formbook | 81276296b6d3afcded72b489d0d5b9c7e6e7a13569e3868f6c063489318d2a9c

General

Target

103.133.110.147_-_OneDrive_-_csrss.exe___4c7135b466d0d97fe0dce29650ed97f2.exe
Size

333KB
MD5

4c7135b466d0d97fe0dce29650ed97f2
SHA1

fde47b76280185cd1d39e9d22aed3d8e0047814f
SHA256

81276296b6d3afcded72b489d0d5b9c7e6e7a13569e3868f6c063489318d2a9c
SHA512

bb0820a6ee336942a3a06da0cc2bdc49ea870cde63ff0972ce1559531e473c256590826bd6b4ac5afe913748a4b07d2a7a4be0b4b1d047a7ba5d416329aaa91b
SSDEEP

6144:9kw5wnBY2pNRJapeMSZE2dcEtJI5WwYFJ0oPsMf48ZKXQm1s:YBfpf+eMSZ37keP0m1KX8

Score

10^/10

formbook f4ca rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

f4ca

Decoy

omFHB5ajfJi1UEIEV9XcoRw=

UBjJkmQPyprdhcFF/bdCWQ==

evGKkBUj1je+otcfpw==

KgvGVeOATSt3nug0BIOm2JvOQycB

Lv6o3K0r9aSjI0lr9fg1txw=

LH1jJb/HieQpsEdqWCQTvX2PmsDVIeg=

99dte0XauJfk6Xv+uQxJFgA1gMktBA==

21FkkGB9gMniDQw2ffu6

r4lKBM/q6TZwVZfS

F+14qHeVWi56KdQ=

BgWXRsVoICMvvQ==

I+EozFl0Uy56KdQ=

xoXCgEllKEbWfjFCCLo=

qo9G1lXvvGt5GkxrLQWw

ORNlYic0PJ2ip4geEFSv

Yj+GFpvFxy0uVYx1fLI/XQ==

XL+veIKPjOTe4fjvFs+n

D2JKVAfuakXCAyoEvw==

voWJU81tH56wvt/vImbCcgVd

dVEcwFrmb8bZ4vXvFs+n

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

kqegg.exekqegg.exe

pid process

560 kqegg.exe
1104 kqegg.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

kqegg.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Control Panel\International\Geo\Nation kqegg.exe

pid	process
560	kqegg.exe
1104	kqegg.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Control Panel\International\Geo\Nation	kqegg.exe

Loads dropped DLL 3 IoCs

Processes:

103.133.110.147_-_OneDrive_-_csrss.exe___4c7135b466d0d97fe0dce29650ed97f2.exekqegg.exe

pid	process
1448	103.133.110.147_-_OneDrive_-_csrss.exe___4c7135b466d0d97fe0dce29650ed97f2.exe
1448	103.133.110.147_-_OneDrive_-_csrss.exe___4c7135b466d0d97fe0dce29650ed97f2.exe
560	kqegg.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

kqegg.exekqegg.exechkdsk.exe

description	pid	process	target process
PID 560 set thread context of 1104	560	kqegg.exe	kqegg.exe
PID 1104 set thread context of 1232	1104	kqegg.exe	Explorer.EXE
PID 1104 set thread context of 1232	1104	kqegg.exe	Explorer.EXE
PID 940 set thread context of 1232	940	chkdsk.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

chkdsk.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier chkdsk.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

chkdsk.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-1214520366-621468234-4062160515-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	chkdsk.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

kqegg.exechkdsk.exe

pid process

1104 kqegg.exe
1104 kqegg.exe
1104 kqegg.exe
1104 kqegg.exe
1104 kqegg.exe
940 chkdsk.exe
940 chkdsk.exe
940 chkdsk.exe
940 chkdsk.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1232 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

kqegg.exekqegg.exechkdsk.exe

pid process

560 kqegg.exe
1104 kqegg.exe
1104 kqegg.exe
1104 kqegg.exe
1104 kqegg.exe
940 chkdsk.exe
940 chkdsk.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

kqegg.exechkdsk.exe

description pid process

Token: SeDebugPrivilege 1104 kqegg.exe
Token: SeDebugPrivilege 940 chkdsk.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1232 Explorer.EXE
1232 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1232 Explorer.EXE
1232 Explorer.EXE

pid	process
1104	kqegg.exe
1104	kqegg.exe
1104	kqegg.exe
1104	kqegg.exe
1104	kqegg.exe
940	chkdsk.exe
940	chkdsk.exe
940	chkdsk.exe
940	chkdsk.exe

pid	process
1232	Explorer.EXE

pid	process
560	kqegg.exe
1104	kqegg.exe
1104	kqegg.exe
1104	kqegg.exe
1104	kqegg.exe
940	chkdsk.exe
940	chkdsk.exe

description	pid	process
Token: SeDebugPrivilege	1104	kqegg.exe
Token: SeDebugPrivilege	940	chkdsk.exe

pid	process
1232	Explorer.EXE
1232	Explorer.EXE

pid	process
1232	Explorer.EXE
1232	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

103.133.110.147_-_OneDrive_-_csrss.exe___4c7135b466d0d97fe0dce29650ed97f2.exekqegg.exeExplorer.EXE

description	pid	process	target process
PID 1448 wrote to memory of 560	1448	103.133.110.147_-_OneDrive_-_csrss.exe___4c7135b466d0d97fe0dce29650ed97f2.exe	kqegg.exe
PID 1448 wrote to memory of 560	1448	103.133.110.147_-_OneDrive_-_csrss.exe___4c7135b466d0d97fe0dce29650ed97f2.exe	kqegg.exe
PID 1448 wrote to memory of 560	1448	103.133.110.147_-_OneDrive_-_csrss.exe___4c7135b466d0d97fe0dce29650ed97f2.exe	kqegg.exe
PID 1448 wrote to memory of 560	1448	103.133.110.147_-_OneDrive_-_csrss.exe___4c7135b466d0d97fe0dce29650ed97f2.exe	kqegg.exe
PID 560 wrote to memory of 1104	560	kqegg.exe	kqegg.exe
PID 560 wrote to memory of 1104	560	kqegg.exe	kqegg.exe
PID 560 wrote to memory of 1104	560	kqegg.exe	kqegg.exe
PID 560 wrote to memory of 1104	560	kqegg.exe	kqegg.exe
PID 560 wrote to memory of 1104	560	kqegg.exe	kqegg.exe
PID 1232 wrote to memory of 940	1232	Explorer.EXE	chkdsk.exe
PID 1232 wrote to memory of 940	1232	Explorer.EXE	chkdsk.exe
PID 1232 wrote to memory of 940	1232	Explorer.EXE	chkdsk.exe
PID 1232 wrote to memory of 940	1232	Explorer.EXE	chkdsk.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1232

C:\Users\Admin\AppData\Local\Temp\103.133.110.147_-_OneDrive_-_csrss.exe___4c7135b466d0d97fe0dce29650ed97f2.exe
"C:\Users\Admin\AppData\Local\Temp\103.133.110.147_-_OneDrive_-_csrss.exe___4c7135b466d0d97fe0dce29650ed97f2.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1448

C:\Users\Admin\AppData\Local\Temp\kqegg.exe
"C:\Users\Admin\AppData\Local\Temp\kqegg.exe" C:\Users\Admin\AppData\Local\Temp\wvdthhroe.qae
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:560

C:\Users\Admin\AppData\Local\Temp\kqegg.exe
"C:\Users\Admin\AppData\Local\Temp\kqegg.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1104

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:940

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dvnlw.sq
Filesize
185KB

MD5
96d4bdf2e55c695f32c41a6f33a7a98c

SHA1
23a374f703723ef2ebfe7f6d8338a705d7c8a6b4

SHA256
9c000d4b6530199eca0fe0a900c5db8807e4e13b740619e25b622694a629b5a1

SHA512
59475292a1ad844126099e713f31d61ae756f7c0e50e95be3cf1dbf9841995a254b6d1cb00fa1ba783cf2043713c46e6c40fe0ecad45c504ac0c82ed42970170

Download Submit
C:\Users\Admin\AppData\Local\Temp\kqegg.exe
Filesize
276KB

MD5
b7b47839865c6fc7a47965cb0a15ede7

SHA1
04cbdc9da3b625484f3276762abf9516f1797197

SHA256
ff9c7f0f6b66da24407bfc7861618fdc4c0932c00165389ccf218c3cf385641c

SHA512
d6a83edfdea850c53500f0c3a8857d01cd018a31dc719577fce908ee84de2d61a5a762485b7aa6db12e82da92e38a803dfb06c45ddaa629a10dbf91538e83c1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kqegg.exe
Filesize
276KB

MD5
b7b47839865c6fc7a47965cb0a15ede7

SHA1
04cbdc9da3b625484f3276762abf9516f1797197

SHA256
ff9c7f0f6b66da24407bfc7861618fdc4c0932c00165389ccf218c3cf385641c

SHA512
d6a83edfdea850c53500f0c3a8857d01cd018a31dc719577fce908ee84de2d61a5a762485b7aa6db12e82da92e38a803dfb06c45ddaa629a10dbf91538e83c1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kqegg.exe
Filesize
276KB

MD5
b7b47839865c6fc7a47965cb0a15ede7

SHA1
04cbdc9da3b625484f3276762abf9516f1797197

SHA256
ff9c7f0f6b66da24407bfc7861618fdc4c0932c00165389ccf218c3cf385641c

SHA512
d6a83edfdea850c53500f0c3a8857d01cd018a31dc719577fce908ee84de2d61a5a762485b7aa6db12e82da92e38a803dfb06c45ddaa629a10dbf91538e83c1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wvdthhroe.qae
Filesize
5KB

MD5
c7765f682b89ddbbc6a38ca8847d987c

SHA1
e9f8f90ac19b207a702321f10f136b96d7984bf6

SHA256
d0963fe8c05f93ce2ab565cac70972e0c64bd746b640c1cb19221e60a6298363

SHA512
b5c90356b83baa78d60d4316bdb03d9bfd91730c033d6108617aa3133da9a96dae37177241bb5d13c1379adfbb979d5391f70d177f05f69068c37c9779f24a0c

Download Submit
\Users\Admin\AppData\Local\Temp\kqegg.exe
Filesize
276KB

MD5
b7b47839865c6fc7a47965cb0a15ede7

SHA1
04cbdc9da3b625484f3276762abf9516f1797197

SHA256
ff9c7f0f6b66da24407bfc7861618fdc4c0932c00165389ccf218c3cf385641c

SHA512
d6a83edfdea850c53500f0c3a8857d01cd018a31dc719577fce908ee84de2d61a5a762485b7aa6db12e82da92e38a803dfb06c45ddaa629a10dbf91538e83c1c

Download Submit
\Users\Admin\AppData\Local\Temp\kqegg.exe
Filesize
276KB

MD5
b7b47839865c6fc7a47965cb0a15ede7

SHA1
04cbdc9da3b625484f3276762abf9516f1797197

SHA256
ff9c7f0f6b66da24407bfc7861618fdc4c0932c00165389ccf218c3cf385641c

SHA512
d6a83edfdea850c53500f0c3a8857d01cd018a31dc719577fce908ee84de2d61a5a762485b7aa6db12e82da92e38a803dfb06c45ddaa629a10dbf91538e83c1c

Download Submit
\Users\Admin\AppData\Local\Temp\kqegg.exe
Filesize
276KB

MD5
b7b47839865c6fc7a47965cb0a15ede7

SHA1
04cbdc9da3b625484f3276762abf9516f1797197

SHA256
ff9c7f0f6b66da24407bfc7861618fdc4c0932c00165389ccf218c3cf385641c

SHA512
d6a83edfdea850c53500f0c3a8857d01cd018a31dc719577fce908ee84de2d61a5a762485b7aa6db12e82da92e38a803dfb06c45ddaa629a10dbf91538e83c1c

Download Submit
memory/560-57-0x0000000000000000-mapping.dmp

Download
memory/940-75-0x00000000000C0000-0x00000000000ED000-memory.dmp

Filesize
180KB

Download
memory/940-76-0x0000000001F70000-0x0000000002273000-memory.dmp

Filesize
3.0MB

Download
memory/940-80-0x00000000000C0000-0x00000000000ED000-memory.dmp

Filesize
180KB

Download
memory/940-78-0x0000000000940000-0x00000000009CF000-memory.dmp

Filesize
572KB

Download
memory/940-74-0x0000000000B60000-0x0000000000B67000-memory.dmp

Filesize
28KB

Download
memory/940-72-0x0000000000000000-mapping.dmp

Download
memory/1104-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1104-70-0x0000000000490000-0x00000000004A0000-memory.dmp

Filesize
64KB

Download
memory/1104-68-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/1104-73-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1104-67-0x0000000000750000-0x0000000000A53000-memory.dmp

Filesize
3.0MB

Download
memory/1104-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1104-63-0x00000000004012B0-mapping.dmp

Download
memory/1232-71-0x0000000006420000-0x000000000656E000-memory.dmp

Filesize
1.3MB

Download
memory/1232-77-0x0000000006420000-0x000000000656E000-memory.dmp

Filesize
1.3MB

Download
memory/1232-69-0x0000000005EC0000-0x0000000006013000-memory.dmp

Filesize
1.3MB

Download
memory/1232-79-0x0000000004100000-0x0000000004244000-memory.dmp

Filesize
1.3MB

Download
memory/1232-81-0x0000000004100000-0x0000000004244000-memory.dmp

Filesize
1.3MB

Download
memory/1448-54-0x0000000075441000-0x0000000075443000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads