formbook | 306e86d6c586c3a6a52ed61b426b1e2520671b95b54510fb3faede2f499801d0

General

Target

306e86d6c586c3a6a52ed61b426b1e2520671b95b54510fb3faede2f499801d0.exe
Size

535KB
MD5

5c6d494467d89ff50a77cc878c8c9539
SHA1

11618f354cc30d7a5716a687b9384138a0f46b5b
SHA256

306e86d6c586c3a6a52ed61b426b1e2520671b95b54510fb3faede2f499801d0
SHA512

6ed42edf100c076f422231c55e5df1ca9d1dda8c139fe7a19748f97685469c2a3042b9b23d222ea26c68a216c596b5084d4dc16238382cc7c3d0bad9e82c9394
SSDEEP

6144:/kw+0xk6e96C2U/2aqg9JBP/gr0TdFpyI7a5SQ/GBQDLJCoF7PdcUFauRugGcSnu:slzAKpgCb7kSQKQXJ7tF34gNV

Score

10^/10

formbook m9ae persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

m9ae

Decoy

nWTQpX6TYm6dfT3Lcw==

7JaBLgMm8EKn2AlTy5Ksj4Jq

yWRJIhE3viQgqEpZS3o=

ES9dFo0bytF8vlvRcg==

aX/aBZn29pD+cg==

lU64sYOZV7ZVpUy1ag==

9BpOCYAPv8L8TyIFAiTp2PSqLg==

uEJ2RyQ1BcBXfFr8kT5Z1KV0

oVM42Ury9pD+cg==

0Zl3VkcuKaY+

OjZeGI8dw67Z6eWtnOoBfoI=

ytwFn9j4i+N8nKYRSgcfh3xn5LU=

xMb1+YkOyxmbxJ53JsP7Pg==

HODQpzTBS1gVoi4X0hStKQ==

fQ417ycwD+ziKt1u0hStKQ==

nsApOqE62sA8uS735uCXVP+YcrQ=

4aobG3oZ3AHqTPs=

P2LEwJatZbQZUTayTW0=

/bopO7NR6clCfT3Lcw==

bBxRRkFY01R+20pZS3o=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

tqlhmoflq.exetqlhmoflq.exe

pid process

312 tqlhmoflq.exe
3384 tqlhmoflq.exe

pid	process
312	tqlhmoflq.exe
3384	tqlhmoflq.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tqlhmoflq.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	tqlhmoflq.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tqlhmoflq.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qjakvdcpmud = "C:\\Users\\Admin\\AppData\\Roaming\\xtgsdlfsmuyw\\gbcpcfqjpc.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\tqlhmoflq.exe\" C:\\Users\\Admin\\AppDat"	tqlhmoflq.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

tqlhmoflq.exetqlhmoflq.exe

description	pid	process	target process
PID 312 set thread context of 3384	312	tqlhmoflq.exe	tqlhmoflq.exe
PID 3384 set thread context of 792	3384	tqlhmoflq.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

tqlhmoflq.exehelp.exe

pid	process
3384	tqlhmoflq.exe
3384	tqlhmoflq.exe
3384	tqlhmoflq.exe
3384	tqlhmoflq.exe
3384	tqlhmoflq.exe
3384	tqlhmoflq.exe
3384	tqlhmoflq.exe
3384	tqlhmoflq.exe
2972	help.exe
2972	help.exe
2972	help.exe
2972	help.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

tqlhmoflq.exetqlhmoflq.exehelp.exe

pid process

312 tqlhmoflq.exe
3384 tqlhmoflq.exe
3384 tqlhmoflq.exe
3384 tqlhmoflq.exe
2972 help.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tqlhmoflq.exehelp.exe

description pid process

Token: SeDebugPrivilege 3384 tqlhmoflq.exe
Token: SeDebugPrivilege 2972 help.exe

pid	process
312	tqlhmoflq.exe
3384	tqlhmoflq.exe
3384	tqlhmoflq.exe
3384	tqlhmoflq.exe
2972	help.exe

description	pid	process
Token: SeDebugPrivilege	3384	tqlhmoflq.exe
Token: SeDebugPrivilege	2972	help.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

306e86d6c586c3a6a52ed61b426b1e2520671b95b54510fb3faede2f499801d0.exetqlhmoflq.exeExplorer.EXE

description	pid	process	target process
PID 4524 wrote to memory of 312	4524	306e86d6c586c3a6a52ed61b426b1e2520671b95b54510fb3faede2f499801d0.exe	tqlhmoflq.exe
PID 4524 wrote to memory of 312	4524	306e86d6c586c3a6a52ed61b426b1e2520671b95b54510fb3faede2f499801d0.exe	tqlhmoflq.exe
PID 4524 wrote to memory of 312	4524	306e86d6c586c3a6a52ed61b426b1e2520671b95b54510fb3faede2f499801d0.exe	tqlhmoflq.exe
PID 312 wrote to memory of 3384	312	tqlhmoflq.exe	tqlhmoflq.exe
PID 312 wrote to memory of 3384	312	tqlhmoflq.exe	tqlhmoflq.exe
PID 312 wrote to memory of 3384	312	tqlhmoflq.exe	tqlhmoflq.exe
PID 312 wrote to memory of 3384	312	tqlhmoflq.exe	tqlhmoflq.exe
PID 792 wrote to memory of 2972	792	Explorer.EXE	help.exe
PID 792 wrote to memory of 2972	792	Explorer.EXE	help.exe
PID 792 wrote to memory of 2972	792	Explorer.EXE	help.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:792

C:\Users\Admin\AppData\Local\Temp\306e86d6c586c3a6a52ed61b426b1e2520671b95b54510fb3faede2f499801d0.exe
"C:\Users\Admin\AppData\Local\Temp\306e86d6c586c3a6a52ed61b426b1e2520671b95b54510fb3faede2f499801d0.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4524

C:\Users\Admin\AppData\Local\Temp\tqlhmoflq.exe
"C:\Users\Admin\AppData\Local\Temp\tqlhmoflq.exe" C:\Users\Admin\AppData\Local\Temp\pmxskx.hap
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:312

C:\Users\Admin\AppData\Local\Temp\tqlhmoflq.exe
"C:\Users\Admin\AppData\Local\Temp\tqlhmoflq.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3384

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2972

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\glolpx.d
Filesize
185KB

MD5
8da1a70786ac6e4f3dfb388eb1fd8afc

SHA1
5ba11c38ed1053aeaac158dff30a803a4d4410a8

SHA256
63eb014dd1a10b91067357e5692397ab1464bf3b146ba9baf199fe48ec5ac7c6

SHA512
b57314d2bd94d93b635f8c14aa67259915153b2aa238c1445e5d5b00a5cd6cd7dc250ea9ac499169ee85c99c9cf4e3e6bce986cfaa97c865afd2d6813d5efffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\pmxskx.hap
Filesize
7KB

MD5
418b6039126a6cbb2921062ad20f4647

SHA1
505d64913e58eedfdbe0adc5d88385d36f3470fd

SHA256
6c069ae01b50d2553e568d274dbcb015f9ec95f3ef25283a7182f6c532cf9435

SHA512
4cf5e5e57d0352231bddf83b3f335d6ca359cb48480fb974dfe0133eba8171a5745fa65e22b8cbdfcaafc6e77ac366ee0d71aea7bcc27682ae67bcf9434cadeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tqlhmoflq.exe
Filesize
287KB

MD5
b1710f487cd6c24bd3eaa637f90198ab

SHA1
0c9b0b875ffc7497a25236c50dd17e676c8aa098

SHA256
443c686a4a3eae981c5dce9b6f56ec291aec1bc52fce378fca7f67c4723e9cb0

SHA512
26b38d31b5e4ca4dc84749428cb443669547a5e0300479aa83c6ca4072aaef34fca3bf3d53b86a6b01268d378a62432cdd2c22b90fcb16473803d6fc48eeb3c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tqlhmoflq.exe
Filesize
287KB

MD5
b1710f487cd6c24bd3eaa637f90198ab

SHA1
0c9b0b875ffc7497a25236c50dd17e676c8aa098

SHA256
443c686a4a3eae981c5dce9b6f56ec291aec1bc52fce378fca7f67c4723e9cb0

SHA512
26b38d31b5e4ca4dc84749428cb443669547a5e0300479aa83c6ca4072aaef34fca3bf3d53b86a6b01268d378a62432cdd2c22b90fcb16473803d6fc48eeb3c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tqlhmoflq.exe
Filesize
287KB

MD5
b1710f487cd6c24bd3eaa637f90198ab

SHA1
0c9b0b875ffc7497a25236c50dd17e676c8aa098

SHA256
443c686a4a3eae981c5dce9b6f56ec291aec1bc52fce378fca7f67c4723e9cb0

SHA512
26b38d31b5e4ca4dc84749428cb443669547a5e0300479aa83c6ca4072aaef34fca3bf3d53b86a6b01268d378a62432cdd2c22b90fcb16473803d6fc48eeb3c9

Download Submit
memory/312-132-0x0000000000000000-mapping.dmp

Download
memory/792-144-0x00000000085C0000-0x0000000008748000-memory.dmp

Filesize
1.5MB

Download
memory/2972-145-0x0000000000000000-mapping.dmp

Download
memory/2972-146-0x0000000000D00000-0x000000000104A000-memory.dmp

Filesize
3.3MB

Download
memory/2972-147-0x0000000000CF0000-0x0000000000CF7000-memory.dmp

Filesize
28KB

Download
memory/2972-148-0x00000000004B0000-0x00000000004DD000-memory.dmp

Filesize
180KB

Download
memory/3384-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3384-140-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/3384-141-0x00000000011E0000-0x000000000152A000-memory.dmp

Filesize
3.3MB

Download
memory/3384-142-0x0000000000422000-0x0000000000424000-memory.dmp

Filesize
8KB

Download
memory/3384-143-0x00000000007F0000-0x0000000000800000-memory.dmp

Filesize
64KB

Download
memory/3384-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads