e6acf583c4c433b72281beb1acbb4c5cc9eaa4d0284539823c66

SHA512
25aaaf5398a43f3ac1ab3e6b9c30c268e7232149a82d7cff7a38bbc027c131603e9d914498c3c1b919bb32a3174bb7e7850cbd82fcbfb87ca35735b42b057cce

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
841KB

MD5
5fc6cd5d5ca1489d2a3c361717359a95

SHA1
5c630e232cd5761e7a611e41515be4afa3e7a141

SHA256
85c8b8a648c56cf5f063912e0e26ecebb90e0caf2f442fd5cdd8287301fe7e81

SHA512
5f9124a721f6b463d4f980920e87925098aa753b0fa2a59a3ff48b48d2b1a45d760fd46445414d84fb66321181cd2c82a4194361811114c15e35b42f838ab792

Download Submit
\Users\Admin\AppData\Local\Temp\ziuoaka.exe

Filesize
100KB

MD5
594a5e91f06b668a5f8790d59065f557

SHA1
5846ad6a18bf7449f0e9c0d5099288d7191579f4

SHA256
6d4ee5627ba6e6acf583c4c433b72281beb1acbb4c5cc9eaa4d0284539823c66

SHA512
25aaaf5398a43f3ac1ab3e6b9c30c268e7232149a82d7cff7a38bbc027c131603e9d914498c3c1b919bb32a3174bb7e7850cbd82fcbfb87ca35735b42b057cce

Download Submit
\Users\Admin\AppData\Local\Temp\ziuoaka.exe

Filesize
100KB

MD5
594a5e91f06b668a5f8790d59065f557

SHA1
5846ad6a18bf7449f0e9c0d5099288d7191579f4

SHA256
6d4ee5627ba6e6acf583c4c433b72281beb1acbb4c5cc9eaa4d0284539823c66

SHA512
25aaaf5398a43f3ac1ab3e6b9c30c268e7232149a82d7cff7a38bbc027c131603e9d914498c3c1b919bb32a3174bb7e7850cbd82fcbfb87ca35735b42b057cce

Download Submit
memory/272-56-0x0000000000000000-mapping.dmp

Download
memory/1096-72-0x0000000001F90000-0x0000000002293000-memory.dmp

Filesize
3.0MB

Download
memory/1096-73-0x0000000001E00000-0x0000000001E8F000-memory.dmp

Filesize
572KB

Download
memory/1096-75-0x0000000000070000-0x000000000009D000-memory.dmp

Filesize
180KB

Download
memory/1096-71-0x0000000000070000-0x000000000009D000-memory.dmp

Filesize
180KB

Download
memory/1096-70-0x00000000002D0000-0x00000000002F6000-memory.dmp

Filesize
152KB

Download
memory/1096-69-0x0000000000000000-mapping.dmp

Download
memory/1372-68-0x0000000006B60000-0x0000000006C35000-memory.dmp

Filesize
852KB

Download
memory/1372-74-0x00000000070D0000-0x0000000007256000-memory.dmp

Filesize
1.5MB

Download
memory/1372-77-0x00000000070D0000-0x0000000007256000-memory.dmp

Filesize
1.5MB

Download
memory/1496-67-0x0000000000160000-0x0000000000170000-memory.dmp

Filesize
64KB

Download
memory/1496-66-0x0000000000CD0000-0x0000000000FD3000-memory.dmp

Filesize
3.0MB

Download
memory/1496-64-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1496-65-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/1496-62-0x00000000004012B0-mapping.dmp

Download
memory/2004-54-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads