formbook | c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817

General

Target

c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe
Size

1017KB
MD5

02d49663964ca14885477e43bb4d8538
SHA1

4bfef39721918c796c5ccdd19f0fba421c4fc937
SHA256

c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817
SHA512

6d89d0a58963b9f6ed520deac1c06008b23a575f461283eb3ed2896a6372bb381e41e4c0a51f657cdb64500eea1ec5d51ec787de22d092e79101efd96fb7da0b
SSDEEP

12288:Y6wnpkQlkkaFIpiiXnXTVCRIaDQ2UtaQwXydUjSZv8PogcM+SwgT6AQSQy4A:Hgbg0nXoR429XTe4mNAtQy4A

Score

10^/10

formbook zgrat pp0t rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

pp0t

Decoy

c9tSf4QHOwJjLbRfkwuwURujn/iH

pq54GqPOHu8U

WeXPb9LyJlOEMnTHjmv+O95VTnX7KA==

U18lwwKHPkJlZ3+u/e3h/zvV

ADj7RlmLOuc5QNhAHo4lWQ==

ifzvnDteMx0b

PmEpuAehVVp1QZV1JIY=

Ab+SQKRM4d7ZidIlwu2y6jTS

iAjigMrD+xQL9IoeDlPm+sY=

XisFVVjH25z9z6jrg3f8OMMHxHxf9Tw=

BeXeBZq31ouzxg==

ysN9oYfOHu8U

ml8KIinPAMgRuTe7fY4=

voMdjO13pzDNk1Q=

/PrtkRtASgyodEc=

Z3UEHTRRgXWhra71DkSvoZrd

qXE75D5v82lO/2hF4vSZ15hMD3dg3Bl4Kw==

x8m0Yaa4x7stHrsS5o7BWw==

0thWfXqJu6Rn/9AZRQ==

/ndSqtQFQYq+qicJodEHK90=

Signatures

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral1/memory/2836-7-0x0000000005CE0000-0x0000000005D6E000-memory.dmp	family_zgrat_v1

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2836 set thread context of 2332	2836	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
320	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2836	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe
2836	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe
2836	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe
2836	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe
2836	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe
2836	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe
2836	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe
2836	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe
2836	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe
2836	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe
2836	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe
2836	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe
2836	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe
2836	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe
2836	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe
2836	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe
2148	powershell.exe
2016	powershell.exe
2836	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe
2332	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2836	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	2016	powershell.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2836 wrote to memory of 2016	2836	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe	30
PID 2836 wrote to memory of 2016	2836	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe	30
PID 2836 wrote to memory of 2016	2836	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe	30
PID 2836 wrote to memory of 2016	2836	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe	30
PID 2836 wrote to memory of 2148	2836	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe	32
PID 2836 wrote to memory of 2148	2836	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe	32
PID 2836 wrote to memory of 2148	2836	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe	32
PID 2836 wrote to memory of 2148	2836	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe	32
PID 2836 wrote to memory of 320	2836	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe	34
PID 2836 wrote to memory of 320	2836	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe	34
PID 2836 wrote to memory of 320	2836	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe	34
PID 2836 wrote to memory of 320	2836	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe	34
PID 2836 wrote to memory of 2332	2836	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe	36
PID 2836 wrote to memory of 2332	2836	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe	36
PID 2836 wrote to memory of 2332	2836	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe	36
PID 2836 wrote to memory of 2332	2836	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe	36
PID 2836 wrote to memory of 2332	2836	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe	36
PID 2836 wrote to memory of 2332	2836	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe	36
PID 2836 wrote to memory of 2332	2836	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe	36

C:\Users\Admin\AppData\Local\Temp\c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe
"C:\Users\Admin\AppData\Local\Temp\c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2016
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wegDzXR.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2148
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wegDzXR" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4173.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:320
- C:\Users\Admin\AppData\Local\Temp\c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe
  "C:\Users\Admin\AppData\Local\Temp\c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4173.tmp

Filesize
1KB

MD5
27aad7613b3b73d7b9c7a446195106ee

SHA1
3c0e7a8d8dcfff7dc6152e4ddb45a978cd516844

SHA256
ba6d6121b943eed5aed85ad90d5eb19bdece7ca670dafab024d6062f9e9fbc7f

SHA512
b27ee4f82b7fc4455c5e3158cdb161cf5f38b098fef2b58601b1785c3d6dc6f9d52ce24c7d8bff824de392fbb052f6fa84e1a5c5d2990b168421f0b2493fcf59

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
53f02d38b6ef063c9e407b5657dd4518

SHA1
1632fa038ca1d127babf86698975332ff7aea0d7

SHA256
8c644938d0ca3ac00cd53cf2b439ae6dde99b5e28accf1c89bf0a4b24b98cc52

SHA512
87fe376109721d70377f27372858b1e541f166215b6f452c21b5583c1f0f34e22f57350ddb4004d785f195509b96c0aa28b07e7bfb180e9229a1d6a045f85cdc

Download Submit
memory/2016-35-0x000000006F610000-0x000000006FBBB000-memory.dmp

Filesize
5.7MB

Download
memory/2016-33-0x00000000028F0000-0x0000000002930000-memory.dmp

Filesize
256KB

Download
memory/2016-40-0x000000006F610000-0x000000006FBBB000-memory.dmp

Filesize
5.7MB

Download
memory/2016-31-0x000000006F610000-0x000000006FBBB000-memory.dmp

Filesize
5.7MB

Download
memory/2016-38-0x00000000028F0000-0x0000000002930000-memory.dmp

Filesize
256KB

Download
memory/2148-39-0x0000000002970000-0x00000000029B0000-memory.dmp

Filesize
256KB

Download
memory/2148-36-0x000000006F610000-0x000000006FBBB000-memory.dmp

Filesize
5.7MB

Download
memory/2148-37-0x0000000002970000-0x00000000029B0000-memory.dmp

Filesize
256KB

Download
memory/2148-34-0x0000000002970000-0x00000000029B0000-memory.dmp

Filesize
256KB

Download
memory/2148-41-0x000000006F610000-0x000000006FBBB000-memory.dmp

Filesize
5.7MB

Download
memory/2148-32-0x000000006F610000-0x000000006FBBB000-memory.dmp

Filesize
5.7MB

Download
memory/2332-25-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2332-22-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2332-21-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2332-28-0x0000000000910000-0x0000000000C13000-memory.dmp

Filesize
3.0MB

Download
memory/2332-29-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2332-30-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/2332-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2836-20-0x0000000002380000-0x00000000023B4000-memory.dmp

Filesize
208KB

Download
memory/2836-27-0x0000000074900000-0x0000000074FEE000-memory.dmp

Filesize
6.9MB

Download
memory/2836-0-0x0000000000110000-0x0000000000214000-memory.dmp

Filesize
1.0MB

Download
memory/2836-7-0x0000000005CE0000-0x0000000005D6E000-memory.dmp

Filesize
568KB

Download
memory/2836-6-0x0000000000530000-0x000000000053C000-memory.dmp

Filesize
48KB

Download
memory/2836-5-0x00000000005E0000-0x0000000000620000-memory.dmp

Filesize
256KB

Download
memory/2836-4-0x0000000074900000-0x0000000074FEE000-memory.dmp

Filesize
6.9MB

Download
memory/2836-3-0x00000000005C0000-0x00000000005DA000-memory.dmp

Filesize
104KB

Download
memory/2836-2-0x00000000005E0000-0x0000000000620000-memory.dmp

Filesize
256KB

Download
memory/2836-1-0x0000000074900000-0x0000000074FEE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.