formbook | 3e3615ec6c5ef753c75fc1448d7e5a49136e3c7b5d2016e107107f17c4816aa6

General

Target

Order#6122-001.exe
Size

1.1MB
MD5

dee22604ff5c70b766d186f787dc6bfb
SHA1

77c102d3dad8675d05666f0738e9afe251ef23a3
SHA256

3e3615ec6c5ef753c75fc1448d7e5a49136e3c7b5d2016e107107f17c4816aa6
SHA512

e5447732ac879ddd70d747c4c395dc5d1f91f302c198046f2b1ad4a8ddd70469b15f56aaa2eeda777a54e2f699a70d7f1ea5ff2afa003b263483569462fe6299
SSDEEP

24576:t33GJYDtv4SSrA/40YyxTLLd7qK/PGm24EYPF8h0B1bqdOp:tGupvv2AhYC/B2Wr24VF8h0vbqdO

Score

10^/10

formbook n2hm rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

n2hm

Decoy

XCeG4IxNKbAl

YzJWbnC+El84nA==

KAJcdmP8yEcO5LXPCFF42Wfb

I+J+xYO95GJQWVU=

GtgxPPv3FmQmhw==

Og9NYF4xEl+j7vGTR93xvg==

506Cg07bsT0G6yK+A96H0h35V+JLkwI=

wAYXFN+pSFIXgQ==

ijzLI/f+FmQmhw==

UfT2PweNm+w8

GQWVw5aZnfF/kS5e

30BKYjua9zcA7gAwsPUngLnjyrBNEgo=

AM65OrmyFmQmhw==

VSlTVxISZ4J/kS5e

GGKj6K33SRh6e0/YzT5nQGlK5CXRqw==

B9H98cUUfX+AWOqiTA==

MxVffWOIoVnM37zrd2sTaOY=

z6bxCgG/mGhR7oDzQA==

pQgSLSRi6AK3M/PdArpX

6rRRsYuSnXx/kS5e

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Order#6122-001.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Control Panel\International\Geo\Nation	Order#6122-001.exe

Loads dropped DLL 1 IoCs

Processes:

NAPSTAT.EXE

pid process

1372 NAPSTAT.EXE

pid	process
1372	NAPSTAT.EXE

Suspicious use of SetThreadContext 3 IoCs

Processes:

Order#6122-001.exeOrder#6122-001.exeNAPSTAT.EXE

description	pid	process	target process
PID 948 set thread context of 688	948	Order#6122-001.exe	Order#6122-001.exe
PID 688 set thread context of 1212	688	Order#6122-001.exe	Explorer.EXE
PID 1372 set thread context of 1212	1372	NAPSTAT.EXE	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

NAPSTAT.EXE

description	ioc	process
Key created	\Registry\User\S-1-5-21-1214520366-621468234-4062160515-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	NAPSTAT.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

Order#6122-001.exeNAPSTAT.EXE

pid	process
688	Order#6122-001.exe
688	Order#6122-001.exe
688	Order#6122-001.exe
688	Order#6122-001.exe
1372	NAPSTAT.EXE
1372	NAPSTAT.EXE
1372	NAPSTAT.EXE
1372	NAPSTAT.EXE
1372	NAPSTAT.EXE
1372	NAPSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1212 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

Order#6122-001.exeNAPSTAT.EXE

pid process

688 Order#6122-001.exe
688 Order#6122-001.exe
688 Order#6122-001.exe
1372 NAPSTAT.EXE
1372 NAPSTAT.EXE
1372 NAPSTAT.EXE
1372 NAPSTAT.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Order#6122-001.exeNAPSTAT.EXE

description pid process

Token: SeDebugPrivilege 688 Order#6122-001.exe
Token: SeDebugPrivilege 1372 NAPSTAT.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1212 Explorer.EXE
1212 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1212 Explorer.EXE
1212 Explorer.EXE

pid	process
1212	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	688	Order#6122-001.exe
Token: SeDebugPrivilege	1372	NAPSTAT.EXE

pid	process
1212	Explorer.EXE
1212	Explorer.EXE

pid	process
1212	Explorer.EXE
1212	Explorer.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

Order#6122-001.exeExplorer.EXENAPSTAT.EXE

description	pid	process	target process
PID 948 wrote to memory of 688	948	Order#6122-001.exe	Order#6122-001.exe
PID 948 wrote to memory of 688	948	Order#6122-001.exe	Order#6122-001.exe
PID 948 wrote to memory of 688	948	Order#6122-001.exe	Order#6122-001.exe
PID 948 wrote to memory of 688	948	Order#6122-001.exe	Order#6122-001.exe
PID 948 wrote to memory of 688	948	Order#6122-001.exe	Order#6122-001.exe
PID 948 wrote to memory of 688	948	Order#6122-001.exe	Order#6122-001.exe
PID 948 wrote to memory of 688	948	Order#6122-001.exe	Order#6122-001.exe
PID 1212 wrote to memory of 1372	1212	Explorer.EXE	NAPSTAT.EXE
PID 1212 wrote to memory of 1372	1212	Explorer.EXE	NAPSTAT.EXE
PID 1212 wrote to memory of 1372	1212	Explorer.EXE	NAPSTAT.EXE
PID 1212 wrote to memory of 1372	1212	Explorer.EXE	NAPSTAT.EXE
PID 1372 wrote to memory of 1868	1372	NAPSTAT.EXE	Firefox.exe
PID 1372 wrote to memory of 1868	1372	NAPSTAT.EXE	Firefox.exe
PID 1372 wrote to memory of 1868	1372	NAPSTAT.EXE	Firefox.exe
PID 1372 wrote to memory of 1868	1372	NAPSTAT.EXE	Firefox.exe
PID 1372 wrote to memory of 1868	1372	NAPSTAT.EXE	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1212

C:\Users\Admin\AppData\Local\Temp\Order#6122-001.exe
"C:\Users\Admin\AppData\Local\Temp\Order#6122-001.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:948

C:\Users\Admin\AppData\Local\Temp\Order#6122-001.exe
"C:\Users\Admin\AppData\Local\Temp\Order#6122-001.exe"
3⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:688

C:\Windows\SysWOW64\NAPSTAT.EXE
"C:\Windows\SysWOW64\NAPSTAT.EXE"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1372

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1868

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
904KB

MD5
5e5ba61531d74e45b11cadb79e7394a1

SHA1
677224e14aac9dd35f367d5eb1704b36e69356b8

SHA256
99e91ae250c955bd403ec1a2321d6b11fcb715bdcc7cb3f63ffb46b349afde5c

SHA512
712bfe419ba97ecf0ec8323a68743013e8c767da9d986f74ab94d2a395c3086cac2a5823048e0022d3bbcebb55281b9e1f8c87fdc9295c70cc5521b57850bf46

Download Submit
memory/688-68-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/688-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/688-67-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/688-69-0x0000000000830000-0x0000000000B33000-memory.dmp

Filesize
3.0MB

Download
memory/688-70-0x00000000000B0000-0x00000000000C0000-memory.dmp

Filesize
64KB

Download
memory/688-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/688-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/688-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/688-64-0x00000000004012B0-mapping.dmp

Download
memory/948-55-0x0000000075551000-0x0000000075553000-memory.dmp

Filesize
8KB

Download
memory/948-56-0x00000000003F0000-0x0000000000408000-memory.dmp

Filesize
96KB

Download
memory/948-59-0x0000000005060000-0x00000000050D2000-memory.dmp

Filesize
456KB

Download
memory/948-58-0x00000000080E0000-0x000000000818C000-memory.dmp

Filesize
688KB

Download
memory/948-57-0x00000000005D0000-0x00000000005DC000-memory.dmp

Filesize
48KB

Download
memory/948-54-0x0000000000B80000-0x0000000000CA8000-memory.dmp

Filesize
1.2MB

Download
memory/1212-78-0x0000000004E20000-0x0000000004EB3000-memory.dmp

Filesize
588KB

Download
memory/1212-71-0x00000000049A0000-0x0000000004A92000-memory.dmp

Filesize
968KB

Download
memory/1212-80-0x0000000004E20000-0x0000000004EB3000-memory.dmp

Filesize
588KB

Download
memory/1372-79-0x00000000000D0000-0x00000000000FD000-memory.dmp

Filesize
180KB

Download
memory/1372-75-0x0000000001E30000-0x0000000002133000-memory.dmp

Filesize
3.0MB

Download
memory/1372-77-0x0000000002140000-0x00000000021CF000-memory.dmp

Filesize
572KB

Download
memory/1372-74-0x00000000000D0000-0x00000000000FD000-memory.dmp

Filesize
180KB

Download
memory/1372-73-0x0000000000070000-0x00000000000B6000-memory.dmp

Filesize
280KB

Download
memory/1372-72-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads