formbook | 438153728a6eb77664398020d884c6eb1fd74f39116090b502b39c2116765f20

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30/09/2022, 14:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PAYMENT COPY.exe
Size

1.0MB
MD5

40b8041f55f40b2975deb791cdd40f17
SHA1

c0a57f918bbdd09d69e2fb380ccea7cc69e65ba8
SHA256

9a5edc79c2643926c35c6e83248b6c196c5cd081f74b3b689ae9f02be6b18369
SHA512

f3f0cbb4bd3515caeaad79f99e050445e02a6678ecc679206dca1c7b701785fd65086e10e7eedf4ed55a3196f8a2995961b92a7ae1bcab93bf71b11f2ac4f995
SSDEEP

24576:iqJo1MNiwGovlW0G4lA0PsUCiyfTwWQn:iqiKlbfPbCiy7w

Score

10^/10

formbook uymo rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

uymo

Decoy

A4J+j1lFUiMbPgQD0uzpdg==

F3lajp/JwxgpzPZ3bf9zrK0EzWDU/JY=

bOCwjfx/jOF4Las6GFv7+tQ=

9BDZHgUVSa1ypSWjNcPR

S9u+wp+ai+yEW4OWIQ==

wXxiP8BRWDG2JiTw5XA=

VeumNjNg3QeL/qtw

KYxbMI9RU7eqPpEYg1v7+tQ=

zwfU2Vv4NxXzDLy1IWFrDo3iqOoV1KB3

0XQ3wM3oGntH+iTw5XA=

nx7p2XIfYkHv9+Uu+VKx3l41j3mS454=

+BIOmtNni5xbAo5VEZFYQFAw

tkQa0SXOEjV/0yTw5XA=

YOLHv42Us4eMrHCod80dYluXJzNn

HZdsbBNsdAvOq+cr4CaIfg==

YlQ/0dwFQYtd+DXIxzKUlO8kBc9C9A==

mCL+zS69yZ9DyvVMC4399tE/Xk0V1KB3

+tXLkwCl2LyCqaNnalv7+tQ=

yPzM2bjLKPyixsjWSoWe9NI=

KQPQVL5puBHigv/RmyAU0ExD4GDU/JY=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\International\Geo\Nation	PAYMENT COPY.exe

Loads dropped DLL 1 IoCs

pid	Process
316	raserver.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1100 set thread context of 1476	1100	PAYMENT COPY.exe	33
PID 1476 set thread context of 1236	1476	PAYMENT COPY.exe	24
PID 316 set thread context of 1236	316	raserver.exe	24

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1116	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	raserver.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1100	PAYMENT COPY.exe
1100	PAYMENT COPY.exe
1100	PAYMENT COPY.exe
1100	PAYMENT COPY.exe
1100	PAYMENT COPY.exe
1100	PAYMENT COPY.exe
1476	PAYMENT COPY.exe
1476	PAYMENT COPY.exe
1476	PAYMENT COPY.exe
1476	PAYMENT COPY.exe
1448	powershell.exe
1316	powershell.exe
316	raserver.exe
316	raserver.exe
316	raserver.exe
316	raserver.exe
316	raserver.exe
316	raserver.exe
316	raserver.exe
316	raserver.exe
316	raserver.exe
316	raserver.exe
316	raserver.exe
316	raserver.exe
316	raserver.exe

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
1476	PAYMENT COPY.exe
1476	PAYMENT COPY.exe
1476	PAYMENT COPY.exe
316	raserver.exe
316	raserver.exe
316	raserver.exe
316	raserver.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1100	PAYMENT COPY.exe
Token: SeDebugPrivilege	1476	PAYMENT COPY.exe
Token: SeDebugPrivilege	1448	powershell.exe
Token: SeDebugPrivilege	1316	powershell.exe
Token: SeDebugPrivilege	316	raserver.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1236	Explorer.EXE
1236	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1236	Explorer.EXE
1236	Explorer.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 1316	1100	PAYMENT COPY.exe	27
PID 1100 wrote to memory of 1316	1100	PAYMENT COPY.exe	27
PID 1100 wrote to memory of 1316	1100	PAYMENT COPY.exe	27
PID 1100 wrote to memory of 1316	1100	PAYMENT COPY.exe	27
PID 1100 wrote to memory of 1448	1100	PAYMENT COPY.exe	29
PID 1100 wrote to memory of 1448	1100	PAYMENT COPY.exe	29
PID 1100 wrote to memory of 1448	1100	PAYMENT COPY.exe	29
PID 1100 wrote to memory of 1448	1100	PAYMENT COPY.exe	29
PID 1100 wrote to memory of 1116	1100	PAYMENT COPY.exe	31
PID 1100 wrote to memory of 1116	1100	PAYMENT COPY.exe	31
PID 1100 wrote to memory of 1116	1100	PAYMENT COPY.exe	31
PID 1100 wrote to memory of 1116	1100	PAYMENT COPY.exe	31
PID 1100 wrote to memory of 1476	1100	PAYMENT COPY.exe	33
PID 1100 wrote to memory of 1476	1100	PAYMENT COPY.exe	33
PID 1100 wrote to memory of 1476	1100	PAYMENT COPY.exe	33
PID 1100 wrote to memory of 1476	1100	PAYMENT COPY.exe	33
PID 1100 wrote to memory of 1476	1100	PAYMENT COPY.exe	33
PID 1100 wrote to memory of 1476	1100	PAYMENT COPY.exe	33
PID 1100 wrote to memory of 1476	1100	PAYMENT COPY.exe	33
PID 1236 wrote to memory of 316	1236	Explorer.EXE	34
PID 1236 wrote to memory of 316	1236	Explorer.EXE	34
PID 1236 wrote to memory of 316	1236	Explorer.EXE	34
PID 1236 wrote to memory of 316	1236	Explorer.EXE	34
PID 316 wrote to memory of 1636	316	raserver.exe	37
PID 316 wrote to memory of 1636	316	raserver.exe	37
PID 316 wrote to memory of 1636	316	raserver.exe	37
PID 316 wrote to memory of 1636	316	raserver.exe	37
PID 316 wrote to memory of 1636	316	raserver.exe	37

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY.exe
  "C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1100
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1316
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GTYovZfcuUiN.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1448
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GTYovZfcuUiN" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE438.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:1116
- - C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY.exe
    "C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1476
- C:\Windows\SysWOW64\raserver.exe
  "C:\Windows\SysWOW64\raserver.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:316
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:1636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE438.tmp

Filesize
1KB

MD5
76964372b663953f289c0aa2027a2aeb

SHA1
ed5c3b7bd58b549dbc5a43bbbb532a4db8ad8135

SHA256
7c00d89cea0bc073d17430696bae2e54468d4d4f6cf7776bc0c96a945885b443

SHA512
7f8025836f477427f461161c1f666766543b3b58a55ed91c516845e12ecc11c9092e19b4300580978bae02547542d27058a0c3743412798a731d8bf74983599a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
959170a1652aef602a76214b4018e4d2

SHA1
54d81a3ff99c76ed9ee18243399ea28490bfa208

SHA256
3cb6f0c2fe23fb5f687cbd80858431b5a97205a98818db5c7ced4f815813523f

SHA512
281d4952b8979fddef7703a4c0566497478cef274afdd07e9168f58211385bdfa35b9be2980872485f1e7364d6c94e2327f6fd0768464eb6edd65a52b56b652f

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
1.1MB

MD5
f55e5766477de5997da50f12c9c74c91

SHA1
4dc98900a887be95411f07b9e597c57bdc7dbab3

SHA256
90be88984ee60864256378c952d44b13d55ac032ab6a7b8c698885176bcece69

SHA512
983417a297e68b58fbd1c07fed7a1697d249110a2c10644b2dc96e3facedd3fbfbcac6a7809631ffd62894f02cadd4d3e62022b9e5e026e5bf434f1eb1878f05

Download Submit
memory/316-83-0x0000000000450000-0x000000000046C000-memory.dmp

Filesize
112KB

Download
memory/316-84-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/316-88-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/316-85-0x0000000002030000-0x0000000002333000-memory.dmp

Filesize
3.0MB

Download
memory/316-86-0x0000000001E70000-0x0000000001EFF000-memory.dmp

Filesize
572KB

Download
memory/1100-58-0x0000000005AA0000-0x0000000005B6A000-memory.dmp

Filesize
808KB

Download
memory/1100-54-0x0000000000E60000-0x0000000000F70000-memory.dmp

Filesize
1.1MB

Download
memory/1100-57-0x0000000000670000-0x000000000067C000-memory.dmp

Filesize
48KB

Download
memory/1100-56-0x0000000000660000-0x0000000000674000-memory.dmp

Filesize
80KB

Download
memory/1100-66-0x0000000005F60000-0x0000000005FD0000-memory.dmp

Filesize
448KB

Download
memory/1100-55-0x0000000074AD1000-0x0000000074AD3000-memory.dmp

Filesize
8KB

Download
memory/1236-89-0x0000000004E10000-0x0000000004F21000-memory.dmp

Filesize
1.1MB

Download
memory/1236-87-0x0000000004E10000-0x0000000004F21000-memory.dmp

Filesize
1.1MB

Download
memory/1236-80-0x0000000004C30000-0x0000000004D45000-memory.dmp

Filesize
1.1MB

Download
memory/1316-74-0x000000006D8B0000-0x000000006DE5B000-memory.dmp

Filesize
5.7MB

Download
memory/1448-75-0x000000006D8B0000-0x000000006DE5B000-memory.dmp

Filesize
5.7MB

Download
memory/1476-68-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1476-77-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1476-78-0x0000000000900000-0x0000000000C03000-memory.dmp

Filesize
3.0MB

Download
memory/1476-79-0x0000000000110000-0x0000000000120000-memory.dmp

Filesize
64KB

Download
memory/1476-73-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1476-70-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1476-67-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1476-76-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download