formbook | 3dd65f1a69d9bfc66ac90f94418e7038bb7716f55b2b75b2926a1e026ebaa093

General

Target

3dd65f1a69d9bfc66ac90f94418e7038bb7716f55b2b75b2926a1e026ebaa093.exe
Size

1.1MB
MD5

78c60cf7fbdfb30416050544a80ab48e
SHA1

a3f2348dc1a1ad60f1cbdc269632da2b4245ac65
SHA256

3dd65f1a69d9bfc66ac90f94418e7038bb7716f55b2b75b2926a1e026ebaa093
SHA512

363a3637186a87a8f5beceec59e579b4ccae86f87ab5b3536ac5c0cfc49961e840a5f6de6bac567569a3aa1bcd280a1abac7ddcd102ba623cac8250f8868bdc0
SSDEEP

24576:cL4LJWJYb9gCJysH0sF/xikvcKw7xWho8L64:dLJWJceIFJho+Z

Score

10^/10

formbook wnoa rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

wnoa

Decoy

Anzfj8CstzWn/Ik=

BkhCB8WrOvIUcY78lw==

xEyLf4okJGEBag18DTzNfYc8/tJTCyY=

L8YF7D0dJmDN2XbqnL6BMPM=

pLq2gHn54xib667ul/0cGeUUZA==

bKjcinHr8mKS6qLfjA==

n/YN69yEx3KoUAU52DiE+IS5ItJTCyY=

BRQILrmcFxdJkIE=

e7itYBn9mZWx1FOTUzskZA==

e7Gqlb+Fsy3d+bramPc=

SV5QF+PEQe4c7onu

F6D7r3RAggSr98cs+mWjCY/KQw53Diw=

lqixnJdBnCAJdelB0L6BMPM=

N8Y0Fx2lwnaYJNQg4iUaGeUUZA==

4tF/NC6/DfUpRbGngLVx

oLuerEDAN+8c7onu

hpiWgzD7vb4c7onu

twgjE4g2SQIjRbGngLVx

G26ZgMF1Wp4/iTtpPm9sMvU=

SQaUJPgO/kyg

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3dd65f1a69d9bfc66ac90f94418e7038bb7716f55b2b75b2926a1e026ebaa093.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	3dd65f1a69d9bfc66ac90f94418e7038bb7716f55b2b75b2926a1e026ebaa093.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

3dd65f1a69d9bfc66ac90f94418e7038bb7716f55b2b75b2926a1e026ebaa093.exe

description	pid	process	target process
PID 4740 set thread context of 3208	4740	3dd65f1a69d9bfc66ac90f94418e7038bb7716f55b2b75b2926a1e026ebaa093.exe	3dd65f1a69d9bfc66ac90f94418e7038bb7716f55b2b75b2926a1e026ebaa093.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4500 schtasks.exe

pid	process
4500	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exe3dd65f1a69d9bfc66ac90f94418e7038bb7716f55b2b75b2926a1e026ebaa093.exe

pid	process
500	powershell.exe
500	powershell.exe
3208	3dd65f1a69d9bfc66ac90f94418e7038bb7716f55b2b75b2926a1e026ebaa093.exe
3208	3dd65f1a69d9bfc66ac90f94418e7038bb7716f55b2b75b2926a1e026ebaa093.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 500 powershell.exe

description	pid	process
Token: SeDebugPrivilege	500	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

3dd65f1a69d9bfc66ac90f94418e7038bb7716f55b2b75b2926a1e026ebaa093.exe

description	pid	process	target process
PID 4740 wrote to memory of 500	4740	3dd65f1a69d9bfc66ac90f94418e7038bb7716f55b2b75b2926a1e026ebaa093.exe	powershell.exe
PID 4740 wrote to memory of 500	4740	3dd65f1a69d9bfc66ac90f94418e7038bb7716f55b2b75b2926a1e026ebaa093.exe	powershell.exe
PID 4740 wrote to memory of 500	4740	3dd65f1a69d9bfc66ac90f94418e7038bb7716f55b2b75b2926a1e026ebaa093.exe	powershell.exe
PID 4740 wrote to memory of 4500	4740	3dd65f1a69d9bfc66ac90f94418e7038bb7716f55b2b75b2926a1e026ebaa093.exe	schtasks.exe
PID 4740 wrote to memory of 4500	4740	3dd65f1a69d9bfc66ac90f94418e7038bb7716f55b2b75b2926a1e026ebaa093.exe	schtasks.exe
PID 4740 wrote to memory of 4500	4740	3dd65f1a69d9bfc66ac90f94418e7038bb7716f55b2b75b2926a1e026ebaa093.exe	schtasks.exe
PID 4740 wrote to memory of 3208	4740	3dd65f1a69d9bfc66ac90f94418e7038bb7716f55b2b75b2926a1e026ebaa093.exe	3dd65f1a69d9bfc66ac90f94418e7038bb7716f55b2b75b2926a1e026ebaa093.exe
PID 4740 wrote to memory of 3208	4740	3dd65f1a69d9bfc66ac90f94418e7038bb7716f55b2b75b2926a1e026ebaa093.exe	3dd65f1a69d9bfc66ac90f94418e7038bb7716f55b2b75b2926a1e026ebaa093.exe
PID 4740 wrote to memory of 3208	4740	3dd65f1a69d9bfc66ac90f94418e7038bb7716f55b2b75b2926a1e026ebaa093.exe	3dd65f1a69d9bfc66ac90f94418e7038bb7716f55b2b75b2926a1e026ebaa093.exe
PID 4740 wrote to memory of 3208	4740	3dd65f1a69d9bfc66ac90f94418e7038bb7716f55b2b75b2926a1e026ebaa093.exe	3dd65f1a69d9bfc66ac90f94418e7038bb7716f55b2b75b2926a1e026ebaa093.exe
PID 4740 wrote to memory of 3208	4740	3dd65f1a69d9bfc66ac90f94418e7038bb7716f55b2b75b2926a1e026ebaa093.exe	3dd65f1a69d9bfc66ac90f94418e7038bb7716f55b2b75b2926a1e026ebaa093.exe
PID 4740 wrote to memory of 3208	4740	3dd65f1a69d9bfc66ac90f94418e7038bb7716f55b2b75b2926a1e026ebaa093.exe	3dd65f1a69d9bfc66ac90f94418e7038bb7716f55b2b75b2926a1e026ebaa093.exe

C:\Users\Admin\AppData\Local\Temp\3dd65f1a69d9bfc66ac90f94418e7038bb7716f55b2b75b2926a1e026ebaa093.exe
"C:\Users\Admin\AppData\Local\Temp\3dd65f1a69d9bfc66ac90f94418e7038bb7716f55b2b75b2926a1e026ebaa093.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ilSuUHrnnZh.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:500
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ilSuUHrnnZh" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCD33.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:4500
- C:\Users\Admin\AppData\Local\Temp\3dd65f1a69d9bfc66ac90f94418e7038bb7716f55b2b75b2926a1e026ebaa093.exe
  "C:\Users\Admin\AppData\Local\Temp\3dd65f1a69d9bfc66ac90f94418e7038bb7716f55b2b75b2926a1e026ebaa093.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpCD33.tmp

Filesize
1KB

MD5
350e27bb4c0b320001c077a8b63849d3

SHA1
e18dc93a9ad606a4947f34bfa939838de5a02b41

SHA256
914315c135a62979e02dd32152ea4c249007842da9cfc0c165105fa8aab830d8

SHA512
9888005e280add15ff8a3d27a286a16ec66d8839a326e81a9cb67093ee98455bb475b3d3bd6a537e16e900039aa09874dc928120cb28f96110a6a6fd939d5742

Download Submit
memory/500-140-0x0000000000A70000-0x0000000000AA6000-memory.dmp

Filesize
216KB

Download
memory/500-156-0x0000000006EF0000-0x0000000006F0A000-memory.dmp

Filesize
104KB

Download
memory/500-159-0x0000000007120000-0x000000000712E000-memory.dmp

Filesize
56KB

Download
memory/500-158-0x0000000007170000-0x0000000007206000-memory.dmp

Filesize
600KB

Download
memory/500-161-0x0000000007210000-0x0000000007218000-memory.dmp

Filesize
32KB

Download
memory/500-138-0x0000000000000000-mapping.dmp

Download
memory/500-160-0x0000000007230000-0x000000000724A000-memory.dmp

Filesize
104KB

Download
memory/500-152-0x0000000006130000-0x0000000006162000-memory.dmp

Filesize
200KB

Download
memory/500-157-0x0000000006F60000-0x0000000006F6A000-memory.dmp

Filesize
40KB

Download
memory/500-142-0x0000000004EE0000-0x0000000005508000-memory.dmp

Filesize
6.2MB

Download
memory/500-143-0x0000000004A90000-0x0000000004AB2000-memory.dmp

Filesize
136KB

Download
memory/500-144-0x0000000004D50000-0x0000000004DB6000-memory.dmp

Filesize
408KB

Download
memory/500-155-0x0000000007530000-0x0000000007BAA000-memory.dmp

Filesize
6.5MB

Download
memory/500-154-0x0000000006110000-0x000000000612E000-memory.dmp

Filesize
120KB

Download
memory/500-148-0x0000000005B50000-0x0000000005B6E000-memory.dmp

Filesize
120KB

Download
memory/500-153-0x0000000074D80000-0x0000000074DCC000-memory.dmp

Filesize
304KB

Download
memory/3208-146-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3208-151-0x00000000017B0000-0x0000000001AFA000-memory.dmp

Filesize
3.3MB

Download
memory/3208-150-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/3208-149-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3208-145-0x0000000000000000-mapping.dmp

Download
memory/4500-139-0x0000000000000000-mapping.dmp

Download
memory/4740-132-0x0000000000C90000-0x0000000000DAC000-memory.dmp

Filesize
1.1MB

Download
memory/4740-137-0x0000000001670000-0x00000000016D6000-memory.dmp

Filesize
408KB

Download
memory/4740-136-0x0000000009FC0000-0x000000000A05C000-memory.dmp

Filesize
624KB

Download
memory/4740-135-0x00000000057E0000-0x00000000057EA000-memory.dmp

Filesize
40KB

Download
memory/4740-134-0x0000000005730000-0x00000000057C2000-memory.dmp

Filesize
584KB

Download
memory/4740-133-0x0000000005DC0000-0x0000000006364000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads