formbook | 8f4bb4bd0cff9da6a0aee3e0204732840f045fab3ae23020385646fc47aae9f4

General

Target

Payment Slip_GS2004011507 & GS2005014760_pdf.exe
Size

304KB
MD5

724b0343f5f55aab914f610c1164cdcd
SHA1

b451c5667a1491a99e7c54e549fa89049beba10f
SHA256

8f4bb4bd0cff9da6a0aee3e0204732840f045fab3ae23020385646fc47aae9f4
SHA512

3e8898305f745fcf12735af7be23e780474377e6e16c1b401e783439ce1ecd10602da2f5eae8672d9d9ebe0d66215eeebe8eb46e1103fc6771d936c18ae81e47

Score

10^/10

spyware trojan stealer formbook persistence

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

cmstp.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-1231583446-2617009595-2137880041-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Drops file in Program Files directory 1 IoCs

Processes:

cmstp.exe

description ioc process

File opened for modification C:\Program Files (x86)\Ghpp\mlt8stxwlr8c.exe cmstp.exe
System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

cmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer cmstp.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Ghpp\mlt8stxwlr8c.exe	cmstp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	cmstp.exe

Suspicious use of WriteProcessMemory 93 IoCs

Processes:

Payment Slip_GS2004011507 & GS2005014760_pdf.exerundll32.exe

description	pid	process	target process
PID 1732 wrote to memory of 1988	1732	Payment Slip_GS2004011507 & GS2005014760_pdf.exe	rundll32.exe
PID 1732 wrote to memory of 1988	1732	Payment Slip_GS2004011507 & GS2005014760_pdf.exe	rundll32.exe
PID 1732 wrote to memory of 1988	1732	Payment Slip_GS2004011507 & GS2005014760_pdf.exe	rundll32.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe
PID 1988 wrote to memory of 2908	1988	rundll32.exe	cmd.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1988 rundll32.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

cmd.execmstp.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	2908	cmd.exe
Token: SeDebugPrivilege	3904	cmstp.exe
Token: SeShutdownPrivilege	3000	Explorer.EXE
Token: SeCreatePagefilePrivilege	3000	Explorer.EXE
Token: SeShutdownPrivilege	3000	Explorer.EXE
Token: SeCreatePagefilePrivilege	3000	Explorer.EXE
Token: SeShutdownPrivilege	3000	Explorer.EXE
Token: SeCreatePagefilePrivilege	3000	Explorer.EXE
Token: SeShutdownPrivilege	3000	Explorer.EXE
Token: SeCreatePagefilePrivilege	3000	Explorer.EXE
Token: SeShutdownPrivilege	3000	Explorer.EXE
Token: SeCreatePagefilePrivilege	3000	Explorer.EXE

Suspicious use of SetThreadContext 2 IoCs

Processes:

cmd.execmstp.exe

description	pid	process	target process
PID 2908 set thread context of 3000	2908	cmd.exe	Explorer.EXE
PID 3904 set thread context of 3000	3904	cmstp.exe	Explorer.EXE

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Adds Run entry to policy start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cmstp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	cmstp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\YTCLK4G = "C:\\Program Files (x86)\\Ghpp\\mlt8stxwlr8c.exe"	cmstp.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs

Processes:

rundll32.execmd.execmstp.exe

pid	process
1988	rundll32.exe
2908	cmd.exe
2908	cmd.exe
2908	cmd.exe
2908	cmd.exe
3904	cmstp.exe
3904	cmstp.exe
3904	cmstp.exe
3904	cmstp.exe
3904	cmstp.exe
3904	cmstp.exe
3904	cmstp.exe
3904	cmstp.exe
3904	cmstp.exe
3904	cmstp.exe
3904	cmstp.exe
3904	cmstp.exe
3904	cmstp.exe
3904	cmstp.exe
3904	cmstp.exe
3904	cmstp.exe
3904	cmstp.exe
3904	cmstp.exe
3904	cmstp.exe
3904	cmstp.exe
3904	cmstp.exe
3904	cmstp.exe
3904	cmstp.exe
3904	cmstp.exe
3904	cmstp.exe
3904	cmstp.exe
3904	cmstp.exe
3904	cmstp.exe
3904	cmstp.exe
3904	cmstp.exe
3904	cmstp.exe
3904	cmstp.exe
3904	cmstp.exe
3904	cmstp.exe
3904	cmstp.exe
3904	cmstp.exe
3904	cmstp.exe
3904	cmstp.exe
3904	cmstp.exe
3904	cmstp.exe
3904	cmstp.exe
3904	cmstp.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

rundll32.execmd.execmstp.exe

pid process

1988 rundll32.exe
2908 cmd.exe
2908 cmd.exe
2908 cmd.exe
3904 cmstp.exe
3904 cmstp.exe
3904 cmstp.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3000

C:\Users\Admin\AppData\Local\Temp\Payment Slip_GS2004011507 & GS2005014760_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip_GS2004011507 & GS2005014760_pdf.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe Fireside,Pretor
3⤵
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1988

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2908

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
- Modifies Internet Explorer settings
- Drops file in Program Files directory
- System policy modification
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
- Adds Run entry to policy start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3904

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\cmd.exe"
3⤵
PID:4020

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:700

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:728

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DB1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fireside.DLL

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mantel

Download Submit
\Users\Admin\AppData\Local\Temp\Fireside.dll

Download Submit
memory/700-10-0x0000000000000000-mapping.dmp

Download
memory/1988-0-0x0000000000000000-mapping.dmp

Download
memory/2908-4-0x0000000000000000-mapping.dmp

Download
memory/3904-5-0x0000000000000000-mapping.dmp

Download
memory/3904-6-0x0000000000E00000-0x0000000000E16000-memory.dmp

Filesize
88KB

Download
memory/3904-7-0x0000000000E00000-0x0000000000E16000-memory.dmp

Filesize
88KB

Download
memory/3904-9-0x00000000055E0000-0x00000000056FF000-memory.dmp

Filesize
1.1MB

Download
memory/4020-8-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads