formbook | 81276296b6d3afcded72b489d0d5b9c7e6e7a13569e3868f6c063489318d2a9c

General

Target

103.133.110.147_-_OneDrive_-_csrss.exe___4c7135b466d0d97fe0dce29650ed97f2.exe
Size

333KB
MD5

4c7135b466d0d97fe0dce29650ed97f2
SHA1

fde47b76280185cd1d39e9d22aed3d8e0047814f
SHA256

81276296b6d3afcded72b489d0d5b9c7e6e7a13569e3868f6c063489318d2a9c
SHA512

bb0820a6ee336942a3a06da0cc2bdc49ea870cde63ff0972ce1559531e473c256590826bd6b4ac5afe913748a4b07d2a7a4be0b4b1d047a7ba5d416329aaa91b
SSDEEP

6144:9kw5wnBY2pNRJapeMSZE2dcEtJI5WwYFJ0oPsMf48ZKXQm1s:YBfpf+eMSZ37keP0m1KX8

Score

10^/10

formbook f4ca rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

f4ca

Decoy

omFHB5ajfJi1UEIEV9XcoRw=

UBjJkmQPyprdhcFF/bdCWQ==

evGKkBUj1je+otcfpw==

KgvGVeOATSt3nug0BIOm2JvOQycB

Lv6o3K0r9aSjI0lr9fg1txw=

LH1jJb/HieQpsEdqWCQTvX2PmsDVIeg=

99dte0XauJfk6Xv+uQxJFgA1gMktBA==

21FkkGB9gMniDQw2ffu6

r4lKBM/q6TZwVZfS

F+14qHeVWi56KdQ=

BgWXRsVoICMvvQ==

I+EozFl0Uy56KdQ=

xoXCgEllKEbWfjFCCLo=

qo9G1lXvvGt5GkxrLQWw

ORNlYic0PJ2ip4geEFSv

Yj+GFpvFxy0uVYx1fLI/XQ==

XL+veIKPjOTe4fjvFs+n

D2JKVAfuakXCAyoEvw==

voWJU81tH56wvt/vImbCcgVd

dVEcwFrmb8bZ4vXvFs+n

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

kqegg.exekqegg.exe

pid process

1952 kqegg.exe
2696 kqegg.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

kqegg.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation kqegg.exe

pid	process
1952	kqegg.exe
2696	kqegg.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	kqegg.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

kqegg.exekqegg.exenetsh.exe

description	pid	process	target process
PID 1952 set thread context of 2696	1952	kqegg.exe	kqegg.exe
PID 2696 set thread context of 2016	2696	kqegg.exe	Explorer.EXE
PID 2696 set thread context of 2016	2696	kqegg.exe	Explorer.EXE
PID 4548 set thread context of 2016	4548	netsh.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

netsh.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	netsh.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

kqegg.exenetsh.exe

pid	process
2696	kqegg.exe
2696	kqegg.exe
2696	kqegg.exe
2696	kqegg.exe
2696	kqegg.exe
2696	kqegg.exe
2696	kqegg.exe
2696	kqegg.exe
2696	kqegg.exe
2696	kqegg.exe
4548	netsh.exe
4548	netsh.exe
4548	netsh.exe
4548	netsh.exe
4548	netsh.exe
4548	netsh.exe
4548	netsh.exe
4548	netsh.exe
4548	netsh.exe
4548	netsh.exe
4548	netsh.exe
4548	netsh.exe
4548	netsh.exe
4548	netsh.exe
4548	netsh.exe
4548	netsh.exe
4548	netsh.exe
4548	netsh.exe
4548	netsh.exe
4548	netsh.exe
4548	netsh.exe
4548	netsh.exe
4548	netsh.exe
4548	netsh.exe
4548	netsh.exe
4548	netsh.exe
4548	netsh.exe
4548	netsh.exe
4548	netsh.exe
4548	netsh.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2016 Explorer.EXE
Suspicious behavior: MapViewOfSection 9 IoCs

Processes:

kqegg.exekqegg.exenetsh.exe

pid process

1952 kqegg.exe
2696 kqegg.exe
2696 kqegg.exe
2696 kqegg.exe
2696 kqegg.exe
4548 netsh.exe
4548 netsh.exe
4548 netsh.exe
4548 netsh.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

kqegg.exenetsh.exe

description pid process

Token: SeDebugPrivilege 2696 kqegg.exe
Token: SeDebugPrivilege 4548 netsh.exe

pid	process
2016	Explorer.EXE

pid	process
1952	kqegg.exe
2696	kqegg.exe
2696	kqegg.exe
2696	kqegg.exe
2696	kqegg.exe
4548	netsh.exe
4548	netsh.exe
4548	netsh.exe
4548	netsh.exe

description	pid	process
Token: SeDebugPrivilege	2696	kqegg.exe
Token: SeDebugPrivilege	4548	netsh.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

103.133.110.147_-_OneDrive_-_csrss.exe___4c7135b466d0d97fe0dce29650ed97f2.exekqegg.exeExplorer.EXEnetsh.exe

description	pid	process	target process
PID 1912 wrote to memory of 1952	1912	103.133.110.147_-_OneDrive_-_csrss.exe___4c7135b466d0d97fe0dce29650ed97f2.exe	kqegg.exe
PID 1912 wrote to memory of 1952	1912	103.133.110.147_-_OneDrive_-_csrss.exe___4c7135b466d0d97fe0dce29650ed97f2.exe	kqegg.exe
PID 1912 wrote to memory of 1952	1912	103.133.110.147_-_OneDrive_-_csrss.exe___4c7135b466d0d97fe0dce29650ed97f2.exe	kqegg.exe
PID 1952 wrote to memory of 2696	1952	kqegg.exe	kqegg.exe
PID 1952 wrote to memory of 2696	1952	kqegg.exe	kqegg.exe
PID 1952 wrote to memory of 2696	1952	kqegg.exe	kqegg.exe
PID 1952 wrote to memory of 2696	1952	kqegg.exe	kqegg.exe
PID 2016 wrote to memory of 4548	2016	Explorer.EXE	netsh.exe
PID 2016 wrote to memory of 4548	2016	Explorer.EXE	netsh.exe
PID 2016 wrote to memory of 4548	2016	Explorer.EXE	netsh.exe
PID 2016 wrote to memory of 2460	2016	Explorer.EXE	control.exe
PID 2016 wrote to memory of 2460	2016	Explorer.EXE	control.exe
PID 2016 wrote to memory of 2460	2016	Explorer.EXE	control.exe
PID 4548 wrote to memory of 3780	4548	netsh.exe	Firefox.exe
PID 4548 wrote to memory of 3780	4548	netsh.exe	Firefox.exe
PID 4548 wrote to memory of 3780	4548	netsh.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\AppData\Local\Temp\103.133.110.147_-_OneDrive_-_csrss.exe___4c7135b466d0d97fe0dce29650ed97f2.exe
"C:\Users\Admin\AppData\Local\Temp\103.133.110.147_-_OneDrive_-_csrss.exe___4c7135b466d0d97fe0dce29650ed97f2.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1912

C:\Users\Admin\AppData\Local\Temp\kqegg.exe
"C:\Users\Admin\AppData\Local\Temp\kqegg.exe" C:\Users\Admin\AppData\Local\Temp\wvdthhroe.qae
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1952

C:\Users\Admin\AppData\Local\Temp\kqegg.exe
"C:\Users\Admin\AppData\Local\Temp\kqegg.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2696

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
PID:2460

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4548

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:3780

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dvnlw.sq
Filesize
185KB

MD5
96d4bdf2e55c695f32c41a6f33a7a98c

SHA1
23a374f703723ef2ebfe7f6d8338a705d7c8a6b4

SHA256
9c000d4b6530199eca0fe0a900c5db8807e4e13b740619e25b622694a629b5a1

SHA512
59475292a1ad844126099e713f31d61ae756f7c0e50e95be3cf1dbf9841995a254b6d1cb00fa1ba783cf2043713c46e6c40fe0ecad45c504ac0c82ed42970170

Download Submit
C:\Users\Admin\AppData\Local\Temp\kqegg.exe
Filesize
276KB

MD5
b7b47839865c6fc7a47965cb0a15ede7

SHA1
04cbdc9da3b625484f3276762abf9516f1797197

SHA256
ff9c7f0f6b66da24407bfc7861618fdc4c0932c00165389ccf218c3cf385641c

SHA512
d6a83edfdea850c53500f0c3a8857d01cd018a31dc719577fce908ee84de2d61a5a762485b7aa6db12e82da92e38a803dfb06c45ddaa629a10dbf91538e83c1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kqegg.exe
Filesize
276KB

MD5
b7b47839865c6fc7a47965cb0a15ede7

SHA1
04cbdc9da3b625484f3276762abf9516f1797197

SHA256
ff9c7f0f6b66da24407bfc7861618fdc4c0932c00165389ccf218c3cf385641c

SHA512
d6a83edfdea850c53500f0c3a8857d01cd018a31dc719577fce908ee84de2d61a5a762485b7aa6db12e82da92e38a803dfb06c45ddaa629a10dbf91538e83c1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kqegg.exe
Filesize
276KB

MD5
b7b47839865c6fc7a47965cb0a15ede7

SHA1
04cbdc9da3b625484f3276762abf9516f1797197

SHA256
ff9c7f0f6b66da24407bfc7861618fdc4c0932c00165389ccf218c3cf385641c

SHA512
d6a83edfdea850c53500f0c3a8857d01cd018a31dc719577fce908ee84de2d61a5a762485b7aa6db12e82da92e38a803dfb06c45ddaa629a10dbf91538e83c1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wvdthhroe.qae
Filesize
5KB

MD5
c7765f682b89ddbbc6a38ca8847d987c

SHA1
e9f8f90ac19b207a702321f10f136b96d7984bf6

SHA256
d0963fe8c05f93ce2ab565cac70972e0c64bd746b640c1cb19221e60a6298363

SHA512
b5c90356b83baa78d60d4316bdb03d9bfd91730c033d6108617aa3133da9a96dae37177241bb5d13c1379adfbb979d5391f70d177f05f69068c37c9779f24a0c

Download Submit
memory/1952-132-0x0000000000000000-mapping.dmp

Download
memory/2016-143-0x0000000002790000-0x0000000002857000-memory.dmp

Filesize
796KB

Download
memory/2016-155-0x0000000002860000-0x0000000002948000-memory.dmp

Filesize
928KB

Download
memory/2016-153-0x0000000002860000-0x0000000002948000-memory.dmp

Filesize
928KB

Download
memory/2016-147-0x0000000002790000-0x0000000002857000-memory.dmp

Filesize
796KB

Download
memory/2016-146-0x0000000007070000-0x00000000071C3000-memory.dmp

Filesize
1.3MB

Download
memory/2696-144-0x0000000000AE0000-0x0000000000AF0000-memory.dmp

Filesize
64KB

Download
memory/2696-142-0x0000000000590000-0x00000000005A0000-memory.dmp

Filesize
64KB

Download
memory/2696-145-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2696-141-0x0000000000B20000-0x0000000000E6A000-memory.dmp

Filesize
3.3MB

Download
memory/2696-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2696-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2696-137-0x0000000000000000-mapping.dmp

Download
memory/4548-148-0x0000000000000000-mapping.dmp

Download
memory/4548-149-0x0000000000890000-0x00000000008AE000-memory.dmp

Filesize
120KB

Download
memory/4548-150-0x0000000000FC0000-0x0000000000FED000-memory.dmp

Filesize
180KB

Download
memory/4548-151-0x0000000001890000-0x0000000001BDA000-memory.dmp

Filesize
3.3MB

Download
memory/4548-152-0x00000000016B0000-0x000000000173F000-memory.dmp

Filesize
572KB

Download
memory/4548-154-0x0000000000FC0000-0x0000000000FED000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads