formbook | 0c28dff876ccdca7e5ee29299a3828974a3c1c2e9ce6a801e6db7e2a12e16a84

General

Target

New RFQ 6000333264 (K0060-01).exe
Size

1.0MB
MD5

01202dc54836c255eb5d901d3641e786
SHA1

60fdbb2aab5637e9b205a95c2940be264e07ca9f
SHA256

6262299f2c4308cc3f69f8e038d68cefb86f7acb0b718d1fe9416244c80b5956
SHA512

a95209c85deb8f971883ceea25c2cba9d06bb9d0a0d3141383ff7ef42ad767cc75beb366d5806d0cff62fe63a5079e4e9bfb68f58334ec5cee2de89c6c867b0c
SSDEEP

24576:TPxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxNussC5YTy3b:hYTqEpxnhjiTFdj

Score

10^/10

formbook ji99 discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

ji99

Decoy

f5hfqPfk5Co4t9g=

A9ql+89lMaIqvdw=

AuXIIWRbGyo4t9g=

UX9Pn/rz8So4t9g=

haAzYKqrYA==

hFdOOodp41DpKN3KlPmz

RA7UPC/1Nn7DtG2nMDC7qzFIqyNH5Q==

nu+6ldzdZuY7Mfy7R1u8

CUY9ntOFDwT+x5cuu7MwUpEX3jX7ycxrTA==

mBzgqeKiuSTnno+ywbU=

EY1SJn9aa2PgEaK8MCv87C1EqA==

eQ63l+wp6FNhJw==

1qqcmBMMW4cTvd71KFxawvWn

CU0a9s95/UP8lFS7yLc=

XnREpeCto+QncjZhqb8=

1GJM69VrRm+DuOdYWJo+Ug==

R6iIYTHZbuA0L+XKlPmz

oamYII2fY5HT3p28AlVawvWn

/f7UheK0ifs3

TSEN9Dv+PmX4hNnx

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\Geo\Nation	New RFQ 6000333264 (K0060-01).exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2312 set thread context of 2652	2312	New RFQ 6000333264 (K0060-01).exe	34
PID 2652 set thread context of 1196	2652	New RFQ 6000333264 (K0060-01).exe	21
PID 2652 set thread context of 1196	2652	New RFQ 6000333264 (K0060-01).exe	21
PID 3040 set thread context of 1196	3040	ipconfig.exe	21

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	New RFQ 6000333264 (K0060-01).exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3040	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2312	New RFQ 6000333264 (K0060-01).exe
2312	New RFQ 6000333264 (K0060-01).exe
2312	New RFQ 6000333264 (K0060-01).exe
2312	New RFQ 6000333264 (K0060-01).exe
2312	New RFQ 6000333264 (K0060-01).exe
2312	New RFQ 6000333264 (K0060-01).exe
2652	New RFQ 6000333264 (K0060-01).exe
2652	New RFQ 6000333264 (K0060-01).exe
2652	New RFQ 6000333264 (K0060-01).exe
2652	New RFQ 6000333264 (K0060-01).exe
2652	New RFQ 6000333264 (K0060-01).exe
3040	ipconfig.exe
3040	ipconfig.exe
3040	ipconfig.exe
3040	ipconfig.exe
3040	ipconfig.exe
3040	ipconfig.exe
3040	ipconfig.exe
3040	ipconfig.exe
3040	ipconfig.exe
3040	ipconfig.exe
3040	ipconfig.exe
3040	ipconfig.exe
3040	ipconfig.exe
3040	ipconfig.exe
3040	ipconfig.exe
3040	ipconfig.exe
3040	ipconfig.exe
3040	ipconfig.exe
3040	ipconfig.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2652	New RFQ 6000333264 (K0060-01).exe
2652	New RFQ 6000333264 (K0060-01).exe
2652	New RFQ 6000333264 (K0060-01).exe
2652	New RFQ 6000333264 (K0060-01).exe
3040	ipconfig.exe
3040	ipconfig.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2312	New RFQ 6000333264 (K0060-01).exe
Token: SeDebugPrivilege	2652	New RFQ 6000333264 (K0060-01).exe
Token: SeDebugPrivilege	3040	ipconfig.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 2692	2312	New RFQ 6000333264 (K0060-01).exe	31
PID 2312 wrote to memory of 2692	2312	New RFQ 6000333264 (K0060-01).exe	31
PID 2312 wrote to memory of 2692	2312	New RFQ 6000333264 (K0060-01).exe	31
PID 2312 wrote to memory of 2692	2312	New RFQ 6000333264 (K0060-01).exe	31
PID 2312 wrote to memory of 2636	2312	New RFQ 6000333264 (K0060-01).exe	32
PID 2312 wrote to memory of 2636	2312	New RFQ 6000333264 (K0060-01).exe	32
PID 2312 wrote to memory of 2636	2312	New RFQ 6000333264 (K0060-01).exe	32
PID 2312 wrote to memory of 2636	2312	New RFQ 6000333264 (K0060-01).exe	32
PID 2312 wrote to memory of 2632	2312	New RFQ 6000333264 (K0060-01).exe	33
PID 2312 wrote to memory of 2632	2312	New RFQ 6000333264 (K0060-01).exe	33
PID 2312 wrote to memory of 2632	2312	New RFQ 6000333264 (K0060-01).exe	33
PID 2312 wrote to memory of 2632	2312	New RFQ 6000333264 (K0060-01).exe	33
PID 2312 wrote to memory of 2652	2312	New RFQ 6000333264 (K0060-01).exe	34
PID 2312 wrote to memory of 2652	2312	New RFQ 6000333264 (K0060-01).exe	34
PID 2312 wrote to memory of 2652	2312	New RFQ 6000333264 (K0060-01).exe	34
PID 2312 wrote to memory of 2652	2312	New RFQ 6000333264 (K0060-01).exe	34
PID 2312 wrote to memory of 2652	2312	New RFQ 6000333264 (K0060-01).exe	34
PID 2312 wrote to memory of 2652	2312	New RFQ 6000333264 (K0060-01).exe	34
PID 2312 wrote to memory of 2652	2312	New RFQ 6000333264 (K0060-01).exe	34
PID 1196 wrote to memory of 3040	1196	Explorer.EXE	35
PID 1196 wrote to memory of 3040	1196	Explorer.EXE	35
PID 1196 wrote to memory of 3040	1196	Explorer.EXE	35
PID 1196 wrote to memory of 3040	1196	Explorer.EXE	35

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Users\Admin\AppData\Local\Temp\New RFQ 6000333264 (K0060-01).exe
  "C:\Users\Admin\AppData\Local\Temp\New RFQ 6000333264 (K0060-01).exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\Users\Admin\AppData\Local\Temp\New RFQ 6000333264 (K0060-01).exe
    "C:\Users\Admin\AppData\Local\Temp\New RFQ 6000333264 (K0060-01).exe"
    3⤵
    PID:2692
- - C:\Users\Admin\AppData\Local\Temp\New RFQ 6000333264 (K0060-01).exe
    "C:\Users\Admin\AppData\Local\Temp\New RFQ 6000333264 (K0060-01).exe"
    3⤵
    PID:2636
- - C:\Users\Admin\AppData\Local\Temp\New RFQ 6000333264 (K0060-01).exe
    "C:\Users\Admin\AppData\Local\Temp\New RFQ 6000333264 (K0060-01).exe"
    3⤵
    PID:2632
- - C:\Users\Admin\AppData\Local\Temp\New RFQ 6000333264 (K0060-01).exe
    "C:\Users\Admin\AppData\Local\Temp\New RFQ 6000333264 (K0060-01).exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2652
- C:\Windows\SysWOW64\ipconfig.exe
  "C:\Windows\SysWOW64\ipconfig.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Gathers network information
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1196-23-0x0000000005150000-0x0000000005228000-memory.dmp

Filesize
864KB

Download
memory/1196-32-0x0000000006D10000-0x0000000006E2E000-memory.dmp

Filesize
1.1MB

Download
memory/1196-27-0x0000000005150000-0x0000000005228000-memory.dmp

Filesize
864KB

Download
memory/1196-28-0x0000000006D10000-0x0000000006E2E000-memory.dmp

Filesize
1.1MB

Download
memory/2312-7-0x0000000004B60000-0x0000000004BEE000-memory.dmp

Filesize
568KB

Download
memory/2312-18-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download
memory/2312-6-0x0000000000620000-0x000000000062C000-memory.dmp

Filesize
48KB

Download
memory/2312-0-0x0000000074C5E000-0x0000000074C5F000-memory.dmp

Filesize
4KB

Download
memory/2312-8-0x0000000004CF0000-0x0000000004D24000-memory.dmp

Filesize
208KB

Download
memory/2312-1-0x0000000000190000-0x000000000029C000-memory.dmp

Filesize
1.0MB

Download
memory/2312-2-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download
memory/2312-3-0x0000000001E70000-0x0000000001E88000-memory.dmp

Filesize
96KB

Download
memory/2312-4-0x0000000074C5E000-0x0000000074C5F000-memory.dmp

Filesize
4KB

Download
memory/2312-5-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download
memory/2652-19-0x00000000009E0000-0x0000000000CE3000-memory.dmp

Filesize
3.0MB

Download
memory/2652-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2652-20-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2652-22-0x0000000000110000-0x0000000000120000-memory.dmp

Filesize
64KB

Download
memory/2652-21-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2652-17-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2652-26-0x0000000000150000-0x0000000000160000-memory.dmp

Filesize
64KB

Download
memory/2652-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2652-11-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2652-25-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2652-10-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3040-30-0x0000000000600000-0x000000000060A000-memory.dmp

Filesize
40KB

Download
memory/3040-31-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/3040-29-0x0000000000600000-0x000000000060A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads