formbook | 05740669c4c15fd382ace1ce3a03d78ad0bbd9b1dafa5d22d13fea990e07e65b

General

Target

RFQ No. 980007 & 983185.exe
Size

239KB
MD5

a9ee4f66b0686b6696d2853667da9c18
SHA1

6c4ec8743ac76cd05fc33ba3d05e82c47d87ecce
SHA256

05740669c4c15fd382ace1ce3a03d78ad0bbd9b1dafa5d22d13fea990e07e65b
SHA512

d222a4cc4ea8b89b6aa66eee2f2ee0510cae392e15b04945e75baf3db7302ff9e9b8d063dce021096b539e26c26ea3478ecb4d17f3d763ff1f60a98e9c6a20c9
SSDEEP

6144:xBnYpMnlMPjMn6m3AWilyG6M2abL9cBjr8Jiw:UpglZ6m373G6M2alc9AJX

Score

10^/10

formbook m5oe rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

m5oe

Decoy

HdR8hG6r12hBYuHY4zv6YeeFPQ==

tD1V9gswYvgQXEGd

1xKtJ1LdqRYMRMC84U1A

MbhjiWb7Lz8z7KIWl3UyUIJwA6Tb

joVB5Xggy2RtE+odsZg=

TrduAIay6Y3SvoIK20xI

pSna7LOsXXwXT/zz3Iow4g==

QnthmO4Qst5gC3sDoA==

eAirzOOgO7SOCenz3Iow4g==

xg0uSbfLTg==

YWQXwyGRzPEHzGrDFE8CBSE=

ujLnfuXoH9dbgHIK20xI

291v0XsGFrYQXEGd

MRvTd/qMuaHpjCM=

X131fLC6VWX4MsvCb2IPjIfq8wlksWfg

Y9Bur8DbgqFt/Yni86MMCCE=

q6RTBmJkmy5pWTmmCCrvmuCDPw==

mQS26DojT+EQXEGd

sjHQ+Kav2Wx9FeodsZg=

JA24UKnTA5re1LhcQaVo/w==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

zxcia.exezxcia.exe

pid process

3648 zxcia.exe
788 zxcia.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

zxcia.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation zxcia.exe

pid	process
3648	zxcia.exe
788	zxcia.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	zxcia.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

zxcia.exezxcia.exeNETSTAT.EXE

description	pid	process	target process
PID 3648 set thread context of 788	3648	zxcia.exe	zxcia.exe
PID 788 set thread context of 2764	788	zxcia.exe	Explorer.EXE
PID 1796 set thread context of 2764	1796	NETSTAT.EXE	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

1796 NETSTAT.EXE

pid	process
1796	NETSTAT.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

NETSTAT.EXE

description	ioc	process
Key created	\Registry\User\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

zxcia.exeNETSTAT.EXE

pid	process
788	zxcia.exe
788	zxcia.exe
788	zxcia.exe
788	zxcia.exe
788	zxcia.exe
788	zxcia.exe
788	zxcia.exe
788	zxcia.exe
1796	NETSTAT.EXE
1796	NETSTAT.EXE
1796	NETSTAT.EXE
1796	NETSTAT.EXE
1796	NETSTAT.EXE
1796	NETSTAT.EXE
1796	NETSTAT.EXE
1796	NETSTAT.EXE
1796	NETSTAT.EXE
1796	NETSTAT.EXE
1796	NETSTAT.EXE
1796	NETSTAT.EXE
1796	NETSTAT.EXE
1796	NETSTAT.EXE
1796	NETSTAT.EXE
1796	NETSTAT.EXE
1796	NETSTAT.EXE
1796	NETSTAT.EXE
1796	NETSTAT.EXE
1796	NETSTAT.EXE
1796	NETSTAT.EXE
1796	NETSTAT.EXE
1796	NETSTAT.EXE
1796	NETSTAT.EXE
1796	NETSTAT.EXE
1796	NETSTAT.EXE
1796	NETSTAT.EXE
1796	NETSTAT.EXE
1796	NETSTAT.EXE
1796	NETSTAT.EXE
1796	NETSTAT.EXE
1796	NETSTAT.EXE
1796	NETSTAT.EXE
1796	NETSTAT.EXE
1796	NETSTAT.EXE
1796	NETSTAT.EXE
1796	NETSTAT.EXE
1796	NETSTAT.EXE
1796	NETSTAT.EXE
1796	NETSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2764 Explorer.EXE
Suspicious behavior: MapViewOfSection 9 IoCs

Processes:

zxcia.exezxcia.exeNETSTAT.EXE

pid process

3648 zxcia.exe
3648 zxcia.exe
788 zxcia.exe
788 zxcia.exe
788 zxcia.exe
1796 NETSTAT.EXE
1796 NETSTAT.EXE
1796 NETSTAT.EXE
1796 NETSTAT.EXE

pid	process
2764	Explorer.EXE

pid	process
3648	zxcia.exe
3648	zxcia.exe
788	zxcia.exe
788	zxcia.exe
788	zxcia.exe
1796	NETSTAT.EXE
1796	NETSTAT.EXE
1796	NETSTAT.EXE
1796	NETSTAT.EXE

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

zxcia.exeExplorer.EXENETSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	788	zxcia.exe
Token: SeShutdownPrivilege	2764	Explorer.EXE
Token: SeCreatePagefilePrivilege	2764	Explorer.EXE
Token: SeShutdownPrivilege	2764	Explorer.EXE
Token: SeCreatePagefilePrivilege	2764	Explorer.EXE
Token: SeDebugPrivilege	1796	NETSTAT.EXE
Token: SeShutdownPrivilege	2764	Explorer.EXE
Token: SeCreatePagefilePrivilege	2764	Explorer.EXE
Token: SeShutdownPrivilege	2764	Explorer.EXE
Token: SeCreatePagefilePrivilege	2764	Explorer.EXE
Token: SeShutdownPrivilege	2764	Explorer.EXE
Token: SeCreatePagefilePrivilege	2764	Explorer.EXE
Token: SeShutdownPrivilege	2764	Explorer.EXE
Token: SeCreatePagefilePrivilege	2764	Explorer.EXE
Token: SeShutdownPrivilege	2764	Explorer.EXE
Token: SeCreatePagefilePrivilege	2764	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

2764 Explorer.EXE
2764 Explorer.EXE

pid	process
2764	Explorer.EXE
2764	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

RFQ No. 980007 & 983185.exezxcia.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 2156 wrote to memory of 3648	2156	RFQ No. 980007 & 983185.exe	zxcia.exe
PID 2156 wrote to memory of 3648	2156	RFQ No. 980007 & 983185.exe	zxcia.exe
PID 2156 wrote to memory of 3648	2156	RFQ No. 980007 & 983185.exe	zxcia.exe
PID 3648 wrote to memory of 788	3648	zxcia.exe	zxcia.exe
PID 3648 wrote to memory of 788	3648	zxcia.exe	zxcia.exe
PID 3648 wrote to memory of 788	3648	zxcia.exe	zxcia.exe
PID 3648 wrote to memory of 788	3648	zxcia.exe	zxcia.exe
PID 2764 wrote to memory of 1796	2764	Explorer.EXE	NETSTAT.EXE
PID 2764 wrote to memory of 1796	2764	Explorer.EXE	NETSTAT.EXE
PID 2764 wrote to memory of 1796	2764	Explorer.EXE	NETSTAT.EXE
PID 1796 wrote to memory of 1852	1796	NETSTAT.EXE	Firefox.exe
PID 1796 wrote to memory of 1852	1796	NETSTAT.EXE	Firefox.exe
PID 1796 wrote to memory of 1852	1796	NETSTAT.EXE	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2764

C:\Users\Admin\AppData\Local\Temp\RFQ No. 980007 & 983185.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ No. 980007 & 983185.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2156

C:\Users\Admin\AppData\Local\Temp\zxcia.exe
"C:\Users\Admin\AppData\Local\Temp\zxcia.exe" C:\Users\Admin\AppData\Local\Temp\wwgysm.u
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3648

C:\Users\Admin\AppData\Local\Temp\zxcia.exe
"C:\Users\Admin\AppData\Local\Temp\zxcia.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:788

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1796

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1852

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\addqembg.akh
Filesize
185KB

MD5
1004c011123dca04b18de42d207a7eda

SHA1
7c6704ec238046df9679742104d3fcce2221a436

SHA256
d9b8ddbba450f37caf3ff8b88cec37f269ce37bf41fb173c8659c9818c08c2f2

SHA512
2406f35ce017a43bfec7b2050b79dc9aebcad34cbb14f5598284791287aeb2d5a4464b8dc3b4ea5a0f55f95f0942b5b6887defbb5205eb3a64c0a40a12e01472

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwgysm.u
Filesize
5KB

MD5
faa57729447a24669e0d3e46b18e0232

SHA1
49f11122be3748b0b0acf5c329c533457a18f954

SHA256
0db5fa443f4e268da1c759bb827eff866ff89a5f9dcadf7a5ee96d94a079d97d

SHA512
5cdc0ff8fe1a5850f39979c656c3ac4eef58d8f1a773064568464b6e199e20f92ec15ecc43837017835dc5e413fbec45c5be16f2b450e9d90e2ac20d319d5b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\zxcia.exe
Filesize
12KB

MD5
aa22266d15fb5c32c2d556f73928ca4f

SHA1
bf8abdf87eb0ff02ab397be1e0b80c7c32d8f1a5

SHA256
207b2b2b68c53a3983aca22eeafd50e7bf065e347379332692c716ef8e7303d5

SHA512
6cf19e8c36bfcb78d1a18f2637671132e1d4bc50fd23818c50ec1facbf2786d1404ba2e8a679e66c9f705eaaa25047887b46ee776c624335278320760c3fa294

Download Submit
C:\Users\Admin\AppData\Local\Temp\zxcia.exe
Filesize
12KB

MD5
aa22266d15fb5c32c2d556f73928ca4f

SHA1
bf8abdf87eb0ff02ab397be1e0b80c7c32d8f1a5

SHA256
207b2b2b68c53a3983aca22eeafd50e7bf065e347379332692c716ef8e7303d5

SHA512
6cf19e8c36bfcb78d1a18f2637671132e1d4bc50fd23818c50ec1facbf2786d1404ba2e8a679e66c9f705eaaa25047887b46ee776c624335278320760c3fa294

Download Submit
C:\Users\Admin\AppData\Local\Temp\zxcia.exe
Filesize
12KB

MD5
aa22266d15fb5c32c2d556f73928ca4f

SHA1
bf8abdf87eb0ff02ab397be1e0b80c7c32d8f1a5

SHA256
207b2b2b68c53a3983aca22eeafd50e7bf065e347379332692c716ef8e7303d5

SHA512
6cf19e8c36bfcb78d1a18f2637671132e1d4bc50fd23818c50ec1facbf2786d1404ba2e8a679e66c9f705eaaa25047887b46ee776c624335278320760c3fa294

Download Submit
memory/788-143-0x0000000000430000-0x000000000045F000-memory.dmp

Filesize
188KB

Download
memory/788-137-0x0000000000000000-mapping.dmp

Download
memory/788-139-0x0000000000430000-0x000000000045F000-memory.dmp

Filesize
188KB

Download
memory/788-140-0x0000000000AA0000-0x0000000000DEA000-memory.dmp

Filesize
3.3MB

Download
memory/788-141-0x00000000004E0000-0x00000000004F0000-memory.dmp

Filesize
64KB

Download
memory/1796-150-0x0000000000EC0000-0x0000000000ECB000-memory.dmp

Filesize
44KB

Download
memory/1796-151-0x00000000003A0000-0x00000000003CD000-memory.dmp

Filesize
180KB

Download
memory/1796-144-0x0000000000000000-mapping.dmp

Download
memory/1796-159-0x00000000003A0000-0x00000000003CD000-memory.dmp

Filesize
180KB

Download
memory/1796-157-0x0000000000B90000-0x0000000000C1F000-memory.dmp

Filesize
572KB

Download
memory/1796-152-0x0000000000ED0000-0x000000000121A000-memory.dmp

Filesize
3.3MB

Download
memory/2764-155-0x0000000007450000-0x0000000007460000-memory.dmp

Filesize
64KB

Download
memory/2764-145-0x00000000024A0000-0x00000000024B0000-memory.dmp

Filesize
64KB

Download
memory/2764-169-0x00000000023D0000-0x00000000023E0000-memory.dmp

Filesize
64KB

Download
memory/2764-148-0x0000000007450000-0x0000000007460000-memory.dmp

Filesize
64KB

Download
memory/2764-149-0x0000000007450000-0x0000000007460000-memory.dmp

Filesize
64KB

Download
memory/2764-153-0x0000000007380000-0x0000000007390000-memory.dmp

Filesize
64KB

Download
memory/2764-154-0x0000000007450000-0x0000000007460000-memory.dmp

Filesize
64KB

Download
memory/2764-142-0x0000000007B70000-0x0000000007C35000-memory.dmp

Filesize
788KB

Download
memory/2764-156-0x0000000007450000-0x0000000007460000-memory.dmp

Filesize
64KB

Download
memory/2764-146-0x0000000007380000-0x0000000007390000-memory.dmp

Filesize
64KB

Download
memory/2764-158-0x0000000002880000-0x000000000292F000-memory.dmp

Filesize
700KB

Download
memory/2764-147-0x0000000007450000-0x0000000007460000-memory.dmp

Filesize
64KB

Download
memory/2764-160-0x0000000002880000-0x000000000292F000-memory.dmp

Filesize
700KB

Download
memory/2764-161-0x00000000024A0000-0x00000000024B0000-memory.dmp

Filesize
64KB

Download
memory/2764-162-0x00000000009D0000-0x00000000009E0000-memory.dmp

Filesize
64KB

Download
memory/2764-163-0x00000000023D0000-0x00000000023E0000-memory.dmp

Filesize
64KB

Download
memory/2764-164-0x00000000023D0000-0x00000000023E0000-memory.dmp

Filesize
64KB

Download
memory/2764-165-0x00000000023D0000-0x00000000023E0000-memory.dmp

Filesize
64KB

Download
memory/2764-166-0x00000000009D0000-0x00000000009E0000-memory.dmp

Filesize
64KB

Download
memory/2764-167-0x00000000023D0000-0x00000000023E0000-memory.dmp

Filesize
64KB

Download
memory/2764-168-0x00000000023D0000-0x00000000023E0000-memory.dmp

Filesize
64KB

Download
memory/3648-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads