formbook | 1a67a5a9f3b74eb679eb5d2684961322941e9243aafd225c2fc08024f63fb59e

General

Target

document_M0234.exe
Size

249KB
MD5

0b6c508dec4b6647dca3d1bd61b002d4
SHA1

5f85f53b7f2e54d74fa7733ecc51d5e8819e4bf6
SHA256

1a67a5a9f3b74eb679eb5d2684961322941e9243aafd225c2fc08024f63fb59e
SHA512

036286c289f8b0963acc44d5f35d3527a6ad899b24c72688c64be88274b3cdf837cca618f7827d763e92984c8bf7e8d025abda62dbf4806d192555fd2cd969e7
SSDEEP

6144:gBn1Qvgd4/Vb+WwPpYM1ZKaUqjkb3Gi3S37:wQvF/B/eCMWa1S3p3S37

Score

10^/10

formbook 9qtp rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

9qtp

Decoy

0BbXnywB2jUlm9nKiMma

R5A2IaujqtD/dAqI8Y0IpQ==

hOvaxGAt51Bx33P7Vyt6XPnYWw==

IDg+M/RH+D5aQ18d8Y0IpQ==

W1xH1/2HTrysGWEUdK2equ4Y

qHgkqNn4xTo4

8S7brii3eMzty+KgvBqIXPnYWw==

j8x44wKIXrW2tRiH8Y0IpQ==

GywuINvBRm2eaNY=

dTja44gPmQhkiaLZ

s6aIdgBm7Dx5fsUB2rE=

m5h7cA6JHX1p5ylfoc4ouA==

uDxNFJgassFFTdQ=

RERUNcLCgdAOabklo1PDTjf5Uw==

pKeadO1BswJQKXZ0tAkBF9wkNVs=

xd7Yr00rxzGBNlS1XA==

01Jd2fhoQpThdH5Sc8sprQ==

oOSWBCeNDDWeB8M=

EV8ae4iFCmdrT78Zr6VnObkG

Ghkc7nZnXXPEOX1FUToisZc=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

zzlxhi.exezzlxhi.exe

pid process

2700 zzlxhi.exe
4920 zzlxhi.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

zzlxhi.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation zzlxhi.exe

pid	process
2700	zzlxhi.exe
4920	zzlxhi.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	zzlxhi.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

zzlxhi.exezzlxhi.execontrol.exe

description	pid	process	target process
PID 2700 set thread context of 4920	2700	zzlxhi.exe	zzlxhi.exe
PID 4920 set thread context of 376	4920	zzlxhi.exe	Explorer.EXE
PID 4980 set thread context of 376	4980	control.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

control.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	control.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

zzlxhi.execontrol.exe

pid	process
4920	zzlxhi.exe
4920	zzlxhi.exe
4920	zzlxhi.exe
4920	zzlxhi.exe
4920	zzlxhi.exe
4920	zzlxhi.exe
4920	zzlxhi.exe
4920	zzlxhi.exe
4980	control.exe
4980	control.exe
4980	control.exe
4980	control.exe
4980	control.exe
4980	control.exe
4980	control.exe
4980	control.exe
4980	control.exe
4980	control.exe
4980	control.exe
4980	control.exe
4980	control.exe
4980	control.exe
4980	control.exe
4980	control.exe
4980	control.exe
4980	control.exe
4980	control.exe
4980	control.exe
4980	control.exe
4980	control.exe
4980	control.exe
4980	control.exe
4980	control.exe
4980	control.exe
4980	control.exe
4980	control.exe
4980	control.exe
4980	control.exe
4980	control.exe
4980	control.exe
4980	control.exe
4980	control.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

376 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

zzlxhi.exezzlxhi.execontrol.exe

pid process

2700 zzlxhi.exe
4920 zzlxhi.exe
4920 zzlxhi.exe
4920 zzlxhi.exe
4980 control.exe
4980 control.exe
4980 control.exe
4980 control.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

zzlxhi.execontrol.exe

description pid process

Token: SeDebugPrivilege 4920 zzlxhi.exe
Token: SeDebugPrivilege 4980 control.exe

pid	process
376	Explorer.EXE

pid	process
2700	zzlxhi.exe
4920	zzlxhi.exe
4920	zzlxhi.exe
4920	zzlxhi.exe
4980	control.exe
4980	control.exe
4980	control.exe
4980	control.exe

description	pid	process
Token: SeDebugPrivilege	4920	zzlxhi.exe
Token: SeDebugPrivilege	4980	control.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

document_M0234.exezzlxhi.exeExplorer.EXEcontrol.exe

description	pid	process	target process
PID 2152 wrote to memory of 2700	2152	document_M0234.exe	zzlxhi.exe
PID 2152 wrote to memory of 2700	2152	document_M0234.exe	zzlxhi.exe
PID 2152 wrote to memory of 2700	2152	document_M0234.exe	zzlxhi.exe
PID 2700 wrote to memory of 4920	2700	zzlxhi.exe	zzlxhi.exe
PID 2700 wrote to memory of 4920	2700	zzlxhi.exe	zzlxhi.exe
PID 2700 wrote to memory of 4920	2700	zzlxhi.exe	zzlxhi.exe
PID 2700 wrote to memory of 4920	2700	zzlxhi.exe	zzlxhi.exe
PID 376 wrote to memory of 4980	376	Explorer.EXE	control.exe
PID 376 wrote to memory of 4980	376	Explorer.EXE	control.exe
PID 376 wrote to memory of 4980	376	Explorer.EXE	control.exe
PID 4980 wrote to memory of 3192	4980	control.exe	Firefox.exe
PID 4980 wrote to memory of 3192	4980	control.exe	Firefox.exe
PID 4980 wrote to memory of 3192	4980	control.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:376

C:\Users\Admin\AppData\Local\Temp\document_M0234.exe
"C:\Users\Admin\AppData\Local\Temp\document_M0234.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2152

C:\Users\Admin\AppData\Local\Temp\zzlxhi.exe
"C:\Users\Admin\AppData\Local\Temp\zzlxhi.exe" C:\Users\Admin\AppData\Local\Temp\wcocdnzaguw.y
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2700

C:\Users\Admin\AppData\Local\Temp\zzlxhi.exe
"C:\Users\Admin\AppData\Local\Temp\zzlxhi.exe" C:\Users\Admin\AppData\Local\Temp\wcocdnzaguw.y
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4920

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4980

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:3192

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rizjnohxig.wn
Filesize
185KB

MD5
37ca2219eb26d33677e2697680949352

SHA1
fb817d807d9d1fe3ed0ed398c76293088b11ad93

SHA256
d1f582fa16093b89d3cc7b63ad5880a766d389607df7839fbde54201321da2b2

SHA512
4a90f548ea44fece68d52a1b35a50e48ecd232bcb1e50636ff1fbf694caf93d0921f774e0e0700cfdb28389be7c8dce149bb5e3808f8c5cdd979e9376acf1ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcocdnzaguw.y
Filesize
5KB

MD5
32b8e9872d3b73cc9cc9d5d886f4b39a

SHA1
51465ace022e9b4bf75614a84ef0fbb6abdf358d

SHA256
9eaad4bdebd926e37c83c5a5cb850a0e4a74888120a50bac5e163a6c997f4264

SHA512
326a9b63c95a67f392a5273002a45c2bb257c1c7cb53ba652f5ec72c37945531395d03ba02d8085efab8e023a4372cfb0fdada8a22ed347e14d0f658d1b3175b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zzlxhi.exe
Filesize
59KB

MD5
7933f62d56acf239be280e77cc3cda48

SHA1
7ad3dae5e5a4d2e0a7b44e1076df463ec7f921bd

SHA256
02ee0374c20a68f1e0f81c8014b75521f09e2c4625e0afeabb0af87dc9aa5715

SHA512
79b16980c324db3c65db53166f7eea2b25610693f671b21d3ae89d6f4ffb6a4d2f3a5978b682598ff2830cde51964e25b793f3a18251ebe1450bdfeb8a24aae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zzlxhi.exe
Filesize
59KB

MD5
7933f62d56acf239be280e77cc3cda48

SHA1
7ad3dae5e5a4d2e0a7b44e1076df463ec7f921bd

SHA256
02ee0374c20a68f1e0f81c8014b75521f09e2c4625e0afeabb0af87dc9aa5715

SHA512
79b16980c324db3c65db53166f7eea2b25610693f671b21d3ae89d6f4ffb6a4d2f3a5978b682598ff2830cde51964e25b793f3a18251ebe1450bdfeb8a24aae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zzlxhi.exe
Filesize
59KB

MD5
7933f62d56acf239be280e77cc3cda48

SHA1
7ad3dae5e5a4d2e0a7b44e1076df463ec7f921bd

SHA256
02ee0374c20a68f1e0f81c8014b75521f09e2c4625e0afeabb0af87dc9aa5715

SHA512
79b16980c324db3c65db53166f7eea2b25610693f671b21d3ae89d6f4ffb6a4d2f3a5978b682598ff2830cde51964e25b793f3a18251ebe1450bdfeb8a24aae0

Download Submit
memory/376-151-0x0000000008C90000-0x0000000008DE1000-memory.dmp

Filesize
1.3MB

Download
memory/376-149-0x0000000008C90000-0x0000000008DE1000-memory.dmp

Filesize
1.3MB

Download
memory/376-143-0x0000000008B70000-0x0000000008C8C000-memory.dmp

Filesize
1.1MB

Download
memory/2700-132-0x0000000000000000-mapping.dmp

Download
memory/4920-142-0x00000000007B0000-0x00000000007C0000-memory.dmp

Filesize
64KB

Download
memory/4920-141-0x0000000000A70000-0x0000000000DBA000-memory.dmp

Filesize
3.3MB

Download
memory/4920-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4920-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4920-137-0x0000000000000000-mapping.dmp

Download
memory/4980-144-0x0000000000000000-mapping.dmp

Download
memory/4980-145-0x0000000000C20000-0x0000000000C47000-memory.dmp

Filesize
156KB

Download
memory/4980-146-0x00000000006C0000-0x00000000006ED000-memory.dmp

Filesize
180KB

Download
memory/4980-147-0x00000000025A0000-0x00000000028EA000-memory.dmp

Filesize
3.3MB

Download
memory/4980-148-0x00000000023F0000-0x000000000247F000-memory.dmp

Filesize
572KB

Download
memory/4980-150-0x00000000006C0000-0x00000000006ED000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads