formbook | 76565bfaf2fe4e6ca50046fcd0cd13dd3ea45398a01a343bf9cec3cfe0998388

General

Target

RFQ PT089110.exe
Size

272KB
MD5

8ea739a14035ea523b015f33eafe6953
SHA1

228ee69b1fccea68b79f9c1a9bb9796882696cf3
SHA256

1a685538deaab9e0cfe393b43f4f08e48c076ce115911c46e93952a121322c87
SHA512

76d462569c16143c41ce75eb8e5f4f6304f32f42f939433752a5aa3fefcfa4550da8a55179dfef2d3eef0c6a41a9de8018de785669bfc6daf337a14323f98f2a
SSDEEP

6144:9kwrUMSvXxBADF+bVEN8fyqNkpHVtxgWljiXcU0GfJyqI2q:/UMEBBAAJVfjS1EWljiXcU0EJyqy

Score

10^/10

formbook m5oe rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

m5oe

Decoy

HdR8hG6r12hBYuHY4zv6YeeFPQ==

tD1V9gswYvgQXEGd

1xKtJ1LdqRYMRMC84U1A

MbhjiWb7Lz8z7KIWl3UyUIJwA6Tb

joVB5Xggy2RtE+odsZg=

TrduAIay6Y3SvoIK20xI

pSna7LOsXXwXT/zz3Iow4g==

QnthmO4Qst5gC3sDoA==

eAirzOOgO7SOCenz3Iow4g==

xg0uSbfLTg==

YWQXwyGRzPEHzGrDFE8CBSE=

ujLnfuXoH9dbgHIK20xI

291v0XsGFrYQXEGd

MRvTd/qMuaHpjCM=

X131fLC6VWX4MsvCb2IPjIfq8wlksWfg

Y9Bur8DbgqFt/Yni86MMCCE=

q6RTBmJkmy5pWTmmCCrvmuCDPw==

mQS26DojT+EQXEGd

sjHQ+Kav2Wx9FeodsZg=

JA24UKnTA5re1LhcQaVo/w==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

faclv.exefaclv.exe

pid process

1960 faclv.exe
4212 faclv.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

faclv.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation faclv.exe

pid	process
1960	faclv.exe
4212	faclv.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	faclv.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

faclv.exefaclv.execontrol.exe

description	pid	process	target process
PID 1960 set thread context of 4212	1960	faclv.exe	faclv.exe
PID 4212 set thread context of 2180	4212	faclv.exe	Explorer.EXE
PID 4868 set thread context of 2180	4868	control.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

control.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	control.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

faclv.execontrol.exe

pid	process
4212	faclv.exe
4212	faclv.exe
4212	faclv.exe
4212	faclv.exe
4212	faclv.exe
4212	faclv.exe
4212	faclv.exe
4212	faclv.exe
4868	control.exe
4868	control.exe
4868	control.exe
4868	control.exe
4868	control.exe
4868	control.exe
4868	control.exe
4868	control.exe
4868	control.exe
4868	control.exe
4868	control.exe
4868	control.exe
4868	control.exe
4868	control.exe
4868	control.exe
4868	control.exe
4868	control.exe
4868	control.exe
4868	control.exe
4868	control.exe
4868	control.exe
4868	control.exe
4868	control.exe
4868	control.exe
4868	control.exe
4868	control.exe
4868	control.exe
4868	control.exe
4868	control.exe
4868	control.exe
4868	control.exe
4868	control.exe
4868	control.exe
4868	control.exe
4868	control.exe
4868	control.exe
4868	control.exe
4868	control.exe
4868	control.exe
4868	control.exe
4868	control.exe
4868	control.exe
4868	control.exe
4868	control.exe
4868	control.exe
4868	control.exe
4868	control.exe
4868	control.exe
4868	control.exe
4868	control.exe
4868	control.exe
4868	control.exe
4868	control.exe
4868	control.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2180 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

faclv.exefaclv.execontrol.exe

pid process

1960 faclv.exe
4212 faclv.exe
4212 faclv.exe
4212 faclv.exe
4868 control.exe
4868 control.exe
4868 control.exe
4868 control.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

faclv.execontrol.exe

description pid process

Token: SeDebugPrivilege 4212 faclv.exe
Token: SeDebugPrivilege 4868 control.exe

pid	process
2180	Explorer.EXE

pid	process
1960	faclv.exe
4212	faclv.exe
4212	faclv.exe
4212	faclv.exe
4868	control.exe
4868	control.exe
4868	control.exe
4868	control.exe

description	pid	process
Token: SeDebugPrivilege	4212	faclv.exe
Token: SeDebugPrivilege	4868	control.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

RFQ PT089110.exefaclv.exeExplorer.EXEcontrol.exe

description	pid	process	target process
PID 4920 wrote to memory of 1960	4920	RFQ PT089110.exe	faclv.exe
PID 4920 wrote to memory of 1960	4920	RFQ PT089110.exe	faclv.exe
PID 4920 wrote to memory of 1960	4920	RFQ PT089110.exe	faclv.exe
PID 1960 wrote to memory of 4212	1960	faclv.exe	faclv.exe
PID 1960 wrote to memory of 4212	1960	faclv.exe	faclv.exe
PID 1960 wrote to memory of 4212	1960	faclv.exe	faclv.exe
PID 1960 wrote to memory of 4212	1960	faclv.exe	faclv.exe
PID 2180 wrote to memory of 4868	2180	Explorer.EXE	control.exe
PID 2180 wrote to memory of 4868	2180	Explorer.EXE	control.exe
PID 2180 wrote to memory of 4868	2180	Explorer.EXE	control.exe
PID 4868 wrote to memory of 628	4868	control.exe	Firefox.exe
PID 4868 wrote to memory of 628	4868	control.exe	Firefox.exe
PID 4868 wrote to memory of 628	4868	control.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2180

C:\Users\Admin\AppData\Local\Temp\RFQ PT089110.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ PT089110.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4920

C:\Users\Admin\AppData\Local\Temp\faclv.exe
"C:\Users\Admin\AppData\Local\Temp\faclv.exe" C:\Users\Admin\AppData\Local\Temp\jjqrtywbglb.t
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1960

C:\Users\Admin\AppData\Local\Temp\faclv.exe
"C:\Users\Admin\AppData\Local\Temp\faclv.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4212

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4868

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:628

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\faclv.exe
Filesize
141KB

MD5
f88b0229271ec4a4962ade420916973f

SHA1
8c3eff757988b1b43213b85dd272af0289a85f2f

SHA256
e66c55f14ddcfb93aa5f236b67829bc4b43916e1ff84bf89ee90275bc873729e

SHA512
f09c5cc0a50169582d0578fb2959a15841394c2a391b7a31be8a6e2cd90586b37b18e39d3395e176a250ac5dbba1db091206c3b3364221ec92cde78a182dba53

Download Submit
C:\Users\Admin\AppData\Local\Temp\faclv.exe
Filesize
141KB

MD5
f88b0229271ec4a4962ade420916973f

SHA1
8c3eff757988b1b43213b85dd272af0289a85f2f

SHA256
e66c55f14ddcfb93aa5f236b67829bc4b43916e1ff84bf89ee90275bc873729e

SHA512
f09c5cc0a50169582d0578fb2959a15841394c2a391b7a31be8a6e2cd90586b37b18e39d3395e176a250ac5dbba1db091206c3b3364221ec92cde78a182dba53

Download Submit
C:\Users\Admin\AppData\Local\Temp\faclv.exe
Filesize
141KB

MD5
f88b0229271ec4a4962ade420916973f

SHA1
8c3eff757988b1b43213b85dd272af0289a85f2f

SHA256
e66c55f14ddcfb93aa5f236b67829bc4b43916e1ff84bf89ee90275bc873729e

SHA512
f09c5cc0a50169582d0578fb2959a15841394c2a391b7a31be8a6e2cd90586b37b18e39d3395e176a250ac5dbba1db091206c3b3364221ec92cde78a182dba53

Download Submit
C:\Users\Admin\AppData\Local\Temp\jjqrtywbglb.t
Filesize
5KB

MD5
c4da7b1938a01beace3d69275e1826f9

SHA1
bb7e8c0d6b9e404551d45e9d1701a49a6aa41eda

SHA256
7d1696aa4c800e800aa5b49124b66cc00e94d155e78cd06aece207a9d7b7e47d

SHA512
9a6493fb8eaee411248e0eb65b134baee7d2746d9ff0af493f7083c6403f80c1c0588971409e2c1a5d785b674b029eaf6122d2f60bce7cc16154d91947e97fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zhphjyjg.axk
Filesize
185KB

MD5
c290c052854d20566294229800e4471d

SHA1
eb4cef65b362a4ade2977078286e60b06551d2c3

SHA256
69c12b29ea58482fa5a07f00810e350c9436d40808f4b9bcc6567b32f8104255

SHA512
d199fc2fed053c1d5107084fd9930630bcb297ce281b3fdc62e83ecf641e62f1b9d64049b446f9d546347ca025305dd4f699defb1c661a1646dd9583a0207d7d

Download Submit
memory/1960-132-0x0000000000000000-mapping.dmp

Download
memory/2180-152-0x0000000003610000-0x00000000036D2000-memory.dmp

Filesize
776KB

Download
memory/2180-150-0x0000000003610000-0x00000000036D2000-memory.dmp

Filesize
776KB

Download
memory/2180-143-0x0000000003180000-0x00000000032EB000-memory.dmp

Filesize
1.4MB

Download
memory/4212-142-0x0000000000550000-0x0000000000560000-memory.dmp

Filesize
64KB

Download
memory/4212-141-0x00000000009C0000-0x0000000000D0A000-memory.dmp

Filesize
3.3MB

Download
memory/4212-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4212-145-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4212-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4212-137-0x0000000000000000-mapping.dmp

Download
memory/4868-144-0x0000000000000000-mapping.dmp

Download
memory/4868-146-0x0000000000300000-0x0000000000327000-memory.dmp

Filesize
156KB

Download
memory/4868-147-0x0000000002480000-0x00000000027CA000-memory.dmp

Filesize
3.3MB

Download
memory/4868-148-0x0000000000630000-0x000000000065D000-memory.dmp

Filesize
180KB

Download
memory/4868-149-0x0000000002320000-0x00000000023AF000-memory.dmp

Filesize
572KB

Download
memory/4868-151-0x0000000000630000-0x000000000065D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads