formbook | 67e6fd61e128d5649045a4fc55fc6c287722b5c92e65eef35ce0838d6210d901

General

Target

INVOICEKOMB20220001-03-10-22.pdf.exe
Size

1.2MB
MD5

cbe324036a077d5b84d4c22788ff0027
SHA1

5526abc6eb697c083d3071bd5b6cf8fb67f617af
SHA256

67e6fd61e128d5649045a4fc55fc6c287722b5c92e65eef35ce0838d6210d901
SHA512

dd81a4fb9c160d96c9443e0e310c203f79573a71c54d404a0ada191d2d6224f440c899482df8d06a1ea871a98ae3e9c3e40d606b127be33478ed1d8afb955896
SSDEEP

24576:0AOcZ2i7W4sb3Vm6XYbh1GIoQHXehUcztVqEubl83o9Zkbg5:iv5EKhQOKWfqEUU2ZkM

Score

10^/10

formbook mh76 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mh76

Decoy

healthgovcalottery.net

wenxinliao.com

rooterphd.com

bbobbo.one

american-mes-de-dezembro.xyz

mintager.com

thespecialtstore.com

wemakegreenhomes.com

occurandmental.xyz

fidelityrealtytitle.com

numerisat.asia

wearestallions.com

supxl.com

rajacumi.com

renaziv.online

blixtindustries.com

fjljq.com

exploretrivenicamping.com

authenticusspa.com

uucloud.press

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3696-140-0x0000000000000000-mapping.dmp	formbook
behavioral2/memory/3696-141-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3696-143-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3468-149-0x0000000000930000-0x000000000095F000-memory.dmp	formbook
behavioral2/memory/3468-153-0x0000000000930000-0x000000000095F000-memory.dmp	formbook

Executes dropped EXE 1 IoCs

Processes:

kvkpltj.exe

pid process

5096 kvkpltj.exe

pid	process
5096	kvkpltj.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

INVOICEKOMB20220001-03-10-22.pdf.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	INVOICEKOMB20220001-03-10-22.pdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

kvkpltj.exeRegSvcs.exehelp.exe

description	pid	process	target process
PID 5096 set thread context of 3696	5096	kvkpltj.exe	RegSvcs.exe
PID 3696 set thread context of 3060	3696	RegSvcs.exe	Explorer.EXE
PID 3468 set thread context of 3060	3468	help.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

INVOICEKOMB20220001-03-10-22.pdf.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	INVOICEKOMB20220001-03-10-22.pdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

RegSvcs.exehelp.exe

pid	process
3696	RegSvcs.exe
3696	RegSvcs.exe
3696	RegSvcs.exe
3696	RegSvcs.exe
3468	help.exe
3468	help.exe
3468	help.exe
3468	help.exe
3468	help.exe
3468	help.exe
3468	help.exe
3468	help.exe
3468	help.exe
3468	help.exe
3468	help.exe
3468	help.exe
3468	help.exe
3468	help.exe
3468	help.exe
3468	help.exe
3468	help.exe
3468	help.exe
3468	help.exe
3468	help.exe
3468	help.exe
3468	help.exe
3468	help.exe
3468	help.exe
3468	help.exe
3468	help.exe
3468	help.exe
3468	help.exe
3468	help.exe
3468	help.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3060 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

RegSvcs.exehelp.exe

pid process

3696 RegSvcs.exe
3696 RegSvcs.exe
3696 RegSvcs.exe
3468 help.exe
3468 help.exe

pid	process
3060	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

RegSvcs.exeExplorer.EXEhelp.exe

description	pid	process
Token: SeDebugPrivilege	3696	RegSvcs.exe
Token: SeShutdownPrivilege	3060	Explorer.EXE
Token: SeCreatePagefilePrivilege	3060	Explorer.EXE
Token: SeShutdownPrivilege	3060	Explorer.EXE
Token: SeCreatePagefilePrivilege	3060	Explorer.EXE
Token: SeDebugPrivilege	3468	help.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

INVOICEKOMB20220001-03-10-22.pdf.exeWScript.exekvkpltj.exeExplorer.EXEhelp.exe

description	pid	process	target process
PID 1332 wrote to memory of 3100	1332	INVOICEKOMB20220001-03-10-22.pdf.exe	WScript.exe
PID 1332 wrote to memory of 3100	1332	INVOICEKOMB20220001-03-10-22.pdf.exe	WScript.exe
PID 1332 wrote to memory of 3100	1332	INVOICEKOMB20220001-03-10-22.pdf.exe	WScript.exe
PID 3100 wrote to memory of 5096	3100	WScript.exe	kvkpltj.exe
PID 3100 wrote to memory of 5096	3100	WScript.exe	kvkpltj.exe
PID 3100 wrote to memory of 5096	3100	WScript.exe	kvkpltj.exe
PID 5096 wrote to memory of 1348	5096	kvkpltj.exe	RegSvcs.exe
PID 5096 wrote to memory of 1348	5096	kvkpltj.exe	RegSvcs.exe
PID 5096 wrote to memory of 1348	5096	kvkpltj.exe	RegSvcs.exe
PID 5096 wrote to memory of 3696	5096	kvkpltj.exe	RegSvcs.exe
PID 5096 wrote to memory of 3696	5096	kvkpltj.exe	RegSvcs.exe
PID 5096 wrote to memory of 3696	5096	kvkpltj.exe	RegSvcs.exe
PID 5096 wrote to memory of 3696	5096	kvkpltj.exe	RegSvcs.exe
PID 5096 wrote to memory of 3696	5096	kvkpltj.exe	RegSvcs.exe
PID 5096 wrote to memory of 3696	5096	kvkpltj.exe	RegSvcs.exe
PID 3060 wrote to memory of 3468	3060	Explorer.EXE	help.exe
PID 3060 wrote to memory of 3468	3060	Explorer.EXE	help.exe
PID 3060 wrote to memory of 3468	3060	Explorer.EXE	help.exe
PID 3468 wrote to memory of 3652	3468	help.exe	cmd.exe
PID 3468 wrote to memory of 3652	3468	help.exe	cmd.exe
PID 3468 wrote to memory of 3652	3468	help.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3060

C:\Users\Admin\AppData\Local\Temp\INVOICEKOMB20220001-03-10-22.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICEKOMB20220001-03-10-22.pdf.exe"
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1332

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\4_41\vcfvn.vbe"
3⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3100

C:\Users\Admin\AppData\Roaming\4_41\kvkpltj.exe
"C:\Users\Admin\AppData\Roaming\4_41\kvkpltj.exe" rncmatmqvf.src
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
5⤵
PID:1348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3696

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3468

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:3652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\4_41\kvkpltj.exe
Filesize
999KB

MD5
1dbba7abb9198c4247cbfb258fe5233d

SHA1
cd5a35e75ec61b6d7c3bbeb7b882d0d2d79b05be

SHA256
6a18e69d28b177619e672f93fd97bdbfd13160faecd63f942728dc18254afb88

SHA512
503cb461c0f60c62bada9b1aefa787ed97480192d8f91455e08ac8781919c1b61751a091ce647d9c92995e925429f0ae616f4d7c2187717397f7a1e6fd811e98

Download Submit
C:\Users\Admin\AppData\Roaming\4_41\kvkpltj.exe
Filesize
999KB

MD5
1dbba7abb9198c4247cbfb258fe5233d

SHA1
cd5a35e75ec61b6d7c3bbeb7b882d0d2d79b05be

SHA256
6a18e69d28b177619e672f93fd97bdbfd13160faecd63f942728dc18254afb88

SHA512
503cb461c0f60c62bada9b1aefa787ed97480192d8f91455e08ac8781919c1b61751a091ce647d9c92995e925429f0ae616f4d7c2187717397f7a1e6fd811e98

Download Submit
C:\Users\Admin\AppData\Roaming\4_41\muqal.hko
Filesize
371KB

MD5
01089645fc52b19921f23b83030e8d3d

SHA1
a5218ba5f4f551b100bb8344eba21a05f2e59ca1

SHA256
ab19240660f7105fd6b10c78a0e680bd62c7a7e27044fe768222050c3a46239d

SHA512
8639a003f916c68a841d23fff3d26a0fecd43fb74b61a816e0aef236a9c9348d6a9625a4e0c19db8f9f8b3d342ac981535479152194a11c13144c5260851eee1

Download Submit
C:\Users\Admin\AppData\Roaming\4_41\rncmatmqvf.src
Filesize
199.4MB

MD5
b08d93f474f93437234952ee10d683a1

SHA1
495c4b4e35397d05fcc5794a4212d88813122f47

SHA256
b2f3178a3244c0a3212a36af3bfb4064e0b83271a1f5c95ac9213a2ae527ef74

SHA512
75740ee71896b50d33388b5a0da0aa3b374266f60c3542f71d6ca7d9fcf6ab8610d555a7c07ce7e5f6419575d2310b6a02d8aa9b1db3a4799242a4a94c19c6a2

Download Submit
C:\Users\Admin\AppData\Roaming\4_41\vcfvn.vbe
Filesize
29KB

MD5
227aa95434fd067fb526d1d5fe99bd13

SHA1
64b5f54a1166e976b855df86eec3326b57f0bbfd

SHA256
4d6709916c6c310172df66122d6c3373cded99c46b6beae078bf0b7f36072d40

SHA512
20b1db0192958fdd8d451faf23159771fe5db4abfdb6fbdad1c3a9fd1277879c4ffec3c84037fe2b987c8c0b89a2b57b2914aaa99097f896a129b7938ed9228f

Download Submit
C:\Users\Admin\AppData\Roaming\4_41\vdawpc.xml
Filesize
48KB

MD5
6578e73332fcb06109246e684f411292

SHA1
eeb7a9df0ee6bbc82b20886574fc5af0f4130ef0

SHA256
c8ceba6692fec5da092951ebb7aad343178a8213cd9f730ba12ffb5f0f9aeb33

SHA512
33418dd335730759fd1b6b861453eb7a9673ab7abafa2908d8c441f9ed6ac7a2f92a85aeb42f6146aee672fea53598899f625c8f87e3407b42d13f5a147bc6e8

Download Submit
memory/3060-146-0x0000000002BE0000-0x0000000002D3D000-memory.dmp

Filesize
1.4MB

Download
memory/3060-155-0x00000000082D0000-0x0000000008404000-memory.dmp

Filesize
1.2MB

Download
memory/3060-154-0x00000000082D0000-0x0000000008404000-memory.dmp

Filesize
1.2MB

Download
memory/3100-132-0x0000000000000000-mapping.dmp

Download
memory/3468-149-0x0000000000930000-0x000000000095F000-memory.dmp

Filesize
188KB

Download
memory/3468-147-0x0000000000000000-mapping.dmp

Download
memory/3468-148-0x00000000004E0000-0x00000000004E7000-memory.dmp

Filesize
28KB

Download
memory/3468-151-0x0000000001470000-0x00000000017BA000-memory.dmp

Filesize
3.3MB

Download
memory/3468-152-0x0000000001100000-0x0000000001194000-memory.dmp

Filesize
592KB

Download
memory/3468-153-0x0000000000930000-0x000000000095F000-memory.dmp

Filesize
188KB

Download
memory/3652-150-0x0000000000000000-mapping.dmp

Download
memory/3696-144-0x0000000001650000-0x000000000199A000-memory.dmp

Filesize
3.3MB

Download
memory/3696-145-0x00000000015F0000-0x0000000001605000-memory.dmp

Filesize
84KB

Download
memory/3696-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3696-141-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3696-140-0x0000000000000000-mapping.dmp

Download
memory/5096-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads