formbook | bab8c0c9b3c3cebaa6f32565eadd1733308973fade84142c07bb1d5608fc6a0c

General

Target

ewe.exe
Size

947KB
MD5

b39bb6d5236d059f15e0c303119ac2ac
SHA1

169bbde66c91ec403e5378e3af49b7e038739a59
SHA256

bab8c0c9b3c3cebaa6f32565eadd1733308973fade84142c07bb1d5608fc6a0c
SHA512

c64992edf997a67981a1a8fa59176c1b8430668f31f86af546196e2944e477e8ff89ea298ccbc9b0cd4e7e5b5fd40f4f616b838c6e75e493854c5af6a545183c
SSDEEP

6144:CE0WCLnQX46PiAdNF5miUfnKk7gDaKIUzjmVqJE9/UxaGHXvI1N7nRl3kgbIpxC3:8WCLQIClF5mHKQSdiqosaG/8NpDAds

Score

10^/10

formbook dcn0 persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

dcn0

Decoy

ZVx68vDtAMBCwg==

oBMBvsNORkM/O/ox

Ff9pISWkm6eG4lByIspp

c2T42c6CIIF6B8xTxm9XzpVw

bvjhxRbnAC183w==

0lTttSNG4HUDNflyIspp

hPXFlstqiHA/O/ox

WLR+MeerxZ0cNn1ja+IQAYo=

IHRn4xXOVKi477zarG+ObSy7YJA=

Xhf3e+tdAC183w==

Xk0ZAezv2rWH

kngo+vBeSRN7AszNwam3Osmguuqc0MoC

a2Qp7a+E8fSw7LDjpnqEKjsRZA==

3zjy4E7+QM48wg==

YcCmqT3OUNAigVott2pBKiy7YJA=

4+SMeX1juat/5cZ1AZihcyy7YJA=

/+m7sro0OBTl3TMpCw==

i2ctEfe4//a64yklMsgS2J90

+loZ2QKGX0UWgpvErMs=

b9BNCnJWQJS8IfsR0uR3bCy7YJA=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Mircca\\ogaru.exe,"	reg.exe

Executes dropped EXE 1 IoCs

Processes:

ogaru.exe

pid process

1632 ogaru.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

520 cmd.exe

pid	process
1632	ogaru.exe

pid	process
520	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

ogaru.exeAddInProcess32.execmmon32.exe

description	pid	process	target process
PID 1632 set thread context of 572	1632	ogaru.exe	AddInProcess32.exe
PID 572 set thread context of 1220	572	AddInProcess32.exe	Explorer.EXE
PID 572 set thread context of 1220	572	AddInProcess32.exe	Explorer.EXE
PID 1664 set thread context of 1220	1664	cmmon32.exe	Explorer.EXE

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

1240 PING.EXE
976 PING.EXE
980 PING.EXE

pid	process
1240	PING.EXE
976	PING.EXE
980	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ewe.exeogaru.exeAddInProcess32.execmmon32.exe

pid	process
1324	ewe.exe
1324	ewe.exe
1324	ewe.exe
1632	ogaru.exe
1632	ogaru.exe
572	AddInProcess32.exe
572	AddInProcess32.exe
572	AddInProcess32.exe
572	AddInProcess32.exe
572	AddInProcess32.exe
1664	cmmon32.exe
1664	cmmon32.exe
1664	cmmon32.exe
1664	cmmon32.exe
1664	cmmon32.exe
1664	cmmon32.exe
1664	cmmon32.exe
1664	cmmon32.exe
1664	cmmon32.exe
1664	cmmon32.exe
1664	cmmon32.exe
1664	cmmon32.exe
1664	cmmon32.exe
1664	cmmon32.exe
1664	cmmon32.exe
1664	cmmon32.exe
1664	cmmon32.exe
1664	cmmon32.exe
1664	cmmon32.exe
1664	cmmon32.exe
1664	cmmon32.exe
1664	cmmon32.exe
1664	cmmon32.exe
1664	cmmon32.exe
1664	cmmon32.exe
1664	cmmon32.exe
1664	cmmon32.exe
1664	cmmon32.exe
1664	cmmon32.exe
1664	cmmon32.exe
1664	cmmon32.exe
1664	cmmon32.exe
1664	cmmon32.exe
1664	cmmon32.exe
1664	cmmon32.exe
1664	cmmon32.exe
1664	cmmon32.exe
1664	cmmon32.exe
1664	cmmon32.exe
1664	cmmon32.exe
1664	cmmon32.exe
1664	cmmon32.exe
1664	cmmon32.exe
1664	cmmon32.exe
1664	cmmon32.exe
1664	cmmon32.exe
1664	cmmon32.exe
1664	cmmon32.exe
1664	cmmon32.exe
1664	cmmon32.exe
1664	cmmon32.exe
1664	cmmon32.exe
1664	cmmon32.exe
1664	cmmon32.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

AddInProcess32.execmmon32.exe

pid process

572 AddInProcess32.exe
572 AddInProcess32.exe
572 AddInProcess32.exe
572 AddInProcess32.exe
1664 cmmon32.exe
1664 cmmon32.exe

pid	process
572	AddInProcess32.exe
572	AddInProcess32.exe
572	AddInProcess32.exe
572	AddInProcess32.exe
1664	cmmon32.exe
1664	cmmon32.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

ewe.exeogaru.exeAddInProcess32.execmmon32.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1324	ewe.exe
Token: SeDebugPrivilege	1632	ogaru.exe
Token: SeDebugPrivilege	572	AddInProcess32.exe
Token: SeDebugPrivilege	1664	cmmon32.exe
Token: SeShutdownPrivilege	1220	Explorer.EXE

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

ewe.execmd.execmd.exeogaru.exeExplorer.EXE

description	pid	process	target process
PID 1324 wrote to memory of 1580	1324	ewe.exe	cmd.exe
PID 1324 wrote to memory of 1580	1324	ewe.exe	cmd.exe
PID 1324 wrote to memory of 1580	1324	ewe.exe	cmd.exe
PID 1324 wrote to memory of 1580	1324	ewe.exe	cmd.exe
PID 1580 wrote to memory of 1240	1580	cmd.exe	PING.EXE
PID 1580 wrote to memory of 1240	1580	cmd.exe	PING.EXE
PID 1580 wrote to memory of 1240	1580	cmd.exe	PING.EXE
PID 1580 wrote to memory of 1240	1580	cmd.exe	PING.EXE
PID 1324 wrote to memory of 520	1324	ewe.exe	cmd.exe
PID 1324 wrote to memory of 520	1324	ewe.exe	cmd.exe
PID 1324 wrote to memory of 520	1324	ewe.exe	cmd.exe
PID 1324 wrote to memory of 520	1324	ewe.exe	cmd.exe
PID 520 wrote to memory of 976	520	cmd.exe	PING.EXE
PID 520 wrote to memory of 976	520	cmd.exe	PING.EXE
PID 520 wrote to memory of 976	520	cmd.exe	PING.EXE
PID 520 wrote to memory of 976	520	cmd.exe	PING.EXE
PID 1580 wrote to memory of 840	1580	cmd.exe	reg.exe
PID 1580 wrote to memory of 840	1580	cmd.exe	reg.exe
PID 1580 wrote to memory of 840	1580	cmd.exe	reg.exe
PID 1580 wrote to memory of 840	1580	cmd.exe	reg.exe
PID 520 wrote to memory of 980	520	cmd.exe	PING.EXE
PID 520 wrote to memory of 980	520	cmd.exe	PING.EXE
PID 520 wrote to memory of 980	520	cmd.exe	PING.EXE
PID 520 wrote to memory of 980	520	cmd.exe	PING.EXE
PID 520 wrote to memory of 1632	520	cmd.exe	ogaru.exe
PID 520 wrote to memory of 1632	520	cmd.exe	ogaru.exe
PID 520 wrote to memory of 1632	520	cmd.exe	ogaru.exe
PID 520 wrote to memory of 1632	520	cmd.exe	ogaru.exe
PID 1632 wrote to memory of 572	1632	ogaru.exe	AddInProcess32.exe
PID 1632 wrote to memory of 572	1632	ogaru.exe	AddInProcess32.exe
PID 1632 wrote to memory of 572	1632	ogaru.exe	AddInProcess32.exe
PID 1632 wrote to memory of 572	1632	ogaru.exe	AddInProcess32.exe
PID 1632 wrote to memory of 572	1632	ogaru.exe	AddInProcess32.exe
PID 1632 wrote to memory of 572	1632	ogaru.exe	AddInProcess32.exe
PID 1632 wrote to memory of 572	1632	ogaru.exe	AddInProcess32.exe
PID 1220 wrote to memory of 1664	1220	Explorer.EXE	cmmon32.exe
PID 1220 wrote to memory of 1664	1220	Explorer.EXE	cmmon32.exe
PID 1220 wrote to memory of 1664	1220	Explorer.EXE	cmmon32.exe
PID 1220 wrote to memory of 1664	1220	Explorer.EXE	cmmon32.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1220

C:\Users\Admin\AppData\Local\Temp\ewe.exe
"C:\Users\Admin\AppData\Local\Temp\ewe.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 39 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Mircca\ogaru.exe,"
3⤵
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 39
4⤵
- Runs ping.exe
PID:1240

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Mircca\ogaru.exe,"
4⤵
- Modifies WinLogon for persistence
PID:840

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 44 > nul && copy "C:\Users\Admin\AppData\Local\Temp\ewe.exe" "C:\Users\Admin\AppData\Roaming\Mircca\ogaru.exe" && ping 127.0.0.1 -n 44 > nul && "C:\Users\Admin\AppData\Roaming\Mircca\ogaru.exe"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 44
4⤵
- Runs ping.exe
PID:976

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 44
4⤵
- Runs ping.exe
PID:980

C:\Users\Admin\AppData\Roaming\Mircca\ogaru.exe
"C:\Users\Admin\AppData\Roaming\Mircca\ogaru.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:572

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1664

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mircca\ogaru.exe
Filesize
947KB

MD5
b39bb6d5236d059f15e0c303119ac2ac

SHA1
169bbde66c91ec403e5378e3af49b7e038739a59

SHA256
bab8c0c9b3c3cebaa6f32565eadd1733308973fade84142c07bb1d5608fc6a0c

SHA512
c64992edf997a67981a1a8fa59176c1b8430668f31f86af546196e2944e477e8ff89ea298ccbc9b0cd4e7e5b5fd40f4f616b838c6e75e493854c5af6a545183c

Download Submit
C:\Users\Admin\AppData\Roaming\Mircca\ogaru.exe
Filesize
947KB

MD5
b39bb6d5236d059f15e0c303119ac2ac

SHA1
169bbde66c91ec403e5378e3af49b7e038739a59

SHA256
bab8c0c9b3c3cebaa6f32565eadd1733308973fade84142c07bb1d5608fc6a0c

SHA512
c64992edf997a67981a1a8fa59176c1b8430668f31f86af546196e2944e477e8ff89ea298ccbc9b0cd4e7e5b5fd40f4f616b838c6e75e493854c5af6a545183c

Download Submit
\Users\Admin\AppData\Roaming\Mircca\ogaru.exe
Filesize
947KB

MD5
b39bb6d5236d059f15e0c303119ac2ac

SHA1
169bbde66c91ec403e5378e3af49b7e038739a59

SHA256
bab8c0c9b3c3cebaa6f32565eadd1733308973fade84142c07bb1d5608fc6a0c

SHA512
c64992edf997a67981a1a8fa59176c1b8430668f31f86af546196e2944e477e8ff89ea298ccbc9b0cd4e7e5b5fd40f4f616b838c6e75e493854c5af6a545183c

Download Submit
memory/520-60-0x0000000000000000-mapping.dmp

Download
memory/572-83-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/572-80-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/572-86-0x0000000000422000-0x0000000000424000-memory.dmp

Filesize
8KB

Download
memory/572-75-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/572-73-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/572-82-0x0000000000422000-0x0000000000424000-memory.dmp

Filesize
8KB

Download
memory/572-87-0x00000000002A0000-0x00000000002B0000-memory.dmp

Filesize
64KB

Download
memory/572-81-0x0000000000880000-0x0000000000B83000-memory.dmp

Filesize
3.0MB

Download
memory/572-90-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/572-91-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/572-76-0x00000000004012B0-mapping.dmp

Download
memory/572-79-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/572-78-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/572-72-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/840-62-0x0000000000000000-mapping.dmp

Download
memory/976-61-0x0000000000000000-mapping.dmp

Download
memory/980-63-0x0000000000000000-mapping.dmp

Download
memory/1220-88-0x0000000005020000-0x00000000050DD000-memory.dmp

Filesize
756KB

Download
memory/1220-84-0x0000000004CF0000-0x0000000004E22000-memory.dmp

Filesize
1.2MB

Download
memory/1240-59-0x0000000000000000-mapping.dmp

Download
memory/1324-57-0x0000000000700000-0x0000000000718000-memory.dmp

Filesize
96KB

Download
memory/1324-55-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download
memory/1324-54-0x0000000000350000-0x0000000000442000-memory.dmp

Filesize
968KB

Download
memory/1324-56-0x0000000000520000-0x0000000000550000-memory.dmp

Filesize
192KB

Download
memory/1580-58-0x0000000000000000-mapping.dmp

Download
memory/1632-65-0x0000000000000000-mapping.dmp

Download
memory/1632-68-0x0000000001210000-0x0000000001302000-memory.dmp

Filesize
968KB

Download
memory/1632-71-0x0000000000700000-0x0000000000706000-memory.dmp

Filesize
24KB

Download
memory/1632-70-0x0000000000B70000-0x0000000000B8A000-memory.dmp

Filesize
104KB

Download
memory/1664-89-0x0000000000000000-mapping.dmp

Download
memory/1664-92-0x0000000000710000-0x000000000071D000-memory.dmp

Filesize
52KB

Download
memory/1664-93-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/1664-94-0x0000000002110000-0x0000000002413000-memory.dmp

Filesize
3.0MB

Download
memory/1664-95-0x0000000000660000-0x00000000006EF000-memory.dmp

Filesize
572KB

Download
memory/1664-96-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads