formbook | 502751e0b4a8acff074def25e8bf46495cc258100652ae11194aea84b5278fcf

General

Target

formbook4.exe
Size

1.0MB
MD5

e434c99075bb1cc365706ac25bc1c53a
SHA1

4cbc665703ef6c5eb46608aa5b8fef42c6afe6f5
SHA256

f50fd444e689593c2b29b62961986f31fe2b61f28850d23680aab7671add1365
SHA512

a6de56271d64f1ec3c4049faaeb99b7822f22b0acb6716a5ac52f7726d6278724d3110361cf13b63d441af01c3668dcde727a3ba322af17e00b33b0b0abb4610
SSDEEP

24576:bpxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxNuss8gPkS3k:23cj+/ZEFdj

Score

10^/10

formbook 5pdf rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

5pdf

Decoy

cnoOEQHsI9ejYIEif1HquIlIogYo8Ow=

+pAzTzDtpZpp

djD/KBrcDAYQyOGt+Us+fA==

EJM2X0tTvNKodx36

86lMWj8hSQvtqtamtDE6kbKCy3c=

/ywYVB9fxjhRAg==

0OZ0eaYoArZ0

Kl0MifS5n1TXmIQBZLE=

2eN+GpZbBAJDAg==

E8OdZbo7E5cuJgSu2JNUfg==

wXQeNSUaXiXts3xLPw==

PzLRe+HePPeJJB8PJw==

BPaaT7LANzqtcROc+Us+fA==

/vB5AHAzcWtvN1TtGCkZ2L47OjGmU8RrWQ==

gwSl0rcfM/O7hCE=

NrtIzTsH96xB8a3HBhbfMkCs

bxu1vLuDaipA5w0OVuBc8Mw=

2IRJAE05bSVR4Oj7UeBc8Mw=

kQuq4sSpB/7gs3xLPw==

iqhd2Ea725sBlSE=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

formbook4.exeformbook4.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	formbook4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	formbook4.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

formbook4.exeformbook4.exesvchost.exe

description	pid	process	target process
PID 4904 set thread context of 4756	4904	formbook4.exe	formbook4.exe
PID 4756 set thread context of 2804	4756	formbook4.exe	Explorer.EXE
PID 3852 set thread context of 2804	3852	svchost.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3512 schtasks.exe

pid	process
3512	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	svchost.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

formbook4.exepowershell.exeformbook4.exesvchost.exe

pid	process
4904	formbook4.exe
4904	formbook4.exe
3168	powershell.exe
4904	formbook4.exe
4756	formbook4.exe
4756	formbook4.exe
4756	formbook4.exe
4756	formbook4.exe
4756	formbook4.exe
4756	formbook4.exe
4756	formbook4.exe
4756	formbook4.exe
3168	powershell.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2804 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

formbook4.exesvchost.exe

pid process

4756 formbook4.exe
4756 formbook4.exe
4756 formbook4.exe
3852 svchost.exe
3852 svchost.exe
3852 svchost.exe
3852 svchost.exe

pid	process
2804	Explorer.EXE

pid	process
4756	formbook4.exe
4756	formbook4.exe
4756	formbook4.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe
3852	svchost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

formbook4.exepowershell.exeformbook4.exesvchost.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	4904	formbook4.exe
Token: SeDebugPrivilege	3168	powershell.exe
Token: SeDebugPrivilege	4756	formbook4.exe
Token: SeDebugPrivilege	3852	svchost.exe
Token: SeShutdownPrivilege	2804	Explorer.EXE
Token: SeCreatePagefilePrivilege	2804	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

formbook4.exeExplorer.EXEsvchost.exe

description	pid	process	target process
PID 4904 wrote to memory of 3168	4904	formbook4.exe	powershell.exe
PID 4904 wrote to memory of 3168	4904	formbook4.exe	powershell.exe
PID 4904 wrote to memory of 3168	4904	formbook4.exe	powershell.exe
PID 4904 wrote to memory of 3512	4904	formbook4.exe	schtasks.exe
PID 4904 wrote to memory of 3512	4904	formbook4.exe	schtasks.exe
PID 4904 wrote to memory of 3512	4904	formbook4.exe	schtasks.exe
PID 4904 wrote to memory of 4756	4904	formbook4.exe	formbook4.exe
PID 4904 wrote to memory of 4756	4904	formbook4.exe	formbook4.exe
PID 4904 wrote to memory of 4756	4904	formbook4.exe	formbook4.exe
PID 4904 wrote to memory of 4756	4904	formbook4.exe	formbook4.exe
PID 4904 wrote to memory of 4756	4904	formbook4.exe	formbook4.exe
PID 4904 wrote to memory of 4756	4904	formbook4.exe	formbook4.exe
PID 2804 wrote to memory of 3852	2804	Explorer.EXE	svchost.exe
PID 2804 wrote to memory of 3852	2804	Explorer.EXE	svchost.exe
PID 2804 wrote to memory of 3852	2804	Explorer.EXE	svchost.exe
PID 3852 wrote to memory of 1248	3852	svchost.exe	Firefox.exe
PID 3852 wrote to memory of 1248	3852	svchost.exe	Firefox.exe
PID 3852 wrote to memory of 1248	3852	svchost.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2804

C:\Users\Admin\AppData\Local\Temp\formbook4.exe
"C:\Users\Admin\AppData\Local\Temp\formbook4.exe"
2⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4904

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vwzBruALhhNkob.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3168

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vwzBruALhhNkob" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAE60.tmp"
3⤵
- Creates scheduled task(s)
PID:3512

C:\Users\Admin\AppData\Local\Temp\formbook4.exe
"C:\Users\Admin\AppData\Local\Temp\formbook4.exe"
3⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4756

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3852

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1248

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpAE60.tmp
Filesize
1KB

MD5
6ced4a7343d6af2178091c20d067b09b

SHA1
089d25918bd416d4157d4bb6f279db727b4a5110

SHA256
3f19d6477e7d50dd7f058cd1c4b2095ad6c842a7814fab9653765fd202873e35

SHA512
e93d3c7a7ae33f82e55d66ba8549fdc070999bf8c82ba77853c45a032840367cd280e6877469054fe4baeacba43100cc228827777aa6af48f7d4599a46ff97fb

Download Submit
memory/2804-170-0x0000000008200000-0x0000000008325000-memory.dmp

Filesize
1.1MB

Download
memory/2804-162-0x0000000008200000-0x0000000008325000-memory.dmp

Filesize
1.1MB

Download
memory/2804-153-0x00000000028D0000-0x0000000002995000-memory.dmp

Filesize
788KB

Download
memory/3168-163-0x0000000006C40000-0x0000000006C72000-memory.dmp

Filesize
200KB

Download
memory/3168-146-0x0000000004C30000-0x0000000004C52000-memory.dmp

Filesize
136KB

Download
memory/3168-138-0x0000000000000000-mapping.dmp

Download
memory/3168-173-0x00000000072D0000-0x00000000072EA000-memory.dmp

Filesize
104KB

Download
memory/3168-140-0x0000000002300000-0x0000000002336000-memory.dmp

Filesize
216KB

Download
memory/3168-174-0x0000000007220000-0x0000000007228000-memory.dmp

Filesize
32KB

Download
memory/3168-142-0x0000000004E10000-0x0000000005438000-memory.dmp

Filesize
6.2MB

Download
memory/3168-172-0x00000000071E0000-0x00000000071EE000-memory.dmp

Filesize
56KB

Download
memory/3168-171-0x0000000007230000-0x00000000072C6000-memory.dmp

Filesize
600KB

Download
memory/3168-154-0x00000000049D0000-0x00000000049EE000-memory.dmp

Filesize
120KB

Download
memory/3168-169-0x0000000006230000-0x000000000623A000-memory.dmp

Filesize
40KB

Download
memory/3168-148-0x0000000004CD0000-0x0000000004D36000-memory.dmp

Filesize
408KB

Download
memory/3168-168-0x0000000006FA0000-0x0000000006FBA000-memory.dmp

Filesize
104KB

Download
memory/3168-167-0x00000000075F0000-0x0000000007C6A000-memory.dmp

Filesize
6.5MB

Download
memory/3168-166-0x0000000005CC0000-0x0000000005CDE000-memory.dmp

Filesize
120KB

Download
memory/3168-164-0x0000000070F10000-0x0000000070F5C000-memory.dmp

Filesize
304KB

Download
memory/3512-139-0x0000000000000000-mapping.dmp

Download
memory/3852-165-0x0000000000A20000-0x0000000000A4D000-memory.dmp

Filesize
180KB

Download
memory/3852-161-0x00000000018E0000-0x000000000196F000-memory.dmp

Filesize
572KB

Download
memory/3852-155-0x0000000000000000-mapping.dmp

Download
memory/3852-160-0x0000000000A20000-0x0000000000A4D000-memory.dmp

Filesize
180KB

Download
memory/3852-159-0x00000000000E0000-0x00000000000EE000-memory.dmp

Filesize
56KB

Download
memory/3852-158-0x0000000001500000-0x000000000184A000-memory.dmp

Filesize
3.3MB

Download
memory/4756-156-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4756-147-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4756-157-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/4756-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4756-152-0x0000000000D10000-0x0000000000D20000-memory.dmp

Filesize
64KB

Download
memory/4756-143-0x0000000000000000-mapping.dmp

Download
memory/4756-151-0x00000000011D0000-0x000000000151A000-memory.dmp

Filesize
3.3MB

Download
memory/4756-150-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4756-149-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/4904-137-0x000000000C610000-0x000000000C676000-memory.dmp

Filesize
408KB

Download
memory/4904-133-0x0000000005C70000-0x0000000006214000-memory.dmp

Filesize
5.6MB

Download
memory/4904-135-0x0000000005690000-0x000000000569A000-memory.dmp

Filesize
40KB

Download
memory/4904-132-0x0000000000BF0000-0x0000000000CFC000-memory.dmp

Filesize
1.0MB

Download
memory/4904-134-0x00000000056C0000-0x0000000005752000-memory.dmp

Filesize
584KB

Download
memory/4904-136-0x000000000C570000-0x000000000C60C000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads