formbook | 987834ddf97f12dbb06e1f6820fd3436f0226dffa78ac6fcec8b31cc52fdb26b

General

Target

fcd6f1cc2f300673b3940b9623f4267f.exe
Size

643KB
MD5

fcd6f1cc2f300673b3940b9623f4267f
SHA1

d8f8e1b07996ba6d8d3f482c2ab710853ee91f8b
SHA256

987834ddf97f12dbb06e1f6820fd3436f0226dffa78ac6fcec8b31cc52fdb26b
SHA512

d31c8238e17de73f352e6a7bb62449e7de951b6d5a9e3cc7ebb47403c1b22ffa8e504a979f915fa28f25d3bdf6be7471f72d19d57567a86ff79892a77c094c50
SSDEEP

12288:dec3pbKbflZUMvkEN2KMK+SknwYDZD5BUUEwcfJZSpH+:d1ZbKbUM7MKJYVEEbp

Score

10^/10

formbook q4k5 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

q4k5

Decoy

ZXN4RZ1db9JIzC7mhQ==

5+KpXZWys/DewpGQbChh6uPT5SNzFQ==

A8YuEKESXrzBhw==

uYH/9+Amwe1ZMkaR

KAusoWlA4I1Rt0P0jA==

AgIBy9IHiq8cdo4h47hB

PsX/0DrQRr+0hQ==

3z4v9UwXBjNTf48h47hB

bySPUkT+SFuT

VsQK5NkDks06l5z+TUG3eetd/twx2Mcjlg==

3+DcnQWuXG84sOphj5LEHIv/hA==

TOZXSDkjSHDoLk/pl2HYpOXJ

q7GGZ9KJrss/oTNwyxI=

2+O/k7y22Qo=

Joatk/qnSoO3q48h47hB

KT1UQcQ9yxWFQzCI

onRBEIHmYIl9XzhAIMtPLFAh5SNzFQ==

a8IY/+/oCDOj2TuM4Ohc

UlIOzyniF1sRnTNwyxI=

8UJiR6gijbvt+exXo7oCvdNV4BE=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fcd6f1cc2f300673b3940b9623f4267f.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	fcd6f1cc2f300673b3940b9623f4267f.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

fcd6f1cc2f300673b3940b9623f4267f.exe

description pid process target process

PID 4204 set thread context of 2164 4204 fcd6f1cc2f300673b3940b9623f4267f.exe fcd6f1cc2f300673b3940b9623f4267f.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3736 schtasks.exe

description	pid	process	target process
PID 4204 set thread context of 2164	4204	fcd6f1cc2f300673b3940b9623f4267f.exe	fcd6f1cc2f300673b3940b9623f4267f.exe

pid	process
3736	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

fcd6f1cc2f300673b3940b9623f4267f.exepowershell.exefcd6f1cc2f300673b3940b9623f4267f.exe

pid	process
4204	fcd6f1cc2f300673b3940b9623f4267f.exe
4204	fcd6f1cc2f300673b3940b9623f4267f.exe
4660	powershell.exe
4660	powershell.exe
2164	fcd6f1cc2f300673b3940b9623f4267f.exe
2164	fcd6f1cc2f300673b3940b9623f4267f.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

fcd6f1cc2f300673b3940b9623f4267f.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4204 fcd6f1cc2f300673b3940b9623f4267f.exe
Token: SeDebugPrivilege 4660 powershell.exe

description	pid	process
Token: SeDebugPrivilege	4204	fcd6f1cc2f300673b3940b9623f4267f.exe
Token: SeDebugPrivilege	4660	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

fcd6f1cc2f300673b3940b9623f4267f.exe

C:\Users\Admin\AppData\Local\Temp\fcd6f1cc2f300673b3940b9623f4267f.exe
"C:\Users\Admin\AppData\Local\Temp\fcd6f1cc2f300673b3940b9623f4267f.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4204

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\NdTjnguQflTNNq.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4660

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NdTjnguQflTNNq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp661C.tmp"
2⤵
- Creates scheduled task(s)
PID:3736

C:\Users\Admin\AppData\Local\Temp\fcd6f1cc2f300673b3940b9623f4267f.exe
"C:\Users\Admin\AppData\Local\Temp\fcd6f1cc2f300673b3940b9623f4267f.exe"
2⤵
PID:1940

C:\Users\Admin\AppData\Local\Temp\fcd6f1cc2f300673b3940b9623f4267f.exe
"C:\Users\Admin\AppData\Local\Temp\fcd6f1cc2f300673b3940b9623f4267f.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2164

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp661C.tmp
Filesize
1KB

MD5
bba830aa974e6982f8236bc97335954a

SHA1
b0d7b251f4a161e190f300d6c85be4134098d180

SHA256
df0490b8ed904bf76d635911d25987375ed6ca78960f40e5323588d3fc544dd5

SHA512
2834f2e963b3e44cdd7c11e283f6e657351ce1ce2ffa574bf281689221b0e9dad882fa1aba82e55a02f4f7adf6dfe1deb9223d29ceebdeb879c974d82fe1c648

Download Submit
memory/1940-141-0x0000000000000000-mapping.dmp

Download
memory/2164-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2164-143-0x0000000000000000-mapping.dmp

Download
memory/2164-147-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/2164-151-0x0000000001A00000-0x0000000001D4A000-memory.dmp

Filesize
3.3MB

Download
memory/2164-146-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3736-138-0x0000000000000000-mapping.dmp

Download
memory/4204-132-0x0000000000AC0000-0x0000000000B66000-memory.dmp

Filesize
664KB

Download
memory/4204-136-0x0000000009130000-0x00000000091CC000-memory.dmp

Filesize
624KB

Download
memory/4204-135-0x00000000053D0000-0x00000000053DA000-memory.dmp

Filesize
40KB

Download
memory/4204-134-0x0000000005450000-0x00000000054E2000-memory.dmp

Filesize
584KB

Download
memory/4204-133-0x0000000005960000-0x0000000005F04000-memory.dmp

Filesize
5.6MB

Download
memory/4660-139-0x0000000002390000-0x00000000023C6000-memory.dmp

Filesize
216KB

Download
memory/4660-155-0x00000000062D0000-0x00000000062EE000-memory.dmp

Filesize
120KB

Download
memory/4660-148-0x0000000004BD0000-0x0000000004BF2000-memory.dmp

Filesize
136KB

Download
memory/4660-149-0x0000000005540000-0x00000000055A6000-memory.dmp

Filesize
408KB

Download
memory/4660-150-0x0000000005660000-0x00000000056C6000-memory.dmp

Filesize
408KB

Download
memory/4660-137-0x0000000000000000-mapping.dmp

Download
memory/4660-152-0x0000000005D10000-0x0000000005D2E000-memory.dmp

Filesize
120KB

Download
memory/4660-153-0x00000000062F0000-0x0000000006322000-memory.dmp

Filesize
200KB

Download
memory/4660-154-0x00000000715E0000-0x000000007162C000-memory.dmp

Filesize
304KB

Download
memory/4660-142-0x0000000004E20000-0x0000000005448000-memory.dmp

Filesize
6.2MB

Download
memory/4660-156-0x0000000007660000-0x0000000007CDA000-memory.dmp

Filesize
6.5MB

Download
memory/4660-157-0x0000000007020000-0x000000000703A000-memory.dmp

Filesize
104KB

Download
memory/4660-158-0x0000000007090000-0x000000000709A000-memory.dmp

Filesize
40KB

Download
memory/4660-159-0x00000000072A0000-0x0000000007336000-memory.dmp

Filesize
600KB

Download
memory/4660-160-0x0000000007250000-0x000000000725E000-memory.dmp

Filesize
56KB

Download
memory/4660-161-0x0000000007360000-0x000000000737A000-memory.dmp

Filesize
104KB

Download
memory/4660-162-0x0000000007340000-0x0000000007348000-memory.dmp

Filesize
32KB

Download

description	pid	process	target process
PID 4204 wrote to memory of 4660	4204	fcd6f1cc2f300673b3940b9623f4267f.exe	powershell.exe
PID 4204 wrote to memory of 4660	4204	fcd6f1cc2f300673b3940b9623f4267f.exe	powershell.exe
PID 4204 wrote to memory of 4660	4204	fcd6f1cc2f300673b3940b9623f4267f.exe	powershell.exe
PID 4204 wrote to memory of 3736	4204	fcd6f1cc2f300673b3940b9623f4267f.exe	schtasks.exe
PID 4204 wrote to memory of 3736	4204	fcd6f1cc2f300673b3940b9623f4267f.exe	schtasks.exe
PID 4204 wrote to memory of 3736	4204	fcd6f1cc2f300673b3940b9623f4267f.exe	schtasks.exe
PID 4204 wrote to memory of 1940	4204	fcd6f1cc2f300673b3940b9623f4267f.exe	fcd6f1cc2f300673b3940b9623f4267f.exe
PID 4204 wrote to memory of 1940	4204	fcd6f1cc2f300673b3940b9623f4267f.exe	fcd6f1cc2f300673b3940b9623f4267f.exe
PID 4204 wrote to memory of 1940	4204	fcd6f1cc2f300673b3940b9623f4267f.exe	fcd6f1cc2f300673b3940b9623f4267f.exe
PID 4204 wrote to memory of 2164	4204	fcd6f1cc2f300673b3940b9623f4267f.exe	fcd6f1cc2f300673b3940b9623f4267f.exe
PID 4204 wrote to memory of 2164	4204	fcd6f1cc2f300673b3940b9623f4267f.exe	fcd6f1cc2f300673b3940b9623f4267f.exe
PID 4204 wrote to memory of 2164	4204	fcd6f1cc2f300673b3940b9623f4267f.exe	fcd6f1cc2f300673b3940b9623f4267f.exe
PID 4204 wrote to memory of 2164	4204	fcd6f1cc2f300673b3940b9623f4267f.exe	fcd6f1cc2f300673b3940b9623f4267f.exe
PID 4204 wrote to memory of 2164	4204	fcd6f1cc2f300673b3940b9623f4267f.exe	fcd6f1cc2f300673b3940b9623f4267f.exe
PID 4204 wrote to memory of 2164	4204	fcd6f1cc2f300673b3940b9623f4267f.exe	fcd6f1cc2f300673b3940b9623f4267f.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads