formbook | 15046684df239f63119e30eadc6a71abbfece9080bb3a6a1d4f7b0899ee47409

General

Target

NEWorder2022FILE8876.exe
Size

829KB
MD5

443188c8e6b449066d99f49d1b715e92
SHA1

7ebde06ed2558ad169e7b779ac2f7bc8bc758ef0
SHA256

15046684df239f63119e30eadc6a71abbfece9080bb3a6a1d4f7b0899ee47409
SHA512

1c063339b87ebe67daf14c58f20cbe917885d12ff3d1161e8e7180752710819c5b1aea92b104130d3a42beaa5906691938656c0f394591d2e2ba3beb5de31fee
SSDEEP

12288:D3YNF3wX+sJMgCEdhJlxnFrQ9dI640gfHtY/h8uSW7rbLxPkgUUj5TX:j8GlJMkdhVnaHI6ufNkUEpaE

Score

10^/10

formbook 4u5a persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

4u5a

Decoy

Y9HWoINcPu0r7SSSKt4FCmk7

G/E64auYdhRQM4wZW2bcOaY=

bL57APty/StRpW49a+EdxA==

TppryJ0SoslHe8gJFVc=

HXxDShYIEcUJDahdv2nvl5Hlbp4=

EKaq5c6w0nV3WWlEqM4Www==

VM+YjE8XS1OLcH1roYF4zA==

OwK0wxmBGnq2Fg==

B1zy4bulyfY9tj9DK2eIkeYArpTt

Avj5JeA8m9girqfQ4+cZxA==

AOY4dmDFkCdX8HUJMw==

5cQUw3pPMYr07V8=

P7ZsN4/zt63AEw==

FYyVCOpB8Vl//kSkDLPo91Yy

jxwZTBp+5gcsccPxDF+K4bDG2Rpp0A==

iGx9AO58DRhZbXX9

prwVyLkAtlhSU6irmansg8wArpTt

uqa8ZPl+FFObOkdFNg==

tL4OhF22EDaEOkdFNg==

6exH76Z9o7eu/n86vgPE

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 5 IoCs

Processes:

NEWorder2022FILE8876.exevbc.execolorcpl.exe

description	pid	process	target process
PID 4976 set thread context of 3968	4976	NEWorder2022FILE8876.exe	vbc.exe
PID 3968 set thread context of 2600	3968	vbc.exe	Explorer.EXE
PID 216 set thread context of 2600	216	colorcpl.exe	Explorer.EXE
PID 216 set thread context of 912	216	colorcpl.exe	explorer.exe
PID 216 set thread context of 1372	216	colorcpl.exe	explorer.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1960 2600 WerFault.exe Explorer.EXE
3132 912 WerFault.exe explorer.exe

pid	pid_target	process	target process
1960	2600	WerFault.exe	Explorer.EXE
3132	912	WerFault.exe	explorer.exe

Modifies registry class 9 IoCs

Processes:

explorer.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2386679933-1492765628-3466841596-1000\{24C773CB-B9FA-4D57-ABEB-87236EBD27B4}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2386679933-1492765628-3466841596-1000\{B9C5383F-A065-4171-886B-C68E67AF47F8}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

vbc.execolorcpl.exe

pid	process
3968	vbc.exe
3968	vbc.exe
3968	vbc.exe
3968	vbc.exe
3968	vbc.exe
3968	vbc.exe
3968	vbc.exe
3968	vbc.exe
216	colorcpl.exe
216	colorcpl.exe
216	colorcpl.exe
216	colorcpl.exe
216	colorcpl.exe
216	colorcpl.exe
216	colorcpl.exe
216	colorcpl.exe
216	colorcpl.exe
216	colorcpl.exe
216	colorcpl.exe
216	colorcpl.exe
216	colorcpl.exe
216	colorcpl.exe
216	colorcpl.exe
216	colorcpl.exe
216	colorcpl.exe
216	colorcpl.exe
216	colorcpl.exe
216	colorcpl.exe
216	colorcpl.exe
216	colorcpl.exe
216	colorcpl.exe
216	colorcpl.exe
216	colorcpl.exe
216	colorcpl.exe
216	colorcpl.exe
216	colorcpl.exe
216	colorcpl.exe
216	colorcpl.exe
216	colorcpl.exe
216	colorcpl.exe
216	colorcpl.exe
216	colorcpl.exe
216	colorcpl.exe
216	colorcpl.exe
216	colorcpl.exe
216	colorcpl.exe
216	colorcpl.exe
216	colorcpl.exe
216	colorcpl.exe
216	colorcpl.exe
216	colorcpl.exe
216	colorcpl.exe
216	colorcpl.exe
216	colorcpl.exe

Suspicious behavior: MapViewOfSection 11 IoCs

Processes:

vbc.execolorcpl.exe

pid	process
3968	vbc.exe
3968	vbc.exe
3968	vbc.exe
216	colorcpl.exe
216	colorcpl.exe
216	colorcpl.exe
216	colorcpl.exe
216	colorcpl.exe
216	colorcpl.exe
216	colorcpl.exe
216	colorcpl.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

vbc.execolorcpl.exeExplorer.EXEexplorer.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	3968	vbc.exe
Token: SeDebugPrivilege	216	colorcpl.exe
Token: SeShutdownPrivilege	2600	Explorer.EXE
Token: SeCreatePagefilePrivilege	2600	Explorer.EXE
Token: SeShutdownPrivilege	912	explorer.exe
Token: SeCreatePagefilePrivilege	912	explorer.exe
Token: SeShutdownPrivilege	912	explorer.exe
Token: SeCreatePagefilePrivilege	912	explorer.exe
Token: SeShutdownPrivilege	912	explorer.exe
Token: SeCreatePagefilePrivilege	912	explorer.exe
Token: SeShutdownPrivilege	912	explorer.exe
Token: SeCreatePagefilePrivilege	912	explorer.exe
Token: SeShutdownPrivilege	912	explorer.exe
Token: SeCreatePagefilePrivilege	912	explorer.exe
Token: SeShutdownPrivilege	1372	explorer.exe
Token: SeCreatePagefilePrivilege	1372	explorer.exe
Token: SeShutdownPrivilege	1372	explorer.exe
Token: SeCreatePagefilePrivilege	1372	explorer.exe

Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

explorer.exeexplorer.exe

pid process

912 explorer.exe
912 explorer.exe
912 explorer.exe
912 explorer.exe
912 explorer.exe
912 explorer.exe
912 explorer.exe
1372 explorer.exe
1372 explorer.exe

Suspicious use of SendNotifyMessage 11 IoCs

Processes:

explorer.exeexplorer.exe

pid	process
912	explorer.exe
912	explorer.exe
912	explorer.exe
912	explorer.exe
912	explorer.exe
912	explorer.exe
912	explorer.exe
912	explorer.exe
912	explorer.exe
1372	explorer.exe
1372	explorer.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

NEWorder2022FILE8876.exeExplorer.EXE

description	pid	process	target process
PID 4976 wrote to memory of 3968	4976	NEWorder2022FILE8876.exe	vbc.exe
PID 4976 wrote to memory of 3968	4976	NEWorder2022FILE8876.exe	vbc.exe
PID 4976 wrote to memory of 3968	4976	NEWorder2022FILE8876.exe	vbc.exe
PID 4976 wrote to memory of 3968	4976	NEWorder2022FILE8876.exe	vbc.exe
PID 4976 wrote to memory of 3968	4976	NEWorder2022FILE8876.exe	vbc.exe
PID 4976 wrote to memory of 3968	4976	NEWorder2022FILE8876.exe	vbc.exe
PID 2600 wrote to memory of 216	2600	Explorer.EXE	colorcpl.exe
PID 2600 wrote to memory of 216	2600	Explorer.EXE	colorcpl.exe
PID 2600 wrote to memory of 216	2600	Explorer.EXE	colorcpl.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2600

C:\Users\Admin\AppData\Local\Temp\NEWorder2022FILE8876.exe
"C:\Users\Admin\AppData\Local\Temp\NEWorder2022FILE8876.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3968

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:216

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2600 -s 4464
2⤵
- Program crash
PID:1960

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 2600 -ip 2600
1⤵
PID:4228

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:912

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 912 -s 2940
2⤵
- Program crash
PID:3132

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 448 -p 912 -ip 912
1⤵
PID:3212

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/216-147-0x0000000000EE0000-0x0000000000F0D000-memory.dmp

Filesize
180KB

Download
memory/216-150-0x0000000002EB0000-0x0000000002F3F000-memory.dmp

Filesize
572KB

Download
memory/216-149-0x0000000000EE0000-0x0000000000F0D000-memory.dmp

Filesize
180KB

Download
memory/216-148-0x0000000003070000-0x00000000033BA000-memory.dmp

Filesize
3.3MB

Download
memory/216-143-0x0000000000000000-mapping.dmp

Download
memory/216-146-0x0000000000F20000-0x0000000000F39000-memory.dmp

Filesize
100KB

Download
memory/912-154-0x000000000A120000-0x000000000A264000-memory.dmp

Filesize
1.3MB

Download
memory/912-153-0x000000000A120000-0x000000000A264000-memory.dmp

Filesize
1.3MB

Download
memory/2600-152-0x00000000081B0000-0x0000000008300000-memory.dmp

Filesize
1.3MB

Download
memory/2600-151-0x00000000081B0000-0x0000000008300000-memory.dmp

Filesize
1.3MB

Download
memory/2600-142-0x0000000002E30000-0x0000000002F12000-memory.dmp

Filesize
904KB

Download
memory/3968-138-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/3968-145-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3968-144-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/3968-141-0x00000000010D0000-0x00000000010E0000-memory.dmp

Filesize
64KB

Download
memory/3968-139-0x00000000016C0000-0x0000000001A0A000-memory.dmp

Filesize
3.3MB

Download
memory/3968-137-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3968-134-0x00000000004012B0-mapping.dmp

Download
memory/3968-133-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4976-132-0x0000025FB5BC0000-0x0000025FB5C96000-memory.dmp

Filesize
856KB

Download
memory/4976-136-0x00007FFD8C5D0000-0x00007FFD8D091000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads