formbook | 987834ddf97f12dbb06e1f6820fd3436f0226dffa78ac6fcec8b31cc52fdb26b

General

Target

SecuriteInfo.com.BackDoor.SpyBotNET.25.21875.15886.exe
Size

643KB
MD5

fcd6f1cc2f300673b3940b9623f4267f
SHA1

d8f8e1b07996ba6d8d3f482c2ab710853ee91f8b
SHA256

987834ddf97f12dbb06e1f6820fd3436f0226dffa78ac6fcec8b31cc52fdb26b
SHA512

d31c8238e17de73f352e6a7bb62449e7de951b6d5a9e3cc7ebb47403c1b22ffa8e504a979f915fa28f25d3bdf6be7471f72d19d57567a86ff79892a77c094c50
SSDEEP

12288:dec3pbKbflZUMvkEN2KMK+SknwYDZD5BUUEwcfJZSpH+:d1ZbKbUM7MKJYVEEbp

Score

10^/10

formbook q4k5 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

q4k5

Decoy

ZXN4RZ1db9JIzC7mhQ==

5+KpXZWys/DewpGQbChh6uPT5SNzFQ==

A8YuEKESXrzBhw==

uYH/9+Amwe1ZMkaR

KAusoWlA4I1Rt0P0jA==

AgIBy9IHiq8cdo4h47hB

PsX/0DrQRr+0hQ==

3z4v9UwXBjNTf48h47hB

bySPUkT+SFuT

VsQK5NkDks06l5z+TUG3eetd/twx2Mcjlg==

3+DcnQWuXG84sOphj5LEHIv/hA==

TOZXSDkjSHDoLk/pl2HYpOXJ

q7GGZ9KJrss/oTNwyxI=

2+O/k7y22Qo=

Joatk/qnSoO3q48h47hB

KT1UQcQ9yxWFQzCI

onRBEIHmYIl9XzhAIMtPLFAh5SNzFQ==

a8IY/+/oCDOj2TuM4Ohc

UlIOzyniF1sRnTNwyxI=

8UJiR6gijbvt+exXo7oCvdNV4BE=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SecuriteInfo.com.BackDoor.SpyBotNET.25.21875.15886.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	SecuriteInfo.com.BackDoor.SpyBotNET.25.21875.15886.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.BackDoor.SpyBotNET.25.21875.15886.exe

description	pid	process	target process
PID 4588 set thread context of 3752	4588	SecuriteInfo.com.BackDoor.SpyBotNET.25.21875.15886.exe	SecuriteInfo.com.BackDoor.SpyBotNET.25.21875.15886.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4840 schtasks.exe

pid	process
4840	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exeSecuriteInfo.com.BackDoor.SpyBotNET.25.21875.15886.exe

pid	process
2724	powershell.exe
3752	SecuriteInfo.com.BackDoor.SpyBotNET.25.21875.15886.exe
3752	SecuriteInfo.com.BackDoor.SpyBotNET.25.21875.15886.exe
2724	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2724 powershell.exe

description	pid	process
Token: SeDebugPrivilege	2724	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

SecuriteInfo.com.BackDoor.SpyBotNET.25.21875.15886.exe

description	pid	process	target process
PID 4588 wrote to memory of 2724	4588	SecuriteInfo.com.BackDoor.SpyBotNET.25.21875.15886.exe	powershell.exe
PID 4588 wrote to memory of 2724	4588	SecuriteInfo.com.BackDoor.SpyBotNET.25.21875.15886.exe	powershell.exe
PID 4588 wrote to memory of 2724	4588	SecuriteInfo.com.BackDoor.SpyBotNET.25.21875.15886.exe	powershell.exe
PID 4588 wrote to memory of 4840	4588	SecuriteInfo.com.BackDoor.SpyBotNET.25.21875.15886.exe	schtasks.exe
PID 4588 wrote to memory of 4840	4588	SecuriteInfo.com.BackDoor.SpyBotNET.25.21875.15886.exe	schtasks.exe
PID 4588 wrote to memory of 4840	4588	SecuriteInfo.com.BackDoor.SpyBotNET.25.21875.15886.exe	schtasks.exe
PID 4588 wrote to memory of 3752	4588	SecuriteInfo.com.BackDoor.SpyBotNET.25.21875.15886.exe	SecuriteInfo.com.BackDoor.SpyBotNET.25.21875.15886.exe
PID 4588 wrote to memory of 3752	4588	SecuriteInfo.com.BackDoor.SpyBotNET.25.21875.15886.exe	SecuriteInfo.com.BackDoor.SpyBotNET.25.21875.15886.exe
PID 4588 wrote to memory of 3752	4588	SecuriteInfo.com.BackDoor.SpyBotNET.25.21875.15886.exe	SecuriteInfo.com.BackDoor.SpyBotNET.25.21875.15886.exe
PID 4588 wrote to memory of 3752	4588	SecuriteInfo.com.BackDoor.SpyBotNET.25.21875.15886.exe	SecuriteInfo.com.BackDoor.SpyBotNET.25.21875.15886.exe
PID 4588 wrote to memory of 3752	4588	SecuriteInfo.com.BackDoor.SpyBotNET.25.21875.15886.exe	SecuriteInfo.com.BackDoor.SpyBotNET.25.21875.15886.exe
PID 4588 wrote to memory of 3752	4588	SecuriteInfo.com.BackDoor.SpyBotNET.25.21875.15886.exe	SecuriteInfo.com.BackDoor.SpyBotNET.25.21875.15886.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.SpyBotNET.25.21875.15886.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.SpyBotNET.25.21875.15886.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4588

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\NdTjnguQflTNNq.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2724

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NdTjnguQflTNNq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp450.tmp"
2⤵
- Creates scheduled task(s)
PID:4840

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.SpyBotNET.25.21875.15886.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.SpyBotNET.25.21875.15886.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp450.tmp
Filesize
1KB

MD5
8de0779587df1d83dbdba3609e6644e3

SHA1
e1965942660ac0d08134890550e77ab231a727b3

SHA256
ffdcdc9a0caae9fe43a18eaae13b67900b5f9f23f56c3a2053c45fd613207453

SHA512
99c929dc53dc1048e84d2aa2e79ebc3a5ce503f055b6b6de78c38d24720e77b3080a7a95932f4e95206378a61400089de0a9a5784308d7b21cbed7a94ff13fca

Download Submit
memory/2724-147-0x0000000004FA0000-0x0000000004FC2000-memory.dmp

Filesize
136KB

Download
memory/2724-153-0x0000000071690000-0x00000000716DC000-memory.dmp

Filesize
304KB

Download
memory/2724-160-0x0000000007720000-0x000000000773A000-memory.dmp

Filesize
104KB

Download
memory/2724-158-0x0000000007680000-0x0000000007716000-memory.dmp

Filesize
600KB

Download
memory/2724-137-0x0000000000000000-mapping.dmp

Download
memory/2724-157-0x00000000073C0000-0x00000000073CA000-memory.dmp

Filesize
40KB

Download
memory/2724-139-0x0000000002730000-0x0000000002766000-memory.dmp

Filesize
216KB

Download
memory/2724-156-0x0000000006080000-0x000000000609A000-memory.dmp

Filesize
104KB

Download
memory/2724-155-0x0000000007A30000-0x00000000080AA000-memory.dmp

Filesize
6.5MB

Download
memory/2724-154-0x0000000006610000-0x000000000662E000-memory.dmp

Filesize
120KB

Download
memory/2724-144-0x00000000053D0000-0x00000000059F8000-memory.dmp

Filesize
6.2MB

Download
memory/2724-148-0x0000000005250000-0x00000000052B6000-memory.dmp

Filesize
408KB

Download
memory/2724-161-0x0000000007670000-0x0000000007678000-memory.dmp

Filesize
32KB

Download
memory/2724-159-0x0000000007630000-0x000000000763E000-memory.dmp

Filesize
56KB

Download
memory/2724-152-0x0000000006630000-0x0000000006662000-memory.dmp

Filesize
200KB

Download
memory/2724-149-0x0000000005A70000-0x0000000005AD6000-memory.dmp

Filesize
408KB

Download
memory/2724-151-0x0000000004E40000-0x0000000004E5E000-memory.dmp

Filesize
120KB

Download
memory/3752-150-0x0000000001130000-0x000000000147A000-memory.dmp

Filesize
3.3MB

Download
memory/3752-145-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3752-142-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3752-141-0x0000000000000000-mapping.dmp

Download
memory/3752-146-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/4588-134-0x0000000005440000-0x00000000054D2000-memory.dmp

Filesize
584KB

Download
memory/4588-133-0x00000000059F0000-0x0000000005F94000-memory.dmp

Filesize
5.6MB

Download
memory/4588-136-0x00000000011C0000-0x000000000125C000-memory.dmp

Filesize
624KB

Download
memory/4588-132-0x00000000009A0000-0x0000000000A46000-memory.dmp

Filesize
664KB

Download
memory/4588-135-0x0000000005400000-0x000000000540A000-memory.dmp

Filesize
40KB

Download
memory/4840-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads