formbook | 0c28dff876ccdca7e5ee29299a3828974a3c1c2e9ce6a801e6db7e2a12e16a84

General

Target

New RFQ 6000333264 (K0060-01).exe
Size

1.0MB
MD5

01202dc54836c255eb5d901d3641e786
SHA1

60fdbb2aab5637e9b205a95c2940be264e07ca9f
SHA256

6262299f2c4308cc3f69f8e038d68cefb86f7acb0b718d1fe9416244c80b5956
SHA512

a95209c85deb8f971883ceea25c2cba9d06bb9d0a0d3141383ff7ef42ad767cc75beb366d5806d0cff62fe63a5079e4e9bfb68f58334ec5cee2de89c6c867b0c
SSDEEP

24576:TPxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxNussC5YTy3b:hYTqEpxnhjiTFdj

Score

10^/10

formbook ji99 discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

ji99

Decoy

f5hfqPfk5Co4t9g=

A9ql+89lMaIqvdw=

AuXIIWRbGyo4t9g=

UX9Pn/rz8So4t9g=

haAzYKqrYA==

hFdOOodp41DpKN3KlPmz

RA7UPC/1Nn7DtG2nMDC7qzFIqyNH5Q==

nu+6ldzdZuY7Mfy7R1u8

CUY9ntOFDwT+x5cuu7MwUpEX3jX7ycxrTA==

mBzgqeKiuSTnno+ywbU=

EY1SJn9aa2PgEaK8MCv87C1EqA==

eQ63l+wp6FNhJw==

1qqcmBMMW4cTvd71KFxawvWn

CU0a9s95/UP8lFS7yLc=

XnREpeCto+QncjZhqb8=

1GJM69VrRm+DuOdYWJo+Ug==

R6iIYTHZbuA0L+XKlPmz

oamYII2fY5HT3p28AlVawvWn

/f7UheK0ifs3

TSEN9Dv+PmX4hNnx

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\International\Geo\Nation	New RFQ 6000333264 (K0060-01).exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2160 set thread context of 2792	2160	New RFQ 6000333264 (K0060-01).exe	30
PID 2792 set thread context of 1200	2792	New RFQ 6000333264 (K0060-01).exe	21
PID 2792 set thread context of 1200	2792	New RFQ 6000333264 (K0060-01).exe	21

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2396	1928	WerFault.exe	33

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	New RFQ 6000333264 (K0060-01).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2792	New RFQ 6000333264 (K0060-01).exe
2792	New RFQ 6000333264 (K0060-01).exe
2792	New RFQ 6000333264 (K0060-01).exe
2792	New RFQ 6000333264 (K0060-01).exe
2792	New RFQ 6000333264 (K0060-01).exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
2792	New RFQ 6000333264 (K0060-01).exe
2792	New RFQ 6000333264 (K0060-01).exe
2792	New RFQ 6000333264 (K0060-01).exe
2792	New RFQ 6000333264 (K0060-01).exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2792	New RFQ 6000333264 (K0060-01).exe
Token: SeShutdownPrivilege	1200	Explorer.EXE
Token: SeShutdownPrivilege	1200	Explorer.EXE
Token: SeShutdownPrivilege	1200	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 2792	2160	New RFQ 6000333264 (K0060-01).exe	30
PID 2160 wrote to memory of 2792	2160	New RFQ 6000333264 (K0060-01).exe	30
PID 2160 wrote to memory of 2792	2160	New RFQ 6000333264 (K0060-01).exe	30
PID 2160 wrote to memory of 2792	2160	New RFQ 6000333264 (K0060-01).exe	30
PID 2160 wrote to memory of 2792	2160	New RFQ 6000333264 (K0060-01).exe	30
PID 2160 wrote to memory of 2792	2160	New RFQ 6000333264 (K0060-01).exe	30
PID 2160 wrote to memory of 2792	2160	New RFQ 6000333264 (K0060-01).exe	30
PID 1200 wrote to memory of 1928	1200	Explorer.EXE	33
PID 1200 wrote to memory of 1928	1200	Explorer.EXE	33
PID 1200 wrote to memory of 1928	1200	Explorer.EXE	33
PID 1200 wrote to memory of 1928	1200	Explorer.EXE	33
PID 1200 wrote to memory of 1928	1200	Explorer.EXE	33
PID 1200 wrote to memory of 1928	1200	Explorer.EXE	33
PID 1200 wrote to memory of 1928	1200	Explorer.EXE	33
PID 1928 wrote to memory of 2396	1928	msiexec.exe	34
PID 1928 wrote to memory of 2396	1928	msiexec.exe	34
PID 1928 wrote to memory of 2396	1928	msiexec.exe	34
PID 1928 wrote to memory of 2396	1928	msiexec.exe	34

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Users\Admin\AppData\Local\Temp\New RFQ 6000333264 (K0060-01).exe
  "C:\Users\Admin\AppData\Local\Temp\New RFQ 6000333264 (K0060-01).exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Users\Admin\AppData\Local\Temp\New RFQ 6000333264 (K0060-01).exe
    "C:\Users\Admin\AppData\Local\Temp\New RFQ 6000333264 (K0060-01).exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2792
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:1484
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2644
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 268
    3⤵
    - Program crash
    PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1200-24-0x00000000074D0000-0x00000000075F4000-memory.dmp

Filesize
1.1MB

Download
memory/1200-36-0x0000000007600000-0x0000000007785000-memory.dmp

Filesize
1.5MB

Download
memory/1200-29-0x0000000007600000-0x0000000007785000-memory.dmp

Filesize
1.5MB

Download
memory/1200-28-0x00000000074D0000-0x00000000075F4000-memory.dmp

Filesize
1.1MB

Download
memory/1928-33-0x0000000000FE0000-0x0000000000FF4000-memory.dmp

Filesize
80KB

Download
memory/1928-30-0x0000000000FE0000-0x0000000000FF4000-memory.dmp

Filesize
80KB

Download
memory/1928-31-0x0000000000FE0000-0x0000000000FF4000-memory.dmp

Filesize
80KB

Download
memory/2160-6-0x00000000004C0000-0x00000000004CC000-memory.dmp

Filesize
48KB

Download
memory/2160-7-0x0000000005FE0000-0x000000000606E000-memory.dmp

Filesize
568KB

Download
memory/2160-1-0x00000000010E0000-0x00000000011EC000-memory.dmp

Filesize
1.0MB

Download
memory/2160-2-0x0000000074410000-0x0000000074AFE000-memory.dmp

Filesize
6.9MB

Download
memory/2160-3-0x0000000000690000-0x00000000006A8000-memory.dmp

Filesize
96KB

Download
memory/2160-4-0x000000007441E000-0x000000007441F000-memory.dmp

Filesize
4KB

Download
memory/2160-5-0x0000000074410000-0x0000000074AFE000-memory.dmp

Filesize
6.9MB

Download
memory/2160-18-0x0000000074410000-0x0000000074AFE000-memory.dmp

Filesize
6.9MB

Download
memory/2160-0-0x000000007441E000-0x000000007441F000-memory.dmp

Filesize
4KB

Download
memory/2160-8-0x0000000000E30000-0x0000000000E64000-memory.dmp

Filesize
208KB

Download
memory/2792-22-0x00000000000A0000-0x00000000000B0000-memory.dmp

Filesize
64KB

Download
memory/2792-21-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2792-19-0x0000000000860000-0x0000000000B63000-memory.dmp

Filesize
3.0MB

Download
memory/2792-27-0x00000000001D0000-0x00000000001E0000-memory.dmp

Filesize
64KB

Download
memory/2792-26-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2792-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2792-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2792-17-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2792-11-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2792-9-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing