formbook | 02a2a44548d03be7cbc7276014f36ad14b6238694864f0ba481b2303ee387cfb

General

Target

FACTURE AVEC TVA.exe
Size

239KB
MD5

62e00c3a2ab7efb375892ccf1024a3fd
SHA1

fa3d67066ad84410aeb1618c7f753f1a2896390d
SHA256

02a2a44548d03be7cbc7276014f36ad14b6238694864f0ba481b2303ee387cfb
SHA512

24205b1de8568b89eb2348b2a2cb2c0f3f1bd93e73d6f2e4acb4bfffb69112a8e801f577cdc640413f079852cde6818cb0e712acd09c42a8407254c0debc8ba6
SSDEEP

6144:QBn1zdM7q6aFrQWloaSP/EyNaaEf32j0CmhusYi9BaEZRdFWV:gzdQqFFvz6/pNazU0CmXPZ/FWV

Score

10^/10

formbook fqsu rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

fqsu

Decoy

GhfTqaOqC4FsyoQRW/8=

kbPIpd/8k1C6zJz5mYYdK90ZUA==

VIdg/CoNGeYJHA==

KhzoqndOhw1j43z0ew==

wv8mTDcsX2wJN/Q=

MqBgt6S+3BgGKBQHLZy7Ucg=

GyhOb++nZDi39NPK7dbaKapf

pBtD1UoSTdo3eSp9H7OhRqMV0TAuKMU=

WTzTg1w+fP4fMO0oPPM=

NS/tpGdUwkiMwqmgkxoSzjrQATAuKMU=

MnoSdM1hYn4tdwxjB2fX

3EUfH2EJY17mMf4=

V9/wg2yCQruVszm7V+4=

aNL8pZCGYW4Ej2LD

1Bif9VkmdgVfrJqRvl1GtlTZq1M=

9wHIgmB8EOB2uUVcUfk=

1Fdn15qem+fL1qhrY9xdQmAnVg==

Y32ThttYUUr6PsuRmozlNP74RD+uBz7dOQ==

f5HKyoWNAJLM2qjnZlizsvXDKFs=

mRfaGezap6ZyvJqthZvf

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

uqxnynobr.exeuqxnynobr.exe

pid process

3948 uqxnynobr.exe
780 uqxnynobr.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

uqxnynobr.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation uqxnynobr.exe

pid	process
3948	uqxnynobr.exe
780	uqxnynobr.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	uqxnynobr.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

uqxnynobr.exeuqxnynobr.exechkdsk.exe

description	pid	process	target process
PID 3948 set thread context of 780	3948	uqxnynobr.exe	uqxnynobr.exe
PID 780 set thread context of 2408	780	uqxnynobr.exe	Explorer.EXE
PID 4812 set thread context of 2408	4812	chkdsk.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

chkdsk.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier chkdsk.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

chkdsk.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	chkdsk.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

uqxnynobr.exechkdsk.exe

pid	process
780	uqxnynobr.exe
780	uqxnynobr.exe
780	uqxnynobr.exe
780	uqxnynobr.exe
780	uqxnynobr.exe
780	uqxnynobr.exe
780	uqxnynobr.exe
780	uqxnynobr.exe
4812	chkdsk.exe
4812	chkdsk.exe
4812	chkdsk.exe
4812	chkdsk.exe
4812	chkdsk.exe
4812	chkdsk.exe
4812	chkdsk.exe
4812	chkdsk.exe
4812	chkdsk.exe
4812	chkdsk.exe
4812	chkdsk.exe
4812	chkdsk.exe
4812	chkdsk.exe
4812	chkdsk.exe
4812	chkdsk.exe
4812	chkdsk.exe
4812	chkdsk.exe
4812	chkdsk.exe
4812	chkdsk.exe
4812	chkdsk.exe
4812	chkdsk.exe
4812	chkdsk.exe
4812	chkdsk.exe
4812	chkdsk.exe
4812	chkdsk.exe
4812	chkdsk.exe
4812	chkdsk.exe
4812	chkdsk.exe
4812	chkdsk.exe
4812	chkdsk.exe
4812	chkdsk.exe
4812	chkdsk.exe
4812	chkdsk.exe
4812	chkdsk.exe
4812	chkdsk.exe
4812	chkdsk.exe
4812	chkdsk.exe
4812	chkdsk.exe
4812	chkdsk.exe
4812	chkdsk.exe
4812	chkdsk.exe
4812	chkdsk.exe
4812	chkdsk.exe
4812	chkdsk.exe
4812	chkdsk.exe
4812	chkdsk.exe
4812	chkdsk.exe
4812	chkdsk.exe
4812	chkdsk.exe
4812	chkdsk.exe
4812	chkdsk.exe
4812	chkdsk.exe
4812	chkdsk.exe
4812	chkdsk.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2408 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

uqxnynobr.exeuqxnynobr.exechkdsk.exe

pid process

3948 uqxnynobr.exe
780 uqxnynobr.exe
780 uqxnynobr.exe
780 uqxnynobr.exe
4812 chkdsk.exe
4812 chkdsk.exe
4812 chkdsk.exe
4812 chkdsk.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

uqxnynobr.exechkdsk.exe

description pid process

Token: SeDebugPrivilege 780 uqxnynobr.exe
Token: SeDebugPrivilege 4812 chkdsk.exe

pid	process
2408	Explorer.EXE

pid	process
3948	uqxnynobr.exe
780	uqxnynobr.exe
780	uqxnynobr.exe
780	uqxnynobr.exe
4812	chkdsk.exe
4812	chkdsk.exe
4812	chkdsk.exe
4812	chkdsk.exe

description	pid	process
Token: SeDebugPrivilege	780	uqxnynobr.exe
Token: SeDebugPrivilege	4812	chkdsk.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

FACTURE AVEC TVA.exeuqxnynobr.exeExplorer.EXEchkdsk.exe

description	pid	process	target process
PID 4780 wrote to memory of 3948	4780	FACTURE AVEC TVA.exe	uqxnynobr.exe
PID 4780 wrote to memory of 3948	4780	FACTURE AVEC TVA.exe	uqxnynobr.exe
PID 4780 wrote to memory of 3948	4780	FACTURE AVEC TVA.exe	uqxnynobr.exe
PID 3948 wrote to memory of 780	3948	uqxnynobr.exe	uqxnynobr.exe
PID 3948 wrote to memory of 780	3948	uqxnynobr.exe	uqxnynobr.exe
PID 3948 wrote to memory of 780	3948	uqxnynobr.exe	uqxnynobr.exe
PID 3948 wrote to memory of 780	3948	uqxnynobr.exe	uqxnynobr.exe
PID 2408 wrote to memory of 4812	2408	Explorer.EXE	chkdsk.exe
PID 2408 wrote to memory of 4812	2408	Explorer.EXE	chkdsk.exe
PID 2408 wrote to memory of 4812	2408	Explorer.EXE	chkdsk.exe
PID 4812 wrote to memory of 4944	4812	chkdsk.exe	Firefox.exe
PID 4812 wrote to memory of 4944	4812	chkdsk.exe	Firefox.exe
PID 4812 wrote to memory of 4944	4812	chkdsk.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2408

C:\Users\Admin\AppData\Local\Temp\FACTURE AVEC TVA.exe
"C:\Users\Admin\AppData\Local\Temp\FACTURE AVEC TVA.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4780

C:\Users\Admin\AppData\Local\Temp\uqxnynobr.exe
"C:\Users\Admin\AppData\Local\Temp\uqxnynobr.exe" C:\Users\Admin\AppData\Local\Temp\ztuecd.tu
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3948

C:\Users\Admin\AppData\Local\Temp\uqxnynobr.exe
"C:\Users\Admin\AppData\Local\Temp\uqxnynobr.exe" C:\Users\Admin\AppData\Local\Temp\ztuecd.tu
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:780

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4812

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:4944

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\oopif.ljy
Filesize
185KB

MD5
652dd75f9712c42f1533d2c9ce27193c

SHA1
164f2e39d4162d14ce73c7df685a91df1ec171ea

SHA256
e13dd5da05017fef245451ad3c55c830c83b74d38888f8eee562e935f47fed70

SHA512
e14e0598fb1a8790f74b33b3d5536e58a8dfa52d16d643e68786abe12c03e19a431ca939d8745fc1ec9a94859984bcd246ce6bb979abc4186288ba1e2f073300

Download Submit
C:\Users\Admin\AppData\Local\Temp\uqxnynobr.exe
Filesize
59KB

MD5
5c274179ecd4defdf1bd20db9a9c860e

SHA1
4ec2eee3235b621dcb4399121d0bbcb29f71b9a8

SHA256
4111d8a77648c1ecc36b62e34144f14a7b02e22bd5a0ba7493b9c2d0faadec0d

SHA512
9f4f62da4b76638f464fbc139c326a68ab3cf7871a2c2a3219ca9d8d58e951e6e9f053aeeaa0ed83e6905f9bf895421f00eb7504b55970cc95ab49aa6da93b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\uqxnynobr.exe
Filesize
59KB

MD5
5c274179ecd4defdf1bd20db9a9c860e

SHA1
4ec2eee3235b621dcb4399121d0bbcb29f71b9a8

SHA256
4111d8a77648c1ecc36b62e34144f14a7b02e22bd5a0ba7493b9c2d0faadec0d

SHA512
9f4f62da4b76638f464fbc139c326a68ab3cf7871a2c2a3219ca9d8d58e951e6e9f053aeeaa0ed83e6905f9bf895421f00eb7504b55970cc95ab49aa6da93b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\uqxnynobr.exe
Filesize
59KB

MD5
5c274179ecd4defdf1bd20db9a9c860e

SHA1
4ec2eee3235b621dcb4399121d0bbcb29f71b9a8

SHA256
4111d8a77648c1ecc36b62e34144f14a7b02e22bd5a0ba7493b9c2d0faadec0d

SHA512
9f4f62da4b76638f464fbc139c326a68ab3cf7871a2c2a3219ca9d8d58e951e6e9f053aeeaa0ed83e6905f9bf895421f00eb7504b55970cc95ab49aa6da93b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\ztuecd.tu
Filesize
5KB

MD5
83f910fa1ed81a4332017deaa830250b

SHA1
5d2ed1114ffc96ec7f979275fad73e73e99d4931

SHA256
b4f259a4a936d4b152dbe3c454c0f96740e47096c47c0efb81f0593f859227b8

SHA512
193c0132a2101f6bf8e07adb3045084e03e1b1161a6a0cdc1c50c66d5c78eda3b00d5f9692dd4945137825c9f036cc86ceeadac072de2fdcfc15d8684afe2db7

Download Submit
memory/780-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/780-143-0x00000000009A0000-0x00000000009B0000-memory.dmp

Filesize
64KB

Download
memory/780-137-0x0000000000000000-mapping.dmp

Download
memory/780-141-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/780-142-0x00000000009C0000-0x0000000000D0A000-memory.dmp

Filesize
3.3MB

Download
memory/780-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2408-144-0x0000000008260000-0x000000000832D000-memory.dmp

Filesize
820KB

Download
memory/2408-150-0x0000000008330000-0x0000000008435000-memory.dmp

Filesize
1.0MB

Download
memory/2408-152-0x0000000008330000-0x0000000008435000-memory.dmp

Filesize
1.0MB

Download
memory/3948-132-0x0000000000000000-mapping.dmp

Download
memory/4812-145-0x0000000000000000-mapping.dmp

Download
memory/4812-147-0x00000000005C0000-0x00000000005ED000-memory.dmp

Filesize
180KB

Download
memory/4812-146-0x0000000000980000-0x000000000098A000-memory.dmp

Filesize
40KB

Download
memory/4812-148-0x00000000010C0000-0x000000000140A000-memory.dmp

Filesize
3.3MB

Download
memory/4812-149-0x0000000000DF0000-0x0000000000E7F000-memory.dmp

Filesize
572KB

Download
memory/4812-151-0x00000000005C0000-0x00000000005ED000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads