formbook | fe199e437de02d997427dfea4e864f386e12887c5ae16d2acc465417cd539521

General

Target

BNK0002334789532_USD28,770.00.exe
Size

637KB
MD5

d7efd600d714d6d2f6b7fadc6adec0c9
SHA1

ba35f96a741637af1d1319074396f1bf891f13e1
SHA256

fe199e437de02d997427dfea4e864f386e12887c5ae16d2acc465417cd539521
SHA512

f4e1558763fb4527ca464c7a7f8a533e4fa0d4725e97c956b83acd2ef503a056930526c6e1eeb28263d9e6bbc820be2fc110548e0ef8cd28dc003cfccfda8f18
SSDEEP

12288:90zcBpbKbfzdHP/FvT9mzyK8DzVlCxlASlDAMTQu1c66XZp+:9hbbKnlJRKyKUBExjjcp

Score

10^/10

formbook uxpe rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

uxpe

Decoy

a/CzoooH+7KLDxBh

pxq/4D9rqoY0CaqhS2ZJ3MoWxcQ=

54a97EJkYRruxKJBfg==

afibyRo7bSK3cepm9suqXQ==

2kIxy7hmdVItO11ceeC9

DsTkiAgZVGD7jykdq/ZFa8oWxcQ=

euyGFrS1t1r0xKJBfg==

ANUDttiRvXoVxcknM8L7cgli

vIWhu8Bb36VDR+udD2O2cn8=

CqdCYLyzwb5fWRlX5kY=

cis/39CB6vGMg5OqTrUoWvz177Fk

tl6GKyac14QX

HMzbyJUrUh3Ao80fOcr7cgli

7yKNGCGy57KLDxBh

hlormOKMBCD8uyrMw9QkUg==

3r/fZtwBUey8xw==

vlyJEwWudUHi2g==

214r37lXtmpLQWC0snrI5gjDdR0mPOKnDA==

YS1hgtPl0lz0xKJBfg==

3pa6XND7NgJ4Y3uxqO0nPnY=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Blocklisted process makes network request 1 IoCs

Processes:

cscript.exe

flow pid process

7 1564 cscript.exe
Loads dropped DLL 1 IoCs

Processes:

cscript.exe

pid process

1564 cscript.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
7	1564	cscript.exe

pid	process
1564	cscript.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

BNK0002334789532_USD28,770.00.exeRegSvcs.execscript.exe

description	pid	process	target process
PID 808 set thread context of 1124	808	BNK0002334789532_USD28,770.00.exe	RegSvcs.exe
PID 1124 set thread context of 1360	1124	RegSvcs.exe	Explorer.EXE
PID 1124 set thread context of 1360	1124	RegSvcs.exe	Explorer.EXE
PID 1564 set thread context of 1360	1564	cscript.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

cscript.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cscript.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

BNK0002334789532_USD28,770.00.exeRegSvcs.execscript.exe

pid	process
808	BNK0002334789532_USD28,770.00.exe
808	BNK0002334789532_USD28,770.00.exe
808	BNK0002334789532_USD28,770.00.exe
808	BNK0002334789532_USD28,770.00.exe
808	BNK0002334789532_USD28,770.00.exe
808	BNK0002334789532_USD28,770.00.exe
1124	RegSvcs.exe
1124	RegSvcs.exe
1124	RegSvcs.exe
1124	RegSvcs.exe
1124	RegSvcs.exe
1564	cscript.exe
1564	cscript.exe
1564	cscript.exe
1564	cscript.exe
1564	cscript.exe
1564	cscript.exe
1564	cscript.exe
1564	cscript.exe

Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

RegSvcs.execscript.exe

pid process

1124 RegSvcs.exe
1124 RegSvcs.exe
1124 RegSvcs.exe
1124 RegSvcs.exe
1564 cscript.exe
1564 cscript.exe
1564 cscript.exe
1564 cscript.exe

pid	process
1124	RegSvcs.exe
1124	RegSvcs.exe
1124	RegSvcs.exe
1124	RegSvcs.exe
1564	cscript.exe
1564	cscript.exe
1564	cscript.exe
1564	cscript.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

BNK0002334789532_USD28,770.00.exeRegSvcs.execscript.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	808	BNK0002334789532_USD28,770.00.exe
Token: SeDebugPrivilege	1124	RegSvcs.exe
Token: SeDebugPrivilege	1564	cscript.exe
Token: SeShutdownPrivilege	1360	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1360 Explorer.EXE
1360 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1360 Explorer.EXE
1360 Explorer.EXE

pid	process
1360	Explorer.EXE
1360	Explorer.EXE

pid	process
1360	Explorer.EXE
1360	Explorer.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

BNK0002334789532_USD28,770.00.exeRegSvcs.execscript.exe

description	pid	process	target process
PID 808 wrote to memory of 1124	808	BNK0002334789532_USD28,770.00.exe	RegSvcs.exe
PID 808 wrote to memory of 1124	808	BNK0002334789532_USD28,770.00.exe	RegSvcs.exe
PID 808 wrote to memory of 1124	808	BNK0002334789532_USD28,770.00.exe	RegSvcs.exe
PID 808 wrote to memory of 1124	808	BNK0002334789532_USD28,770.00.exe	RegSvcs.exe
PID 808 wrote to memory of 1124	808	BNK0002334789532_USD28,770.00.exe	RegSvcs.exe
PID 808 wrote to memory of 1124	808	BNK0002334789532_USD28,770.00.exe	RegSvcs.exe
PID 808 wrote to memory of 1124	808	BNK0002334789532_USD28,770.00.exe	RegSvcs.exe
PID 808 wrote to memory of 1124	808	BNK0002334789532_USD28,770.00.exe	RegSvcs.exe
PID 808 wrote to memory of 1124	808	BNK0002334789532_USD28,770.00.exe	RegSvcs.exe
PID 808 wrote to memory of 1124	808	BNK0002334789532_USD28,770.00.exe	RegSvcs.exe
PID 1124 wrote to memory of 1564	1124	RegSvcs.exe	cscript.exe
PID 1124 wrote to memory of 1564	1124	RegSvcs.exe	cscript.exe
PID 1124 wrote to memory of 1564	1124	RegSvcs.exe	cscript.exe
PID 1124 wrote to memory of 1564	1124	RegSvcs.exe	cscript.exe
PID 1564 wrote to memory of 1948	1564	cscript.exe	Firefox.exe
PID 1564 wrote to memory of 1948	1564	cscript.exe	Firefox.exe
PID 1564 wrote to memory of 1948	1564	cscript.exe	Firefox.exe
PID 1564 wrote to memory of 1948	1564	cscript.exe	Firefox.exe
PID 1564 wrote to memory of 1948	1564	cscript.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1360

C:\Users\Admin\AppData\Local\Temp\BNK0002334789532_USD28,770.00.exe
"C:\Users\Admin\AppData\Local\Temp\BNK0002334789532_USD28,770.00.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1564

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
5⤵
PID:1948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
949KB

MD5
38a3e021eb32c9976adaf0b3372080fc

SHA1
68e02803c646be21007d90bec841c176b82211fd

SHA256
8cde0275d60da0d11954f73c7c8862cfc4b306f61bb8b1ce14abe4a193af2652

SHA512
b886cc112f2750e7300b66f7242850659fa49fdc97f75aed376cb9f5440875f303a143bf8b51068ec42674f1ebe1dfcc40534f3a7aed3cc4d20f9274b9a66d18

Download Submit
memory/808-54-0x0000000000C20000-0x0000000000CC6000-memory.dmp

Filesize
664KB

Download
memory/808-55-0x0000000075B41000-0x0000000075B43000-memory.dmp

Filesize
8KB

Download
memory/808-56-0x0000000000580000-0x0000000000596000-memory.dmp

Filesize
88KB

Download
memory/808-57-0x0000000000590000-0x000000000059E000-memory.dmp

Filesize
56KB

Download
memory/808-58-0x00000000051D0000-0x0000000005240000-memory.dmp

Filesize
448KB

Download
memory/808-59-0x00000000040D0000-0x0000000004104000-memory.dmp

Filesize
208KB

Download
memory/1124-71-0x0000000000422000-0x0000000000424000-memory.dmp

Filesize
8KB

Download
memory/1124-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1124-64-0x00000000004012B0-mapping.dmp

Download
memory/1124-67-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1124-68-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1124-69-0x0000000000A80000-0x0000000000D83000-memory.dmp

Filesize
3.0MB

Download
memory/1124-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1124-78-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1124-72-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/1124-73-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1124-74-0x0000000000422000-0x0000000000424000-memory.dmp

Filesize
8KB

Download
memory/1124-75-0x00000000002B0000-0x00000000002C0000-memory.dmp

Filesize
64KB

Download
memory/1124-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1124-77-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1360-70-0x0000000006D40000-0x0000000006EE6000-memory.dmp

Filesize
1.6MB

Download
memory/1360-84-0x0000000007300000-0x000000000747C000-memory.dmp

Filesize
1.5MB

Download
memory/1360-87-0x0000000007300000-0x000000000747C000-memory.dmp

Filesize
1.5MB

Download
memory/1360-76-0x0000000006830000-0x0000000006961000-memory.dmp

Filesize
1.2MB

Download
memory/1564-79-0x0000000000000000-mapping.dmp

Download
memory/1564-80-0x00000000004C0000-0x00000000004E2000-memory.dmp

Filesize
136KB

Download
memory/1564-81-0x0000000000070000-0x000000000009D000-memory.dmp

Filesize
180KB

Download
memory/1564-82-0x0000000001FE0000-0x00000000022E3000-memory.dmp

Filesize
3.0MB

Download
memory/1564-83-0x0000000001D10000-0x0000000001D9F000-memory.dmp

Filesize
572KB

Download
memory/1564-85-0x0000000000070000-0x000000000009D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads