formbook | 7c0561d38ad8d30935cc4750ef54f86ae0e8fedd0858278b6a202cf9589ae4d5

General

Target

7c0561d38ad8d30935cc4750ef54f86ae0e8fedd0858278b6a202cf9589ae4d5.exe
Size

336KB
MD5

3b33c707e522fc9e706c62687387ddbc
SHA1

d98eb37e12d6d7b03fd94933ab5f7dc445c67477
SHA256

7c0561d38ad8d30935cc4750ef54f86ae0e8fedd0858278b6a202cf9589ae4d5
SHA512

7591fdefeff5a11fea8726d784a62229de33378f54cd27841647c53983fca87f055e40f6743bd62d7bb0493bd11b4d3a4c19529f890d924f6872d804b19c8695
SSDEEP

6144:9kwOU0Tna911TEwbdaqga1lpGC1xA67/jYUUEU6LrgJxet8ZJ8EGlu:Cf41y3ajpPA678UrU6LrgfeU8EGY

Score

10^/10

formbook ctap rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

ctap

Decoy

7fuiHU5O7pBugItrXtDlRbQzVNAypQ==

Ioe4Ezkvrkk5SljtGsXC

7SdYmzWqxYzoB10eYg==

87z12VKpqmy0nXHtGsXC

frPRoZR38nhTXl/tGsXC

JybcU3xwAWn21yEPd4XnKA==

B6LTKeV3SeQZAg==

9iFOJSEVtE+I6ea4tn6M72ANGm3K

bROuHdVCVl63QIZuI2etey+ugP0=

25FDh/Be3fhaReK+BwZm9aY+og==

ipYbazKawI7oB10eYg==

Y3ONgI2GHcStmm5WhEZCsE/GlNJovg==

NMjp1U2zzpPoB10eYg==

ZZOygHxoGkBxNTz1RnI=

Hy1dkswBcyQh

94qXZbB1+8ciD4Q=

JUhyQ8Fxl+4gBA==

7wuj4eTJFutgR7+k1R8mIA==

Nj3QJ1RBulY2AMS/1R8mIA==

LjFXk8zI5vgdq8N6ropiNA==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

pxzpa.exepxzpa.exe

pid process

1812 pxzpa.exe
412 pxzpa.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

pxzpa.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation pxzpa.exe

pid	process
1812	pxzpa.exe
412	pxzpa.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	pxzpa.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

pxzpa.exepxzpa.execmmon32.exe

description	pid	process	target process
PID 1812 set thread context of 412	1812	pxzpa.exe	pxzpa.exe
PID 412 set thread context of 1040	412	pxzpa.exe	Explorer.EXE
PID 3508 set thread context of 1040	3508	cmmon32.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

cmmon32.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cmmon32.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

pxzpa.execmmon32.exe

pid	process
412	pxzpa.exe
412	pxzpa.exe
412	pxzpa.exe
412	pxzpa.exe
412	pxzpa.exe
412	pxzpa.exe
412	pxzpa.exe
412	pxzpa.exe
3508	cmmon32.exe
3508	cmmon32.exe
3508	cmmon32.exe
3508	cmmon32.exe
3508	cmmon32.exe
3508	cmmon32.exe
3508	cmmon32.exe
3508	cmmon32.exe
3508	cmmon32.exe
3508	cmmon32.exe
3508	cmmon32.exe
3508	cmmon32.exe
3508	cmmon32.exe
3508	cmmon32.exe
3508	cmmon32.exe
3508	cmmon32.exe
3508	cmmon32.exe
3508	cmmon32.exe
3508	cmmon32.exe
3508	cmmon32.exe
3508	cmmon32.exe
3508	cmmon32.exe
3508	cmmon32.exe
3508	cmmon32.exe
3508	cmmon32.exe
3508	cmmon32.exe
3508	cmmon32.exe
3508	cmmon32.exe
3508	cmmon32.exe
3508	cmmon32.exe
3508	cmmon32.exe
3508	cmmon32.exe
3508	cmmon32.exe
3508	cmmon32.exe
3508	cmmon32.exe
3508	cmmon32.exe
3508	cmmon32.exe
3508	cmmon32.exe
3508	cmmon32.exe
3508	cmmon32.exe
3508	cmmon32.exe
3508	cmmon32.exe
3508	cmmon32.exe
3508	cmmon32.exe
3508	cmmon32.exe
3508	cmmon32.exe
3508	cmmon32.exe
3508	cmmon32.exe
3508	cmmon32.exe
3508	cmmon32.exe
3508	cmmon32.exe
3508	cmmon32.exe
3508	cmmon32.exe
3508	cmmon32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1040 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

pxzpa.exepxzpa.execmmon32.exe

pid process

1812 pxzpa.exe
412 pxzpa.exe
412 pxzpa.exe
412 pxzpa.exe
3508 cmmon32.exe
3508 cmmon32.exe
3508 cmmon32.exe
3508 cmmon32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pxzpa.execmmon32.exe

description pid process

Token: SeDebugPrivilege 412 pxzpa.exe
Token: SeDebugPrivilege 3508 cmmon32.exe

pid	process
1040	Explorer.EXE

pid	process
1812	pxzpa.exe
412	pxzpa.exe
412	pxzpa.exe
412	pxzpa.exe
3508	cmmon32.exe
3508	cmmon32.exe
3508	cmmon32.exe
3508	cmmon32.exe

description	pid	process
Token: SeDebugPrivilege	412	pxzpa.exe
Token: SeDebugPrivilege	3508	cmmon32.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

7c0561d38ad8d30935cc4750ef54f86ae0e8fedd0858278b6a202cf9589ae4d5.exepxzpa.exeExplorer.EXEcmmon32.exe

description	pid	process	target process
PID 4572 wrote to memory of 1812	4572	7c0561d38ad8d30935cc4750ef54f86ae0e8fedd0858278b6a202cf9589ae4d5.exe	pxzpa.exe
PID 4572 wrote to memory of 1812	4572	7c0561d38ad8d30935cc4750ef54f86ae0e8fedd0858278b6a202cf9589ae4d5.exe	pxzpa.exe
PID 4572 wrote to memory of 1812	4572	7c0561d38ad8d30935cc4750ef54f86ae0e8fedd0858278b6a202cf9589ae4d5.exe	pxzpa.exe
PID 1812 wrote to memory of 412	1812	pxzpa.exe	pxzpa.exe
PID 1812 wrote to memory of 412	1812	pxzpa.exe	pxzpa.exe
PID 1812 wrote to memory of 412	1812	pxzpa.exe	pxzpa.exe
PID 1812 wrote to memory of 412	1812	pxzpa.exe	pxzpa.exe
PID 1040 wrote to memory of 3508	1040	Explorer.EXE	cmmon32.exe
PID 1040 wrote to memory of 3508	1040	Explorer.EXE	cmmon32.exe
PID 1040 wrote to memory of 3508	1040	Explorer.EXE	cmmon32.exe
PID 3508 wrote to memory of 1668	3508	cmmon32.exe	Firefox.exe
PID 3508 wrote to memory of 1668	3508	cmmon32.exe	Firefox.exe
PID 3508 wrote to memory of 1668	3508	cmmon32.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1040
- C:\Users\Admin\AppData\Local\Temp\7c0561d38ad8d30935cc4750ef54f86ae0e8fedd0858278b6a202cf9589ae4d5.exe
  "C:\Users\Admin\AppData\Local\Temp\7c0561d38ad8d30935cc4750ef54f86ae0e8fedd0858278b6a202cf9589ae4d5.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Users\Admin\AppData\Local\Temp\pxzpa.exe
    "C:\Users\Admin\AppData\Local\Temp\pxzpa.exe" C:\Users\Admin\AppData\Local\Temp\bvfschl.llo
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1812
  - - C:\Users\Admin\AppData\Local\Temp\pxzpa.exe
      "C:\Users\Admin\AppData\Local\Temp\pxzpa.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:412
- C:\Windows\SysWOW64\cmmon32.exe
  "C:\Windows\SysWOW64\cmmon32.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3508
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:1668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bvfschl.llo

Filesize
5KB

MD5
234ecaa2516da7694806821607cb957f

SHA1
5e24bc4f64658bd2c9bbfed88ca6d39d1f84f278

SHA256
4559491a1389e02acd69695203a90b6692df27d34a3095ba7f4f753562754f56

SHA512
1a0fb05636f903ea3b583ec022b3d1182ee7c7a872abfc99822b633cb7bb2a305200406093430e308ecaaba28b5ed2ed84223812962863592d4d2cd399b18f8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\puacwrlc.q

Filesize
185KB

MD5
ae560924ece971bea500b39cf812665d

SHA1
db73b123c1edb1cde8925d784f1f793aacf26f6e

SHA256
176f6aaf297901b7100ab3164b6229042dc858876c48c04b7efeef2e71798176

SHA512
67fdbe987fa13481daccc6432034ddf4a33f1033a469adbfa347d8361a9290e5dcb183a45085486ef90d1409f991494c26902d85c1c8bf29ee98753dcbb1a8e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\pxzpa.exe

Filesize
281KB

MD5
ca0cca1b24cac955c84585eeefab6944

SHA1
517916bf6278c0584e8c50e2deeb5d75c67a413b

SHA256
aa4e786e9913c83ff743a8dfce23200f1c9b10a0040bd0d6507194c373607585

SHA512
28194e9239b47707438c2e1637d27506335253d5ba051b15e856a0afa1f88984f793c8c8a87b28b322efa7bae7db47d6f0a8f12091275f4cc16a1226ab4bb488

Download Submit
C:\Users\Admin\AppData\Local\Temp\pxzpa.exe

Filesize
281KB

MD5
ca0cca1b24cac955c84585eeefab6944

SHA1
517916bf6278c0584e8c50e2deeb5d75c67a413b

SHA256
aa4e786e9913c83ff743a8dfce23200f1c9b10a0040bd0d6507194c373607585

SHA512
28194e9239b47707438c2e1637d27506335253d5ba051b15e856a0afa1f88984f793c8c8a87b28b322efa7bae7db47d6f0a8f12091275f4cc16a1226ab4bb488

Download Submit
C:\Users\Admin\AppData\Local\Temp\pxzpa.exe

Filesize
281KB

MD5
ca0cca1b24cac955c84585eeefab6944

SHA1
517916bf6278c0584e8c50e2deeb5d75c67a413b

SHA256
aa4e786e9913c83ff743a8dfce23200f1c9b10a0040bd0d6507194c373607585

SHA512
28194e9239b47707438c2e1637d27506335253d5ba051b15e856a0afa1f88984f793c8c8a87b28b322efa7bae7db47d6f0a8f12091275f4cc16a1226ab4bb488

Download Submit
memory/412-142-0x0000000001420000-0x0000000001430000-memory.dmp

Filesize
64KB

Download
memory/412-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/412-140-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/412-141-0x00000000016F0000-0x0000000001A3A000-memory.dmp

Filesize
3.3MB

Download
memory/412-137-0x0000000000000000-mapping.dmp

Download
memory/412-145-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/412-146-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1040-151-0x00000000087C0000-0x0000000008938000-memory.dmp

Filesize
1.5MB

Download
memory/1040-143-0x00000000087C0000-0x0000000008938000-memory.dmp

Filesize
1.5MB

Download
memory/1040-154-0x0000000009070000-0x00000000091DA000-memory.dmp

Filesize
1.4MB

Download
memory/1040-152-0x0000000009070000-0x00000000091DA000-memory.dmp

Filesize
1.4MB

Download
memory/1812-132-0x0000000000000000-mapping.dmp

Download
memory/3508-149-0x00000000026B0000-0x00000000029FA000-memory.dmp

Filesize
3.3MB

Download
memory/3508-150-0x00000000023D0000-0x000000000245F000-memory.dmp

Filesize
572KB

Download
memory/3508-148-0x00000000003E0000-0x000000000040D000-memory.dmp

Filesize
180KB

Download
memory/3508-147-0x0000000000500000-0x000000000050C000-memory.dmp

Filesize
48KB

Download
memory/3508-153-0x00000000003E0000-0x000000000040D000-memory.dmp

Filesize
180KB

Download
memory/3508-144-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads