formbook | cb51a857dc33e532754e21259545e94dd518baff0783b8dd0623a20621af3a28

General

Target

639b8c7c6c073dba732b3bf637198ef8.exe
Size

1.1MB
MD5

639b8c7c6c073dba732b3bf637198ef8
SHA1

678981a9dd87757102383c8179213e4fdb50f981
SHA256

cb51a857dc33e532754e21259545e94dd518baff0783b8dd0623a20621af3a28
SHA512

c6d5ffffe53e6472dfe7cb12380ee2619cc353994ab7aee682ca5b97a7dfc2b7cd0e9d0ea49d38626ed82256bb391860e3ac3ae67b07150a15711a5de8dd75a9
SSDEEP

12288:NQnk3GDYKGcblOOO8veSJJ9F5qhBWX7riHB7BF7M9VVRyF/2gLrQ8H5Z/wwC+r1Q:XAOcZPOeJ9FEeHiT7MdIF/2gzf3hL69p

Score

10^/10

formbook nurs rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

nurs

Decoy

caixinhascomcarinho.com

abinotools.com

oporto-tours.com

iruos.com

yesmamawinebar.com

wwwscu.com

habit2impact.com

antigenresearch.com

ux4space.com

diarypisces.com

cryptopers.com

lovingmoreband.com

beerwars.net

ascariproject.site

livesoccerhd.info

bluestardivingschool.com

pluik.com

snorrky.space

lcoi9.com

phantomxr.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1828-141-0x0000000000000000-mapping.dmp	formbook
behavioral2/memory/1828-142-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/1828-144-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3708-150-0x0000000000C40000-0x0000000000C6F000-memory.dmp	formbook
behavioral2/memory/3708-155-0x0000000000C40000-0x0000000000C6F000-memory.dmp	formbook

Executes dropped EXE 1 IoCs

Processes:

sqia.exe

pid process

2284 sqia.exe

pid	process
2284	sqia.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

639b8c7c6c073dba732b3bf637198ef8.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	639b8c7c6c073dba732b3bf637198ef8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WScript.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

sqia.exeRegSvcs.exeNETSTAT.EXE

description	pid	process	target process
PID 2284 set thread context of 1828	2284	sqia.exe	RegSvcs.exe
PID 1828 set thread context of 3052	1828	RegSvcs.exe	Explorer.EXE
PID 3708 set thread context of 3052	3708	NETSTAT.EXE	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

3708 NETSTAT.EXE

pid	process
3708	NETSTAT.EXE

Modifies registry class 2 IoCs

Processes:

WScript.exe639b8c7c6c073dba732b3bf637198ef8.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	639b8c7c6c073dba732b3bf637198ef8.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

Processes:

RegSvcs.exeNETSTAT.EXE

pid	process
1828	RegSvcs.exe
1828	RegSvcs.exe
1828	RegSvcs.exe
1828	RegSvcs.exe
3708	NETSTAT.EXE
3708	NETSTAT.EXE
3708	NETSTAT.EXE
3708	NETSTAT.EXE
3708	NETSTAT.EXE
3708	NETSTAT.EXE
3708	NETSTAT.EXE
3708	NETSTAT.EXE
3708	NETSTAT.EXE
3708	NETSTAT.EXE
3708	NETSTAT.EXE
3708	NETSTAT.EXE
3708	NETSTAT.EXE
3708	NETSTAT.EXE
3708	NETSTAT.EXE
3708	NETSTAT.EXE
3708	NETSTAT.EXE
3708	NETSTAT.EXE
3708	NETSTAT.EXE
3708	NETSTAT.EXE
3708	NETSTAT.EXE
3708	NETSTAT.EXE
3708	NETSTAT.EXE
3708	NETSTAT.EXE
3708	NETSTAT.EXE
3708	NETSTAT.EXE
3708	NETSTAT.EXE
3708	NETSTAT.EXE
3708	NETSTAT.EXE
3708	NETSTAT.EXE
3708	NETSTAT.EXE
3708	NETSTAT.EXE
3708	NETSTAT.EXE
3708	NETSTAT.EXE
3708	NETSTAT.EXE
3708	NETSTAT.EXE
3708	NETSTAT.EXE
3708	NETSTAT.EXE
3708	NETSTAT.EXE
3708	NETSTAT.EXE
3708	NETSTAT.EXE
3708	NETSTAT.EXE
3708	NETSTAT.EXE
3708	NETSTAT.EXE
3708	NETSTAT.EXE
3708	NETSTAT.EXE
3708	NETSTAT.EXE
3708	NETSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3052 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

RegSvcs.exeNETSTAT.EXE

pid process

1828 RegSvcs.exe
1828 RegSvcs.exe
1828 RegSvcs.exe
3708 NETSTAT.EXE
3708 NETSTAT.EXE

pid	process
3052	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

RegSvcs.exeExplorer.EXENETSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	1828	RegSvcs.exe
Token: SeShutdownPrivilege	3052	Explorer.EXE
Token: SeCreatePagefilePrivilege	3052	Explorer.EXE
Token: SeShutdownPrivilege	3052	Explorer.EXE
Token: SeCreatePagefilePrivilege	3052	Explorer.EXE
Token: SeDebugPrivilege	3708	NETSTAT.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

639b8c7c6c073dba732b3bf637198ef8.exeWScript.exesqia.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 1752 wrote to memory of 2368	1752	639b8c7c6c073dba732b3bf637198ef8.exe	WScript.exe
PID 1752 wrote to memory of 2368	1752	639b8c7c6c073dba732b3bf637198ef8.exe	WScript.exe
PID 1752 wrote to memory of 2368	1752	639b8c7c6c073dba732b3bf637198ef8.exe	WScript.exe
PID 2368 wrote to memory of 2284	2368	WScript.exe	sqia.exe
PID 2368 wrote to memory of 2284	2368	WScript.exe	sqia.exe
PID 2368 wrote to memory of 2284	2368	WScript.exe	sqia.exe
PID 2284 wrote to memory of 1392	2284	sqia.exe	RegSvcs.exe
PID 2284 wrote to memory of 1392	2284	sqia.exe	RegSvcs.exe
PID 2284 wrote to memory of 1392	2284	sqia.exe	RegSvcs.exe
PID 2284 wrote to memory of 1828	2284	sqia.exe	RegSvcs.exe
PID 2284 wrote to memory of 1828	2284	sqia.exe	RegSvcs.exe
PID 2284 wrote to memory of 1828	2284	sqia.exe	RegSvcs.exe
PID 2284 wrote to memory of 1828	2284	sqia.exe	RegSvcs.exe
PID 2284 wrote to memory of 1828	2284	sqia.exe	RegSvcs.exe
PID 2284 wrote to memory of 1828	2284	sqia.exe	RegSvcs.exe
PID 3052 wrote to memory of 3708	3052	Explorer.EXE	NETSTAT.EXE
PID 3052 wrote to memory of 3708	3052	Explorer.EXE	NETSTAT.EXE
PID 3052 wrote to memory of 3708	3052	Explorer.EXE	NETSTAT.EXE
PID 3708 wrote to memory of 1008	3708	NETSTAT.EXE	cmd.exe
PID 3708 wrote to memory of 1008	3708	NETSTAT.EXE	cmd.exe
PID 3708 wrote to memory of 1008	3708	NETSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3052

C:\Users\Admin\AppData\Local\Temp\639b8c7c6c073dba732b3bf637198ef8.exe
"C:\Users\Admin\AppData\Local\Temp\639b8c7c6c073dba732b3bf637198ef8.exe"
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\1_25\sacoeskrb.vbe"
3⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2368

C:\Users\Admin\AppData\Local\Temp\1_25\sqia.exe
"C:\Users\Admin\AppData\Local\Temp\1_25\sqia.exe" obhixptvt.sdb
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
5⤵
PID:1392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1828

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3708

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:1008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1_25\EWVDXV~1.UWT
Filesize
370KB

MD5
475aeaa2f299104829cf51855f967732

SHA1
2d0a6a9354352de037ba138eaa396a555e81f2fc

SHA256
1fccb373d0874ca7b1724be22c92c0d43e57bacd7b63fc8d941c7547547e42cc

SHA512
a08cc7830b9c3871206614f9c2b5561924213677098c0540833ffdb34d1ae18131aae73a14c507b0a4f29866f0297928428649b761488855d08c58d3e65ab739

Download Submit
C:\Users\Admin\AppData\Local\Temp\1_25\kwveqml.xls
Filesize
46KB

MD5
7019bcd3fb865e3a8e2da1b516c564a3

SHA1
3262d4ee592347d82a8fd2140d93bb6910d00075

SHA256
d681907c61f968ace305acd2ea934a4435fc3cb8da56e0344aba8bea454b4218

SHA512
0bd7d208720e6b079e1cf4068e005e52bc270b571688f7a8e1f254c4c79c166b8aa9607e42f399960aa17accc03df7f51cba425a0f51b03908c06a8b47e809cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1_25\obhixptvt.sdb
Filesize
175.1MB

MD5
082a1acafdf54eb080f1d2e7283c4ae7

SHA1
051cbe21e76e4e0204a1ca8e6f84a3f2552d9f0f

SHA256
358e471f362945f7fe80c899ae57ccc310ebf5b8a4f397cea470074bd6ab9f9b

SHA512
d227860690ed097dff52abdd5d24b128cc594d300a48cfea590b536b8e48a8b5c2b4edb21ed95927de3a553ba563bedd3146e7bf3a54f35efbded687761572ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\1_25\sqia.exe
Filesize
887KB

MD5
9cb747e90a356ba69be4204d8bfd200e

SHA1
68346ca6bcbef5ed66845b607213483fb16eba89

SHA256
f06ee32abde9a559f10f7f94bc75b735b969774f532a09f6688b34ab3575d5eb

SHA512
c67f175455144a52597912fb80aeb6da440a4fa9065c16f69f49c9f4c1ca5b8bc53ee4422dbea157adaca893636cdc95e2262212eb394ccb90577d605a0e5129

Download Submit
C:\Users\Admin\AppData\Local\Temp\1_25\sqia.exe
Filesize
887KB

MD5
9cb747e90a356ba69be4204d8bfd200e

SHA1
68346ca6bcbef5ed66845b607213483fb16eba89

SHA256
f06ee32abde9a559f10f7f94bc75b735b969774f532a09f6688b34ab3575d5eb

SHA512
c67f175455144a52597912fb80aeb6da440a4fa9065c16f69f49c9f4c1ca5b8bc53ee4422dbea157adaca893636cdc95e2262212eb394ccb90577d605a0e5129

Download Submit
C:\Users\Admin\AppData\Local\temp\1_25\sacoeskrb.vbe
Filesize
21KB

MD5
86585175a5cea2d2e40f4d6bf8a7f2a2

SHA1
1bfa7cf0e59e91aade5843e7781e8b6020a83103

SHA256
a28850acd2150df85cf31643b282637a089c5a38a9499bc4f3133bfbbfb54aba

SHA512
dedbffde74768669456b847deb5299e9870df0c3e362180afddae5804b95d82b47508735168e7b1744d16a0b9ddb82bde29ba723f57e71647cd73f3265f690d1

Download Submit
memory/1008-151-0x0000000000000000-mapping.dmp

Download
memory/1392-140-0x0000000000000000-mapping.dmp

Download
memory/1828-141-0x0000000000000000-mapping.dmp

Download
memory/1828-142-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1828-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1828-145-0x00000000011A0000-0x00000000014EA000-memory.dmp

Filesize
3.3MB

Download
memory/1828-146-0x00000000010F0000-0x0000000001104000-memory.dmp

Filesize
80KB

Download
memory/2284-135-0x0000000000000000-mapping.dmp

Download
memory/2368-132-0x0000000000000000-mapping.dmp

Download
memory/3052-147-0x0000000007EF0000-0x0000000007FDB000-memory.dmp

Filesize
940KB

Download
memory/3052-156-0x0000000007FE0000-0x000000000815F000-memory.dmp

Filesize
1.5MB

Download
memory/3052-154-0x0000000007FE0000-0x000000000815F000-memory.dmp

Filesize
1.5MB

Download
memory/3708-148-0x0000000000000000-mapping.dmp

Download
memory/3708-152-0x0000000001470000-0x00000000017BA000-memory.dmp

Filesize
3.3MB

Download
memory/3708-153-0x00000000011B0000-0x0000000001243000-memory.dmp

Filesize
588KB

Download
memory/3708-150-0x0000000000C40000-0x0000000000C6F000-memory.dmp

Filesize
188KB

Download
memory/3708-155-0x0000000000C40000-0x0000000000C6F000-memory.dmp

Filesize
188KB

Download
memory/3708-149-0x0000000000C20000-0x0000000000C2B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads