formbook | 0f271e19f44c1a2535e2010c6c9d25cacfba120bd75fab85e01feebe961dd4c7

General

Target

Outstanding SOA.exe
Size

601KB
MD5

5b18fe7d9aa3fdcdec0d0932827f7b05
SHA1

104e5d48286576742b08a760d208ce13ad141594
SHA256

0f271e19f44c1a2535e2010c6c9d25cacfba120bd75fab85e01feebe961dd4c7
SHA512

871820be64509b04dd7fd35d7e44204050801a9157836fc9ddfaedf83a1aa6d583bd0541753caa9b78e6b2c425e2e7487e5e223d5bcdcbb95d5b7bca0186db53
SSDEEP

12288:1Z+9tvUmtBrASq86QaJZ76qIJgNhU3aHHI1S8WDcKEBkKmYu8gWd78rrYk3S:b+vvLo86QMZ7QQuoT8WYu8Rd78r8

Score

10^/10

formbook scse persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

scse

Decoy

SKpYFyVNT2zunKf0uuM=

FlEHUseI7I5XbrO8fR/XBcS9ZA==

FPuxoUOxkLiATugw

VKdxsDSk0jdT5Kw=

FpqHf9iI/1tl97E=

YGI6sIl3UIxfZvlD+JiUuuLR

oBAEO0suBEAD5aK00A==

RKJqTzg4gQ/Q6DYSuTjDGkwuyl0ik5Kb8w==

VFg9s3W0/Ype8A3cZb+D7g==

hwD+VNd6014nrsaTWm4FBcS9ZA==

zkAdUq1soKYUfZaTqLmL

XVQ9WbRivUIQ477a/hKv+g==

QireF2geizAwmp674AGc5g==

PSTUQxs6j8OATugw

LHJhyy2VbX8NEqf0uuM=

MiY1vg6T3HqATugw

wqkUjaVXnGgBqA==

jUr/eUtSIT01Wegt

PjQidcqKzAbSZICUZb+D7g==

OkAmcv12sUEAIHwFHakzdIo2FPHw

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

rnpjg.exernpjg.exe

pid process

2952 rnpjg.exe
4948 rnpjg.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

rnpjg.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation rnpjg.exe

pid	process
2952	rnpjg.exe
4948	rnpjg.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	rnpjg.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rnpjg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fraqedsp = "C:\\Users\\Admin\\AppData\\Roaming\\ijgmkirxgg\\gtbkyhm.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\rnpjg.exe\" \"C:\\Users\\Admin\\AppData\\Local\\"	rnpjg.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

rnpjg.exernpjg.execscript.exe

description	pid	process	target process
PID 2952 set thread context of 4948	2952	rnpjg.exe	rnpjg.exe
PID 4948 set thread context of 2468	4948	rnpjg.exe	Explorer.EXE
PID 4948 set thread context of 2468	4948	rnpjg.exe	Explorer.EXE
PID 1320 set thread context of 2468	1320	cscript.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

1956 NETSTAT.EXE

pid	process
1956	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

rnpjg.execscript.exe

pid	process
4948	rnpjg.exe
4948	rnpjg.exe
4948	rnpjg.exe
4948	rnpjg.exe
4948	rnpjg.exe
4948	rnpjg.exe
4948	rnpjg.exe
4948	rnpjg.exe
4948	rnpjg.exe
4948	rnpjg.exe
1320	cscript.exe
1320	cscript.exe
1320	cscript.exe
1320	cscript.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

rnpjg.exernpjg.execscript.exe

pid process

2952 rnpjg.exe
4948 rnpjg.exe
4948 rnpjg.exe
4948 rnpjg.exe
4948 rnpjg.exe
1320 cscript.exe
1320 cscript.exe

pid	process
2952	rnpjg.exe
4948	rnpjg.exe
4948	rnpjg.exe
4948	rnpjg.exe
4948	rnpjg.exe
1320	cscript.exe
1320	cscript.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

rnpjg.exeExplorer.EXEcscript.exe

description	pid	process
Token: SeDebugPrivilege	4948	rnpjg.exe
Token: SeShutdownPrivilege	2468	Explorer.EXE
Token: SeCreatePagefilePrivilege	2468	Explorer.EXE
Token: SeDebugPrivilege	1320	cscript.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

rnpjg.exe

pid process

2952 rnpjg.exe
2952 rnpjg.exe
2952 rnpjg.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

rnpjg.exe

pid process

2952 rnpjg.exe
2952 rnpjg.exe
2952 rnpjg.exe

pid	process
2952	rnpjg.exe
2952	rnpjg.exe
2952	rnpjg.exe

pid	process
2952	rnpjg.exe
2952	rnpjg.exe
2952	rnpjg.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

Outstanding SOA.exernpjg.exeExplorer.EXErnpjg.exe

description	pid	process	target process
PID 4380 wrote to memory of 2952	4380	Outstanding SOA.exe	rnpjg.exe
PID 4380 wrote to memory of 2952	4380	Outstanding SOA.exe	rnpjg.exe
PID 4380 wrote to memory of 2952	4380	Outstanding SOA.exe	rnpjg.exe
PID 2952 wrote to memory of 4948	2952	rnpjg.exe	rnpjg.exe
PID 2952 wrote to memory of 4948	2952	rnpjg.exe	rnpjg.exe
PID 2952 wrote to memory of 4948	2952	rnpjg.exe	rnpjg.exe
PID 2952 wrote to memory of 4948	2952	rnpjg.exe	rnpjg.exe
PID 2468 wrote to memory of 1276	2468	Explorer.EXE	mstsc.exe
PID 2468 wrote to memory of 1276	2468	Explorer.EXE	mstsc.exe
PID 2468 wrote to memory of 1276	2468	Explorer.EXE	mstsc.exe
PID 2468 wrote to memory of 1956	2468	Explorer.EXE	NETSTAT.EXE
PID 2468 wrote to memory of 1956	2468	Explorer.EXE	NETSTAT.EXE
PID 2468 wrote to memory of 1956	2468	Explorer.EXE	NETSTAT.EXE
PID 4948 wrote to memory of 1320	4948	rnpjg.exe	cscript.exe
PID 4948 wrote to memory of 1320	4948	rnpjg.exe	cscript.exe
PID 4948 wrote to memory of 1320	4948	rnpjg.exe	cscript.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2468

C:\Users\Admin\AppData\Local\Temp\Outstanding SOA.exe
"C:\Users\Admin\AppData\Local\Temp\Outstanding SOA.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4380

C:\Users\Admin\AppData\Local\Temp\rnpjg.exe
"C:\Users\Admin\AppData\Local\Temp\rnpjg.exe" "C:\Users\Admin\AppData\Local\Temp\zmcinw.au3"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2952

C:\Users\Admin\AppData\Local\Temp\rnpjg.exe
"C:\Users\Admin\AppData\Local\Temp\rnpjg.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4948

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Gathers network information
PID:1956

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
2⤵
PID:1276

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\alctbc.kyq
Filesize
184KB

MD5
73d4c92a0cb55a83cf0e4b08879c4080

SHA1
ea27c6e1f86b6469dea6e0392af690c7ac332cd0

SHA256
f6454a96452a2142a954b0e27a9ffffa9a3b7a15bfdfacfd7394bd4575897147

SHA512
1233e3d6158fafdbc4dadc5f36081fbbbe5d6a794b3cee4bf9f1251518c0f088a27b44cd44cdb63a91d38041d8ebe85007b08e08311f9af61363f933126208af

Download Submit
C:\Users\Admin\AppData\Local\Temp\opkjlsm.tem
Filesize
71KB

MD5
b009dc657334b7c5620e3f69b67c52d8

SHA1
2b627181e4604e43f0e5940685c906af2f934ebd

SHA256
e27c476fe94f05e6071774ae78face8e7aa210017d82fc2b730ed9a4225190f4

SHA512
61e21eb90d14e2c6dcdb5663bdad813dc3acba3d464ec6beca244e43d1201e6959e82f2b2d4d3ea33088a330b439f364a2bc1c8b9a34e931a30b0f133a633a27

Download Submit
C:\Users\Admin\AppData\Local\Temp\rnpjg.exe
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\rnpjg.exe
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\rnpjg.exe
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zmcinw.au3
Filesize
5KB

MD5
117023ca6c9d048889527b2fa88b8389

SHA1
ac25454c352cd8ca72dd78a998a83bacdc157669

SHA256
7e4adc51d85f01a9f32511a94ac5e80489feb54039128697943c00cecf8d59ac

SHA512
bc200140dd1552c55b7fa10f21715b4a881d8a331c073ba5368544c5efede85b1f1242b58eb31505415cb195203cdf7f3cd99de758af1717aed91e092c44e0a8

Download Submit
memory/1320-156-0x00000000005C0000-0x00000000005ED000-memory.dmp

Filesize
180KB

Download
memory/1320-155-0x0000000002870000-0x00000000028FF000-memory.dmp

Filesize
572KB

Download
memory/1320-154-0x0000000002960000-0x0000000002CAA000-memory.dmp

Filesize
3.3MB

Download
memory/1320-152-0x0000000000C20000-0x0000000000C47000-memory.dmp

Filesize
156KB

Download
memory/1320-153-0x00000000005C0000-0x00000000005ED000-memory.dmp

Filesize
180KB

Download
memory/1320-149-0x0000000000000000-mapping.dmp

Download
memory/2468-157-0x0000000007E30000-0x0000000007F1B000-memory.dmp

Filesize
940KB

Download
memory/2468-148-0x0000000002910000-0x0000000002A2D000-memory.dmp

Filesize
1.1MB

Download
memory/2468-145-0x0000000007770000-0x000000000790D000-memory.dmp

Filesize
1.6MB

Download
memory/2952-132-0x0000000000000000-mapping.dmp

Download
memory/4948-144-0x00000000009F0000-0x0000000000A00000-memory.dmp

Filesize
64KB

Download
memory/4948-147-0x0000000001600000-0x0000000001610000-memory.dmp

Filesize
64KB

Download
memory/4948-150-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4948-151-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/4948-146-0x0000000000422000-0x0000000000424000-memory.dmp

Filesize
8KB

Download
memory/4948-143-0x0000000000422000-0x0000000000424000-memory.dmp

Filesize
8KB

Download
memory/4948-142-0x0000000001640000-0x000000000198A000-memory.dmp

Filesize
3.3MB

Download
memory/4948-141-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/4948-140-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4948-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads