formbook | b1a7f40f3e1a87d3db5daa508219e315d1d6ce77d772a7256eaa16d880359a90

General

Target

output(1)(1).js
Size

9KB
MD5

457ddfc8f22d62496b18842824d69fe1
SHA1

7dbcf4a549128f0a108a40057c1b4a1c34a1023d
SHA256

b1a7f40f3e1a87d3db5daa508219e315d1d6ce77d772a7256eaa16d880359a90
SHA512

ae5c5176e164d5610c37a2950310b13735de175d0976809f4fa4fe4bf1bd19d87d4f5aa0ca453afe57512848cea80fe6432274c68da39a559e451a66d1d036ee
SSDEEP

192:ZblVH3Ye8iGlyi5K3hAwhB7VBOHwI+0eM1gr2JhEKyhOhr7kGLgIY9NhAAbmx:ZbciGlygwhBDOQI+EWwSLhOhX7gIY9N8

Score

10^/10

formbook tu7g rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

tu7g

Decoy

fbbktzFKN8MB1h8=

FPidEXGfkl0WqgXoVhHehw==

iHEjIL7XwJdpN6Er4Evhu03o

fHQTMsjqD3cPpQ==

VDXmCsr22oYhshz/Fg305nF21Q==

j4ZHfk5rRf6tVtwbMRU=

AORqAXKWy4R+//VwFdB6VVk=

9PW0Yw9RkIfer5+/bum7nlxwy1QfDQ==

ZU8mUjRgSOn3d0eFD3puQgVpnaAj

nlHgT2aJaMMB1h8=

+qc6XcgwdjVsEgKQ2zT+

/gCHJbBZrWjx1OZN40Hhu03o

48dX+WeLWAjFZMR2lItP8bJ87X4=

+N6H9VVzix7uogI=

Jf/NAPQe+8we7uftVhHehw==

YmANk8T+ix7uogI=

GTKxpLAYsJTl

pT8FM/QacYAV/+VInxn0

8JAnF9PnyZA29xH3Iw==

8ZdFPhCvGxYBxRCTqtB6VVk=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Blocklisted process makes network request 6 IoCs

Processes:

wscript.exe

flow pid process

26 4256 wscript.exe
27 4256 wscript.exe
34 4256 wscript.exe
41 4256 wscript.exe
43 4256 wscript.exe
48 4256 wscript.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

zz.exe

pid process

4352 zz.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

wscript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation wscript.exe

flow	pid	process
26	4256	wscript.exe
27	4256	wscript.exe
34	4256	wscript.exe
41	4256	wscript.exe
43	4256	wscript.exe
48	4256	wscript.exe

pid	process
4352	zz.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	wscript.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

zz.exeRegsvcs.exe

description	pid	process	target process
PID 4352 set thread context of 4136	4352	zz.exe	Regsvcs.exe
PID 4136 set thread context of 676	4136	Regsvcs.exe	Explorer.EXE
PID 4136 set thread context of 676	4136	Regsvcs.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

Regsvcs.exe

pid	process
4136	Regsvcs.exe
4136	Regsvcs.exe
4136	Regsvcs.exe
4136	Regsvcs.exe
4136	Regsvcs.exe
4136	Regsvcs.exe
4136	Regsvcs.exe
4136	Regsvcs.exe
4136	Regsvcs.exe
4136	Regsvcs.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

Regsvcs.exe

pid process

4136 Regsvcs.exe
4136 Regsvcs.exe
4136 Regsvcs.exe
4136 Regsvcs.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Regsvcs.exe

description pid process

Token: SeDebugPrivilege 4136 Regsvcs.exe

description	pid	process
Token: SeDebugPrivilege	4136	Regsvcs.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

wscript.exezz.exeExplorer.EXE

description	pid	process	target process
PID 4256 wrote to memory of 4352	4256	wscript.exe	zz.exe
PID 4256 wrote to memory of 4352	4256	wscript.exe	zz.exe
PID 4352 wrote to memory of 4136	4352	zz.exe	Regsvcs.exe
PID 4352 wrote to memory of 4136	4352	zz.exe	Regsvcs.exe
PID 4352 wrote to memory of 4136	4352	zz.exe	Regsvcs.exe
PID 4352 wrote to memory of 4136	4352	zz.exe	Regsvcs.exe
PID 4352 wrote to memory of 4136	4352	zz.exe	Regsvcs.exe
PID 4352 wrote to memory of 4136	4352	zz.exe	Regsvcs.exe
PID 676 wrote to memory of 2920	676	Explorer.EXE	msiexec.exe
PID 676 wrote to memory of 2920	676	Explorer.EXE	msiexec.exe
PID 676 wrote to memory of 2920	676	Explorer.EXE	msiexec.exe
PID 676 wrote to memory of 2240	676	Explorer.EXE	explorer.exe
PID 676 wrote to memory of 2240	676	Explorer.EXE	explorer.exe
PID 676 wrote to memory of 2240	676	Explorer.EXE	explorer.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:676

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\output(1)(1).js
2⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4256

C:\Users\Admin\AppData\Local\Temp\zz.exe
"C:\Users\Admin\AppData\Local\Temp\zz.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4352

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regsvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regsvcs.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4136

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
PID:2240

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:4336

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
PID:2920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zz.exe
Filesize
260KB

MD5
31319144a917439aa8e961cce95f82ee

SHA1
eaea6b758bdba74243099d60e8dd65dcbb524351

SHA256
b4455821387f7c5571cf3aa28abde41c188593a4cb5f59d0f1e9c368db49348b

SHA512
0d28854203e99f9d35fbbb920a23d9829cfad3a2583d42c77515709963c347282737b7ac545673a3b7951c4e44e4c4c37209780ef9a498eeca1ac81948dccf62

Download Submit
C:\Users\Admin\AppData\Local\Temp\zz.exe
Filesize
260KB

MD5
31319144a917439aa8e961cce95f82ee

SHA1
eaea6b758bdba74243099d60e8dd65dcbb524351

SHA256
b4455821387f7c5571cf3aa28abde41c188593a4cb5f59d0f1e9c368db49348b

SHA512
0d28854203e99f9d35fbbb920a23d9829cfad3a2583d42c77515709963c347282737b7ac545673a3b7951c4e44e4c4c37209780ef9a498eeca1ac81948dccf62

Download Submit
memory/676-146-0x00000000084A0000-0x000000000863C000-memory.dmp

Filesize
1.6MB

Download
memory/676-153-0x0000000008640000-0x0000000008725000-memory.dmp

Filesize
916KB

Download
memory/676-152-0x00000000084A0000-0x000000000863C000-memory.dmp

Filesize
1.6MB

Download
memory/676-151-0x0000000008640000-0x0000000008725000-memory.dmp

Filesize
916KB

Download
memory/2920-154-0x0000000000000000-mapping.dmp

Download
memory/4136-143-0x00000000017C0000-0x0000000001B0A000-memory.dmp

Filesize
3.3MB

Download
memory/4136-141-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4136-142-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/4136-145-0x00000000016C0000-0x00000000016D0000-memory.dmp

Filesize
64KB

Download
memory/4136-147-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4136-148-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/4136-150-0x0000000001760000-0x0000000001770000-memory.dmp

Filesize
64KB

Download
memory/4136-138-0x00000000004012B0-mapping.dmp

Download
memory/4136-137-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4352-132-0x0000000000000000-mapping.dmp

Download
memory/4352-139-0x00007FF8096F0000-0x00007FF80A1B1000-memory.dmp

Filesize
10.8MB

Download
memory/4352-136-0x00007FF8096F0000-0x00007FF80A1B1000-memory.dmp

Filesize
10.8MB

Download
memory/4352-135-0x000002D5D7D50000-0x000002D5D7D94000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads