formbook | 05740669c4c15fd382ace1ce3a03d78ad0bbd9b1dafa5d22d13fea990e07e65b

General

Target

RFQ No. 980007 & 983185.exe
Size

239KB
MD5

a9ee4f66b0686b6696d2853667da9c18
SHA1

6c4ec8743ac76cd05fc33ba3d05e82c47d87ecce
SHA256

05740669c4c15fd382ace1ce3a03d78ad0bbd9b1dafa5d22d13fea990e07e65b
SHA512

d222a4cc4ea8b89b6aa66eee2f2ee0510cae392e15b04945e75baf3db7302ff9e9b8d063dce021096b539e26c26ea3478ecb4d17f3d763ff1f60a98e9c6a20c9
SSDEEP

6144:xBnYpMnlMPjMn6m3AWilyG6M2abL9cBjr8Jiw:UpglZ6m373G6M2alc9AJX

Score

10^/10

formbook m5oe rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

m5oe

Decoy

HdR8hG6r12hBYuHY4zv6YeeFPQ==

tD1V9gswYvgQXEGd

1xKtJ1LdqRYMRMC84U1A

MbhjiWb7Lz8z7KIWl3UyUIJwA6Tb

joVB5Xggy2RtE+odsZg=

TrduAIay6Y3SvoIK20xI

pSna7LOsXXwXT/zz3Iow4g==

QnthmO4Qst5gC3sDoA==

eAirzOOgO7SOCenz3Iow4g==

xg0uSbfLTg==

YWQXwyGRzPEHzGrDFE8CBSE=

ujLnfuXoH9dbgHIK20xI

291v0XsGFrYQXEGd

MRvTd/qMuaHpjCM=

X131fLC6VWX4MsvCb2IPjIfq8wlksWfg

Y9Bur8DbgqFt/Yni86MMCCE=

q6RTBmJkmy5pWTmmCCrvmuCDPw==

mQS26DojT+EQXEGd

sjHQ+Kav2Wx9FeodsZg=

JA24UKnTA5re1LhcQaVo/w==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

8 520 rundll32.exe
Executes dropped EXE 2 IoCs

Processes:

zxcia.exezxcia.exe

pid process

936 zxcia.exe
856 zxcia.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

zxcia.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\International\Geo\Nation zxcia.exe
Loads dropped DLL 3 IoCs

Processes:

RFQ No. 980007 & 983185.exezxcia.exerundll32.exe

pid process

1276 RFQ No. 980007 & 983185.exe
936 zxcia.exe
520 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
8	520	rundll32.exe

pid	process
936	zxcia.exe
856	zxcia.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\International\Geo\Nation	zxcia.exe

pid	process
1276	RFQ No. 980007 & 983185.exe
936	zxcia.exe
520	rundll32.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

zxcia.exezxcia.exerundll32.exe

description	pid	process	target process
PID 936 set thread context of 856	936	zxcia.exe	zxcia.exe
PID 856 set thread context of 1284	856	zxcia.exe	Explorer.EXE
PID 856 set thread context of 1284	856	zxcia.exe	Explorer.EXE
PID 520 set thread context of 1284	520	rundll32.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	rundll32.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

zxcia.exerundll32.exe

pid	process
856	zxcia.exe
856	zxcia.exe
856	zxcia.exe
856	zxcia.exe
856	zxcia.exe
520	rundll32.exe
520	rundll32.exe
520	rundll32.exe
520	rundll32.exe
520	rundll32.exe
520	rundll32.exe
520	rundll32.exe
520	rundll32.exe
520	rundll32.exe
520	rundll32.exe
520	rundll32.exe
520	rundll32.exe
520	rundll32.exe
520	rundll32.exe
520	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1284 Explorer.EXE
Suspicious behavior: MapViewOfSection 9 IoCs

Processes:

zxcia.exezxcia.exerundll32.exe

pid process

936 zxcia.exe
856 zxcia.exe
856 zxcia.exe
856 zxcia.exe
856 zxcia.exe
520 rundll32.exe
520 rundll32.exe
520 rundll32.exe
520 rundll32.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

zxcia.exerundll32.exeExplorer.EXE

description pid process

Token: SeDebugPrivilege 856 zxcia.exe
Token: SeDebugPrivilege 520 rundll32.exe
Token: SeShutdownPrivilege 1284 Explorer.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1284 Explorer.EXE
1284 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1284 Explorer.EXE
1284 Explorer.EXE

pid	process
1284	Explorer.EXE

pid	process
936	zxcia.exe
856	zxcia.exe
856	zxcia.exe
856	zxcia.exe
856	zxcia.exe
520	rundll32.exe
520	rundll32.exe
520	rundll32.exe
520	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	856	zxcia.exe
Token: SeDebugPrivilege	520	rundll32.exe
Token: SeShutdownPrivilege	1284	Explorer.EXE

pid	process
1284	Explorer.EXE
1284	Explorer.EXE

pid	process
1284	Explorer.EXE
1284	Explorer.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

RFQ No. 980007 & 983185.exezxcia.exeExplorer.EXErundll32.exe

description	pid	process	target process
PID 1276 wrote to memory of 936	1276	RFQ No. 980007 & 983185.exe	zxcia.exe
PID 1276 wrote to memory of 936	1276	RFQ No. 980007 & 983185.exe	zxcia.exe
PID 1276 wrote to memory of 936	1276	RFQ No. 980007 & 983185.exe	zxcia.exe
PID 1276 wrote to memory of 936	1276	RFQ No. 980007 & 983185.exe	zxcia.exe
PID 936 wrote to memory of 856	936	zxcia.exe	zxcia.exe
PID 936 wrote to memory of 856	936	zxcia.exe	zxcia.exe
PID 936 wrote to memory of 856	936	zxcia.exe	zxcia.exe
PID 936 wrote to memory of 856	936	zxcia.exe	zxcia.exe
PID 936 wrote to memory of 856	936	zxcia.exe	zxcia.exe
PID 1284 wrote to memory of 520	1284	Explorer.EXE	rundll32.exe
PID 1284 wrote to memory of 520	1284	Explorer.EXE	rundll32.exe
PID 1284 wrote to memory of 520	1284	Explorer.EXE	rundll32.exe
PID 1284 wrote to memory of 520	1284	Explorer.EXE	rundll32.exe
PID 1284 wrote to memory of 520	1284	Explorer.EXE	rundll32.exe
PID 1284 wrote to memory of 520	1284	Explorer.EXE	rundll32.exe
PID 1284 wrote to memory of 520	1284	Explorer.EXE	rundll32.exe
PID 520 wrote to memory of 1860	520	rundll32.exe	Firefox.exe
PID 520 wrote to memory of 1860	520	rundll32.exe	Firefox.exe
PID 520 wrote to memory of 1860	520	rundll32.exe	Firefox.exe
PID 520 wrote to memory of 1860	520	rundll32.exe	Firefox.exe
PID 520 wrote to memory of 1860	520	rundll32.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1284

C:\Users\Admin\AppData\Local\Temp\RFQ No. 980007 & 983185.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ No. 980007 & 983185.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1276

C:\Users\Admin\AppData\Local\Temp\zxcia.exe
"C:\Users\Admin\AppData\Local\Temp\zxcia.exe" C:\Users\Admin\AppData\Local\Temp\wwgysm.u
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:936

C:\Users\Admin\AppData\Local\Temp\zxcia.exe
"C:\Users\Admin\AppData\Local\Temp\zxcia.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:856

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:520

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1860

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\addqembg.akh
Filesize
185KB

MD5
1004c011123dca04b18de42d207a7eda

SHA1
7c6704ec238046df9679742104d3fcce2221a436

SHA256
d9b8ddbba450f37caf3ff8b88cec37f269ce37bf41fb173c8659c9818c08c2f2

SHA512
2406f35ce017a43bfec7b2050b79dc9aebcad34cbb14f5598284791287aeb2d5a4464b8dc3b4ea5a0f55f95f0942b5b6887defbb5205eb3a64c0a40a12e01472

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwgysm.u
Filesize
5KB

MD5
faa57729447a24669e0d3e46b18e0232

SHA1
49f11122be3748b0b0acf5c329c533457a18f954

SHA256
0db5fa443f4e268da1c759bb827eff866ff89a5f9dcadf7a5ee96d94a079d97d

SHA512
5cdc0ff8fe1a5850f39979c656c3ac4eef58d8f1a773064568464b6e199e20f92ec15ecc43837017835dc5e413fbec45c5be16f2b450e9d90e2ac20d319d5b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\zxcia.exe
Filesize
12KB

MD5
aa22266d15fb5c32c2d556f73928ca4f

SHA1
bf8abdf87eb0ff02ab397be1e0b80c7c32d8f1a5

SHA256
207b2b2b68c53a3983aca22eeafd50e7bf065e347379332692c716ef8e7303d5

SHA512
6cf19e8c36bfcb78d1a18f2637671132e1d4bc50fd23818c50ec1facbf2786d1404ba2e8a679e66c9f705eaaa25047887b46ee776c624335278320760c3fa294

Download Submit
C:\Users\Admin\AppData\Local\Temp\zxcia.exe
Filesize
12KB

MD5
aa22266d15fb5c32c2d556f73928ca4f

SHA1
bf8abdf87eb0ff02ab397be1e0b80c7c32d8f1a5

SHA256
207b2b2b68c53a3983aca22eeafd50e7bf065e347379332692c716ef8e7303d5

SHA512
6cf19e8c36bfcb78d1a18f2637671132e1d4bc50fd23818c50ec1facbf2786d1404ba2e8a679e66c9f705eaaa25047887b46ee776c624335278320760c3fa294

Download Submit
C:\Users\Admin\AppData\Local\Temp\zxcia.exe
Filesize
12KB

MD5
aa22266d15fb5c32c2d556f73928ca4f

SHA1
bf8abdf87eb0ff02ab397be1e0b80c7c32d8f1a5

SHA256
207b2b2b68c53a3983aca22eeafd50e7bf065e347379332692c716ef8e7303d5

SHA512
6cf19e8c36bfcb78d1a18f2637671132e1d4bc50fd23818c50ec1facbf2786d1404ba2e8a679e66c9f705eaaa25047887b46ee776c624335278320760c3fa294

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
825KB

MD5
00a91261929192a7facc32a9f330029a

SHA1
7df4ffdf48a6df0bac21a82d6db56aa11db470dc

SHA256
c1de8eca6419634c5f6e0e8c6ef14d9b3daa28fa28e8d1c4ce0175dbc310a77f

SHA512
18a178ca0e70fa6e8f04b4ae229cfd6ef0df252e3fd85d09cf79f89e69ada89e3479db83227095a8c16325b1dc27c9ec0c782af304f7ce0afa78c2e25b49b01e

Download Submit
\Users\Admin\AppData\Local\Temp\zxcia.exe
Filesize
12KB

MD5
aa22266d15fb5c32c2d556f73928ca4f

SHA1
bf8abdf87eb0ff02ab397be1e0b80c7c32d8f1a5

SHA256
207b2b2b68c53a3983aca22eeafd50e7bf065e347379332692c716ef8e7303d5

SHA512
6cf19e8c36bfcb78d1a18f2637671132e1d4bc50fd23818c50ec1facbf2786d1404ba2e8a679e66c9f705eaaa25047887b46ee776c624335278320760c3fa294

Download Submit
\Users\Admin\AppData\Local\Temp\zxcia.exe
Filesize
12KB

MD5
aa22266d15fb5c32c2d556f73928ca4f

SHA1
bf8abdf87eb0ff02ab397be1e0b80c7c32d8f1a5

SHA256
207b2b2b68c53a3983aca22eeafd50e7bf065e347379332692c716ef8e7303d5

SHA512
6cf19e8c36bfcb78d1a18f2637671132e1d4bc50fd23818c50ec1facbf2786d1404ba2e8a679e66c9f705eaaa25047887b46ee776c624335278320760c3fa294

Download Submit
memory/520-76-0x00000000006E0000-0x00000000006EE000-memory.dmp

Filesize
56KB

Download
memory/520-79-0x0000000001DB0000-0x0000000001E3F000-memory.dmp

Filesize
572KB

Download
memory/520-81-0x00000000000D0000-0x00000000000FD000-memory.dmp

Filesize
180KB

Download
memory/520-78-0x0000000002080000-0x0000000002383000-memory.dmp

Filesize
3.0MB

Download
memory/520-77-0x00000000000D0000-0x00000000000FD000-memory.dmp

Filesize
180KB

Download
memory/520-73-0x0000000000000000-mapping.dmp

Download
memory/856-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/856-66-0x0000000000830000-0x0000000000B33000-memory.dmp

Filesize
3.0MB

Download
memory/856-65-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/856-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/856-72-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/856-62-0x00000000004012B0-mapping.dmp

Download
memory/856-69-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/856-67-0x0000000000090000-0x00000000000A0000-memory.dmp

Filesize
64KB

Download
memory/936-56-0x0000000000000000-mapping.dmp

Download
memory/1276-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/1284-75-0x00000000045E0000-0x00000000046C9000-memory.dmp

Filesize
932KB

Download
memory/1284-68-0x0000000002AB0000-0x0000000002B9A000-memory.dmp

Filesize
936KB

Download
memory/1284-80-0x00000000046D0000-0x00000000047FA000-memory.dmp

Filesize
1.2MB

Download
memory/1284-70-0x00000000045E0000-0x00000000046C9000-memory.dmp

Filesize
932KB

Download
memory/1284-82-0x00000000046D0000-0x00000000047FA000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads