formbook | 6c2ccca3064d2d2f17e9cd5222df4efbd2b21dc5bd7acf5b0fe57edeccd037d3

Analysis

max time kernel
176s
max time network
195s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
07-12-2022 09:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c2ccca3064d2d2f17e9cd5222df4efbd2b21dc5bd7acf5b0fe57edeccd037d3.exe
Size

855KB
MD5

06492c1cc7f4b4014d8d870cbef4cc7e
SHA1

72bd56591a036f1543d7a3dbb874bd756155d79a
SHA256

6c2ccca3064d2d2f17e9cd5222df4efbd2b21dc5bd7acf5b0fe57edeccd037d3
SHA512

5f4fe2bf826b6cb1f4b57de43ca5f907c3c537a6a5e648eb7867040a5c6047261ef12c2ef81c6a6faf91e8e6c08ce5f77e9c5080f9380df4a4ef213a18720f14
SSDEEP

12288:6jjm/7QG8h3WX9GPlqmTG/HVuYSk2/YEZA3zzu0YzYzLJqTX:Ek7QTmYy/EYSZRZADz7pA

Score

10^/10

formbook pgnt rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

pgnt

Decoy

0WG18LbM4lR9iqMRa4nlBzTb

jcfGYzPgZTqFZVO9FV2yIw==

laIfrdSC8/4CNg==

Q73ilev5GIWuOrAAFV2yIw==

Q2u/pMw7pv4sPA==

TbqvIUHwlQscPo0HFV2yIw==

8PNWfGPyE8n0IQ==

WtgROxXzvY2L

PryaRBNjm4eP

Y9Hdi06Cry1um9Sj68YAu1o=

3Gulyp7CMQtR78jvLkk=

JJ3GasTVTCRQT6Tfz6S6GlI=

RnS42bhb9tI0R6UpD6wOxriNxw==

he1mi2sOGfzTRGHnuA==

eaYjCtjxVjdU5XLRtBMBLKk9quA=

k9rTeEqYzzw8WaTfz6S6GlI=

5luVQwe2vJWKEAiMdF4=

MGW14L9OVk5Y5TaR6w/DqdhYxXVY

mAsYz6k6sQkDC0/DoHj9t1RPWLSgFQ==

y5klhuMbE8n0IQ==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Blocklisted process makes network request 1 IoCs

Processes:

cmstp.exe

flow pid process

12 4956 cmstp.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
12	4956	cmstp.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

6c2ccca3064d2d2f17e9cd5222df4efbd2b21dc5bd7acf5b0fe57edeccd037d3.exeRegsvcs.execmstp.exe

description	pid	process	target process
PID 2728 set thread context of 996	2728	6c2ccca3064d2d2f17e9cd5222df4efbd2b21dc5bd7acf5b0fe57edeccd037d3.exe	Regsvcs.exe
PID 996 set thread context of 2420	996	Regsvcs.exe	Explorer.EXE
PID 4956 set thread context of 2420	4956	cmstp.exe	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

cmstp.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-3844063266-715245855-4050956231-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cmstp.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

6c2ccca3064d2d2f17e9cd5222df4efbd2b21dc5bd7acf5b0fe57edeccd037d3.exeRegsvcs.execmstp.exe

pid	process
2728	6c2ccca3064d2d2f17e9cd5222df4efbd2b21dc5bd7acf5b0fe57edeccd037d3.exe
2728	6c2ccca3064d2d2f17e9cd5222df4efbd2b21dc5bd7acf5b0fe57edeccd037d3.exe
996	Regsvcs.exe
996	Regsvcs.exe
996	Regsvcs.exe
996	Regsvcs.exe
996	Regsvcs.exe
996	Regsvcs.exe
996	Regsvcs.exe
996	Regsvcs.exe
4956	cmstp.exe
4956	cmstp.exe
4956	cmstp.exe
4956	cmstp.exe
4956	cmstp.exe
4956	cmstp.exe
4956	cmstp.exe
4956	cmstp.exe
4956	cmstp.exe
4956	cmstp.exe
4956	cmstp.exe
4956	cmstp.exe
4956	cmstp.exe
4956	cmstp.exe
4956	cmstp.exe
4956	cmstp.exe
4956	cmstp.exe
4956	cmstp.exe
4956	cmstp.exe
4956	cmstp.exe
4956	cmstp.exe
4956	cmstp.exe
4956	cmstp.exe
4956	cmstp.exe
4956	cmstp.exe
4956	cmstp.exe
4956	cmstp.exe
4956	cmstp.exe
4956	cmstp.exe
4956	cmstp.exe
4956	cmstp.exe
4956	cmstp.exe
4956	cmstp.exe
4956	cmstp.exe
4956	cmstp.exe
4956	cmstp.exe
4956	cmstp.exe
4956	cmstp.exe
4956	cmstp.exe
4956	cmstp.exe
4956	cmstp.exe
4956	cmstp.exe
4956	cmstp.exe
4956	cmstp.exe
4956	cmstp.exe
4956	cmstp.exe
4956	cmstp.exe
4956	cmstp.exe
4956	cmstp.exe
4956	cmstp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2420 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

Regsvcs.execmstp.exe

pid process

996 Regsvcs.exe
996 Regsvcs.exe
996 Regsvcs.exe
4956 cmstp.exe
4956 cmstp.exe
4956 cmstp.exe
4956 cmstp.exe

pid	process
2420	Explorer.EXE

pid	process
996	Regsvcs.exe
996	Regsvcs.exe
996	Regsvcs.exe
4956	cmstp.exe
4956	cmstp.exe
4956	cmstp.exe
4956	cmstp.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

6c2ccca3064d2d2f17e9cd5222df4efbd2b21dc5bd7acf5b0fe57edeccd037d3.exeRegsvcs.execmstp.exe

description	pid	process
Token: SeDebugPrivilege	2728	6c2ccca3064d2d2f17e9cd5222df4efbd2b21dc5bd7acf5b0fe57edeccd037d3.exe
Token: SeDebugPrivilege	996	Regsvcs.exe
Token: SeDebugPrivilege	4956	cmstp.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

6c2ccca3064d2d2f17e9cd5222df4efbd2b21dc5bd7acf5b0fe57edeccd037d3.exeExplorer.EXEcmstp.exe

description	pid	process	target process
PID 2728 wrote to memory of 3784	2728	6c2ccca3064d2d2f17e9cd5222df4efbd2b21dc5bd7acf5b0fe57edeccd037d3.exe	Regsvcs.exe
PID 2728 wrote to memory of 3784	2728	6c2ccca3064d2d2f17e9cd5222df4efbd2b21dc5bd7acf5b0fe57edeccd037d3.exe	Regsvcs.exe
PID 2728 wrote to memory of 3784	2728	6c2ccca3064d2d2f17e9cd5222df4efbd2b21dc5bd7acf5b0fe57edeccd037d3.exe	Regsvcs.exe
PID 2728 wrote to memory of 996	2728	6c2ccca3064d2d2f17e9cd5222df4efbd2b21dc5bd7acf5b0fe57edeccd037d3.exe	Regsvcs.exe
PID 2728 wrote to memory of 996	2728	6c2ccca3064d2d2f17e9cd5222df4efbd2b21dc5bd7acf5b0fe57edeccd037d3.exe	Regsvcs.exe
PID 2728 wrote to memory of 996	2728	6c2ccca3064d2d2f17e9cd5222df4efbd2b21dc5bd7acf5b0fe57edeccd037d3.exe	Regsvcs.exe
PID 2728 wrote to memory of 996	2728	6c2ccca3064d2d2f17e9cd5222df4efbd2b21dc5bd7acf5b0fe57edeccd037d3.exe	Regsvcs.exe
PID 2728 wrote to memory of 996	2728	6c2ccca3064d2d2f17e9cd5222df4efbd2b21dc5bd7acf5b0fe57edeccd037d3.exe	Regsvcs.exe
PID 2728 wrote to memory of 996	2728	6c2ccca3064d2d2f17e9cd5222df4efbd2b21dc5bd7acf5b0fe57edeccd037d3.exe	Regsvcs.exe
PID 2420 wrote to memory of 4956	2420	Explorer.EXE	cmstp.exe
PID 2420 wrote to memory of 4956	2420	Explorer.EXE	cmstp.exe
PID 2420 wrote to memory of 4956	2420	Explorer.EXE	cmstp.exe
PID 4956 wrote to memory of 4216	4956	cmstp.exe	Firefox.exe
PID 4956 wrote to memory of 4216	4956	cmstp.exe	Firefox.exe
PID 4956 wrote to memory of 4216	4956	cmstp.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2420

C:\Users\Admin\AppData\Local\Temp\6c2ccca3064d2d2f17e9cd5222df4efbd2b21dc5bd7acf5b0fe57edeccd037d3.exe
"C:\Users\Admin\AppData\Local\Temp\6c2ccca3064d2d2f17e9cd5222df4efbd2b21dc5bd7acf5b0fe57edeccd037d3.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regsvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regsvcs.exe"
3⤵
PID:3784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regsvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regsvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:996

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4956

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:4216

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/996-135-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/996-125-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/996-119-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/996-118-0x00000000004012B0-mapping.dmp

Download
memory/996-121-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/996-122-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/996-124-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/996-136-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/996-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/996-126-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/996-129-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/996-128-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/996-131-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/996-137-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/996-133-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/996-132-0x0000000000E90000-0x00000000011B0000-memory.dmp

Filesize
3.1MB

Download
memory/996-120-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/996-117-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/996-130-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/996-139-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/996-140-0x0000000000CF0000-0x0000000000E8B000-memory.dmp

Filesize
1.6MB

Download
memory/996-141-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/996-138-0x0000000000422000-0x0000000000424000-memory.dmp

Filesize
8KB

Download
memory/996-142-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/996-143-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/996-144-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/996-148-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/996-150-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/2420-145-0x0000000002DC0000-0x0000000002F27000-memory.dmp

Filesize
1.4MB

Download
memory/2420-185-0x0000000000F80000-0x0000000001069000-memory.dmp

Filesize
932KB

Download
memory/2420-188-0x0000000000F80000-0x0000000001069000-memory.dmp

Filesize
932KB

Download
memory/2728-115-0x0000022285C90000-0x0000022285D6C000-memory.dmp

Filesize
880KB

Download
memory/2728-116-0x0000022286050000-0x000002228605A000-memory.dmp

Filesize
40KB

Download
memory/4956-156-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/4956-174-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/4956-151-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/4956-152-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/4956-153-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/4956-154-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/4956-155-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/4956-149-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/4956-157-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/4956-158-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/4956-159-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/4956-160-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/4956-161-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/4956-163-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/4956-164-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/4956-165-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/4956-166-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/4956-167-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/4956-168-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/4956-169-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/4956-170-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/4956-162-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/4956-171-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/4956-172-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/4956-173-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/4956-147-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/4956-175-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/4956-176-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/4956-177-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/4956-178-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/4956-179-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/4956-180-0x00000000011D0000-0x00000000011E6000-memory.dmp

Filesize
88KB

Download
memory/4956-181-0x00000000006A0000-0x00000000006CD000-memory.dmp

Filesize
180KB

Download
memory/4956-182-0x00000000045F0000-0x0000000004910000-memory.dmp

Filesize
3.1MB

Download
memory/4956-183-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/4956-184-0x0000000000FB0000-0x0000000001143000-memory.dmp

Filesize
1.6MB

Download
memory/4956-186-0x00000000006A0000-0x00000000006CD000-memory.dmp

Filesize
180KB

Download
memory/4956-187-0x0000000000FB0000-0x0000000001143000-memory.dmp

Filesize
1.6MB

Download
memory/4956-146-0x0000000000000000-mapping.dmp

Download
memory/4956-189-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/4956-190-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/4956-191-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/4956-192-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/4956-193-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/4956-194-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/4956-195-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/4956-196-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/4956-197-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/4956-198-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download