formbook | b9803c80f4ab3c34d74cc1722861173d89c5bd7160ac159df8a4d1144a1fba53

General

Target

b9803c80f4ab3c34d74cc1722861173d89c5bd7160ac159df8a4d1144a1fba53.exe
Size

1.4MB
MD5

0393f20ecb4b99b38966e3a94216f212
SHA1

2cb18bc160cbeaf8b66ca55312421f94c42df208
SHA256

b9803c80f4ab3c34d74cc1722861173d89c5bd7160ac159df8a4d1144a1fba53
SHA512

6d0d2e1e37e59f449a95830a91fa0b4eb5eb9289e642efbed1921bfa8e9ca61103e7b4342f5da2217f50a88d03172f1dbb57ba181b2dc49b553070420ec09dbf
SSDEEP

24576:QTj/5C3n+JPMx235GFslxw/JHzpmHdVXFsp4D2:QT9g034FyKTpAV1sz

Score

10^/10

formbook dcn0 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

dcn0

Decoy

ZVx68vDtAMBCwg==

oBMBvsNORkM/O/ox

Ff9pISWkm6eG4lByIspp

c2T42c6CIIF6B8xTxm9XzpVw

bvjhxRbnAC183w==

0lTttSNG4HUDNflyIspp

hPXFlstqiHA/O/ox

WLR+MeerxZ0cNn1ja+IQAYo=

IHRn4xXOVKi477zarG+ObSy7YJA=

Xhf3e+tdAC183w==

Xk0ZAezv2rWH

kngo+vBeSRN7AszNwam3Osmguuqc0MoC

a2Qp7a+E8fSw7LDjpnqEKjsRZA==

3zjy4E7+QM48wg==

YcCmqT3OUNAigVott2pBKiy7YJA=

4+SMeX1juat/5cZ1AZihcyy7YJA=

/+m7sro0OBTl3TMpCw==

i2ctEfe4//a64yklMsgS2J90

+loZ2QKGX0UWgpvErMs=

b9BNCnJWQJS8IfsR0uR3bCy7YJA=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

b9803c80f4ab3c34d74cc1722861173d89c5bd7160ac159df8a4d1144a1fba53.exengentask.exeNETSTAT.EXE

description	pid	process	target process
PID 4864 set thread context of 3772	4864	b9803c80f4ab3c34d74cc1722861173d89c5bd7160ac159df8a4d1144a1fba53.exe	ngentask.exe
PID 3772 set thread context of 2248	3772	ngentask.exe	Explorer.EXE
PID 3092 set thread context of 2248	3092	NETSTAT.EXE	Explorer.EXE

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

3092 NETSTAT.EXE

pid	process
3092	NETSTAT.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

NETSTAT.EXE

description	ioc	process
Key created	\Registry\User\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b9803c80f4ab3c34d74cc1722861173d89c5bd7160ac159df8a4d1144a1fba53.exengentask.exeNETSTAT.EXE

pid	process
4864	b9803c80f4ab3c34d74cc1722861173d89c5bd7160ac159df8a4d1144a1fba53.exe
4864	b9803c80f4ab3c34d74cc1722861173d89c5bd7160ac159df8a4d1144a1fba53.exe
4864	b9803c80f4ab3c34d74cc1722861173d89c5bd7160ac159df8a4d1144a1fba53.exe
4864	b9803c80f4ab3c34d74cc1722861173d89c5bd7160ac159df8a4d1144a1fba53.exe
4864	b9803c80f4ab3c34d74cc1722861173d89c5bd7160ac159df8a4d1144a1fba53.exe
4864	b9803c80f4ab3c34d74cc1722861173d89c5bd7160ac159df8a4d1144a1fba53.exe
4864	b9803c80f4ab3c34d74cc1722861173d89c5bd7160ac159df8a4d1144a1fba53.exe
4864	b9803c80f4ab3c34d74cc1722861173d89c5bd7160ac159df8a4d1144a1fba53.exe
4864	b9803c80f4ab3c34d74cc1722861173d89c5bd7160ac159df8a4d1144a1fba53.exe
4864	b9803c80f4ab3c34d74cc1722861173d89c5bd7160ac159df8a4d1144a1fba53.exe
3772	ngentask.exe
3772	ngentask.exe
3772	ngentask.exe
3772	ngentask.exe
3772	ngentask.exe
3772	ngentask.exe
3772	ngentask.exe
3772	ngentask.exe
3092	NETSTAT.EXE
3092	NETSTAT.EXE
3092	NETSTAT.EXE
3092	NETSTAT.EXE
3092	NETSTAT.EXE
3092	NETSTAT.EXE
3092	NETSTAT.EXE
3092	NETSTAT.EXE
3092	NETSTAT.EXE
3092	NETSTAT.EXE
3092	NETSTAT.EXE
3092	NETSTAT.EXE
3092	NETSTAT.EXE
3092	NETSTAT.EXE
3092	NETSTAT.EXE
3092	NETSTAT.EXE
3092	NETSTAT.EXE
3092	NETSTAT.EXE
3092	NETSTAT.EXE
3092	NETSTAT.EXE
3092	NETSTAT.EXE
3092	NETSTAT.EXE
3092	NETSTAT.EXE
3092	NETSTAT.EXE
3092	NETSTAT.EXE
3092	NETSTAT.EXE
3092	NETSTAT.EXE
3092	NETSTAT.EXE
3092	NETSTAT.EXE
3092	NETSTAT.EXE
3092	NETSTAT.EXE
3092	NETSTAT.EXE
3092	NETSTAT.EXE
3092	NETSTAT.EXE
3092	NETSTAT.EXE
3092	NETSTAT.EXE
3092	NETSTAT.EXE
3092	NETSTAT.EXE
3092	NETSTAT.EXE
3092	NETSTAT.EXE
3092	NETSTAT.EXE
3092	NETSTAT.EXE
3092	NETSTAT.EXE
3092	NETSTAT.EXE
3092	NETSTAT.EXE
3092	NETSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2248 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

ngentask.exeNETSTAT.EXE

pid process

3772 ngentask.exe
3772 ngentask.exe
3772 ngentask.exe
3092 NETSTAT.EXE
3092 NETSTAT.EXE
3092 NETSTAT.EXE
3092 NETSTAT.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ngentask.exeNETSTAT.EXE

description pid process

Token: SeDebugPrivilege 3772 ngentask.exe
Token: SeDebugPrivilege 3092 NETSTAT.EXE

pid	process
2248	Explorer.EXE

pid	process
3772	ngentask.exe
3772	ngentask.exe
3772	ngentask.exe
3092	NETSTAT.EXE
3092	NETSTAT.EXE
3092	NETSTAT.EXE
3092	NETSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	3772	ngentask.exe
Token: SeDebugPrivilege	3092	NETSTAT.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

b9803c80f4ab3c34d74cc1722861173d89c5bd7160ac159df8a4d1144a1fba53.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 4864 wrote to memory of 3772	4864	b9803c80f4ab3c34d74cc1722861173d89c5bd7160ac159df8a4d1144a1fba53.exe	ngentask.exe
PID 4864 wrote to memory of 3772	4864	b9803c80f4ab3c34d74cc1722861173d89c5bd7160ac159df8a4d1144a1fba53.exe	ngentask.exe
PID 4864 wrote to memory of 3772	4864	b9803c80f4ab3c34d74cc1722861173d89c5bd7160ac159df8a4d1144a1fba53.exe	ngentask.exe
PID 4864 wrote to memory of 3772	4864	b9803c80f4ab3c34d74cc1722861173d89c5bd7160ac159df8a4d1144a1fba53.exe	ngentask.exe
PID 4864 wrote to memory of 3772	4864	b9803c80f4ab3c34d74cc1722861173d89c5bd7160ac159df8a4d1144a1fba53.exe	ngentask.exe
PID 2248 wrote to memory of 3092	2248	Explorer.EXE	NETSTAT.EXE
PID 2248 wrote to memory of 3092	2248	Explorer.EXE	NETSTAT.EXE
PID 2248 wrote to memory of 3092	2248	Explorer.EXE	NETSTAT.EXE
PID 3092 wrote to memory of 2936	3092	NETSTAT.EXE	Firefox.exe
PID 3092 wrote to memory of 2936	3092	NETSTAT.EXE	Firefox.exe
PID 3092 wrote to memory of 2936	3092	NETSTAT.EXE	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2248

C:\Users\Admin\AppData\Local\Temp\b9803c80f4ab3c34d74cc1722861173d89c5bd7160ac159df8a4d1144a1fba53.exe
"C:\Users\Admin\AppData\Local\Temp\b9803c80f4ab3c34d74cc1722861173d89c5bd7160ac159df8a4d1144a1fba53.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3772

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3092

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:2936

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2248-147-0x0000000007F40000-0x0000000008064000-memory.dmp

Filesize
1.1MB

Download
memory/2248-156-0x0000000008460000-0x00000000085C1000-memory.dmp

Filesize
1.4MB

Download
memory/2248-154-0x0000000008460000-0x00000000085C1000-memory.dmp

Filesize
1.4MB

Download
memory/3092-155-0x0000000000510000-0x000000000053D000-memory.dmp

Filesize
180KB

Download
memory/3092-153-0x0000000000C60000-0x0000000000CEF000-memory.dmp

Filesize
572KB

Download
memory/3092-151-0x0000000000510000-0x000000000053D000-memory.dmp

Filesize
180KB

Download
memory/3092-152-0x0000000000EF0000-0x000000000123A000-memory.dmp

Filesize
3.3MB

Download
memory/3092-150-0x0000000000280000-0x000000000028B000-memory.dmp

Filesize
44KB

Download
memory/3092-149-0x0000000000000000-mapping.dmp

Download
memory/3772-137-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3772-141-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3772-145-0x0000000000422000-0x0000000000424000-memory.dmp

Filesize
8KB

Download
memory/3772-146-0x0000000000E40000-0x0000000000E50000-memory.dmp

Filesize
64KB

Download
memory/3772-143-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/3772-136-0x0000000000000000-mapping.dmp

Download
memory/3772-142-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3772-144-0x0000000001040000-0x000000000138A000-memory.dmp

Filesize
3.3MB

Download
memory/3772-139-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4864-132-0x000000000235C000-0x000000000291D000-memory.dmp

Filesize
5.8MB

Download
memory/4864-148-0x0000000002929000-0x0000000002A4C000-memory.dmp

Filesize
1.1MB

Download
memory/4864-135-0x000000000F0C0000-0x000000000F3BA000-memory.dmp

Filesize
3.0MB

Download
memory/4864-134-0x000000000F0C0000-0x000000000F3BA000-memory.dmp

Filesize
3.0MB

Download
memory/4864-133-0x0000000002929000-0x0000000002A4C000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads