formbook | e764f6e7bdb61df66914dcf9787d1bd6b738f1bd1f13320d57f44362c2ef676e

General

Target

PO 20002001.exe
Size

297KB
MD5

0ea5a94cd963591f731b5f460371e159
SHA1

1b3528c85a3a965106e2d81361d103c0833bf126
SHA256

ff4cff76876cda952a48855396ca07f5fb5216a5df0efd10c9701c135552703c
SHA512

577548cdbd08cc58bba5f08bdf25312d55395b9105334adbfbed3a5cf4d0e549ee4e0c9f0eb07e4f25c8246733f6d352e6c3af811669948905e0cc3d4f9e7aa4
SSDEEP

6144:dNeZ6Ej0A8ksOkFgZNK3ZPVQ8xqP2vYniHUPKI66gc:dNkjZsOkSZNKJPeJ3nS+

Score

10^/10

formbook 8h9m discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

8h9m

Decoy

1mlTmspKx2v1tBk=

yIc4QeHIRDCOR+Jw1Ok=

H8t9mJXm6cGdYU06SRJfL3sSLA==

lAXKHDi6++LIhlEwKs+bWhMZ+L66nQ==

E6WKvzgn56BxKQHIJyzgBAF/rqd3991G

POOMBhRnJuTJ

jamOvN0WjnY=

SkSWCK+QG2v1tBk=

UO/pC56OWQfVlG83j5ePL3sSLA==

zZE+TtGyQ/VHCmpNpqjvtO+qOv0gK/xY

Qf2nzo6CKw0wULtN3u8=

aQXZ7xd65+B5qcGN5es=

pVcLOF283IPToRfbFwmBk+/HYa/XgWg=

/q6WucVnJuTJ

1q6TtFFOBOLzXuZ80eM=

deGLxFs25Mot+4FNkDRsYM4=

OSMfWPXclKD9TD0In3Yh0w==

a//mBgh1bElZOCPn7JQcaAXZ7q/XgWg=

jTcUGqB9bkvyvQ/7

B3hUcn7MyK7CtqeFrxQV3Q==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\Geo\Nation	bwfjco.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\Geo\Nation	bwfjco.exe

Executes dropped EXE 1 IoCs

pid	Process
2056	bwfjco.exe

Loads dropped DLL 6 IoCs

pid	Process
3064	PO 20002001.exe
2056	bwfjco.exe
2532	bwfjco.exe
2056	bwfjco.exe
3060	bwfjco.exe
1580	wininit.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 2056 set thread context of 2532	2056	bwfjco.exe	32
PID 2056 set thread context of 3060	2056	bwfjco.exe	33
PID 2532 set thread context of 1184	2532	bwfjco.exe	21
PID 3060 set thread context of 1184	3060	bwfjco.exe	21
PID 2532 set thread context of 1184	2532	bwfjco.exe	21
PID 1580 set thread context of 1184	1580	wininit.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PO 20002001.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bwfjco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wininit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-2039016743-699959520-214465309-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	wininit.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
2532	bwfjco.exe
2532	bwfjco.exe
2532	bwfjco.exe
2532	bwfjco.exe
3060	bwfjco.exe
3060	bwfjco.exe
3060	bwfjco.exe
3060	bwfjco.exe
1580	wininit.exe
1580	wininit.exe
2532	bwfjco.exe
3024	wscript.exe
1580	wininit.exe
1580	wininit.exe
1580	wininit.exe
1580	wininit.exe
1580	wininit.exe
1580	wininit.exe
1580	wininit.exe
1580	wininit.exe
1580	wininit.exe
1580	wininit.exe
1580	wininit.exe
1580	wininit.exe
1580	wininit.exe
1580	wininit.exe
1580	wininit.exe
1580	wininit.exe
1580	wininit.exe
1580	wininit.exe
1580	wininit.exe
1580	wininit.exe
1580	wininit.exe
1580	wininit.exe
1580	wininit.exe
1580	wininit.exe
1580	wininit.exe

Suspicious behavior: MapViewOfSection 11 IoCs

pid	Process
2532	bwfjco.exe
3060	bwfjco.exe
3060	bwfjco.exe
3060	bwfjco.exe
1580	wininit.exe
2532	bwfjco.exe
2532	bwfjco.exe
2532	bwfjco.exe
1580	wininit.exe
1580	wininit.exe
1580	wininit.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2532	bwfjco.exe
Token: SeDebugPrivilege	3060	bwfjco.exe
Token: SeDebugPrivilege	1580	wininit.exe
Token: SeDebugPrivilege	3024	wscript.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 2056	3064	PO 20002001.exe	30
PID 3064 wrote to memory of 2056	3064	PO 20002001.exe	30
PID 3064 wrote to memory of 2056	3064	PO 20002001.exe	30
PID 3064 wrote to memory of 2056	3064	PO 20002001.exe	30
PID 2056 wrote to memory of 2532	2056	bwfjco.exe	32
PID 2056 wrote to memory of 2532	2056	bwfjco.exe	32
PID 2056 wrote to memory of 2532	2056	bwfjco.exe	32
PID 2056 wrote to memory of 2532	2056	bwfjco.exe	32
PID 2056 wrote to memory of 2532	2056	bwfjco.exe	32
PID 2056 wrote to memory of 3060	2056	bwfjco.exe	33
PID 2056 wrote to memory of 3060	2056	bwfjco.exe	33
PID 2056 wrote to memory of 3060	2056	bwfjco.exe	33
PID 2056 wrote to memory of 3060	2056	bwfjco.exe	33
PID 2056 wrote to memory of 3060	2056	bwfjco.exe	33
PID 1184 wrote to memory of 1580	1184	Explorer.EXE	34
PID 1184 wrote to memory of 1580	1184	Explorer.EXE	34
PID 1184 wrote to memory of 1580	1184	Explorer.EXE	34
PID 1184 wrote to memory of 1580	1184	Explorer.EXE	34
PID 1184 wrote to memory of 3024	1184	Explorer.EXE	36
PID 1184 wrote to memory of 3024	1184	Explorer.EXE	36
PID 1184 wrote to memory of 3024	1184	Explorer.EXE	36
PID 1184 wrote to memory of 3024	1184	Explorer.EXE	36
PID 1580 wrote to memory of 1936	1580	wininit.exe	38
PID 1580 wrote to memory of 1936	1580	wininit.exe	38
PID 1580 wrote to memory of 1936	1580	wininit.exe	38
PID 1580 wrote to memory of 1936	1580	wininit.exe	38
PID 1580 wrote to memory of 1936	1580	wininit.exe	38

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Users\Admin\AppData\Local\Temp\PO 20002001.exe
  "C:\Users\Admin\AppData\Local\Temp\PO 20002001.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Users\Admin\AppData\Local\Temp\bwfjco.exe
    "C:\Users\Admin\AppData\Local\Temp\bwfjco.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2056
  - - C:\Users\Admin\AppData\Local\Temp\bwfjco.exe
      "C:\Users\Admin\AppData\Local\Temp\bwfjco.exe"
      4⤵
      Checks computer location settings
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2532
  - - C:\Users\Admin\AppData\Local\Temp\bwfjco.exe
      "C:\Users\Admin\AppData\Local\Temp\bwfjco.exe"
      4⤵
      Checks computer location settings
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:3060
- C:\Windows\SysWOW64\wininit.exe
  "C:\Windows\SysWOW64\wininit.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1580
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:1936
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\SysWOW64\wscript.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\achjhvsdh.azq

Filesize
4KB

MD5
7bd0fac8e7e5459381be70375c4c9dce

SHA1
8caac83cadcc9bcbef3c52c39bcbd96d2c1fa5ec

SHA256
b1d32cbf786ae8134a383e9d65da1a8a258fcb821c4ede9917a45aee318ec6c8

SHA512
e20f4c4515bba6d028c7a273ecb100e145d56344f30f0ddbf5400f34e7ce83081636f4f4ade3227565609583cce7a4a2ee564717fcf2ec2a295230f22a613660

Download Submit
C:\Users\Admin\AppData\Local\Temp\bwfjco.exe

Filesize
6KB

MD5
9c52ec38c352cd19ae28913fe206a5b3

SHA1
a79300b49a4f1cce8db98515f79759a51bae664b

SHA256
5cb816f8eec3869aba2eec928f0a2c212b55658ae4d0f58ccfe5dbee87ba47de

SHA512
efa5c0060a217a2a8d5a811d0895dfe52ec4cc7213218d7abd09f1a3a621b828015df4c7adcd26ca71f776610ad9a46a710114297a5a76411cd22850675e0a1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fl8tqv.zip

Filesize
486KB

MD5
1e73cacce02ae20026a81f1e56416aa3

SHA1
f491a7301ce11cf11a92c0245c7e03d927422286

SHA256
0dd0dd38cde5a14e7d6d0830db62cc7037e521fd042b0b8da0763128b2c0b3f2

SHA512
afe77facd8b16cc744ac2277414ffaf83436999d15eb8ac707f8098e2f8ed4cb29b430392ebe46b7fa65b20730615bc33dee9416f7141da5032a630894980a0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\shvpsv.be

Filesize
185KB

MD5
d19b92cc62122dcaf130832ec21246e1

SHA1
e3e63fa4982dcce0227939e80e34ad3641eb7ff6

SHA256
d04d38a866be7fa623450edc018e90f6c7d671fec29310f6771e2f4b7c9dcb98

SHA512
dad7e263853e1cb1f1dab2734b97bb7d498f87a017054a80dd0ba07746fb8d16d03db57815cc6d6ecf1e10a544a5560edd1a4ab2ef594539935a2d253ef9043a

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
927KB

MD5
7fd80b1cc72dc580c02ca4cfbfb2592d

SHA1
18da905af878b27151b359cf1a7d0a650764e8a1

SHA256
1e6dccbdf8527abb53c289da920463b7895300d0d984cc7e91a3ecda4e673190

SHA512
13f7f29b5ed31c551aa5f27742557aa4d026a226087d6fcbca094819759ecc753a2c33b7422ae88dc6a4a0a966edb8485a18e59a0283ba2686cae5d78e0190a3

Download Submit
memory/1184-29-0x0000000007730000-0x0000000007887000-memory.dmp

Filesize
1.3MB

Download
memory/1184-34-0x0000000007B50000-0x0000000007C8A000-memory.dmp

Filesize
1.2MB

Download
memory/1184-33-0x00000000079D0000-0x0000000007B41000-memory.dmp

Filesize
1.4MB

Download
memory/1184-20-0x0000000007730000-0x0000000007887000-memory.dmp

Filesize
1.3MB

Download
memory/1184-46-0x00000000050A0000-0x0000000005197000-memory.dmp

Filesize
988KB

Download
memory/1184-43-0x0000000007B50000-0x0000000007C8A000-memory.dmp

Filesize
1.2MB

Download
memory/1184-24-0x00000000079D0000-0x0000000007B41000-memory.dmp

Filesize
1.4MB

Download
memory/1580-90-0x0000000061E00000-0x0000000061ED2000-memory.dmp

Filesize
840KB

Download
memory/1580-42-0x0000000000510000-0x000000000059F000-memory.dmp

Filesize
572KB

Download
memory/1580-26-0x0000000000130000-0x000000000014A000-memory.dmp

Filesize
104KB

Download
memory/1580-30-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/1580-27-0x0000000000130000-0x000000000014A000-memory.dmp

Filesize
104KB

Download
memory/2056-9-0x00000000000C0000-0x00000000000C2000-memory.dmp

Filesize
8KB

Download
memory/2532-37-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/2532-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2532-31-0x0000000000423000-0x0000000000424000-memory.dmp

Filesize
4KB

Download
memory/2532-28-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/2532-19-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2532-14-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/3024-38-0x0000000000C60000-0x0000000000C86000-memory.dmp

Filesize
152KB

Download
memory/3024-36-0x0000000000C60000-0x0000000000C86000-memory.dmp

Filesize
152KB

Download
memory/3060-21-0x0000000000423000-0x0000000000424000-memory.dmp

Filesize
4KB

Download
memory/3060-22-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3060-18-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing