formbook | c7963d714e508e583052dbac69fd4bb75d271db457308f67adb0e9bfae93ad60

General

Target

ORDER NO VOL- 6542 335 22.exe
Size

1.0MB
MD5

d59478fd8ef62d1006e85001c3ac59f3
SHA1

aaf63576f5f1f412547c51bee18f88deeb06d36a
SHA256

af9c39c609e5cda424ed4cd2fbe7f32c0d9d2936754d41c098a7dec269c42fd2
SHA512

7184b20f299cf019d9a8f260fc8fd135b7e5b558a4e4061b10f2930a80949aef67de2bd9293770585cef7a677fdacef69cbaa61a688905118c717d4ced98999c
SSDEEP

24576:E1RcJw0mlJ5noiNiGLU8GXplgs8PErrmDgvqOR:Ezc6jnvQr8GQormDIjR

Score

10^/10

formbook nquy discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

nquy

Decoy

a3sidprVANFTG0llIjdA

amYQhcIbS9blLB0=

GOqH7AZQZTYBOB8vWeHGwCVnUw==

kp1yw+EwVCesxslPY5gtZ2aiBcRa

zV/0O1+y47mCh6+5

uX0OU3R898WRBa/Rog==

6val8whPkGM9wuxTFGNI

ozzlSYzyF/XOgNSKG5fsoNYzkk+pxgDF

sHo2h6PuHfFwtOdTFGNI

xZ54yOceUB/thMxtzhp4wCVnUw==

s4pIou5HdD3C1snrARcqXw==

jiOqEVW81qEjTIs5ouY+1hZ3MGvCJg==

Nga3BkamwZ4gVmz0fb5KkYs=

DNeA3Bp8vJpd8VPogb5KkYs=

tbZjsdPoeu0sRcPUqA==

RToES3S3EqV3+g2XLLtFzOHPMXwE7JvN

+c+C3eYzcETJ8hehDlIno5I=

3KE0kK71Hf/ODgNTFGNI

MPrCqTAJbjGx

fkXl/0uKuIgIDPB+aeTYSA==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	ORDER NO VOL- 6542 335 22.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 552 set thread context of 1976	552	ORDER NO VOL- 6542 335 22.exe	102
PID 1976 set thread context of 3452	1976	ORDER NO VOL- 6542 335 22.exe	56
PID 1976 set thread context of 3452	1976	ORDER NO VOL- 6542 335 22.exe	56
PID 1092 set thread context of 3452	1092	help.exe	56

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1824	552	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ORDER NO VOL- 6542 335 22.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ORDER NO VOL- 6542 335 22.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	help.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	help.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
552	ORDER NO VOL- 6542 335 22.exe
552	ORDER NO VOL- 6542 335 22.exe
552	ORDER NO VOL- 6542 335 22.exe
552	ORDER NO VOL- 6542 335 22.exe
1976	ORDER NO VOL- 6542 335 22.exe
1976	ORDER NO VOL- 6542 335 22.exe
1976	ORDER NO VOL- 6542 335 22.exe
1976	ORDER NO VOL- 6542 335 22.exe
1976	ORDER NO VOL- 6542 335 22.exe
1976	ORDER NO VOL- 6542 335 22.exe
1976	ORDER NO VOL- 6542 335 22.exe
1976	ORDER NO VOL- 6542 335 22.exe
1976	ORDER NO VOL- 6542 335 22.exe
1976	ORDER NO VOL- 6542 335 22.exe
1092	help.exe
1092	help.exe
1092	help.exe
1092	help.exe
1092	help.exe
1092	help.exe
1092	help.exe
1092	help.exe
1092	help.exe
1092	help.exe
1092	help.exe
1092	help.exe
1092	help.exe
1092	help.exe
1092	help.exe
1092	help.exe
1092	help.exe
1092	help.exe
1092	help.exe
1092	help.exe
1092	help.exe
1092	help.exe
1092	help.exe
1092	help.exe
1092	help.exe
1092	help.exe
1092	help.exe
1092	help.exe
1092	help.exe
1092	help.exe
1092	help.exe
1092	help.exe
1092	help.exe
1092	help.exe

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
1976	ORDER NO VOL- 6542 335 22.exe
1976	ORDER NO VOL- 6542 335 22.exe
1976	ORDER NO VOL- 6542 335 22.exe
1976	ORDER NO VOL- 6542 335 22.exe
1092	help.exe
1092	help.exe
1092	help.exe
1092	help.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	552	ORDER NO VOL- 6542 335 22.exe
Token: SeDebugPrivilege	1976	ORDER NO VOL- 6542 335 22.exe
Token: SeShutdownPrivilege	3452	Explorer.EXE
Token: SeCreatePagefilePrivilege	3452	Explorer.EXE
Token: SeShutdownPrivilege	3452	Explorer.EXE
Token: SeCreatePagefilePrivilege	3452	Explorer.EXE
Token: SeShutdownPrivilege	3452	Explorer.EXE
Token: SeCreatePagefilePrivilege	3452	Explorer.EXE
Token: SeDebugPrivilege	1092	help.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 552 wrote to memory of 924	552	ORDER NO VOL- 6542 335 22.exe	100
PID 552 wrote to memory of 924	552	ORDER NO VOL- 6542 335 22.exe	100
PID 552 wrote to memory of 924	552	ORDER NO VOL- 6542 335 22.exe	100
PID 552 wrote to memory of 4512	552	ORDER NO VOL- 6542 335 22.exe	101
PID 552 wrote to memory of 4512	552	ORDER NO VOL- 6542 335 22.exe	101
PID 552 wrote to memory of 4512	552	ORDER NO VOL- 6542 335 22.exe	101
PID 552 wrote to memory of 1976	552	ORDER NO VOL- 6542 335 22.exe	102
PID 552 wrote to memory of 1976	552	ORDER NO VOL- 6542 335 22.exe	102
PID 552 wrote to memory of 1976	552	ORDER NO VOL- 6542 335 22.exe	102
PID 552 wrote to memory of 1976	552	ORDER NO VOL- 6542 335 22.exe	102
PID 552 wrote to memory of 1976	552	ORDER NO VOL- 6542 335 22.exe	102
PID 552 wrote to memory of 1976	552	ORDER NO VOL- 6542 335 22.exe	102
PID 1976 wrote to memory of 1092	1976	ORDER NO VOL- 6542 335 22.exe	107
PID 1976 wrote to memory of 1092	1976	ORDER NO VOL- 6542 335 22.exe	107
PID 1976 wrote to memory of 1092	1976	ORDER NO VOL- 6542 335 22.exe	107
PID 1092 wrote to memory of 4900	1092	help.exe	108
PID 1092 wrote to memory of 4900	1092	help.exe	108
PID 1092 wrote to memory of 4900	1092	help.exe	108

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3452
- C:\Users\Admin\AppData\Local\Temp\ORDER NO VOL- 6542 335 22.exe
  "C:\Users\Admin\AppData\Local\Temp\ORDER NO VOL- 6542 335 22.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:552
- - C:\Users\Admin\AppData\Local\Temp\ORDER NO VOL- 6542 335 22.exe
    "C:\Users\Admin\AppData\Local\Temp\ORDER NO VOL- 6542 335 22.exe"
    3⤵
    PID:924
- - C:\Users\Admin\AppData\Local\Temp\ORDER NO VOL- 6542 335 22.exe
    "C:\Users\Admin\AppData\Local\Temp\ORDER NO VOL- 6542 335 22.exe"
    3⤵
    PID:4512
- - C:\Users\Admin\AppData\Local\Temp\ORDER NO VOL- 6542 335 22.exe
    "C:\Users\Admin\AppData\Local\Temp\ORDER NO VOL- 6542 335 22.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1976
  - - C:\Windows\SysWOW64\help.exe
      "C:\Windows\SysWOW64\help.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1092
    - - C:\Program Files\Mozilla Firefox\Firefox.exe
        
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        5⤵
        
        PID:4900
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 1284
    3⤵
    - Program crash
    PID:1824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 552 -ip 552
1⤵
PID:4232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/552-8-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download
memory/552-10-0x0000000008250000-0x000000000831A000-memory.dmp

Filesize
808KB

Download
memory/552-2-0x0000000005CB0000-0x0000000006254000-memory.dmp

Filesize
5.6MB

Download
memory/552-3-0x0000000005700000-0x0000000005792000-memory.dmp

Filesize
584KB

Download
memory/552-4-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download
memory/552-5-0x00000000057B0000-0x00000000057BA000-memory.dmp

Filesize
40KB

Download
memory/552-6-0x0000000006910000-0x0000000006924000-memory.dmp

Filesize
80KB

Download
memory/552-7-0x0000000074D9E000-0x0000000074D9F000-memory.dmp

Filesize
4KB

Download
memory/552-1-0x0000000000D50000-0x0000000000E5C000-memory.dmp

Filesize
1.0MB

Download
memory/552-23-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download
memory/552-9-0x0000000006BA0000-0x0000000006BAC000-memory.dmp

Filesize
48KB

Download
memory/552-11-0x0000000008320000-0x00000000083BC000-memory.dmp

Filesize
624KB

Download
memory/552-12-0x00000000083C0000-0x0000000008426000-memory.dmp

Filesize
408KB

Download
memory/552-13-0x0000000008460000-0x00000000084D2000-memory.dmp

Filesize
456KB

Download
memory/552-0-0x0000000074D9E000-0x0000000074D9F000-memory.dmp

Filesize
4KB

Download
memory/1092-29-0x0000000000410000-0x0000000000417000-memory.dmp

Filesize
28KB

Download
memory/1092-32-0x0000000000D00000-0x0000000000D2D000-memory.dmp

Filesize
180KB

Download
memory/1092-30-0x0000000000410000-0x0000000000417000-memory.dmp

Filesize
28KB

Download
memory/1976-19-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1976-18-0x00000000012B0000-0x00000000015FA000-memory.dmp

Filesize
3.3MB

Download
memory/1976-14-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1976-21-0x0000000001200000-0x0000000001210000-memory.dmp

Filesize
64KB

Download
memory/1976-17-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1976-26-0x0000000001260000-0x0000000001270000-memory.dmp

Filesize
64KB

Download
memory/1976-25-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1976-20-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3452-28-0x0000000009310000-0x0000000009473000-memory.dmp

Filesize
1.4MB

Download
memory/3452-27-0x0000000009540000-0x00000000096EA000-memory.dmp

Filesize
1.7MB

Download
memory/3452-31-0x0000000009540000-0x00000000096EA000-memory.dmp

Filesize
1.7MB

Download
memory/3452-22-0x0000000009310000-0x0000000009473000-memory.dmp

Filesize
1.4MB

Download
memory/3452-35-0x0000000009820000-0x0000000009979000-memory.dmp

Filesize
1.3MB

Download
memory/3452-36-0x0000000009820000-0x0000000009979000-memory.dmp

Filesize
1.3MB

Download
memory/3452-44-0x0000000009820000-0x0000000009979000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing