formbook | 878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9

General

Target

878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
Size

52KB
MD5

207fdcecc4c844004d064f7f7d25fb0f
SHA1

4a1b05f7cd8b3ba7c82f48ca8aeb10b264369c4c
SHA256

878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9
SHA512

739ce29e9cf6d5cb25e22841bb28d0e0d825c452df49f3b15e9a0b2d275150f88da198566b540fc3d40c089cbd0dcd077f79620e4a2c2d1f7d9e13a5cb46499d
SSDEEP

768:EyH64NqpyLvO3klekO2Pco2YQ78QTEB6SrZdP545gkRUnqkAmZbI:w5pyLvLy2awvsSVBqukeqxEI

Score

10^/10

formbook scse rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

scse

Decoy

SKpYFyVNT2zunKf0uuM=

FlEHUseI7I5XbrO8fR/XBcS9ZA==

FPuxoUOxkLiATugw

VKdxsDSk0jdT5Kw=

FpqHf9iI/1tl97E=

YGI6sIl3UIxfZvlD+JiUuuLR

oBAEO0suBEAD5aK00A==

RKJqTzg4gQ/Q6DYSuTjDGkwuyl0ik5Kb8w==

VFg9s3W0/Ype8A3cZb+D7g==

hwD+VNd6014nrsaTWm4FBcS9ZA==

zkAdUq1soKYUfZaTqLmL

XVQ9WbRivUIQ477a/hKv+g==

QireF2geizAwmp674AGc5g==

PSTUQxs6j8OATugw

LHJhyy2VbX8NEqf0uuM=

MiY1vg6T3HqATugw

wqkUjaVXnGgBqA==

jUr/eUtSIT01Wegt

PjQidcqKzAbSZICUZb+D7g==

OkAmcv12sUEAIHwFHakzdIo2FPHw

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Blocklisted process makes network request 1 IoCs

Processes:

cscript.exe

flow pid process

7 1984 cscript.exe
Loads dropped DLL 1 IoCs

Processes:

cscript.exe

pid process

1984 cscript.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
7	1984	cscript.exe

pid	process
1984	cscript.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exejsc.execscript.exe

description	pid	process	target process
PID 880 set thread context of 1652	880	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	jsc.exe
PID 1652 set thread context of 1396	1652	jsc.exe	Explorer.EXE
PID 1984 set thread context of 1396	1984	cscript.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

cscript.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cscript.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exejsc.execscript.exe

pid	process
880	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
880	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
880	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
880	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
880	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
880	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
880	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
880	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
880	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
880	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
880	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
1652	jsc.exe
1652	jsc.exe
1652	jsc.exe
1652	jsc.exe
1984	cscript.exe
1984	cscript.exe
1984	cscript.exe
1984	cscript.exe
1984	cscript.exe
1984	cscript.exe
1984	cscript.exe
1984	cscript.exe
1984	cscript.exe
1984	cscript.exe
1984	cscript.exe
1984	cscript.exe
1984	cscript.exe
1984	cscript.exe
1984	cscript.exe
1984	cscript.exe
1984	cscript.exe
1984	cscript.exe
1984	cscript.exe
1984	cscript.exe
1984	cscript.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

jsc.execscript.exe

pid process

1652 jsc.exe
1652 jsc.exe
1652 jsc.exe
1984 cscript.exe
1984 cscript.exe
1984 cscript.exe
1984 cscript.exe

pid	process
1652	jsc.exe
1652	jsc.exe
1652	jsc.exe
1984	cscript.exe
1984	cscript.exe
1984	cscript.exe
1984	cscript.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exejsc.execscript.exe

description	pid	process
Token: SeDebugPrivilege	880	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
Token: SeDebugPrivilege	1652	jsc.exe
Token: SeDebugPrivilege	1984	cscript.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1396 Explorer.EXE
1396 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1396 Explorer.EXE
1396 Explorer.EXE

pid	process
1396	Explorer.EXE
1396	Explorer.EXE

pid	process
1396	Explorer.EXE
1396	Explorer.EXE

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exeExplorer.EXEcscript.exe

description	pid	process	target process
PID 880 wrote to memory of 1116	880	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	MSBuild.exe
PID 880 wrote to memory of 1116	880	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	MSBuild.exe
PID 880 wrote to memory of 1116	880	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	MSBuild.exe
PID 880 wrote to memory of 1992	880	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	CasPol.exe
PID 880 wrote to memory of 1992	880	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	CasPol.exe
PID 880 wrote to memory of 1992	880	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	CasPol.exe
PID 880 wrote to memory of 2020	880	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	AddInUtil.exe
PID 880 wrote to memory of 2020	880	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	AddInUtil.exe
PID 880 wrote to memory of 2020	880	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	AddInUtil.exe
PID 880 wrote to memory of 2024	880	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	dfsvc.exe
PID 880 wrote to memory of 2024	880	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	dfsvc.exe
PID 880 wrote to memory of 2024	880	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	dfsvc.exe
PID 880 wrote to memory of 1720	880	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	aspnet_compiler.exe
PID 880 wrote to memory of 1720	880	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	aspnet_compiler.exe
PID 880 wrote to memory of 1720	880	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	aspnet_compiler.exe
PID 880 wrote to memory of 1716	880	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	mscorsvw.exe
PID 880 wrote to memory of 1716	880	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	mscorsvw.exe
PID 880 wrote to memory of 1716	880	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	mscorsvw.exe
PID 880 wrote to memory of 1988	880	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	ComSvcConfig.exe
PID 880 wrote to memory of 1988	880	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	ComSvcConfig.exe
PID 880 wrote to memory of 1988	880	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	ComSvcConfig.exe
PID 880 wrote to memory of 1980	880	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	aspnet_regiis.exe
PID 880 wrote to memory of 1980	880	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	aspnet_regiis.exe
PID 880 wrote to memory of 1980	880	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	aspnet_regiis.exe
PID 880 wrote to memory of 1144	880	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	aspnet_regbrowsers.exe
PID 880 wrote to memory of 1144	880	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	aspnet_regbrowsers.exe
PID 880 wrote to memory of 1144	880	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	aspnet_regbrowsers.exe
PID 880 wrote to memory of 1928	880	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	csc.exe
PID 880 wrote to memory of 1928	880	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	csc.exe
PID 880 wrote to memory of 1928	880	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	csc.exe
PID 880 wrote to memory of 1376	880	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	aspnet_state.exe
PID 880 wrote to memory of 1376	880	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	aspnet_state.exe
PID 880 wrote to memory of 1376	880	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	aspnet_state.exe
PID 880 wrote to memory of 1652	880	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	jsc.exe
PID 880 wrote to memory of 1652	880	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	jsc.exe
PID 880 wrote to memory of 1652	880	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	jsc.exe
PID 880 wrote to memory of 1652	880	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	jsc.exe
PID 880 wrote to memory of 1652	880	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	jsc.exe
PID 880 wrote to memory of 1652	880	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	jsc.exe
PID 880 wrote to memory of 1652	880	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	jsc.exe
PID 1396 wrote to memory of 1984	1396	Explorer.EXE	cscript.exe
PID 1396 wrote to memory of 1984	1396	Explorer.EXE	cscript.exe
PID 1396 wrote to memory of 1984	1396	Explorer.EXE	cscript.exe
PID 1396 wrote to memory of 1984	1396	Explorer.EXE	cscript.exe
PID 1984 wrote to memory of 1544	1984	cscript.exe	Firefox.exe
PID 1984 wrote to memory of 1544	1984	cscript.exe	Firefox.exe
PID 1984 wrote to memory of 1544	1984	cscript.exe	Firefox.exe
PID 1984 wrote to memory of 1544	1984	cscript.exe	Firefox.exe
PID 1984 wrote to memory of 1544	1984	cscript.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1396

C:\Users\Admin\AppData\Local\Temp\878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
"C:\Users\Admin\AppData\Local\Temp\878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:880

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
3⤵
PID:1116

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
3⤵
PID:1992

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
3⤵
PID:2020

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
3⤵
PID:2024

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
3⤵
PID:1720

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
3⤵
PID:1716

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
3⤵
PID:1988

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
3⤵
PID:1980

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
3⤵
PID:1144

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
3⤵
PID:1928

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
3⤵
PID:1376

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1544

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
804KB

MD5
b09588d000ef4bf2a3dddd85bd701423

SHA1
44a810ff8920a340a30b66d932253555143dc28b

SHA256
ce4ffc1a12150b8523378553f2a97dd3fc44d5210ae6c296ab31e2c78f0d03c3

SHA512
1d807d92da34ccba4628f2a55c3ac1c03ff63925d79e266b4e52d71002228cbde76206ec696c3e25143fc2e0cab56589155666ff6f8ea0ebfd5ebcd362168e2a

Download Submit
memory/880-55-0x000000001B170000-0x000000001B1E4000-memory.dmp

Filesize
464KB

Download
memory/880-54-0x0000000001230000-0x0000000001242000-memory.dmp

Filesize
72KB

Download
memory/1396-65-0x0000000004930000-0x00000000049EA000-memory.dmp

Filesize
744KB

Download
memory/1396-75-0x0000000007000000-0x00000000070FA000-memory.dmp

Filesize
1000KB

Download
memory/1396-72-0x0000000004930000-0x00000000049EA000-memory.dmp

Filesize
744KB

Download
memory/1396-71-0x0000000007000000-0x00000000070FA000-memory.dmp

Filesize
1000KB

Download
memory/1652-60-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1652-61-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/1652-64-0x00000000000B0000-0x00000000000C0000-memory.dmp

Filesize
64KB

Download
memory/1652-62-0x0000000000A00000-0x0000000000D03000-memory.dmp

Filesize
3.0MB

Download
memory/1652-63-0x0000000000422000-0x0000000000424000-memory.dmp

Filesize
8KB

Download
memory/1652-56-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1652-57-0x00000000004012B0-mapping.dmp

Download
memory/1652-59-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1984-66-0x0000000000000000-mapping.dmp

Download
memory/1984-70-0x00000000009C0000-0x0000000000A4F000-memory.dmp

Filesize
572KB

Download
memory/1984-69-0x0000000002030000-0x0000000002333000-memory.dmp

Filesize
3.0MB

Download
memory/1984-73-0x0000000000070000-0x000000000009D000-memory.dmp

Filesize
180KB

Download
memory/1984-74-0x0000000076871000-0x0000000076873000-memory.dmp

Filesize
8KB

Download
memory/1984-68-0x0000000000070000-0x000000000009D000-memory.dmp

Filesize
180KB

Download
memory/1984-67-0x0000000000A70000-0x0000000000A92000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads