formbook | 306e86d6c586c3a6a52ed61b426b1e2520671b95b54510fb3faede2f499801d0

General

Target

Betalningsaviseringsanmärkning - 0000274553.cab.exe
Size

535KB
MD5

5c6d494467d89ff50a77cc878c8c9539
SHA1

11618f354cc30d7a5716a687b9384138a0f46b5b
SHA256

306e86d6c586c3a6a52ed61b426b1e2520671b95b54510fb3faede2f499801d0
SHA512

6ed42edf100c076f422231c55e5df1ca9d1dda8c139fe7a19748f97685469c2a3042b9b23d222ea26c68a216c596b5084d4dc16238382cc7c3d0bad9e82c9394
SSDEEP

6144:/kw+0xk6e96C2U/2aqg9JBP/gr0TdFpyI7a5SQ/GBQDLJCoF7PdcUFauRugGcSnu:slzAKpgCb7kSQKQXJ7tF34gNV

Score

10^/10

formbook m9ae persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

m9ae

Decoy

nWTQpX6TYm6dfT3Lcw==

7JaBLgMm8EKn2AlTy5Ksj4Jq

yWRJIhE3viQgqEpZS3o=

ES9dFo0bytF8vlvRcg==

aX/aBZn29pD+cg==

lU64sYOZV7ZVpUy1ag==

9BpOCYAPv8L8TyIFAiTp2PSqLg==

uEJ2RyQ1BcBXfFr8kT5Z1KV0

oVM42Ury9pD+cg==

0Zl3VkcuKaY+

OjZeGI8dw67Z6eWtnOoBfoI=

ytwFn9j4i+N8nKYRSgcfh3xn5LU=

xMb1+YkOyxmbxJ53JsP7Pg==

HODQpzTBS1gVoi4X0hStKQ==

fQ417ycwD+ziKt1u0hStKQ==

nsApOqE62sA8uS735uCXVP+YcrQ=

4aobG3oZ3AHqTPs=

P2LEwJatZbQZUTayTW0=

/bopO7NR6clCfT3Lcw==

bBxRRkFY01R+20pZS3o=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

tqlhmoflq.exetqlhmoflq.exe

pid process

3116 tqlhmoflq.exe
4368 tqlhmoflq.exe

pid	process
3116	tqlhmoflq.exe
4368	tqlhmoflq.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tqlhmoflq.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	tqlhmoflq.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tqlhmoflq.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qjakvdcpmud = "C:\\Users\\Admin\\AppData\\Roaming\\xtgsdlfsmuyw\\gbcpcfqjpc.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\tqlhmoflq.exe\" C:\\Users\\Admin\\AppDat"	tqlhmoflq.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

tqlhmoflq.exetqlhmoflq.exe

description	pid	process	target process
PID 3116 set thread context of 4368	3116	tqlhmoflq.exe	tqlhmoflq.exe
PID 4368 set thread context of 2164	4368	tqlhmoflq.exe	Explorer.EXE
PID 4368 set thread context of 2164	4368	tqlhmoflq.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

tqlhmoflq.exe

pid	process
4368	tqlhmoflq.exe
4368	tqlhmoflq.exe
4368	tqlhmoflq.exe
4368	tqlhmoflq.exe
4368	tqlhmoflq.exe
4368	tqlhmoflq.exe
4368	tqlhmoflq.exe
4368	tqlhmoflq.exe
4368	tqlhmoflq.exe
4368	tqlhmoflq.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2164 Explorer.EXE
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

tqlhmoflq.exetqlhmoflq.exe

pid process

3116 tqlhmoflq.exe
4368 tqlhmoflq.exe
4368 tqlhmoflq.exe

pid	process
2164	Explorer.EXE

pid	process
3116	tqlhmoflq.exe
4368	tqlhmoflq.exe
4368	tqlhmoflq.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

tqlhmoflq.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	4368	tqlhmoflq.exe
Token: SeShutdownPrivilege	2164	Explorer.EXE
Token: SeCreatePagefilePrivilege	2164	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

Betalningsaviseringsanmärkning - 0000274553.cab.exetqlhmoflq.exeExplorer.EXE

description	pid	process	target process
PID 2836 wrote to memory of 3116	2836	Betalningsaviseringsanmärkning - 0000274553.cab.exe	tqlhmoflq.exe
PID 2836 wrote to memory of 3116	2836	Betalningsaviseringsanmärkning - 0000274553.cab.exe	tqlhmoflq.exe
PID 2836 wrote to memory of 3116	2836	Betalningsaviseringsanmärkning - 0000274553.cab.exe	tqlhmoflq.exe
PID 3116 wrote to memory of 4368	3116	tqlhmoflq.exe	tqlhmoflq.exe
PID 3116 wrote to memory of 4368	3116	tqlhmoflq.exe	tqlhmoflq.exe
PID 3116 wrote to memory of 4368	3116	tqlhmoflq.exe	tqlhmoflq.exe
PID 3116 wrote to memory of 4368	3116	tqlhmoflq.exe	tqlhmoflq.exe
PID 2164 wrote to memory of 3416	2164	Explorer.EXE	wlanext.exe
PID 2164 wrote to memory of 3416	2164	Explorer.EXE	wlanext.exe
PID 2164 wrote to memory of 3416	2164	Explorer.EXE	wlanext.exe
PID 2164 wrote to memory of 2032	2164	Explorer.EXE	wlanext.exe
PID 2164 wrote to memory of 2032	2164	Explorer.EXE	wlanext.exe
PID 2164 wrote to memory of 2032	2164	Explorer.EXE	wlanext.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2164

C:\Users\Admin\AppData\Local\Temp\Betalningsaviseringsanmärkning - 0000274553.cab.exe
"C:\Users\Admin\AppData\Local\Temp\Betalningsaviseringsanmärkning - 0000274553.cab.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2836

C:\Users\Admin\AppData\Local\Temp\tqlhmoflq.exe
"C:\Users\Admin\AppData\Local\Temp\tqlhmoflq.exe" C:\Users\Admin\AppData\Local\Temp\pmxskx.hap
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3116

C:\Users\Admin\AppData\Local\Temp\tqlhmoflq.exe
"C:\Users\Admin\AppData\Local\Temp\tqlhmoflq.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4368

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:740

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
PID:3416

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
PID:2032

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\glolpx.d
Filesize
185KB

MD5
8da1a70786ac6e4f3dfb388eb1fd8afc

SHA1
5ba11c38ed1053aeaac158dff30a803a4d4410a8

SHA256
63eb014dd1a10b91067357e5692397ab1464bf3b146ba9baf199fe48ec5ac7c6

SHA512
b57314d2bd94d93b635f8c14aa67259915153b2aa238c1445e5d5b00a5cd6cd7dc250ea9ac499169ee85c99c9cf4e3e6bce986cfaa97c865afd2d6813d5efffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\pmxskx.hap
Filesize
7KB

MD5
418b6039126a6cbb2921062ad20f4647

SHA1
505d64913e58eedfdbe0adc5d88385d36f3470fd

SHA256
6c069ae01b50d2553e568d274dbcb015f9ec95f3ef25283a7182f6c532cf9435

SHA512
4cf5e5e57d0352231bddf83b3f335d6ca359cb48480fb974dfe0133eba8171a5745fa65e22b8cbdfcaafc6e77ac366ee0d71aea7bcc27682ae67bcf9434cadeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tqlhmoflq.exe
Filesize
287KB

MD5
b1710f487cd6c24bd3eaa637f90198ab

SHA1
0c9b0b875ffc7497a25236c50dd17e676c8aa098

SHA256
443c686a4a3eae981c5dce9b6f56ec291aec1bc52fce378fca7f67c4723e9cb0

SHA512
26b38d31b5e4ca4dc84749428cb443669547a5e0300479aa83c6ca4072aaef34fca3bf3d53b86a6b01268d378a62432cdd2c22b90fcb16473803d6fc48eeb3c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tqlhmoflq.exe
Filesize
287KB

MD5
b1710f487cd6c24bd3eaa637f90198ab

SHA1
0c9b0b875ffc7497a25236c50dd17e676c8aa098

SHA256
443c686a4a3eae981c5dce9b6f56ec291aec1bc52fce378fca7f67c4723e9cb0

SHA512
26b38d31b5e4ca4dc84749428cb443669547a5e0300479aa83c6ca4072aaef34fca3bf3d53b86a6b01268d378a62432cdd2c22b90fcb16473803d6fc48eeb3c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tqlhmoflq.exe
Filesize
287KB

MD5
b1710f487cd6c24bd3eaa637f90198ab

SHA1
0c9b0b875ffc7497a25236c50dd17e676c8aa098

SHA256
443c686a4a3eae981c5dce9b6f56ec291aec1bc52fce378fca7f67c4723e9cb0

SHA512
26b38d31b5e4ca4dc84749428cb443669547a5e0300479aa83c6ca4072aaef34fca3bf3d53b86a6b01268d378a62432cdd2c22b90fcb16473803d6fc48eeb3c9

Download Submit
memory/2164-144-0x0000000007FF0000-0x0000000008199000-memory.dmp

Filesize
1.7MB

Download
memory/2164-149-0x0000000002BA0000-0x0000000002C58000-memory.dmp

Filesize
736KB

Download
memory/3116-132-0x0000000000000000-mapping.dmp

Download
memory/4368-137-0x0000000000000000-mapping.dmp

Download
memory/4368-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4368-140-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/4368-141-0x00000000015B0000-0x00000000018FA000-memory.dmp

Filesize
3.3MB

Download
memory/4368-142-0x0000000000422000-0x0000000000424000-memory.dmp

Filesize
8KB

Download
memory/4368-143-0x0000000000F90000-0x0000000000FA0000-memory.dmp

Filesize
64KB

Download
memory/4368-145-0x0000000000422000-0x0000000000424000-memory.dmp

Filesize
8KB

Download
memory/4368-146-0x0000000001000000-0x0000000001010000-memory.dmp

Filesize
64KB

Download
memory/4368-147-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4368-148-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads