formbook | f93b6e5f1a11efa6dbf05ab7b4bfa26247bfcc7b467aba7de2fab6267de11623

General

Target

MCS-DECEMBER ORDER-PROJECT PDF.exe
Size

1022KB
MD5

4eadf0e3ae844d2373c7fd8e101dfc57
SHA1

637e2495fa2d0e3664e0d10f3440572a5cea61f6
SHA256

f93b6e5f1a11efa6dbf05ab7b4bfa26247bfcc7b467aba7de2fab6267de11623
SHA512

6c2241ef9a45e0a7aaf043075898ce1bd331b9b41dd09211c56c0de9729e4919de76d62326363fb948a931bb72a96e97d83459eeb5cfbf859b59f1f6753bd128
SSDEEP

24576:P5/KwaPGlttTfekpsPBQSBFpSiLl8scS6R:PJOGzJffpuBByiLuso

Score

10^/10

formbook 54ut rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

54ut

Decoy

1DeiXmzDLw+mW17NwLBXpXM=

Nouf/qArBV5GAPfIhxWPkDFrVQ==

9OCYganx4VaCX1EY/sUSfRDLx6s=

xh8rlilJ/SGckKI=

HGyA64YZyhUs3jvzno2F

yx7/XhxTuRiTcnLKrrOOXTrpW60=

ZYI6IbtcBFx+OpnLU0nXmw==

MhgenS1xYWYThQgS+A==

s0ada4bHHvtWWbYb

2/4IbaW+Ljsy6Ujzno2F

Z5WdKMj5YLgpH0ypdTEcLe2W/lf7j6Io

xXTmzNjzpvUMwTAHwYv2kw==

kcbnSAS0pkV2G1fXsFktVxiXmLTktXY=

PU0V5f0rnqjEhQgS+A==

Z8aNX4Sm/dbGhQgS+A==

s4bq4W4D4UJdYqqvU0nXmw==

a56Z6W0Asvwh3jzzno2F

Qmhm+fY3o6bEhQgS+A==

WIFCKZ/ZO+dCwTAHwYv2kw==

Nqjne5GxXbzY1f3Qp2rBkDFrVQ==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Executes dropped EXE 2 IoCs

pid	Process
2040	hlincgos.exe
3196	hlincgos.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	hlincgos.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2040 set thread context of 3196	2040	hlincgos.exe	84
PID 3196 set thread context of 784	3196	hlincgos.exe	41

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3196	hlincgos.exe
3196	hlincgos.exe
3196	hlincgos.exe
3196	hlincgos.exe
3196	hlincgos.exe
3196	hlincgos.exe
3196	hlincgos.exe
3196	hlincgos.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
2040	hlincgos.exe
3196	hlincgos.exe
3196	hlincgos.exe
3196	hlincgos.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3196	hlincgos.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2040	hlincgos.exe
2040	hlincgos.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2040	hlincgos.exe
2040	hlincgos.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4152 wrote to memory of 2040	4152	MCS-DECEMBER ORDER-PROJECT PDF.exe	81
PID 4152 wrote to memory of 2040	4152	MCS-DECEMBER ORDER-PROJECT PDF.exe	81
PID 4152 wrote to memory of 2040	4152	MCS-DECEMBER ORDER-PROJECT PDF.exe	81
PID 2040 wrote to memory of 3196	2040	hlincgos.exe	84
PID 2040 wrote to memory of 3196	2040	hlincgos.exe	84
PID 2040 wrote to memory of 3196	2040	hlincgos.exe	84
PID 2040 wrote to memory of 3196	2040	hlincgos.exe	84
PID 784 wrote to memory of 2496	784	Explorer.EXE	87
PID 784 wrote to memory of 2496	784	Explorer.EXE	87
PID 784 wrote to memory of 2496	784	Explorer.EXE	87

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:784
- C:\Users\Admin\AppData\Local\Temp\MCS-DECEMBER ORDER-PROJECT PDF.exe
  "C:\Users\Admin\AppData\Local\Temp\MCS-DECEMBER ORDER-PROJECT PDF.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4152
- - C:\Users\Admin\AppData\Local\Temp\hlincgos.exe
    "C:\Users\Admin\AppData\Local\Temp\hlincgos.exe" "C:\Users\Admin\AppData\Local\Temp\mqtlieogj.au3"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Users\Admin\AppData\Local\Temp\hlincgos.exe
      "C:\Users\Admin\AppData\Local\Temp\hlincgos.exe" "C:\Users\Admin\AppData\Local\Temp\mqtlieogj.au3"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:3196
- C:\Windows\SysWOW64\colorcpl.exe
  "C:\Windows\SysWOW64\colorcpl.exe"
  2⤵
  PID:2496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hlincgos.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hlincgos.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hqatgenw.iq

Filesize
185KB

MD5
aff58235236e1922b12e5f2902ab5910

SHA1
10e3554734d9c07306801b3c67f883b9e0f655c5

SHA256
98345338c58e236ba9db003a5b0adf37494c6675eeb00b273a8ae27e4950baf9

SHA512
a5a61c47eb78c1d08e5fd1ed5500b5ffebd6f17120adae42d38277d7e82c1ab2776679e988ea5ae67522a5ee9f549edb4e3c35c0ad8395309f432114c4f02e91

Download Submit
C:\Users\Admin\AppData\Local\Temp\mqtlieogj.au3

Filesize
5KB

MD5
bfe4c91ab54b5c385342a87bb2882e64

SHA1
5ece1913ca4238c8bb15703d09919cef1b9c5d00

SHA256
b5d3582fa1caa78e6e7fe3e5624ecb1c681cb0c026629fc9f81ec1d6a7d72d57

SHA512
3628098da8591d3f21fb873b468556f884223a58f7843cc09e478274d68b64fcbf37912268503d64006ef9df562b277af132c24d7d35d675560a272f70d26339

Download Submit
C:\Users\Admin\AppData\Local\Temp\tjwhrgegdjv.je

Filesize
38KB

MD5
4e7e68e94c3533be70f9d24842380bc5

SHA1
ced6f1e1923a9c9e10192ba633ee559408734a72

SHA256
3bcefbc8167e8709bf3fef1e1b118221962375abbdbf3d3f853bd0781f748507

SHA512
849e594ca0c6fe71020297ed6f65a95007abc46a2386f97729710227176cab3802f9ca900218d9d91d5b089e69a1f4382bd718279839e8573ae20857b8d29351

Download Submit
memory/784-143-0x0000000007210000-0x00000000072E7000-memory.dmp

Filesize
860KB

Download
memory/3196-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3196-140-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/3196-141-0x00000000016B0000-0x00000000019FA000-memory.dmp

Filesize
3.3MB

Download
memory/3196-142-0x0000000000DE0000-0x0000000000DF0000-memory.dmp

Filesize
64KB

Download
memory/3196-145-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3196-146-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing