formbook | e752c4ee3b2c0db6221f94f88acc85bb622b3c9dfd94614dd432d4785ad84cf3

General

Target

srbgxywv96tp5kc.exe
Size

661KB
MD5

bc24bbabc84243feeaf0eb15d93ff488
SHA1

d3a2c9d7d4c3178875b52f095f4283404fdc348d
SHA256

e752c4ee3b2c0db6221f94f88acc85bb622b3c9dfd94614dd432d4785ad84cf3
SHA512

0f3f2603af9368587fb6f30bb763e0cb2291ac4e651cd1a5d44fb17407d056a1fe90a7fce17e1032862d355a3768620ccb3951e83659b92c0fb8202d65a29d0e
SSDEEP

12288:kPuYd+V6b1momPZefvB3bEZgN33pnxbB8Csck4U2E+z3SoVOdEIib9uaFskvQPuI:kPuYd+V6bIomxivNwZKnRsR8/CoMEBb4

Score

10^/10

formbook fqwu rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

fqwu

Decoy

N6XHavFRXQTRmNUkF9dn

EoaWTgFMmLFmUJ7CJNkTiGoj5A==

Dm+WNJDwSQa5cML3Q7EBiGoj5A==

nixR8ZCkOWjqrASBuic=

yvWQNApkdf4QYIih4+xUDY0=

RtmBQtDYDb50g8btXA==

8SU541y9Ec12NYK8PSOfA8OPpaphimY=

/yEvxvlAkquuY3W1QQ==

AlHZgYW4BiI9V+M=

YsHIUsAOO15j+9TnWA==

JJu1S7QIIMij0xUqlUtv

CmWBLrD98YnyUCCFvy0=

uPwhAVEvtu1rTuY=

PI6bR88GVGXmRlpxpKjtBpo=

GnL7qs9HVQAiF6ckF9dn

2zVeBFKZgO1rTuY=

2VI1VpOg7boCAFxvrWN3ys9rovE=

L1lO62zA2o1QEEZRQtgh7g==

brhF5dY1e3zmSyCFvy0=

U6m2TsEidTTdsA5kX8wh7g==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\Geo\Nation	srbgxywv96tp5kc.exe

Loads dropped DLL 1 IoCs

pid	Process
1480	raserver.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1764 set thread context of 1708	1764	srbgxywv96tp5kc.exe	26
PID 1708 set thread context of 1360	1708	srbgxywv96tp5kc.exe	11
PID 1480 set thread context of 1360	1480	raserver.exe	11

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	raserver.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
1708	srbgxywv96tp5kc.exe
1708	srbgxywv96tp5kc.exe
1708	srbgxywv96tp5kc.exe
1708	srbgxywv96tp5kc.exe
1480	raserver.exe
1480	raserver.exe
1480	raserver.exe
1480	raserver.exe
1480	raserver.exe
1480	raserver.exe
1480	raserver.exe
1480	raserver.exe
1480	raserver.exe
1480	raserver.exe
1480	raserver.exe
1480	raserver.exe
1480	raserver.exe
1480	raserver.exe
1480	raserver.exe
1480	raserver.exe
1480	raserver.exe
1480	raserver.exe
1480	raserver.exe
1480	raserver.exe
1480	raserver.exe
1480	raserver.exe
1480	raserver.exe
1480	raserver.exe
1480	raserver.exe
1480	raserver.exe
1480	raserver.exe
1480	raserver.exe
1480	raserver.exe
1480	raserver.exe
1480	raserver.exe
1480	raserver.exe
1480	raserver.exe
1480	raserver.exe
1480	raserver.exe
1480	raserver.exe
1480	raserver.exe
1480	raserver.exe
1480	raserver.exe
1480	raserver.exe
1480	raserver.exe

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
1708	srbgxywv96tp5kc.exe
1708	srbgxywv96tp5kc.exe
1708	srbgxywv96tp5kc.exe
1480	raserver.exe
1480	raserver.exe
1480	raserver.exe
1480	raserver.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1708	srbgxywv96tp5kc.exe
Token: SeDebugPrivilege	1480	raserver.exe
Token: SeShutdownPrivilege	1360	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1360	Explorer.EXE
1360	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1360	Explorer.EXE
1360	Explorer.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 1708	1764	srbgxywv96tp5kc.exe	26
PID 1764 wrote to memory of 1708	1764	srbgxywv96tp5kc.exe	26
PID 1764 wrote to memory of 1708	1764	srbgxywv96tp5kc.exe	26
PID 1764 wrote to memory of 1708	1764	srbgxywv96tp5kc.exe	26
PID 1764 wrote to memory of 1708	1764	srbgxywv96tp5kc.exe	26
PID 1764 wrote to memory of 1708	1764	srbgxywv96tp5kc.exe	26
PID 1764 wrote to memory of 1708	1764	srbgxywv96tp5kc.exe	26
PID 1360 wrote to memory of 1480	1360	Explorer.EXE	27
PID 1360 wrote to memory of 1480	1360	Explorer.EXE	27
PID 1360 wrote to memory of 1480	1360	Explorer.EXE	27
PID 1360 wrote to memory of 1480	1360	Explorer.EXE	27
PID 1480 wrote to memory of 856	1480	raserver.exe	30
PID 1480 wrote to memory of 856	1480	raserver.exe	30
PID 1480 wrote to memory of 856	1480	raserver.exe	30
PID 1480 wrote to memory of 856	1480	raserver.exe	30
PID 1480 wrote to memory of 856	1480	raserver.exe	30

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1360
- C:\Users\Admin\AppData\Local\Temp\srbgxywv96tp5kc.exe
  "C:\Users\Admin\AppData\Local\Temp\srbgxywv96tp5kc.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Users\Admin\AppData\Local\Temp\srbgxywv96tp5kc.exe
    "C:\Users\Admin\AppData\Local\Temp\srbgxywv96tp5kc.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1708
- C:\Windows\SysWOW64\raserver.exe
  "C:\Windows\SysWOW64\raserver.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
1.0MB

MD5
ce5c15b5092877974d5b6476ad1cb2d7

SHA1
76a6fc307d1524081cba1886d312df97c9dd658f

SHA256
1f1a186ea26bd2462ea2a9cf35a816b92caf0897fdf332af3a61569e0ba97b24

SHA512
bb9ced38c63d2a29e18c38f60020cfdf0161384cd4ad6328352626643becdf49f6b4bef47012391720344fdd8ad520aa802dcbbed15b5026d27eb93b0a839c90

Download Submit
memory/1360-71-0x0000000007300000-0x0000000007478000-memory.dmp

Filesize
1.5MB

Download
memory/1360-80-0x0000000003FA0000-0x000000000403E000-memory.dmp

Filesize
632KB

Download
memory/1360-79-0x0000000003FA0000-0x000000000403E000-memory.dmp

Filesize
632KB

Download
memory/1480-78-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/1480-77-0x0000000001E60000-0x0000000001EEF000-memory.dmp

Filesize
572KB

Download
memory/1480-76-0x00000000020A0000-0x00000000023A3000-memory.dmp

Filesize
3.0MB

Download
memory/1480-75-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/1480-74-0x0000000000350000-0x000000000036C000-memory.dmp

Filesize
112KB

Download
memory/1480-72-0x0000000000000000-mapping.dmp

Download
memory/1708-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1708-64-0x00000000004012B0-mapping.dmp

Download
memory/1708-68-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1708-69-0x00000000008E0000-0x0000000000BE3000-memory.dmp

Filesize
3.0MB

Download
memory/1708-70-0x0000000000110000-0x0000000000120000-memory.dmp

Filesize
64KB

Download
memory/1708-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1708-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1708-67-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1708-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1764-54-0x00000000013E0000-0x000000000148C000-memory.dmp

Filesize
688KB

Download
memory/1764-59-0x0000000000B80000-0x0000000000BB4000-memory.dmp

Filesize
208KB

Download
memory/1764-58-0x0000000004D80000-0x0000000004DF0000-memory.dmp

Filesize
448KB

Download
memory/1764-57-0x0000000000520000-0x000000000052E000-memory.dmp

Filesize
56KB

Download
memory/1764-56-0x00000000005E0000-0x00000000005FA000-memory.dmp

Filesize
104KB

Download
memory/1764-55-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing