formbook | 82478a8a9aad7d755492677e29689c5656bddb130798408bc38a751ccd35cfbd

General

Target

vbc.exe
Size

530KB
MD5

e0f08dfaeaed44278f920fc7273fdf44
SHA1

5e0c30d0b93c402d537cfb5e07eaa8d56d95d1f4
SHA256

82478a8a9aad7d755492677e29689c5656bddb130798408bc38a751ccd35cfbd
SHA512

dacd0c17a959a682289e8a2425d3987f26e6cbccb0c6c8ef610a8b7e6add41482ff7772c42e71ef35dc084489d400dc14b7e9d4376b7729f5e08a618c8e69f41
SSDEEP

6144:HTouKrWBEu3/Z2lpGDHU3ykJADi/X0+MNfSN5TLCeQap2BUsMD:HToPWBv/cpGrU3yxDmX03NyKa

Score

10^/10

formbook bi0n rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

bi0n

Decoy

3KYw9ovswPHR8QjRyDcR1P46YXc=

/i8gGNAsn2I4VHkv7E44xdsQ

0oYE4IF6u2qKez0TkX0VsLfQKmrUvA==

0nUgH3O7ILSf55sR

B8eQnZvxZq0i

35ZK/5/4VQ/51I0u6044xdsQ

LEkzAqEVlUvz3KShj/I=

FuRY/gTKCbaGD8B4r+CF

WAx3RjCdHNeoyqShj/I=

G9OonMc0ee4OO10=

pVnKruS9wrUShKiD+mxBETGimk6j2w6sbA==

Ek0YsB98EYYQ34QJxDAMpNEJ

Pf3g1xANKHVWtJipZo8tOpc=

avm1BbiAitY/XGkG

AL1jTUvMB9LU8JUx7U44xdsQ

9rY39HDHSAvJ3wT5a5h0NXS4FX8=

uNfEhR+jBsooG0Q=

z4kkKTW4P6VO8hXISnhTWQ==

yU0Km8lo11zmnlU=

FL1xdvfWE7Z172AKWeU=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Executes dropped EXE 1 IoCs

pid	Process
5116	xrpje.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	vbc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	xrpje.exe

Loads dropped DLL 1 IoCs

pid	Process
4500	xrpje.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 5116 set thread context of 4500	5116	xrpje.exe	89
PID 4500 set thread context of 3044	4500	xrpje.exe	45
PID 2076 set thread context of 3044	2076	systray.exe	45

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	systray.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
4500	xrpje.exe
4500	xrpje.exe
4500	xrpje.exe
4500	xrpje.exe
4500	xrpje.exe
4500	xrpje.exe
4500	xrpje.exe
4500	xrpje.exe
2076	systray.exe
2076	systray.exe
2076	systray.exe
2076	systray.exe
2076	systray.exe
2076	systray.exe
2076	systray.exe
2076	systray.exe
2076	systray.exe
2076	systray.exe
2076	systray.exe
2076	systray.exe
2076	systray.exe
2076	systray.exe
2076	systray.exe
2076	systray.exe
2076	systray.exe
2076	systray.exe
2076	systray.exe
2076	systray.exe
2076	systray.exe
2076	systray.exe
2076	systray.exe
2076	systray.exe
2076	systray.exe
2076	systray.exe
2076	systray.exe
2076	systray.exe
2076	systray.exe
2076	systray.exe
2076	systray.exe
2076	systray.exe
2076	systray.exe
2076	systray.exe
2076	systray.exe
2076	systray.exe
2076	systray.exe
2076	systray.exe
2076	systray.exe
2076	systray.exe
2076	systray.exe
2076	systray.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3044	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
4500	xrpje.exe
4500	xrpje.exe
4500	xrpje.exe
2076	systray.exe
2076	systray.exe
2076	systray.exe
2076	systray.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4500	xrpje.exe
Token: SeDebugPrivilege	2076	systray.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3292 wrote to memory of 5116	3292	vbc.exe	82
PID 3292 wrote to memory of 5116	3292	vbc.exe	82
PID 3292 wrote to memory of 5116	3292	vbc.exe	82
PID 5116 wrote to memory of 4500	5116	xrpje.exe	89
PID 5116 wrote to memory of 4500	5116	xrpje.exe	89
PID 5116 wrote to memory of 4500	5116	xrpje.exe	89
PID 5116 wrote to memory of 4500	5116	xrpje.exe	89
PID 3044 wrote to memory of 2076	3044	Explorer.EXE	90
PID 3044 wrote to memory of 2076	3044	Explorer.EXE	90
PID 3044 wrote to memory of 2076	3044	Explorer.EXE	90
PID 2076 wrote to memory of 3120	2076	systray.exe	94
PID 2076 wrote to memory of 3120	2076	systray.exe	94
PID 2076 wrote to memory of 3120	2076	systray.exe	94

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Users\Admin\AppData\Local\Temp\vbc.exe
  "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3292
- - C:\Users\Admin\AppData\Local\Temp\xrpje.exe
    "C:\Users\Admin\AppData\Local\Temp\xrpje.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:5116
  - - C:\Users\Admin\AppData\Local\Temp\xrpje.exe
      "C:\Users\Admin\AppData\Local\Temp\xrpje.exe"
      4⤵
      Checks computer location settings
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:4500
- C:\Windows\SysWOW64\systray.exe
  "C:\Windows\SysWOW64\systray.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:3120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dycyll.lq

Filesize
4KB

MD5
48e824cd961aa0f2f17d151b4da25e25

SHA1
98a68dab4d4dea91e4e6f2596d6f47c820099dfb

SHA256
3364246677c80caf5c99e5ce742fb93dfe62fb52c3de0988bfc0e29a0a8a16c7

SHA512
7b960f89ca66a4f3a4a76474a3fa9b25812d686502d21572db898cb989e0307167548081faf8141e6d23e00171b47e8ef7c0592cce124d550b1eedb4c99fc8f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\kownbk.r

Filesize
185KB

MD5
0a865da1252230876fe9732ccf483914

SHA1
ac61992c616bdbd5c2614de1ea54f4aa7e84836f

SHA256
47362192a651b6cea6616bb2ce2df72cdc6b57cde30bf144bca0b1264dba6155

SHA512
ed3b0d82eb7546d5f39ea33c5d896f1dee9e6c8ef495b0c32fdb1d0fbc5aa9961742d7f852fbf730b1ba9a9b033465af806be12a7eba5dd1140a39c30ea15d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\xrpje.exe

Filesize
6KB

MD5
9612a9401bf45d0047275eb556b1d193

SHA1
d44b2b6810d2c1cfc332c107294479d7925f6898

SHA256
fc804dd726e45bcb1813c6f9d252258a7f86e83ca7439e0ab6a50efa2a8ca47f

SHA512
97f528a665b7ba8e4f3ace7bab82474c43ed9288209cc92c93dbaa9210113bf97c71ec900f3e5b97360836e71c57c75b15efec180b7a5a069aecc67893a23145

Download Submit
C:\Users\Admin\AppData\Local\Temp\xrpje.exe

Filesize
6KB

MD5
9612a9401bf45d0047275eb556b1d193

SHA1
d44b2b6810d2c1cfc332c107294479d7925f6898

SHA256
fc804dd726e45bcb1813c6f9d252258a7f86e83ca7439e0ab6a50efa2a8ca47f

SHA512
97f528a665b7ba8e4f3ace7bab82474c43ed9288209cc92c93dbaa9210113bf97c71ec900f3e5b97360836e71c57c75b15efec180b7a5a069aecc67893a23145

Download Submit
C:\Users\Admin\AppData\Local\Temp\xrpje.exe

Filesize
6KB

MD5
9612a9401bf45d0047275eb556b1d193

SHA1
d44b2b6810d2c1cfc332c107294479d7925f6898

SHA256
fc804dd726e45bcb1813c6f9d252258a7f86e83ca7439e0ab6a50efa2a8ca47f

SHA512
97f528a665b7ba8e4f3ace7bab82474c43ed9288209cc92c93dbaa9210113bf97c71ec900f3e5b97360836e71c57c75b15efec180b7a5a069aecc67893a23145

Download Submit
memory/2076-147-0x0000000002BF0000-0x0000000002F3A000-memory.dmp

Filesize
3.3MB

Download
memory/2076-150-0x0000000000C30000-0x0000000000C5D000-memory.dmp

Filesize
180KB

Download
memory/2076-149-0x0000000002990000-0x0000000002A1F000-memory.dmp

Filesize
572KB

Download
memory/2076-148-0x0000000000C30000-0x0000000000C5D000-memory.dmp

Filesize
180KB

Download
memory/2076-144-0x0000000000000000-mapping.dmp

Download
memory/2076-146-0x0000000000E10000-0x0000000000E16000-memory.dmp

Filesize
24KB

Download
memory/3044-152-0x0000000007E20000-0x0000000007F5C000-memory.dmp

Filesize
1.2MB

Download
memory/3044-151-0x0000000007E20000-0x0000000007F5C000-memory.dmp

Filesize
1.2MB

Download
memory/3044-143-0x0000000007D10000-0x0000000007E20000-memory.dmp

Filesize
1.1MB

Download
memory/4500-137-0x0000000000000000-mapping.dmp

Download
memory/4500-145-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4500-142-0x0000000001170000-0x0000000001180000-memory.dmp

Filesize
64KB

Download
memory/4500-141-0x0000000001720000-0x0000000001A6A000-memory.dmp

Filesize
3.3MB

Download
memory/4500-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4500-140-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/5116-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing