formbook | 7fbaccd563b14340ac6f740cdfa6c0d83baceb824f11b6f27a393a1c9f2e2ed4

General

Target

OCT-NOV SOA2022.exe
Size

1.0MB
MD5

375cce397a6041917dbb29a8dd6bccf9
SHA1

c7e69aaed7928aa97611466a07175d7732f27f3a
SHA256

7fbaccd563b14340ac6f740cdfa6c0d83baceb824f11b6f27a393a1c9f2e2ed4
SHA512

58bba3144e21cd5e16e628b969be4c36fbe9e166770a0f8a37e91a665032b992fff7db788adf2bceccdc1acbbc1b780d89a443ade91b433a95a3e18e18b19eb4
SSDEEP

24576:yz4agh/awmjzQ1J7+tjdWbrk00j/UQ7tIihB52Dz:yz49h/dGE7KjdW/Kj/UBiE

Score

10^/10

formbook n2hm rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

n2hm

Decoy

XCeG4IxNKbAl

YzJWbnC+El84nA==

KAJcdmP8yEcO5LXPCFF42Wfb

I+J+xYO95GJQWVU=

GtgxPPv3FmQmhw==

Og9NYF4xEl+j7vGTR93xvg==

506Cg07bsT0G6yK+A96H0h35V+JLkwI=

wAYXFN+pSFIXgQ==

ijzLI/f+FmQmhw==

UfT2PweNm+w8

GQWVw5aZnfF/kS5e

30BKYjua9zcA7gAwsPUngLnjyrBNEgo=

AM65OrmyFmQmhw==

VSlTVxISZ4J/kS5e

GGKj6K33SRh6e0/YzT5nQGlK5CXRqw==

B9H98cUUfX+AWOqiTA==

MxVffWOIoVnM37zrd2sTaOY=

z6bxCgG/mGhR7oDzQA==

pQgSLSRi6AK3M/PdArpX

6rRRsYuSnXx/kS5e

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

OCT-NOV SOA2022.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	OCT-NOV SOA2022.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

OCT-NOV SOA2022.exeOCT-NOV SOA2022.exehelp.exe

description	pid	process	target process
PID 444 set thread context of 4632	444	OCT-NOV SOA2022.exe	OCT-NOV SOA2022.exe
PID 4632 set thread context of 2644	4632	OCT-NOV SOA2022.exe	Explorer.EXE
PID 4632 set thread context of 2644	4632	OCT-NOV SOA2022.exe	Explorer.EXE
PID 4936 set thread context of 2644	4936	help.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

OCT-NOV SOA2022.exehelp.exe

pid	process
4632	OCT-NOV SOA2022.exe
4632	OCT-NOV SOA2022.exe
4632	OCT-NOV SOA2022.exe
4632	OCT-NOV SOA2022.exe
4632	OCT-NOV SOA2022.exe
4632	OCT-NOV SOA2022.exe
4632	OCT-NOV SOA2022.exe
4632	OCT-NOV SOA2022.exe
4632	OCT-NOV SOA2022.exe
4632	OCT-NOV SOA2022.exe
4936	help.exe
4936	help.exe
4936	help.exe
4936	help.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

OCT-NOV SOA2022.exehelp.exe

pid process

4632 OCT-NOV SOA2022.exe
4632 OCT-NOV SOA2022.exe
4632 OCT-NOV SOA2022.exe
4632 OCT-NOV SOA2022.exe
4936 help.exe
4936 help.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

OCT-NOV SOA2022.exeExplorer.EXEhelp.exe

description	pid	process
Token: SeDebugPrivilege	4632	OCT-NOV SOA2022.exe
Token: SeShutdownPrivilege	2644	Explorer.EXE
Token: SeCreatePagefilePrivilege	2644	Explorer.EXE
Token: SeDebugPrivilege	4936	help.exe
Token: SeShutdownPrivilege	2644	Explorer.EXE
Token: SeCreatePagefilePrivilege	2644	Explorer.EXE
Token: SeShutdownPrivilege	2644	Explorer.EXE
Token: SeCreatePagefilePrivilege	2644	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

OCT-NOV SOA2022.exeExplorer.EXEOCT-NOV SOA2022.exe

description	pid	process	target process
PID 444 wrote to memory of 4632	444	OCT-NOV SOA2022.exe	OCT-NOV SOA2022.exe
PID 444 wrote to memory of 4632	444	OCT-NOV SOA2022.exe	OCT-NOV SOA2022.exe
PID 444 wrote to memory of 4632	444	OCT-NOV SOA2022.exe	OCT-NOV SOA2022.exe
PID 444 wrote to memory of 4632	444	OCT-NOV SOA2022.exe	OCT-NOV SOA2022.exe
PID 444 wrote to memory of 4632	444	OCT-NOV SOA2022.exe	OCT-NOV SOA2022.exe
PID 444 wrote to memory of 4632	444	OCT-NOV SOA2022.exe	OCT-NOV SOA2022.exe
PID 2644 wrote to memory of 3648	2644	Explorer.EXE	cscript.exe
PID 2644 wrote to memory of 3648	2644	Explorer.EXE	cscript.exe
PID 2644 wrote to memory of 3648	2644	Explorer.EXE	cscript.exe
PID 4632 wrote to memory of 4936	4632	OCT-NOV SOA2022.exe	help.exe
PID 4632 wrote to memory of 4936	4632	OCT-NOV SOA2022.exe	help.exe
PID 4632 wrote to memory of 4936	4632	OCT-NOV SOA2022.exe	help.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2644

C:\Users\Admin\AppData\Local\Temp\OCT-NOV SOA2022.exe
"C:\Users\Admin\AppData\Local\Temp\OCT-NOV SOA2022.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:444

C:\Users\Admin\AppData\Local\Temp\OCT-NOV SOA2022.exe
"C:\Users\Admin\AppData\Local\Temp\OCT-NOV SOA2022.exe"
3⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4632

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4936

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
2⤵
PID:3648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/444-132-0x0000000000480000-0x0000000000592000-memory.dmp

Filesize
1.1MB

Download
memory/444-133-0x00000000055E0000-0x0000000005B84000-memory.dmp

Filesize
5.6MB

Download
memory/444-135-0x0000000004FE0000-0x0000000004FEA000-memory.dmp

Filesize
40KB

Download
memory/444-134-0x0000000004F30000-0x0000000004FC2000-memory.dmp

Filesize
584KB

Download
memory/444-136-0x0000000007500000-0x000000000759C000-memory.dmp

Filesize
624KB

Download
memory/2644-167-0x00000000033E0000-0x0000000003479000-memory.dmp

Filesize
612KB

Download
memory/2644-166-0x00000000030E0000-0x00000000030F0000-memory.dmp

Filesize
64KB

Download
memory/2644-165-0x00000000030E0000-0x00000000030F0000-memory.dmp

Filesize
64KB

Download
memory/2644-157-0x00000000030E0000-0x00000000030F0000-memory.dmp

Filesize
64KB

Download
memory/2644-163-0x00000000030D0000-0x00000000030E0000-memory.dmp

Filesize
64KB

Download
memory/2644-164-0x00000000030E0000-0x00000000030F0000-memory.dmp

Filesize
64KB

Download
memory/2644-161-0x00000000033E0000-0x0000000003479000-memory.dmp

Filesize
612KB

Download
memory/2644-145-0x0000000003320000-0x00000000033DD000-memory.dmp

Filesize
756KB

Download
memory/2644-159-0x00000000030E0000-0x00000000030F0000-memory.dmp

Filesize
64KB

Download
memory/2644-148-0x0000000008560000-0x0000000008676000-memory.dmp

Filesize
1.1MB

Download
memory/2644-158-0x00000000030E0000-0x00000000030F0000-memory.dmp

Filesize
64KB

Download
memory/2644-156-0x00000000030D0000-0x00000000030E0000-memory.dmp

Filesize
64KB

Download
memory/2644-155-0x0000000003080000-0x0000000003090000-memory.dmp

Filesize
64KB

Download
memory/4632-142-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/4632-143-0x0000000001680000-0x00000000019CA000-memory.dmp

Filesize
3.3MB

Download
memory/4632-138-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4632-137-0x0000000000000000-mapping.dmp

Download
memory/4632-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4632-150-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/4632-149-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4632-147-0x00000000032A0000-0x00000000032B0000-memory.dmp

Filesize
64KB

Download
memory/4632-141-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4632-144-0x0000000001210000-0x0000000001220000-memory.dmp

Filesize
64KB

Download
memory/4936-151-0x0000000000000000-mapping.dmp

Download
memory/4936-162-0x0000000000130000-0x000000000015D000-memory.dmp

Filesize
180KB

Download
memory/4936-160-0x0000000000A20000-0x0000000000AAF000-memory.dmp

Filesize
572KB

Download
memory/4936-153-0x0000000000BE0000-0x0000000000F2A000-memory.dmp

Filesize
3.3MB

Download
memory/4936-152-0x0000000000570000-0x0000000000577000-memory.dmp

Filesize
28KB

Download
memory/4936-154-0x0000000000130000-0x000000000015D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads