formbook | 4fc6cac9d7547036158bc3aa8be06f2a6be57eabc406abf3a39c2cacb5f410b8

General

Target

Purchase order-77.exe
Size

443KB
MD5

8a26d6812aece27f98e9985488d457b0
SHA1

ba317aa78c6efd8e763f7b7a19c858724c6f2f1d
SHA256

4fc6cac9d7547036158bc3aa8be06f2a6be57eabc406abf3a39c2cacb5f410b8
SHA512

bc94d03c06d842601f755073c8e47e3ae6f1b07aab30d347c3884c23ebf8e72acdb972f0b3a034ec5c31b49e76cd5a995d737e5e7f7497b52290019930608576

Score

10^/10

trojan spyware stealer formbook persistence

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
3944	Purchase order-77.exe
3944	Purchase order-77.exe
2072	Purchase order-77.exe
2072	Purchase order-77.exe
2072	Purchase order-77.exe
2072	Purchase order-77.exe
2128	systray.exe
2128	systray.exe
2128	systray.exe
2128	systray.exe
2128	systray.exe
2128	systray.exe
2128	systray.exe
2128	systray.exe
2128	systray.exe
2128	systray.exe
2128	systray.exe
2128	systray.exe
2128	systray.exe
2128	systray.exe
2128	systray.exe
2128	systray.exe
2128	systray.exe
2128	systray.exe
2128	systray.exe
2128	systray.exe
2128	systray.exe
2128	systray.exe
2128	systray.exe
2128	systray.exe
2128	systray.exe
2128	systray.exe
2128	systray.exe
2128	systray.exe
2128	systray.exe
2128	systray.exe
2128	systray.exe
2128	systray.exe
2128	systray.exe
2128	systray.exe
2128	systray.exe
2128	systray.exe
2128	systray.exe
2128	systray.exe
2128	systray.exe
2128	systray.exe

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	systray.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Grfitm\fv04djo4.exe	systray.exe

Adds Run entry to policy start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\-ZUPIPJ0827 = "C:\\Program Files (x86)\\Grfitm\\fv04djo4.exe"	systray.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	systray.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-1231583446-2617009595-2137880041-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	systray.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3944 wrote to memory of 2056	3944	Purchase order-77.exe	72
PID 3944 wrote to memory of 2056	3944	Purchase order-77.exe	72
PID 3944 wrote to memory of 2056	3944	Purchase order-77.exe	72
PID 3944 wrote to memory of 2072	3944	Purchase order-77.exe	73
PID 3944 wrote to memory of 2072	3944	Purchase order-77.exe	73
PID 3944 wrote to memory of 2072	3944	Purchase order-77.exe	73
PID 3944 wrote to memory of 2072	3944	Purchase order-77.exe	73
PID 3944 wrote to memory of 2072	3944	Purchase order-77.exe	73
PID 3944 wrote to memory of 2072	3944	Purchase order-77.exe	73
PID 2988 wrote to memory of 2128	2988	Explorer.EXE	74
PID 2988 wrote to memory of 2128	2988	Explorer.EXE	74
PID 2988 wrote to memory of 2128	2988	Explorer.EXE	74
PID 2128 wrote to memory of 2576	2128	systray.exe	75
PID 2128 wrote to memory of 2576	2128	systray.exe	75
PID 2128 wrote to memory of 2576	2128	systray.exe	75
PID 2128 wrote to memory of 3868	2128	systray.exe	77
PID 2128 wrote to memory of 3868	2128	systray.exe	77
PID 2128 wrote to memory of 3868	2128	systray.exe	77
PID 2128 wrote to memory of 3880	2128	systray.exe	79
PID 2128 wrote to memory of 3880	2128	systray.exe	79
PID 2128 wrote to memory of 3880	2128	systray.exe	79

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	3944	Purchase order-77.exe
Token: SeDebugPrivilege	2072	Purchase order-77.exe
Token: SeDebugPrivilege	2128	systray.exe
Token: SeShutdownPrivilege	2988	Explorer.EXE
Token: SeCreatePagefilePrivilege	2988	Explorer.EXE
Token: SeShutdownPrivilege	2988	Explorer.EXE
Token: SeCreatePagefilePrivilege	2988	Explorer.EXE
Token: SeShutdownPrivilege	2988	Explorer.EXE
Token: SeCreatePagefilePrivilege	2988	Explorer.EXE
Token: SeShutdownPrivilege	2988	Explorer.EXE
Token: SeCreatePagefilePrivilege	2988	Explorer.EXE

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3944 set thread context of 2072	3944	Purchase order-77.exe	73
PID 2072 set thread context of 2988	2072	Purchase order-77.exe	56
PID 2128 set thread context of 2988	2128	systray.exe	56

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
2072	Purchase order-77.exe
2072	Purchase order-77.exe
2072	Purchase order-77.exe
2128	systray.exe
2128	systray.exe
2128	systray.exe
2128	systray.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
PID:2988
- C:\Users\Admin\AppData\Local\Temp\Purchase order-77.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchase order-77.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetThreadContext
  PID:3944
- - C:\Users\Admin\AppData\Local\Temp\Purchase order-77.exe
    "{path}"
    3⤵
    PID:2056
- - C:\Users\Admin\AppData\Local\Temp\Purchase order-77.exe
    "{path}"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    PID:2072
- C:\Windows\SysWOW64\systray.exe
  "C:\Windows\SysWOW64\systray.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - System policy modification
  - Drops file in Program Files directory
  - Adds Run entry to policy start application
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  PID:2128
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\Purchase order-77.exe"
    3⤵
    PID:2576
- - C:\Windows\SysWOW64\cmd.exe
    /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
    3⤵
    PID:3868
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:3880

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2072-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2128-5-0x0000000001310000-0x0000000001316000-memory.dmp

Filesize
24KB

Download
memory/2128-7-0x0000000004A90000-0x0000000004C22000-memory.dmp

Filesize
1.6MB

Download
memory/2128-4-0x0000000001310000-0x0000000001316000-memory.dmp

Filesize
24KB

Download
memory/3880-13-0x00007FF692EE0000-0x00007FF692F73000-memory.dmp

Filesize
588KB

Download
memory/3880-14-0x00007FF692EE0000-0x00007FF692F73000-memory.dmp

Filesize
588KB

Download
memory/3880-15-0x00007FF692EE0000-0x00007FF692F73000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads