formbook | 4ac30ca3142675b81e4490da111a69336cc0b41b21049d3a8bb6b38e7851b529

General

Target

PO NO. 6COS2214634.exe
Size

1.1MB
MD5

5a3f411d3149c56950e8c9d54f29330e
SHA1

587ebc690239bb64b910469515f1ce3639b3f9e7
SHA256

4ac30ca3142675b81e4490da111a69336cc0b41b21049d3a8bb6b38e7851b529
SHA512

2e4148c888910dee29617ab4bfa3fa4a52accf14a32f7f72f16ab085f536ec31859b27e59a7bf29b60f0c17bed25f5cf5ba4bf1d53f6acee17cd8699dad22e2e
SSDEEP

24576:ezeKBgh/aweUeij4GDXXxfOaHc0l9ST5mkSBmHfI43BCs2Dz:ezeKSh/desZDXXlOaHBlYd0B74RCH

Score

10^/10

formbook m5oe rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

m5oe

Decoy

HdR8hG6r12hBYuHY4zv6YeeFPQ==

tD1V9gswYvgQXEGd

1xKtJ1LdqRYMRMC84U1A

MbhjiWb7Lz8z7KIWl3UyUIJwA6Tb

joVB5Xggy2RtE+odsZg=

TrduAIay6Y3SvoIK20xI

pSna7LOsXXwXT/zz3Iow4g==

QnthmO4Qst5gC3sDoA==

eAirzOOgO7SOCenz3Iow4g==

xg0uSbfLTg==

YWQXwyGRzPEHzGrDFE8CBSE=

ujLnfuXoH9dbgHIK20xI

291v0XsGFrYQXEGd

MRvTd/qMuaHpjCM=

X131fLC6VWX4MsvCb2IPjIfq8wlksWfg

Y9Bur8DbgqFt/Yni86MMCCE=

q6RTBmJkmy5pWTmmCCrvmuCDPw==

mQS26DojT+EQXEGd

sjHQ+Kav2Wx9FeodsZg=

JA24UKnTA5re1LhcQaVo/w==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

PO NO. 6COS2214634.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	PO NO. 6COS2214634.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

PO NO. 6COS2214634.exePO NO. 6COS2214634.exeWWAHost.exe

description	pid	process	target process
PID 4312 set thread context of 4844	4312	PO NO. 6COS2214634.exe	PO NO. 6COS2214634.exe
PID 4844 set thread context of 2832	4844	PO NO. 6COS2214634.exe	Explorer.EXE
PID 3372 set thread context of 2832	3372	WWAHost.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

PO NO. 6COS2214634.exeWWAHost.exe

pid	process
4844	PO NO. 6COS2214634.exe
4844	PO NO. 6COS2214634.exe
4844	PO NO. 6COS2214634.exe
4844	PO NO. 6COS2214634.exe
4844	PO NO. 6COS2214634.exe
4844	PO NO. 6COS2214634.exe
4844	PO NO. 6COS2214634.exe
4844	PO NO. 6COS2214634.exe
3372	WWAHost.exe
3372	WWAHost.exe
3372	WWAHost.exe
3372	WWAHost.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

PO NO. 6COS2214634.exeWWAHost.exe

pid process

4844 PO NO. 6COS2214634.exe
4844 PO NO. 6COS2214634.exe
4844 PO NO. 6COS2214634.exe
3372 WWAHost.exe
3372 WWAHost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PO NO. 6COS2214634.exeWWAHost.exe

description pid process

Token: SeDebugPrivilege 4844 PO NO. 6COS2214634.exe
Token: SeDebugPrivilege 3372 WWAHost.exe

description	pid	process
Token: SeDebugPrivilege	4844	PO NO. 6COS2214634.exe
Token: SeDebugPrivilege	3372	WWAHost.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

PO NO. 6COS2214634.exeExplorer.EXE

description	pid	process	target process
PID 4312 wrote to memory of 4844	4312	PO NO. 6COS2214634.exe	PO NO. 6COS2214634.exe
PID 4312 wrote to memory of 4844	4312	PO NO. 6COS2214634.exe	PO NO. 6COS2214634.exe
PID 4312 wrote to memory of 4844	4312	PO NO. 6COS2214634.exe	PO NO. 6COS2214634.exe
PID 4312 wrote to memory of 4844	4312	PO NO. 6COS2214634.exe	PO NO. 6COS2214634.exe
PID 4312 wrote to memory of 4844	4312	PO NO. 6COS2214634.exe	PO NO. 6COS2214634.exe
PID 4312 wrote to memory of 4844	4312	PO NO. 6COS2214634.exe	PO NO. 6COS2214634.exe
PID 2832 wrote to memory of 3372	2832	Explorer.EXE	WWAHost.exe
PID 2832 wrote to memory of 3372	2832	Explorer.EXE	WWAHost.exe
PID 2832 wrote to memory of 3372	2832	Explorer.EXE	WWAHost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:2832

C:\Users\Admin\AppData\Local\Temp\PO NO. 6COS2214634.exe
"C:\Users\Admin\AppData\Local\Temp\PO NO. 6COS2214634.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4312

C:\Users\Admin\AppData\Local\Temp\PO NO. 6COS2214634.exe
"C:\Users\Admin\AppData\Local\Temp\PO NO. 6COS2214634.exe"
3⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4844

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:4384

C:\Windows\SysWOW64\WWAHost.exe
"C:\Windows\SysWOW64\WWAHost.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2832-154-0x0000000002A50000-0x0000000002AEF000-memory.dmp

Filesize
636KB

Download
memory/2832-145-0x0000000002940000-0x0000000002A47000-memory.dmp

Filesize
1.0MB

Download
memory/2832-150-0x0000000002940000-0x0000000002A47000-memory.dmp

Filesize
1.0MB

Download
memory/2832-153-0x0000000002A50000-0x0000000002AEF000-memory.dmp

Filesize
636KB

Download
memory/3372-151-0x00000000008C0000-0x00000000008ED000-memory.dmp

Filesize
180KB

Download
memory/3372-152-0x0000000001620000-0x00000000016AF000-memory.dmp

Filesize
572KB

Download
memory/3372-148-0x00000000008C0000-0x00000000008ED000-memory.dmp

Filesize
180KB

Download
memory/3372-149-0x00000000016C0000-0x0000000001A0A000-memory.dmp

Filesize
3.3MB

Download
memory/3372-146-0x0000000000000000-mapping.dmp

Download
memory/3372-147-0x0000000000E80000-0x0000000000F5C000-memory.dmp

Filesize
880KB

Download
memory/4312-132-0x0000000000190000-0x00000000002A8000-memory.dmp

Filesize
1.1MB

Download
memory/4312-136-0x0000000007100000-0x000000000719C000-memory.dmp

Filesize
624KB

Download
memory/4312-135-0x0000000004EC0000-0x0000000004ECA000-memory.dmp

Filesize
40KB

Download
memory/4312-134-0x0000000004F10000-0x0000000004FA2000-memory.dmp

Filesize
584KB

Download
memory/4312-133-0x00000000053E0000-0x0000000005984000-memory.dmp

Filesize
5.6MB

Download
memory/4844-137-0x0000000000000000-mapping.dmp

Download
memory/4844-144-0x0000000001490000-0x00000000014A0000-memory.dmp

Filesize
64KB

Download
memory/4844-143-0x0000000001A30000-0x0000000001D7A000-memory.dmp

Filesize
3.3MB

Download
memory/4844-142-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/4844-141-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4844-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4844-138-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads