formbook | 881cfae1ae88de7cd88f87fa2c2d7aeff02ab8f3d2c7381d000cd9097e71b196

General

Target

SecuriteInfo.com.W64.Agent.FIC.gen.Eldorado.29075.6786.exe
Size

444KB
MD5

4119ce4cfd3874a04575d0147614ec77
SHA1

edb660a647b5e7c736aa0b8151b19ff300d3fdd9
SHA256

881cfae1ae88de7cd88f87fa2c2d7aeff02ab8f3d2c7381d000cd9097e71b196
SHA512

36524564ea475e0c6b0345a1664997669d19b3907443195a42527721340ee8ab3a4bbd4d7ee9169228bef6f6747f2d2f65aea0305d27dd7bc7dace92a3257dbf
SSDEEP

6144:/3I4oKkdQlULYvLLWqY3FAssinEeOgmczeOmM3rdNwgLrlCfnEnsGAc82Hn0QIb:+KkMFLmes2OzvmM3Lwg/4fEnJg2H

Score

10^/10

formbook t5ez rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

t5ez

Decoy

v+YaDdg/udazyV4Iyw==

MXDNPIhw1/8BP0Ud2fguBRZ/8nF6wQ==

WsTRjsGfK1Wt+wjFRn9mBQ==

TrAv42rPyfBfhpI=

2FrznhJCG6bpCgm9+n/Xq0cr

phy0dqeRgaeZzcuciHGgrkeVQw==

DIYHd2O24QEB

wVbxr0eqbQZMc4xwQF1W3NdmR2Xc

ncsN3VitpSp18jvXswKeJeQKA1DW

n/FT0RVVULr7fMV0Ykb8ztU=

OET6wvfsbaGp6O2/Rn9mBQ==

2Rb8gNoGR5GEwAeUhcs=

wR8Fc7imd8/3cQeUhcs=

rMZ/VOtX0kR/yV4Iyw==

9YIUqO7RR4iL5Cffi994

03AHmeAX+2F85Cnfi994

9QbOseAK0/c4SGJW

S1EDywDiYofETA==

ivZm1wDWR2hgAEFURn9mBQ==

D2pe4DygKUJKoLidIuwJo4PiKGhyZLPc

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

SecuriteInfo.com.W64.Agent.FIC.gen.Eldorado.29075.6786.exeCasPol.exewlanext.exe

description	pid	process	target process
PID 2368 set thread context of 4784	2368	SecuriteInfo.com.W64.Agent.FIC.gen.Eldorado.29075.6786.exe	CasPol.exe
PID 4784 set thread context of 3020	4784	CasPol.exe	Explorer.EXE
PID 208 set thread context of 3020	208	wlanext.exe	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

wlanext.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	wlanext.exe

Modifies registry class 2 IoCs

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

CasPol.exewlanext.exe

pid	process
4784	CasPol.exe
4784	CasPol.exe
4784	CasPol.exe
4784	CasPol.exe
4784	CasPol.exe
4784	CasPol.exe
4784	CasPol.exe
4784	CasPol.exe
208	wlanext.exe
208	wlanext.exe
208	wlanext.exe
208	wlanext.exe
208	wlanext.exe
208	wlanext.exe
208	wlanext.exe
208	wlanext.exe
208	wlanext.exe
208	wlanext.exe
208	wlanext.exe
208	wlanext.exe
208	wlanext.exe
208	wlanext.exe
208	wlanext.exe
208	wlanext.exe
208	wlanext.exe
208	wlanext.exe
208	wlanext.exe
208	wlanext.exe
208	wlanext.exe
208	wlanext.exe
208	wlanext.exe
208	wlanext.exe
208	wlanext.exe
208	wlanext.exe
208	wlanext.exe
208	wlanext.exe
208	wlanext.exe
208	wlanext.exe
208	wlanext.exe
208	wlanext.exe
208	wlanext.exe
208	wlanext.exe
208	wlanext.exe
208	wlanext.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3020 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

CasPol.exewlanext.exe

pid process

4784 CasPol.exe
4784 CasPol.exe
4784 CasPol.exe
208 wlanext.exe
208 wlanext.exe
208 wlanext.exe
208 wlanext.exe

pid	process
3020	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

CasPol.exewlanext.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	4784	CasPol.exe
Token: SeDebugPrivilege	208	wlanext.exe
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

SecuriteInfo.com.W64.Agent.FIC.gen.Eldorado.29075.6786.exeExplorer.EXEwlanext.exe

description	pid	process	target process
PID 2368 wrote to memory of 4784	2368	SecuriteInfo.com.W64.Agent.FIC.gen.Eldorado.29075.6786.exe	CasPol.exe
PID 2368 wrote to memory of 4784	2368	SecuriteInfo.com.W64.Agent.FIC.gen.Eldorado.29075.6786.exe	CasPol.exe
PID 2368 wrote to memory of 4784	2368	SecuriteInfo.com.W64.Agent.FIC.gen.Eldorado.29075.6786.exe	CasPol.exe
PID 2368 wrote to memory of 4784	2368	SecuriteInfo.com.W64.Agent.FIC.gen.Eldorado.29075.6786.exe	CasPol.exe
PID 2368 wrote to memory of 4784	2368	SecuriteInfo.com.W64.Agent.FIC.gen.Eldorado.29075.6786.exe	CasPol.exe
PID 2368 wrote to memory of 4784	2368	SecuriteInfo.com.W64.Agent.FIC.gen.Eldorado.29075.6786.exe	CasPol.exe
PID 3020 wrote to memory of 208	3020	Explorer.EXE	wlanext.exe
PID 3020 wrote to memory of 208	3020	Explorer.EXE	wlanext.exe
PID 3020 wrote to memory of 208	3020	Explorer.EXE	wlanext.exe
PID 208 wrote to memory of 3060	208	wlanext.exe	Firefox.exe
PID 208 wrote to memory of 3060	208	wlanext.exe	Firefox.exe
PID 208 wrote to memory of 3060	208	wlanext.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3020

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W64.Agent.FIC.gen.Eldorado.29075.6786.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W64.Agent.FIC.gen.Eldorado.29075.6786.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4784

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:208

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:3060

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/208-149-0x0000000001130000-0x000000000147A000-memory.dmp

Filesize
3.3MB

Download
memory/208-147-0x0000000000730000-0x0000000000747000-memory.dmp

Filesize
92KB

Download
memory/208-152-0x0000000000A80000-0x0000000000AAD000-memory.dmp

Filesize
180KB

Download
memory/208-148-0x0000000000A80000-0x0000000000AAD000-memory.dmp

Filesize
180KB

Download
memory/208-150-0x0000000001000000-0x000000000108F000-memory.dmp

Filesize
572KB

Download
memory/208-144-0x0000000000000000-mapping.dmp

Download
memory/2368-133-0x00007FFA778F0000-0x00007FFA783B1000-memory.dmp

Filesize
10.8MB

Download
memory/2368-136-0x00007FFA778F0000-0x00007FFA783B1000-memory.dmp

Filesize
10.8MB

Download
memory/2368-132-0x0000017BBAA20000-0x0000017BBAA94000-memory.dmp

Filesize
464KB

Download
memory/3020-151-0x0000000007800000-0x0000000007976000-memory.dmp

Filesize
1.5MB

Download
memory/3020-153-0x0000000007800000-0x0000000007976000-memory.dmp

Filesize
1.5MB

Download
memory/3020-143-0x0000000002530000-0x0000000002663000-memory.dmp

Filesize
1.2MB

Download
memory/4784-146-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/4784-145-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4784-138-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4784-139-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/4784-135-0x00000000004012B0-mapping.dmp

Download
memory/4784-141-0x0000000001920000-0x0000000001C6A000-memory.dmp

Filesize
3.3MB

Download
memory/4784-134-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4784-142-0x0000000001340000-0x0000000001350000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads