formbook | 7fbaccd563b14340ac6f740cdfa6c0d83baceb824f11b6f27a393a1c9f2e2ed4

General

Target

OCT-NOV SOA2022.exe
Size

1.0MB
MD5

375cce397a6041917dbb29a8dd6bccf9
SHA1

c7e69aaed7928aa97611466a07175d7732f27f3a
SHA256

7fbaccd563b14340ac6f740cdfa6c0d83baceb824f11b6f27a393a1c9f2e2ed4
SHA512

58bba3144e21cd5e16e628b969be4c36fbe9e166770a0f8a37e91a665032b992fff7db788adf2bceccdc1acbbc1b780d89a443ade91b433a95a3e18e18b19eb4
SSDEEP

24576:yz4agh/awmjzQ1J7+tjdWbrk00j/UQ7tIihB52Dz:yz49h/dGE7KjdW/Kj/UBiE

Score

10^/10

formbook n2hm rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

n2hm

Decoy

XCeG4IxNKbAl

YzJWbnC+El84nA==

KAJcdmP8yEcO5LXPCFF42Wfb

I+J+xYO95GJQWVU=

GtgxPPv3FmQmhw==

Og9NYF4xEl+j7vGTR93xvg==

506Cg07bsT0G6yK+A96H0h35V+JLkwI=

wAYXFN+pSFIXgQ==

ijzLI/f+FmQmhw==

UfT2PweNm+w8

GQWVw5aZnfF/kS5e

30BKYjua9zcA7gAwsPUngLnjyrBNEgo=

AM65OrmyFmQmhw==

VSlTVxISZ4J/kS5e

GGKj6K33SRh6e0/YzT5nQGlK5CXRqw==

B9H98cUUfX+AWOqiTA==

MxVffWOIoVnM37zrd2sTaOY=

z6bxCgG/mGhR7oDzQA==

pQgSLSRi6AK3M/PdArpX

6rRRsYuSnXx/kS5e

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

OCT-NOV SOA2022.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\International\Geo\Nation	OCT-NOV SOA2022.exe

Loads dropped DLL 1 IoCs

Processes:

ipconfig.exe

pid process

1968 ipconfig.exe

pid	process
1968	ipconfig.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

OCT-NOV SOA2022.exeOCT-NOV SOA2022.exeipconfig.exe

description	pid	process	target process
PID 108 set thread context of 1552	108	OCT-NOV SOA2022.exe	OCT-NOV SOA2022.exe
PID 1552 set thread context of 1360	1552	OCT-NOV SOA2022.exe	Explorer.EXE
PID 1968 set thread context of 1360	1968	ipconfig.exe	Explorer.EXE

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1968 ipconfig.exe

pid	process
1968	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

ipconfig.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

OCT-NOV SOA2022.exeipconfig.exe

pid	process
1552	OCT-NOV SOA2022.exe
1552	OCT-NOV SOA2022.exe
1552	OCT-NOV SOA2022.exe
1552	OCT-NOV SOA2022.exe
1968	ipconfig.exe
1968	ipconfig.exe
1968	ipconfig.exe
1968	ipconfig.exe
1968	ipconfig.exe
1968	ipconfig.exe
1968	ipconfig.exe
1968	ipconfig.exe
1968	ipconfig.exe
1968	ipconfig.exe
1968	ipconfig.exe
1968	ipconfig.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

OCT-NOV SOA2022.exeipconfig.exe

pid process

1552 OCT-NOV SOA2022.exe
1552 OCT-NOV SOA2022.exe
1552 OCT-NOV SOA2022.exe
1968 ipconfig.exe
1968 ipconfig.exe
1968 ipconfig.exe
1968 ipconfig.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

OCT-NOV SOA2022.exeipconfig.exe

description pid process

Token: SeDebugPrivilege 1552 OCT-NOV SOA2022.exe
Token: SeDebugPrivilege 1968 ipconfig.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1360 Explorer.EXE
1360 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1360 Explorer.EXE
1360 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1552	OCT-NOV SOA2022.exe
Token: SeDebugPrivilege	1968	ipconfig.exe

pid	process
1360	Explorer.EXE
1360	Explorer.EXE

pid	process
1360	Explorer.EXE
1360	Explorer.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

OCT-NOV SOA2022.exeExplorer.EXEipconfig.exe

description	pid	process	target process
PID 108 wrote to memory of 1552	108	OCT-NOV SOA2022.exe	OCT-NOV SOA2022.exe
PID 108 wrote to memory of 1552	108	OCT-NOV SOA2022.exe	OCT-NOV SOA2022.exe
PID 108 wrote to memory of 1552	108	OCT-NOV SOA2022.exe	OCT-NOV SOA2022.exe
PID 108 wrote to memory of 1552	108	OCT-NOV SOA2022.exe	OCT-NOV SOA2022.exe
PID 108 wrote to memory of 1552	108	OCT-NOV SOA2022.exe	OCT-NOV SOA2022.exe
PID 108 wrote to memory of 1552	108	OCT-NOV SOA2022.exe	OCT-NOV SOA2022.exe
PID 108 wrote to memory of 1552	108	OCT-NOV SOA2022.exe	OCT-NOV SOA2022.exe
PID 1360 wrote to memory of 1968	1360	Explorer.EXE	ipconfig.exe
PID 1360 wrote to memory of 1968	1360	Explorer.EXE	ipconfig.exe
PID 1360 wrote to memory of 1968	1360	Explorer.EXE	ipconfig.exe
PID 1360 wrote to memory of 1968	1360	Explorer.EXE	ipconfig.exe
PID 1968 wrote to memory of 2040	1968	ipconfig.exe	Firefox.exe
PID 1968 wrote to memory of 2040	1968	ipconfig.exe	Firefox.exe
PID 1968 wrote to memory of 2040	1968	ipconfig.exe	Firefox.exe
PID 1968 wrote to memory of 2040	1968	ipconfig.exe	Firefox.exe
PID 1968 wrote to memory of 2040	1968	ipconfig.exe	Firefox.exe

C:\Users\Admin\AppData\Local\Temp\OCT-NOV SOA2022.exe
"C:\Users\Admin\AppData\Local\Temp\OCT-NOV SOA2022.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:108
- C:\Users\Admin\AppData\Local\Temp\OCT-NOV SOA2022.exe
  "C:\Users\Admin\AppData\Local\Temp\OCT-NOV SOA2022.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  PID:1552

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1360
- C:\Windows\SysWOW64\ipconfig.exe
  "C:\Windows\SysWOW64\ipconfig.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Gathers network information
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:2040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
910KB

MD5
d79258c5189103d69502eac786addb04

SHA1
f34b33681cfe8ce649218173a7f58b237821c1ef

SHA256
57d89a52061d70d87e40281f1196d53273f87860c4d707d667a8c7d9573da675

SHA512
da797f4dd1ad628aa4e8004b2e00b7c278facbc57a313f56b70dc8fcfbdb0050ea8b025b3475098223cce96ea53537d678273656d46c2d33d81b496d90da34b2

Download Submit
memory/108-54-0x00000000002A0000-0x00000000003B2000-memory.dmp

Filesize
1.1MB

Download
memory/108-55-0x0000000075B41000-0x0000000075B43000-memory.dmp

Filesize
8KB

Download
memory/108-56-0x0000000000700000-0x0000000000718000-memory.dmp

Filesize
96KB

Download
memory/108-57-0x0000000000610000-0x000000000061C000-memory.dmp

Filesize
48KB

Download
memory/108-58-0x0000000007E00000-0x0000000007EA4000-memory.dmp

Filesize
656KB

Download
memory/108-59-0x0000000007FD0000-0x000000000803A000-memory.dmp

Filesize
424KB

Download
memory/1360-82-0x00000000049F0000-0x0000000004A97000-memory.dmp

Filesize
668KB

Download
memory/1360-80-0x00000000049F0000-0x0000000004A97000-memory.dmp

Filesize
668KB

Download
memory/1360-71-0x0000000006D40000-0x0000000006EDE000-memory.dmp

Filesize
1.6MB

Download
memory/1552-68-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1552-64-0x00000000004012B0-mapping.dmp

Download
memory/1552-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1552-69-0x0000000000A50000-0x0000000000D53000-memory.dmp

Filesize
3.0MB

Download
memory/1552-70-0x0000000000110000-0x0000000000120000-memory.dmp

Filesize
64KB

Download
memory/1552-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1552-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1552-74-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1552-73-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1552-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1552-67-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1968-78-0x0000000002100000-0x0000000002403000-memory.dmp

Filesize
3.0MB

Download
memory/1968-79-0x0000000000420000-0x00000000004AF000-memory.dmp

Filesize
572KB

Download
memory/1968-77-0x00000000000C0000-0x00000000000ED000-memory.dmp

Filesize
180KB

Download
memory/1968-81-0x00000000000C0000-0x00000000000ED000-memory.dmp

Filesize
180KB

Download
memory/1968-76-0x0000000000B60000-0x0000000000B6A000-memory.dmp

Filesize
40KB

Download
memory/1968-72-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads