formbook | 50268da94205b374b7b1344a8ae09105e3732dd026350b7418d750a2d4dca7e9

General

Target

vbc.exe
Size

10.0MB
MD5

93a2d330d57689aea5146c1d7b767ff8
SHA1

39b73da296c473b30d8ef5e4063288653500d3ef
SHA256

50268da94205b374b7b1344a8ae09105e3732dd026350b7418d750a2d4dca7e9
SHA512

b2ef5945d2599a98966ff0c58ad9917481ab27b238d6152fff32bd82313196353312ffd61cde07552d1e9bcba8cc7d2b4f47df360c427618f250217ef372fa3b
SSDEEP

96:vKbBpyUc5+YdueYZkhgEMLUEM5i2RZjz+4KpfBu7uxVJGkFpNeFnUu:vyfyUOfuUk52T/pwu7UVJrlru

Score

10^/10

formbook dcn0 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

dcn0

Decoy

ZVx68vDtAMBCwg==

oBMBvsNORkM/O/ox

Ff9pISWkm6eG4lByIspp

c2T42c6CIIF6B8xTxm9XzpVw

bvjhxRbnAC183w==

0lTttSNG4HUDNflyIspp

hPXFlstqiHA/O/ox

WLR+MeerxZ0cNn1ja+IQAYo=

IHRn4xXOVKi477zarG+ObSy7YJA=

Xhf3e+tdAC183w==

Xk0ZAezv2rWH

kngo+vBeSRN7AszNwam3Osmguuqc0MoC

a2Qp7a+E8fSw7LDjpnqEKjsRZA==

3zjy4E7+QM48wg==

YcCmqT3OUNAigVott2pBKiy7YJA=

4+SMeX1juat/5cZ1AZihcyy7YJA=

/+m7sro0OBTl3TMpCw==

i2ctEfe4//a64yklMsgS2J90

+loZ2QKGX0UWgpvErMs=

b9BNCnJWQJS8IfsR0uR3bCy7YJA=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

RegAsm.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\International\Geo\Nation RegAsm.exe
Loads dropped DLL 1 IoCs

Processes:

colorcpl.exe

pid process

1644 colorcpl.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\International\Geo\Nation	RegAsm.exe

pid	process
1644	colorcpl.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

vbc.exeRegAsm.execolorcpl.exe

description	pid	process	target process
PID 1408 set thread context of 1652	1408	vbc.exe	RegAsm.exe
PID 1652 set thread context of 1280	1652	RegAsm.exe	Explorer.EXE
PID 1644 set thread context of 1280	1644	colorcpl.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

colorcpl.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	colorcpl.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exevbc.exepowershell.exeRegAsm.execolorcpl.exe

pid	process
1376	powershell.exe
1408	vbc.exe
1408	vbc.exe
1712	powershell.exe
1652	RegAsm.exe
1652	RegAsm.exe
1652	RegAsm.exe
1652	RegAsm.exe
1644	colorcpl.exe
1644	colorcpl.exe
1644	colorcpl.exe
1644	colorcpl.exe
1644	colorcpl.exe
1644	colorcpl.exe
1644	colorcpl.exe
1644	colorcpl.exe
1644	colorcpl.exe
1644	colorcpl.exe
1644	colorcpl.exe
1644	colorcpl.exe
1644	colorcpl.exe
1644	colorcpl.exe
1644	colorcpl.exe
1644	colorcpl.exe
1644	colorcpl.exe
1644	colorcpl.exe
1644	colorcpl.exe
1644	colorcpl.exe
1644	colorcpl.exe
1644	colorcpl.exe
1644	colorcpl.exe
1644	colorcpl.exe
1644	colorcpl.exe
1644	colorcpl.exe
1644	colorcpl.exe
1644	colorcpl.exe
1644	colorcpl.exe
1644	colorcpl.exe
1644	colorcpl.exe
1644	colorcpl.exe
1644	colorcpl.exe
1644	colorcpl.exe
1644	colorcpl.exe
1644	colorcpl.exe
1644	colorcpl.exe
1644	colorcpl.exe
1644	colorcpl.exe
1644	colorcpl.exe
1644	colorcpl.exe
1644	colorcpl.exe
1644	colorcpl.exe
1644	colorcpl.exe
1644	colorcpl.exe
1644	colorcpl.exe
1644	colorcpl.exe
1644	colorcpl.exe
1644	colorcpl.exe
1644	colorcpl.exe
1644	colorcpl.exe
1644	colorcpl.exe
1644	colorcpl.exe
1644	colorcpl.exe
1644	colorcpl.exe
1644	colorcpl.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1280 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

RegAsm.execolorcpl.exe

pid process

1652 RegAsm.exe
1652 RegAsm.exe
1652 RegAsm.exe
1644 colorcpl.exe
1644 colorcpl.exe
1644 colorcpl.exe
1644 colorcpl.exe

pid	process
1280	Explorer.EXE

pid	process
1652	RegAsm.exe
1652	RegAsm.exe
1652	RegAsm.exe
1644	colorcpl.exe
1644	colorcpl.exe
1644	colorcpl.exe
1644	colorcpl.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

vbc.exepowershell.exepowershell.exeRegAsm.execolorcpl.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1408	vbc.exe
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	1652	RegAsm.exe
Token: SeDebugPrivilege	1644	colorcpl.exe
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

vbc.execmd.exeExplorer.EXEcolorcpl.exe

description	pid	process	target process
PID 1408 wrote to memory of 1376	1408	vbc.exe	powershell.exe
PID 1408 wrote to memory of 1376	1408	vbc.exe	powershell.exe
PID 1408 wrote to memory of 1376	1408	vbc.exe	powershell.exe
PID 1408 wrote to memory of 1376	1408	vbc.exe	powershell.exe
PID 1408 wrote to memory of 1856	1408	vbc.exe	cmd.exe
PID 1408 wrote to memory of 1856	1408	vbc.exe	cmd.exe
PID 1408 wrote to memory of 1856	1408	vbc.exe	cmd.exe
PID 1408 wrote to memory of 1856	1408	vbc.exe	cmd.exe
PID 1856 wrote to memory of 1712	1856	cmd.exe	powershell.exe
PID 1856 wrote to memory of 1712	1856	cmd.exe	powershell.exe
PID 1856 wrote to memory of 1712	1856	cmd.exe	powershell.exe
PID 1856 wrote to memory of 1712	1856	cmd.exe	powershell.exe
PID 1408 wrote to memory of 1864	1408	vbc.exe	RegAsm.exe
PID 1408 wrote to memory of 1864	1408	vbc.exe	RegAsm.exe
PID 1408 wrote to memory of 1864	1408	vbc.exe	RegAsm.exe
PID 1408 wrote to memory of 1864	1408	vbc.exe	RegAsm.exe
PID 1408 wrote to memory of 1864	1408	vbc.exe	RegAsm.exe
PID 1408 wrote to memory of 1864	1408	vbc.exe	RegAsm.exe
PID 1408 wrote to memory of 1864	1408	vbc.exe	RegAsm.exe
PID 1408 wrote to memory of 1652	1408	vbc.exe	RegAsm.exe
PID 1408 wrote to memory of 1652	1408	vbc.exe	RegAsm.exe
PID 1408 wrote to memory of 1652	1408	vbc.exe	RegAsm.exe
PID 1408 wrote to memory of 1652	1408	vbc.exe	RegAsm.exe
PID 1408 wrote to memory of 1652	1408	vbc.exe	RegAsm.exe
PID 1408 wrote to memory of 1652	1408	vbc.exe	RegAsm.exe
PID 1408 wrote to memory of 1652	1408	vbc.exe	RegAsm.exe
PID 1408 wrote to memory of 1652	1408	vbc.exe	RegAsm.exe
PID 1408 wrote to memory of 1652	1408	vbc.exe	RegAsm.exe
PID 1408 wrote to memory of 1652	1408	vbc.exe	RegAsm.exe
PID 1280 wrote to memory of 1644	1280	Explorer.EXE	colorcpl.exe
PID 1280 wrote to memory of 1644	1280	Explorer.EXE	colorcpl.exe
PID 1280 wrote to memory of 1644	1280	Explorer.EXE	colorcpl.exe
PID 1280 wrote to memory of 1644	1280	Explorer.EXE	colorcpl.exe
PID 1644 wrote to memory of 1992	1644	colorcpl.exe	Firefox.exe
PID 1644 wrote to memory of 1992	1644	colorcpl.exe	Firefox.exe
PID 1644 wrote to memory of 1992	1644	colorcpl.exe	Firefox.exe
PID 1644 wrote to memory of 1992	1644	colorcpl.exe	Firefox.exe
PID 1644 wrote to memory of 1992	1644	colorcpl.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1280

C:\Users\Admin\AppData\Local\Temp\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\vbc.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1408

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAANQAwAA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1376

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
3⤵
- Suspicious use of WriteProcessMemory
PID:1856

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
3⤵
PID:1864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
3⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1644

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1992

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
f4dcb524d6b568df66a800dc01a49355

SHA1
5961d5947cf20186e22a42ef0c2a4b090108c196

SHA256
d55994cf8aa4bd8d03bffa52ba3fea241076ff88f459a228b8a8b8bdb1f9feef

SHA512
ab15500b21654fe866f9d67ca41663ce083135933845d47937c750e212e1cc7d665a2b89c199f6c2f581bd7023be8b556fa746d67e08b254fc33fcd4a9d15539

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
831KB

MD5
05ace2f6d9bef6fd9bbd05ee5262a1f2

SHA1
5cce2228e0d9c6cc913cf551e0bf7c76ed74ff59

SHA256
002459f4d4758011b4d7f36935f1fe323494b847f8c173a551076a3d30475ebc

SHA512
1e717a66a72eb626727144fa7458f472ada54fd1be37072c9e740945e34ba94025737aef44e54752c50c5b79a583c6a91a0d8043bf1bf7c3e7cab8537207f9fc

Download Submit
memory/1280-91-0x00000000073C0000-0x00000000074D5000-memory.dmp

Filesize
1.1MB

Download
memory/1280-89-0x00000000073C0000-0x00000000074D5000-memory.dmp

Filesize
1.1MB

Download
memory/1280-82-0x0000000007130000-0x0000000007297000-memory.dmp

Filesize
1.4MB

Download
memory/1376-58-0x0000000000000000-mapping.dmp

Download
memory/1376-60-0x000000006E6B0000-0x000000006EC5B000-memory.dmp

Filesize
5.7MB

Download
memory/1376-61-0x000000006E6B0000-0x000000006EC5B000-memory.dmp

Filesize
5.7MB

Download
memory/1376-62-0x000000006E6B0000-0x000000006EC5B000-memory.dmp

Filesize
5.7MB

Download
memory/1408-57-0x0000000005010000-0x00000000050A2000-memory.dmp

Filesize
584KB

Download
memory/1408-65-0x0000000005330000-0x000000000539A000-memory.dmp

Filesize
424KB

Download
memory/1408-54-0x0000000000F10000-0x0000000000F18000-memory.dmp

Filesize
32KB

Download
memory/1408-56-0x0000000005D60000-0x0000000005EE4000-memory.dmp

Filesize
1.5MB

Download
memory/1408-55-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download
memory/1644-88-0x0000000001DE0000-0x0000000001E6F000-memory.dmp

Filesize
572KB

Download
memory/1644-83-0x0000000000000000-mapping.dmp

Download
memory/1644-86-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/1644-87-0x0000000001F70000-0x0000000002273000-memory.dmp

Filesize
3.0MB

Download
memory/1644-90-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/1644-85-0x00000000005F0000-0x0000000000608000-memory.dmp

Filesize
96KB

Download
memory/1652-77-0x0000000002050000-0x0000000002353000-memory.dmp

Filesize
3.0MB

Download
memory/1652-81-0x0000000000130000-0x0000000000140000-memory.dmp

Filesize
64KB

Download
memory/1652-80-0x0000000000422000-0x0000000000424000-memory.dmp

Filesize
8KB

Download
memory/1652-68-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1652-79-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/1652-78-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1652-76-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1652-72-0x00000000004012B0-mapping.dmp

Download
memory/1652-69-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1652-71-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1712-75-0x000000006E680000-0x000000006EC2B000-memory.dmp

Filesize
5.7MB

Download
memory/1712-64-0x0000000000000000-mapping.dmp

Download
memory/1856-63-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads