formbook | 3e3615ec6c5ef753c75fc1448d7e5a49136e3c7b5d2016e107107f17c4816aa6

General

Target

Order#6122-001.exe
Size

1.1MB
MD5

dee22604ff5c70b766d186f787dc6bfb
SHA1

77c102d3dad8675d05666f0738e9afe251ef23a3
SHA256

3e3615ec6c5ef753c75fc1448d7e5a49136e3c7b5d2016e107107f17c4816aa6
SHA512

e5447732ac879ddd70d747c4c395dc5d1f91f302c198046f2b1ad4a8ddd70469b15f56aaa2eeda777a54e2f699a70d7f1ea5ff2afa003b263483569462fe6299
SSDEEP

24576:t33GJYDtv4SSrA/40YyxTLLd7qK/PGm24EYPF8h0B1bqdOp:tGupvv2AhYC/B2Wr24VF8h0vbqdO

Score

10^/10

formbook n2hm rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

n2hm

Decoy

XCeG4IxNKbAl

YzJWbnC+El84nA==

KAJcdmP8yEcO5LXPCFF42Wfb

I+J+xYO95GJQWVU=

GtgxPPv3FmQmhw==

Og9NYF4xEl+j7vGTR93xvg==

506Cg07bsT0G6yK+A96H0h35V+JLkwI=

wAYXFN+pSFIXgQ==

ijzLI/f+FmQmhw==

UfT2PweNm+w8

GQWVw5aZnfF/kS5e

30BKYjua9zcA7gAwsPUngLnjyrBNEgo=

AM65OrmyFmQmhw==

VSlTVxISZ4J/kS5e

GGKj6K33SRh6e0/YzT5nQGlK5CXRqw==

B9H98cUUfX+AWOqiTA==

MxVffWOIoVnM37zrd2sTaOY=

z6bxCgG/mGhR7oDzQA==

pQgSLSRi6AK3M/PdArpX

6rRRsYuSnXx/kS5e

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Order#6122-001.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	Order#6122-001.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Order#6122-001.exeOrder#6122-001.execontrol.exe

description	pid	process	target process
PID 536 set thread context of 1908	536	Order#6122-001.exe	Order#6122-001.exe
PID 1908 set thread context of 2632	1908	Order#6122-001.exe	Explorer.EXE
PID 4508 set thread context of 2632	4508	control.exe	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

control.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	control.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

Order#6122-001.exeOrder#6122-001.execontrol.exe

pid	process
536	Order#6122-001.exe
536	Order#6122-001.exe
1908	Order#6122-001.exe
1908	Order#6122-001.exe
1908	Order#6122-001.exe
1908	Order#6122-001.exe
1908	Order#6122-001.exe
1908	Order#6122-001.exe
1908	Order#6122-001.exe
1908	Order#6122-001.exe
4508	control.exe
4508	control.exe
4508	control.exe
4508	control.exe
4508	control.exe
4508	control.exe
4508	control.exe
4508	control.exe
4508	control.exe
4508	control.exe
4508	control.exe
4508	control.exe
4508	control.exe
4508	control.exe
4508	control.exe
4508	control.exe
4508	control.exe
4508	control.exe
4508	control.exe
4508	control.exe
4508	control.exe
4508	control.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2632 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

Order#6122-001.execontrol.exe

pid process

1908 Order#6122-001.exe
1908 Order#6122-001.exe
1908 Order#6122-001.exe
4508 control.exe
4508 control.exe
4508 control.exe
4508 control.exe

pid	process
2632	Explorer.EXE

pid	process
1908	Order#6122-001.exe
1908	Order#6122-001.exe
1908	Order#6122-001.exe
4508	control.exe
4508	control.exe
4508	control.exe
4508	control.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

Order#6122-001.exeOrder#6122-001.execontrol.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	536	Order#6122-001.exe
Token: SeDebugPrivilege	1908	Order#6122-001.exe
Token: SeDebugPrivilege	4508	control.exe
Token: SeShutdownPrivilege	2632	Explorer.EXE
Token: SeCreatePagefilePrivilege	2632	Explorer.EXE
Token: SeShutdownPrivilege	2632	Explorer.EXE
Token: SeCreatePagefilePrivilege	2632	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

2632 Explorer.EXE
2632 Explorer.EXE

pid	process
2632	Explorer.EXE
2632	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Order#6122-001.exeExplorer.EXEcontrol.exe

description	pid	process	target process
PID 536 wrote to memory of 4416	536	Order#6122-001.exe	Order#6122-001.exe
PID 536 wrote to memory of 4416	536	Order#6122-001.exe	Order#6122-001.exe
PID 536 wrote to memory of 4416	536	Order#6122-001.exe	Order#6122-001.exe
PID 536 wrote to memory of 1908	536	Order#6122-001.exe	Order#6122-001.exe
PID 536 wrote to memory of 1908	536	Order#6122-001.exe	Order#6122-001.exe
PID 536 wrote to memory of 1908	536	Order#6122-001.exe	Order#6122-001.exe
PID 536 wrote to memory of 1908	536	Order#6122-001.exe	Order#6122-001.exe
PID 536 wrote to memory of 1908	536	Order#6122-001.exe	Order#6122-001.exe
PID 536 wrote to memory of 1908	536	Order#6122-001.exe	Order#6122-001.exe
PID 2632 wrote to memory of 4508	2632	Explorer.EXE	control.exe
PID 2632 wrote to memory of 4508	2632	Explorer.EXE	control.exe
PID 2632 wrote to memory of 4508	2632	Explorer.EXE	control.exe
PID 4508 wrote to memory of 3608	4508	control.exe	Firefox.exe
PID 4508 wrote to memory of 3608	4508	control.exe	Firefox.exe
PID 4508 wrote to memory of 3608	4508	control.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2632

C:\Users\Admin\AppData\Local\Temp\Order#6122-001.exe
"C:\Users\Admin\AppData\Local\Temp\Order#6122-001.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:536

C:\Users\Admin\AppData\Local\Temp\Order#6122-001.exe
"C:\Users\Admin\AppData\Local\Temp\Order#6122-001.exe"
3⤵
PID:4416

C:\Users\Admin\AppData\Local\Temp\Order#6122-001.exe
"C:\Users\Admin\AppData\Local\Temp\Order#6122-001.exe"
3⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4508

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:3608

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/536-132-0x0000000000940000-0x0000000000A68000-memory.dmp

Filesize
1.2MB

Download
memory/536-133-0x0000000005970000-0x0000000005F14000-memory.dmp

Filesize
5.6MB

Download
memory/536-134-0x0000000005460000-0x00000000054F2000-memory.dmp

Filesize
584KB

Download
memory/536-135-0x0000000005410000-0x000000000541A000-memory.dmp

Filesize
40KB

Download
memory/536-136-0x00000000093B0000-0x000000000944C000-memory.dmp

Filesize
624KB

Download
memory/1908-138-0x0000000000000000-mapping.dmp

Download
memory/1908-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1908-141-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1908-142-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1908-143-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1908-144-0x0000000001400000-0x000000000174A000-memory.dmp

Filesize
3.3MB

Download
memory/1908-145-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/2632-152-0x0000000002CD0000-0x0000000002D92000-memory.dmp

Filesize
776KB

Download
memory/2632-146-0x00000000029D0000-0x0000000002A8A000-memory.dmp

Filesize
744KB

Download
memory/2632-154-0x0000000002CD0000-0x0000000002D92000-memory.dmp

Filesize
776KB

Download
memory/4416-137-0x0000000000000000-mapping.dmp

Download
memory/4508-148-0x0000000000C90000-0x0000000000CB7000-memory.dmp

Filesize
156KB

Download
memory/4508-150-0x0000000002640000-0x000000000298A000-memory.dmp

Filesize
3.3MB

Download
memory/4508-151-0x0000000002990000-0x0000000002A1F000-memory.dmp

Filesize
572KB

Download
memory/4508-149-0x0000000000590000-0x00000000005BD000-memory.dmp

Filesize
180KB

Download
memory/4508-153-0x0000000000590000-0x00000000005BD000-memory.dmp

Filesize
180KB

Download
memory/4508-147-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads