formbook | b9803c80f4ab3c34d74cc1722861173d89c5bd7160ac159df8a4d1144a1fba53

General

Target

b9803c80f4ab3c34d74cc1722861173d89c5bd7160ac159df8a4d1144a1fba53.exe
Size

1.4MB
MD5

0393f20ecb4b99b38966e3a94216f212
SHA1

2cb18bc160cbeaf8b66ca55312421f94c42df208
SHA256

b9803c80f4ab3c34d74cc1722861173d89c5bd7160ac159df8a4d1144a1fba53
SHA512

6d0d2e1e37e59f449a95830a91fa0b4eb5eb9289e642efbed1921bfa8e9ca61103e7b4342f5da2217f50a88d03172f1dbb57ba181b2dc49b553070420ec09dbf
SSDEEP

24576:QTj/5C3n+JPMx235GFslxw/JHzpmHdVXFsp4D2:QT9g034FyKTpAV1sz

Score

10^/10

formbook dcn0 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

dcn0

Decoy

ZVx68vDtAMBCwg==

oBMBvsNORkM/O/ox

Ff9pISWkm6eG4lByIspp

c2T42c6CIIF6B8xTxm9XzpVw

bvjhxRbnAC183w==

0lTttSNG4HUDNflyIspp

hPXFlstqiHA/O/ox

WLR+MeerxZ0cNn1ja+IQAYo=

IHRn4xXOVKi477zarG+ObSy7YJA=

Xhf3e+tdAC183w==

Xk0ZAezv2rWH

kngo+vBeSRN7AszNwam3Osmguuqc0MoC

a2Qp7a+E8fSw7LDjpnqEKjsRZA==

3zjy4E7+QM48wg==

YcCmqT3OUNAigVott2pBKiy7YJA=

4+SMeX1juat/5cZ1AZihcyy7YJA=

/+m7sro0OBTl3TMpCw==

i2ctEfe4//a64yklMsgS2J90

+loZ2QKGX0UWgpvErMs=

b9BNCnJWQJS8IfsR0uR3bCy7YJA=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

b9803c80f4ab3c34d74cc1722861173d89c5bd7160ac159df8a4d1144a1fba53.exengentask.exesystray.exe

description	pid	process	target process
PID 2444 set thread context of 4916	2444	b9803c80f4ab3c34d74cc1722861173d89c5bd7160ac159df8a4d1144a1fba53.exe	ngentask.exe
PID 4916 set thread context of 2180	4916	ngentask.exe	Explorer.EXE
PID 860 set thread context of 2180	860	systray.exe	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

systray.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	systray.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b9803c80f4ab3c34d74cc1722861173d89c5bd7160ac159df8a4d1144a1fba53.exengentask.exesystray.exe

pid	process
2444	b9803c80f4ab3c34d74cc1722861173d89c5bd7160ac159df8a4d1144a1fba53.exe
2444	b9803c80f4ab3c34d74cc1722861173d89c5bd7160ac159df8a4d1144a1fba53.exe
2444	b9803c80f4ab3c34d74cc1722861173d89c5bd7160ac159df8a4d1144a1fba53.exe
2444	b9803c80f4ab3c34d74cc1722861173d89c5bd7160ac159df8a4d1144a1fba53.exe
2444	b9803c80f4ab3c34d74cc1722861173d89c5bd7160ac159df8a4d1144a1fba53.exe
2444	b9803c80f4ab3c34d74cc1722861173d89c5bd7160ac159df8a4d1144a1fba53.exe
2444	b9803c80f4ab3c34d74cc1722861173d89c5bd7160ac159df8a4d1144a1fba53.exe
2444	b9803c80f4ab3c34d74cc1722861173d89c5bd7160ac159df8a4d1144a1fba53.exe
2444	b9803c80f4ab3c34d74cc1722861173d89c5bd7160ac159df8a4d1144a1fba53.exe
2444	b9803c80f4ab3c34d74cc1722861173d89c5bd7160ac159df8a4d1144a1fba53.exe
4916	ngentask.exe
4916	ngentask.exe
4916	ngentask.exe
4916	ngentask.exe
4916	ngentask.exe
4916	ngentask.exe
4916	ngentask.exe
4916	ngentask.exe
860	systray.exe
860	systray.exe
860	systray.exe
860	systray.exe
860	systray.exe
860	systray.exe
860	systray.exe
860	systray.exe
860	systray.exe
860	systray.exe
860	systray.exe
860	systray.exe
860	systray.exe
860	systray.exe
860	systray.exe
860	systray.exe
860	systray.exe
860	systray.exe
860	systray.exe
860	systray.exe
860	systray.exe
860	systray.exe
860	systray.exe
860	systray.exe
860	systray.exe
860	systray.exe
860	systray.exe
860	systray.exe
860	systray.exe
860	systray.exe
860	systray.exe
860	systray.exe
860	systray.exe
860	systray.exe
860	systray.exe
860	systray.exe
860	systray.exe
860	systray.exe
860	systray.exe
860	systray.exe
860	systray.exe
860	systray.exe
860	systray.exe
860	systray.exe
860	systray.exe
860	systray.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2180 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

ngentask.exesystray.exe

pid process

4916 ngentask.exe
4916 ngentask.exe
4916 ngentask.exe
860 systray.exe
860 systray.exe
860 systray.exe
860 systray.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ngentask.exesystray.exe

description pid process

Token: SeDebugPrivilege 4916 ngentask.exe
Token: SeDebugPrivilege 860 systray.exe

pid	process
2180	Explorer.EXE

pid	process
4916	ngentask.exe
4916	ngentask.exe
4916	ngentask.exe
860	systray.exe
860	systray.exe
860	systray.exe
860	systray.exe

description	pid	process
Token: SeDebugPrivilege	4916	ngentask.exe
Token: SeDebugPrivilege	860	systray.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

b9803c80f4ab3c34d74cc1722861173d89c5bd7160ac159df8a4d1144a1fba53.exeExplorer.EXEsystray.exe

description	pid	process	target process
PID 2444 wrote to memory of 4916	2444	b9803c80f4ab3c34d74cc1722861173d89c5bd7160ac159df8a4d1144a1fba53.exe	ngentask.exe
PID 2444 wrote to memory of 4916	2444	b9803c80f4ab3c34d74cc1722861173d89c5bd7160ac159df8a4d1144a1fba53.exe	ngentask.exe
PID 2444 wrote to memory of 4916	2444	b9803c80f4ab3c34d74cc1722861173d89c5bd7160ac159df8a4d1144a1fba53.exe	ngentask.exe
PID 2444 wrote to memory of 4916	2444	b9803c80f4ab3c34d74cc1722861173d89c5bd7160ac159df8a4d1144a1fba53.exe	ngentask.exe
PID 2444 wrote to memory of 4916	2444	b9803c80f4ab3c34d74cc1722861173d89c5bd7160ac159df8a4d1144a1fba53.exe	ngentask.exe
PID 2180 wrote to memory of 860	2180	Explorer.EXE	systray.exe
PID 2180 wrote to memory of 860	2180	Explorer.EXE	systray.exe
PID 2180 wrote to memory of 860	2180	Explorer.EXE	systray.exe
PID 860 wrote to memory of 204	860	systray.exe	Firefox.exe
PID 860 wrote to memory of 204	860	systray.exe	Firefox.exe
PID 860 wrote to memory of 204	860	systray.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2180

C:\Users\Admin\AppData\Local\Temp\b9803c80f4ab3c34d74cc1722861173d89c5bd7160ac159df8a4d1144a1fba53.exe
"C:\Users\Admin\AppData\Local\Temp\b9803c80f4ab3c34d74cc1722861173d89c5bd7160ac159df8a4d1144a1fba53.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4916

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:860

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:204

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/860-149-0x0000000000000000-mapping.dmp

Download
memory/860-157-0x0000000000600000-0x000000000062D000-memory.dmp

Filesize
180KB

Download
memory/860-155-0x0000000002340000-0x00000000023CF000-memory.dmp

Filesize
572KB

Download
memory/860-154-0x0000000002460000-0x00000000027AA000-memory.dmp

Filesize
3.3MB

Download
memory/860-153-0x0000000000600000-0x000000000062D000-memory.dmp

Filesize
180KB

Download
memory/860-151-0x0000000000170000-0x0000000000176000-memory.dmp

Filesize
24KB

Download
memory/2180-147-0x0000000008380000-0x0000000008470000-memory.dmp

Filesize
960KB

Download
memory/2180-158-0x0000000008940000-0x0000000008A8D000-memory.dmp

Filesize
1.3MB

Download
memory/2180-156-0x0000000008940000-0x0000000008A8D000-memory.dmp

Filesize
1.3MB

Download
memory/2444-135-0x000000000D6C0000-0x000000000D9BA000-memory.dmp

Filesize
3.0MB

Download
memory/2444-133-0x00000000021CB000-0x00000000022EE000-memory.dmp

Filesize
1.1MB

Download
memory/2444-134-0x000000000D6C0000-0x000000000D9BA000-memory.dmp

Filesize
3.0MB

Download
memory/2444-132-0x0000000002332000-0x00000000028F3000-memory.dmp

Filesize
5.8MB

Download
memory/2444-148-0x00000000021CB000-0x00000000022EE000-memory.dmp

Filesize
1.1MB

Download
memory/4916-146-0x0000000000BF0000-0x0000000000C00000-memory.dmp

Filesize
64KB

Download
memory/4916-139-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4916-137-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4916-152-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4916-136-0x0000000000000000-mapping.dmp

Download
memory/4916-150-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/4916-142-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/4916-145-0x0000000000422000-0x0000000000424000-memory.dmp

Filesize
8KB

Download
memory/4916-144-0x00000000010D0000-0x000000000141A000-memory.dmp

Filesize
3.3MB

Download
memory/4916-141-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads