formbook | c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817

Analysis

max time kernel
152s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2024, 23:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe
Size

1017KB
MD5

02d49663964ca14885477e43bb4d8538
SHA1

4bfef39721918c796c5ccdd19f0fba421c4fc937
SHA256

c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817
SHA512

6d89d0a58963b9f6ed520deac1c06008b23a575f461283eb3ed2896a6372bb381e41e4c0a51f657cdb64500eea1ec5d51ec787de22d092e79101efd96fb7da0b
SSDEEP

12288:Y6wnpkQlkkaFIpiiXnXTVCRIaDQ2UtaQwXydUjSZv8PogcM+SwgT6AQSQy4A:Hgbg0nXoR429XTe4mNAtQy4A

Score

10^/10

formbook zgrat pp0t rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

pp0t

Decoy

c9tSf4QHOwJjLbRfkwuwURujn/iH

pq54GqPOHu8U

WeXPb9LyJlOEMnTHjmv+O95VTnX7KA==

U18lwwKHPkJlZ3+u/e3h/zvV

ADj7RlmLOuc5QNhAHo4lWQ==

ifzvnDteMx0b

PmEpuAehVVp1QZV1JIY=

Ab+SQKRM4d7ZidIlwu2y6jTS

iAjigMrD+xQL9IoeDlPm+sY=

XisFVVjH25z9z6jrg3f8OMMHxHxf9Tw=

BeXeBZq31ouzxg==

ysN9oYfOHu8U

ml8KIinPAMgRuTe7fY4=

voMdjO13pzDNk1Q=

/PrtkRtASgyodEc=

Z3UEHTRRgXWhra71DkSvoZrd

qXE75D5v82lO/2hF4vSZ15hMD3dg3Bl4Kw==

x8m0Yaa4x7stHrsS5o7BWw==

0thWfXqJu6Rn/9AZRQ==

/ndSqtQFQYq+qicJodEHK90=

Signatures

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral2/memory/1272-10-0x000000000AD50000-0x000000000ADDE000-memory.dmp	family_zgrat_v1

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1272 set thread context of 2828	1272	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe	116

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3968	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
1272	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe
1272	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe
1272	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe
1272	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe
1272	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe
1272	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe
1272	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe
1272	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe
1272	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe
1272	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe
1272	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe
1272	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe
1272	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe
1272	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe
1272	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe
1272	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe
1272	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe
1272	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe
1272	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe
1296	powershell.exe
1296	powershell.exe
1960	powershell.exe
1960	powershell.exe
2828	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe
2828	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe
2828	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe
1296	powershell.exe
1960	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1272	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1272 wrote to memory of 1960	1272	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe	110
PID 1272 wrote to memory of 1960	1272	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe	110
PID 1272 wrote to memory of 1960	1272	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe	110
PID 1272 wrote to memory of 1296	1272	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe	112
PID 1272 wrote to memory of 1296	1272	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe	112
PID 1272 wrote to memory of 1296	1272	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe	112
PID 1272 wrote to memory of 3968	1272	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe	114
PID 1272 wrote to memory of 3968	1272	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe	114
PID 1272 wrote to memory of 3968	1272	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe	114
PID 1272 wrote to memory of 2828	1272	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe	116
PID 1272 wrote to memory of 2828	1272	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe	116
PID 1272 wrote to memory of 2828	1272	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe	116
PID 1272 wrote to memory of 2828	1272	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe	116
PID 1272 wrote to memory of 2828	1272	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe	116
PID 1272 wrote to memory of 2828	1272	c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe	116

C:\Users\Admin\AppData\Local\Temp\c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe
"C:\Users\Admin\AppData\Local\Temp\c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1960
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wegDzXR.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1296
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wegDzXR" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4685.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:3968
- C:\Users\Admin\AppData\Local\Temp\c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe
  "C:\Users\Admin\AppData\Local\Temp\c1bd96883587818b3cb169701f342d982a3a785164ef9261a70a49043f7f6817.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2524 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
1⤵
PID:1576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
be0512a66c441e024f04e10de4592572

SHA1
a411d0696ffab6fda3436847c6eddabc2d75dcad

SHA256
e4fbe6bb87b1fc324723d24e1fd5815dbede8fbbbad3f61cc4a0a3f9320aab46

SHA512
dcef697bb07d7939c00e7652bbdef821b6152de0ba79551a538b3e1802702e6848dee207488a753b2535969efe2c5d48f7e23bd0db8c2050d58ac17d684e226a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jl5qql0m.okk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4685.tmp

Filesize
1KB

MD5
96784faec991ced3f3509c824d50240a

SHA1
54d69c915e0ef914e0e79a3cdc47481e748dcd6f

SHA256
5abd6aedb4ff9979b34bfb58798a7fd52ce2234fe3f8fba7b6add4801a1472ab

SHA512
0c378f8d7e8bed738c75882fbdf0b99416f23765c1f152929aa25c2536d0eafb6b40eaf97d4e709c061cc7a79e3bc8f3a581eaef920014185d84b7040bf9d203

Download Submit
memory/1272-8-0x0000000005B20000-0x0000000005B30000-memory.dmp

Filesize
64KB

Download
memory/1272-10-0x000000000AD50000-0x000000000ADDE000-memory.dmp

Filesize
568KB

Download
memory/1272-5-0x0000000005950000-0x000000000595A000-memory.dmp

Filesize
40KB

Download
memory/1272-6-0x0000000006EA0000-0x0000000006EBA000-memory.dmp

Filesize
104KB

Download
memory/1272-7-0x0000000075120000-0x00000000758D0000-memory.dmp

Filesize
7.7MB

Download
memory/1272-25-0x0000000001630000-0x0000000001664000-memory.dmp

Filesize
208KB

Download
memory/1272-9-0x00000000073E0000-0x00000000073EC000-memory.dmp

Filesize
48KB

Download
memory/1272-4-0x0000000005B20000-0x0000000005B30000-memory.dmp

Filesize
64KB

Download
memory/1272-11-0x000000000AE80000-0x000000000AF1C000-memory.dmp

Filesize
624KB

Download
memory/1272-12-0x00000000015C0000-0x0000000001626000-memory.dmp

Filesize
408KB

Download
memory/1272-0-0x0000000075120000-0x00000000758D0000-memory.dmp

Filesize
7.7MB

Download
memory/1272-3-0x0000000005970000-0x0000000005A02000-memory.dmp

Filesize
584KB

Download
memory/1272-2-0x0000000005E80000-0x0000000006424000-memory.dmp

Filesize
5.6MB

Download
memory/1272-31-0x0000000075120000-0x00000000758D0000-memory.dmp

Filesize
7.7MB

Download
memory/1272-1-0x0000000000E40000-0x0000000000F44000-memory.dmp

Filesize
1.0MB

Download
memory/1296-91-0x00000000073F0000-0x000000000740A000-memory.dmp

Filesize
104KB

Download
memory/1296-24-0x0000000002440000-0x0000000002450000-memory.dmp

Filesize
64KB

Download
memory/1296-22-0x0000000075120000-0x00000000758D0000-memory.dmp

Filesize
7.7MB

Download
memory/1296-23-0x0000000002440000-0x0000000002450000-memory.dmp

Filesize
64KB

Download
memory/1296-89-0x00000000072F0000-0x00000000072FE000-memory.dmp

Filesize
56KB

Download
memory/1296-88-0x00000000072D0000-0x00000000072E1000-memory.dmp

Filesize
68KB

Download
memory/1296-86-0x0000000007330000-0x00000000073C6000-memory.dmp

Filesize
600KB

Download
memory/1296-56-0x0000000002440000-0x0000000002450000-memory.dmp

Filesize
64KB

Download
memory/1296-98-0x0000000075120000-0x00000000758D0000-memory.dmp

Filesize
7.7MB

Download
memory/1296-84-0x0000000007130000-0x000000000713A000-memory.dmp

Filesize
40KB

Download
memory/1296-82-0x0000000007710000-0x0000000007D8A000-memory.dmp

Filesize
6.5MB

Download
memory/1296-80-0x0000000006D90000-0x0000000006E33000-memory.dmp

Filesize
652KB

Download
memory/1296-65-0x00000000713E0000-0x000000007142C000-memory.dmp

Filesize
304KB

Download
memory/1296-54-0x0000000005DC0000-0x0000000005E0C000-memory.dmp

Filesize
304KB

Download
memory/1296-58-0x0000000006D50000-0x0000000006D82000-memory.dmp

Filesize
200KB

Download
memory/1960-16-0x0000000075120000-0x00000000758D0000-memory.dmp

Filesize
7.7MB

Download
memory/1960-85-0x0000000075120000-0x00000000758D0000-memory.dmp

Filesize
7.7MB

Download
memory/1960-57-0x000000007F7A0000-0x000000007F7B0000-memory.dmp

Filesize
64KB

Download
memory/1960-59-0x00000000713E0000-0x000000007142C000-memory.dmp

Filesize
304KB

Download
memory/1960-53-0x00000000065B0000-0x00000000065CE000-memory.dmp

Filesize
120KB

Download
memory/1960-70-0x0000000006B60000-0x0000000006B7E000-memory.dmp

Filesize
120KB

Download
memory/1960-52-0x0000000006110000-0x0000000006464000-memory.dmp

Filesize
3.3MB

Download
memory/1960-81-0x00000000077A0000-0x0000000007843000-memory.dmp

Filesize
652KB

Download
memory/1960-42-0x0000000005EC0000-0x0000000005F26000-memory.dmp

Filesize
408KB

Download
memory/1960-83-0x00000000078D0000-0x00000000078EA000-memory.dmp

Filesize
104KB

Download
memory/1960-19-0x0000000002CA0000-0x0000000002CD6000-memory.dmp

Filesize
216KB

Download
memory/1960-55-0x0000000002C30000-0x0000000002C40000-memory.dmp

Filesize
64KB

Download
memory/1960-30-0x0000000005E10000-0x0000000005E32000-memory.dmp

Filesize
136KB

Download
memory/1960-87-0x0000000007B40000-0x0000000007BD6000-memory.dmp

Filesize
600KB

Download
memory/1960-97-0x0000000075120000-0x00000000758D0000-memory.dmp

Filesize
7.7MB

Download
memory/1960-18-0x0000000002C30000-0x0000000002C40000-memory.dmp

Filesize
64KB

Download
memory/1960-90-0x0000000007B10000-0x0000000007B24000-memory.dmp

Filesize
80KB

Download
memory/1960-20-0x00000000057B0000-0x0000000005DD8000-memory.dmp

Filesize
6.2MB

Download
memory/1960-92-0x0000000007BF0000-0x0000000007BF8000-memory.dmp

Filesize
32KB

Download
memory/2828-26-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2828-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2828-43-0x0000000000F60000-0x00000000012AA000-memory.dmp

Filesize
3.3MB

Download