formbook | 76565bfaf2fe4e6ca50046fcd0cd13dd3ea45398a01a343bf9cec3cfe0998388

General

Target

RFQ PT089110.exe
Size

272KB
MD5

8ea739a14035ea523b015f33eafe6953
SHA1

228ee69b1fccea68b79f9c1a9bb9796882696cf3
SHA256

1a685538deaab9e0cfe393b43f4f08e48c076ce115911c46e93952a121322c87
SHA512

76d462569c16143c41ce75eb8e5f4f6304f32f42f939433752a5aa3fefcfa4550da8a55179dfef2d3eef0c6a41a9de8018de785669bfc6daf337a14323f98f2a
SSDEEP

6144:9kwrUMSvXxBADF+bVEN8fyqNkpHVtxgWljiXcU0GfJyqI2q:/UMEBBAAJVfjS1EWljiXcU0EJyqy

Score

10^/10

formbook m5oe rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

m5oe

Decoy

HdR8hG6r12hBYuHY4zv6YeeFPQ==

tD1V9gswYvgQXEGd

1xKtJ1LdqRYMRMC84U1A

MbhjiWb7Lz8z7KIWl3UyUIJwA6Tb

joVB5Xggy2RtE+odsZg=

TrduAIay6Y3SvoIK20xI

pSna7LOsXXwXT/zz3Iow4g==

QnthmO4Qst5gC3sDoA==

eAirzOOgO7SOCenz3Iow4g==

xg0uSbfLTg==

YWQXwyGRzPEHzGrDFE8CBSE=

ujLnfuXoH9dbgHIK20xI

291v0XsGFrYQXEGd

MRvTd/qMuaHpjCM=

X131fLC6VWX4MsvCb2IPjIfq8wlksWfg

Y9Bur8DbgqFt/Yni86MMCCE=

q6RTBmJkmy5pWTmmCCrvmuCDPw==

mQS26DojT+EQXEGd

sjHQ+Kav2Wx9FeodsZg=

JA24UKnTA5re1LhcQaVo/w==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

faclv.exefaclv.exe

pid process

860 faclv.exe
1988 faclv.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

faclv.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\Geo\Nation faclv.exe
Loads dropped DLL 3 IoCs

Processes:

RFQ PT089110.exefaclv.exeexplorer.exe

pid process

1248 RFQ PT089110.exe
860 faclv.exe
880 explorer.exe

pid	process
860	faclv.exe
1988	faclv.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\Geo\Nation	faclv.exe

pid	process
1248	RFQ PT089110.exe
860	faclv.exe
880	explorer.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

faclv.exefaclv.exeexplorer.exe

description	pid	process	target process
PID 860 set thread context of 1988	860	faclv.exe	faclv.exe
PID 1988 set thread context of 1444	1988	faclv.exe	Explorer.EXE
PID 880 set thread context of 1444	880	explorer.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	explorer.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

faclv.exeexplorer.exe

pid	process
1988	faclv.exe
1988	faclv.exe
1988	faclv.exe
1988	faclv.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe

Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

faclv.exefaclv.exeexplorer.exe

pid process

860 faclv.exe
1988 faclv.exe
1988 faclv.exe
1988 faclv.exe
880 explorer.exe
880 explorer.exe
880 explorer.exe
880 explorer.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

faclv.exeexplorer.exe

description pid process

Token: SeDebugPrivilege 1988 faclv.exe
Token: SeDebugPrivilege 880 explorer.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1444 Explorer.EXE
1444 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1444 Explorer.EXE
1444 Explorer.EXE

pid	process
860	faclv.exe
1988	faclv.exe
1988	faclv.exe
1988	faclv.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe
880	explorer.exe

description	pid	process
Token: SeDebugPrivilege	1988	faclv.exe
Token: SeDebugPrivilege	880	explorer.exe

pid	process
1444	Explorer.EXE
1444	Explorer.EXE

pid	process
1444	Explorer.EXE
1444	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

RFQ PT089110.exefaclv.exeExplorer.EXEexplorer.exe

description	pid	process	target process
PID 1248 wrote to memory of 860	1248	RFQ PT089110.exe	faclv.exe
PID 1248 wrote to memory of 860	1248	RFQ PT089110.exe	faclv.exe
PID 1248 wrote to memory of 860	1248	RFQ PT089110.exe	faclv.exe
PID 1248 wrote to memory of 860	1248	RFQ PT089110.exe	faclv.exe
PID 860 wrote to memory of 1988	860	faclv.exe	faclv.exe
PID 860 wrote to memory of 1988	860	faclv.exe	faclv.exe
PID 860 wrote to memory of 1988	860	faclv.exe	faclv.exe
PID 860 wrote to memory of 1988	860	faclv.exe	faclv.exe
PID 860 wrote to memory of 1988	860	faclv.exe	faclv.exe
PID 1444 wrote to memory of 880	1444	Explorer.EXE	explorer.exe
PID 1444 wrote to memory of 880	1444	Explorer.EXE	explorer.exe
PID 1444 wrote to memory of 880	1444	Explorer.EXE	explorer.exe
PID 1444 wrote to memory of 880	1444	Explorer.EXE	explorer.exe
PID 880 wrote to memory of 1476	880	explorer.exe	Firefox.exe
PID 880 wrote to memory of 1476	880	explorer.exe	Firefox.exe
PID 880 wrote to memory of 1476	880	explorer.exe	Firefox.exe
PID 880 wrote to memory of 1476	880	explorer.exe	Firefox.exe
PID 880 wrote to memory of 1476	880	explorer.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1444

C:\Users\Admin\AppData\Local\Temp\RFQ PT089110.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ PT089110.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1248

C:\Users\Admin\AppData\Local\Temp\faclv.exe
"C:\Users\Admin\AppData\Local\Temp\faclv.exe" C:\Users\Admin\AppData\Local\Temp\jjqrtywbglb.t
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:860

C:\Users\Admin\AppData\Local\Temp\faclv.exe
"C:\Users\Admin\AppData\Local\Temp\faclv.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:880

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1476

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\faclv.exe
Filesize
141KB

MD5
f88b0229271ec4a4962ade420916973f

SHA1
8c3eff757988b1b43213b85dd272af0289a85f2f

SHA256
e66c55f14ddcfb93aa5f236b67829bc4b43916e1ff84bf89ee90275bc873729e

SHA512
f09c5cc0a50169582d0578fb2959a15841394c2a391b7a31be8a6e2cd90586b37b18e39d3395e176a250ac5dbba1db091206c3b3364221ec92cde78a182dba53

Download Submit
C:\Users\Admin\AppData\Local\Temp\faclv.exe
Filesize
141KB

MD5
f88b0229271ec4a4962ade420916973f

SHA1
8c3eff757988b1b43213b85dd272af0289a85f2f

SHA256
e66c55f14ddcfb93aa5f236b67829bc4b43916e1ff84bf89ee90275bc873729e

SHA512
f09c5cc0a50169582d0578fb2959a15841394c2a391b7a31be8a6e2cd90586b37b18e39d3395e176a250ac5dbba1db091206c3b3364221ec92cde78a182dba53

Download Submit
C:\Users\Admin\AppData\Local\Temp\faclv.exe
Filesize
141KB

MD5
f88b0229271ec4a4962ade420916973f

SHA1
8c3eff757988b1b43213b85dd272af0289a85f2f

SHA256
e66c55f14ddcfb93aa5f236b67829bc4b43916e1ff84bf89ee90275bc873729e

SHA512
f09c5cc0a50169582d0578fb2959a15841394c2a391b7a31be8a6e2cd90586b37b18e39d3395e176a250ac5dbba1db091206c3b3364221ec92cde78a182dba53

Download Submit
C:\Users\Admin\AppData\Local\Temp\jjqrtywbglb.t
Filesize
5KB

MD5
c4da7b1938a01beace3d69275e1826f9

SHA1
bb7e8c0d6b9e404551d45e9d1701a49a6aa41eda

SHA256
7d1696aa4c800e800aa5b49124b66cc00e94d155e78cd06aece207a9d7b7e47d

SHA512
9a6493fb8eaee411248e0eb65b134baee7d2746d9ff0af493f7083c6403f80c1c0588971409e2c1a5d785b674b029eaf6122d2f60bce7cc16154d91947e97fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zhphjyjg.axk
Filesize
185KB

MD5
c290c052854d20566294229800e4471d

SHA1
eb4cef65b362a4ade2977078286e60b06551d2c3

SHA256
69c12b29ea58482fa5a07f00810e350c9436d40808f4b9bcc6567b32f8104255

SHA512
d199fc2fed053c1d5107084fd9930630bcb297ce281b3fdc62e83ecf641e62f1b9d64049b446f9d546347ca025305dd4f699defb1c661a1646dd9583a0207d7d

Download Submit
\Users\Admin\AppData\Local\Temp\faclv.exe
Filesize
141KB

MD5
f88b0229271ec4a4962ade420916973f

SHA1
8c3eff757988b1b43213b85dd272af0289a85f2f

SHA256
e66c55f14ddcfb93aa5f236b67829bc4b43916e1ff84bf89ee90275bc873729e

SHA512
f09c5cc0a50169582d0578fb2959a15841394c2a391b7a31be8a6e2cd90586b37b18e39d3395e176a250ac5dbba1db091206c3b3364221ec92cde78a182dba53

Download Submit
\Users\Admin\AppData\Local\Temp\faclv.exe
Filesize
141KB

MD5
f88b0229271ec4a4962ade420916973f

SHA1
8c3eff757988b1b43213b85dd272af0289a85f2f

SHA256
e66c55f14ddcfb93aa5f236b67829bc4b43916e1ff84bf89ee90275bc873729e

SHA512
f09c5cc0a50169582d0578fb2959a15841394c2a391b7a31be8a6e2cd90586b37b18e39d3395e176a250ac5dbba1db091206c3b3364221ec92cde78a182dba53

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
828KB

MD5
d5ea9b5814553bd2f9bbb8bf0ea94ed6

SHA1
29629836c088dcd968efb321832edcbcfaac5b51

SHA256
5ea67d6b7f67301ca214af511740f26b9e6cc9e16b2c0ec7bba071d05b9bde78

SHA512
6867452995c8354622fe22ce4fb4868d2b9cb28bb31aa60b42f06e494b952f66c427aa66c7af09240954bf55ebcde62d4c7feb9d99e742ea3bc5beb3756a7a1e

Download Submit
memory/860-56-0x0000000000000000-mapping.dmp

Download
memory/880-74-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/880-75-0x0000000002410000-0x0000000002713000-memory.dmp

Filesize
3.0MB

Download
memory/880-78-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/880-76-0x0000000000B10000-0x0000000000B9F000-memory.dmp

Filesize
572KB

Download
memory/880-73-0x0000000000BA0000-0x0000000000E21000-memory.dmp

Filesize
2.5MB

Download
memory/880-72-0x0000000074D11000-0x0000000074D13000-memory.dmp

Filesize
8KB

Download
memory/880-70-0x0000000000000000-mapping.dmp

Download
memory/1248-54-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download
memory/1444-69-0x0000000004840000-0x0000000004957000-memory.dmp

Filesize
1.1MB

Download
memory/1444-77-0x0000000004970000-0x0000000004A49000-memory.dmp

Filesize
868KB

Download
memory/1444-79-0x0000000004970000-0x0000000004A49000-memory.dmp

Filesize
868KB

Download
memory/1988-68-0x0000000000320000-0x0000000000330000-memory.dmp

Filesize
64KB

Download
memory/1988-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1988-67-0x00000000008E0000-0x0000000000BE3000-memory.dmp

Filesize
3.0MB

Download
memory/1988-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1988-63-0x00000000004012B0-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads