formbook | 37ad2a3bfe4e60fb4ad6f9edf3bd25602ebdbacf2ce429e96c3ec7b4213090e2

General

Target

NEW_ORDER_00041221.EXE.exe
Size

6KB
MD5

78715a3a620e1f4b1937a1bd7e764e57
SHA1

0b67de4eaccbfe16d41bedc538b2a64bffaecbb0
SHA256

37ad2a3bfe4e60fb4ad6f9edf3bd25602ebdbacf2ce429e96c3ec7b4213090e2
SHA512

b55a095194d506bd111fe9d93440ee97be0f9418256e839ee3ce892af1206711402c493bdbeca021d4187433c0f080febfa44451e03737c3ddf6f0b6c9ccd91a
SSDEEP

96:x+UKECqBC+bbhb4Lp5zV6ur8y2LnfoYYMxaDzNt:xgwHhcLp1V6ur+LfoYY5F

Score

10^/10

formbook gski persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

gski

Decoy

w4dqmeRbroucK1d6Rjoieflr

4aOmGT8hdudzUsv7ZSwieflr

3sTC4jMnhzX+pOJNTZ4=

JcH9cI2V8BEeA0eA

doY0NLSYANTXiHt9/fbsP706cA==

KhN1zCT4Nb5T//UnNQ==

y4/RV2RRqNEr0c4nzNWP

x8sfUpcmiXqxdfls0dSN

rlygM3RQmQ7DliRSBQUKpWJ/FuU=

s672RU9HtT3XWaTvdEidsoLRjZb5J5oE

uaT/Znv3O9WfXs8GBluj2Z2szeMP

QvElhI8JUPHBlRsjsodB5GmUzO0W

2uM5rt7BEpcswwJhDA8JnA8=

TDFfhORfvuRP//UnNQ==

MtPNDl4mh1dSxgZs0dSN

ejpoOLXE/Wa7zMwppl3JOt8faA==

8qPraI3lOFSrRmCSR4EnHQc=

+LOpAwtx0LfGnOJNTZ4=

wMQehpwddDxHII+rVCwieflr

8KPhZrjGG//aix1s0dSN

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\International\Geo\Nation	NEW_ORDER_00041221.EXE.exe

Loads dropped DLL 1 IoCs

pid	Process
756	cmmon32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Elxsztjeo = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mrlhuase\\Elxsztjeo.exe\""	NEW_ORDER_00041221.EXE.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 456 set thread context of 1296	456	NEW_ORDER_00041221.EXE.exe	30
PID 1296 set thread context of 1224	1296	NEW_ORDER_00041221.EXE.exe	9
PID 1296 set thread context of 1224	1296	NEW_ORDER_00041221.EXE.exe	9
PID 756 set thread context of 1224	756	cmmon32.exe	9

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cmmon32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
628	powershell.exe
1296	NEW_ORDER_00041221.EXE.exe
1296	NEW_ORDER_00041221.EXE.exe
1296	NEW_ORDER_00041221.EXE.exe
1296	NEW_ORDER_00041221.EXE.exe
1296	NEW_ORDER_00041221.EXE.exe
756	cmmon32.exe
756	cmmon32.exe
756	cmmon32.exe
756	cmmon32.exe
756	cmmon32.exe
756	cmmon32.exe
756	cmmon32.exe
756	cmmon32.exe

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
1296	NEW_ORDER_00041221.EXE.exe
1296	NEW_ORDER_00041221.EXE.exe
1296	NEW_ORDER_00041221.EXE.exe
1296	NEW_ORDER_00041221.EXE.exe
756	cmmon32.exe
756	cmmon32.exe
756	cmmon32.exe
756	cmmon32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	456	NEW_ORDER_00041221.EXE.exe
Token: SeDebugPrivilege	628	powershell.exe
Token: SeDebugPrivilege	1296	NEW_ORDER_00041221.EXE.exe
Token: SeDebugPrivilege	756	cmmon32.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 456 wrote to memory of 628	456	NEW_ORDER_00041221.EXE.exe	28
PID 456 wrote to memory of 628	456	NEW_ORDER_00041221.EXE.exe	28
PID 456 wrote to memory of 628	456	NEW_ORDER_00041221.EXE.exe	28
PID 456 wrote to memory of 628	456	NEW_ORDER_00041221.EXE.exe	28
PID 456 wrote to memory of 1296	456	NEW_ORDER_00041221.EXE.exe	30
PID 456 wrote to memory of 1296	456	NEW_ORDER_00041221.EXE.exe	30
PID 456 wrote to memory of 1296	456	NEW_ORDER_00041221.EXE.exe	30
PID 456 wrote to memory of 1296	456	NEW_ORDER_00041221.EXE.exe	30
PID 456 wrote to memory of 1296	456	NEW_ORDER_00041221.EXE.exe	30
PID 456 wrote to memory of 1296	456	NEW_ORDER_00041221.EXE.exe	30
PID 456 wrote to memory of 1296	456	NEW_ORDER_00041221.EXE.exe	30
PID 1296 wrote to memory of 756	1296	NEW_ORDER_00041221.EXE.exe	31
PID 1296 wrote to memory of 756	1296	NEW_ORDER_00041221.EXE.exe	31
PID 1296 wrote to memory of 756	1296	NEW_ORDER_00041221.EXE.exe	31
PID 1296 wrote to memory of 756	1296	NEW_ORDER_00041221.EXE.exe	31
PID 756 wrote to memory of 1752	756	cmmon32.exe	34
PID 756 wrote to memory of 1752	756	cmmon32.exe	34
PID 756 wrote to memory of 1752	756	cmmon32.exe	34
PID 756 wrote to memory of 1752	756	cmmon32.exe	34
PID 756 wrote to memory of 1752	756	cmmon32.exe	34

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1224
- C:\Users\Admin\AppData\Local\Temp\NEW_ORDER_00041221.EXE.exe
  "C:\Users\Admin\AppData\Local\Temp\NEW_ORDER_00041221.EXE.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:456
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQA3AA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:628
- - C:\Users\Admin\AppData\Local\Temp\NEW_ORDER_00041221.EXE.exe
    C:\Users\Admin\AppData\Local\Temp\NEW_ORDER_00041221.EXE.exe
    3⤵
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1296
  - - C:\Windows\SysWOW64\cmmon32.exe
      "C:\Windows\SysWOW64\cmmon32.exe"
      4⤵
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:756
    - - C:\Program Files\Mozilla Firefox\Firefox.exe
        
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        5⤵
        
        PID:1752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
1.0MB

MD5
ce5c15b5092877974d5b6476ad1cb2d7

SHA1
76a6fc307d1524081cba1886d312df97c9dd658f

SHA256
1f1a186ea26bd2462ea2a9cf35a816b92caf0897fdf332af3a61569e0ba97b24

SHA512
bb9ced38c63d2a29e18c38f60020cfdf0161384cd4ad6328352626643becdf49f6b4bef47012391720344fdd8ad520aa802dcbbed15b5026d27eb93b0a839c90

Download Submit
memory/456-55-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download
memory/456-56-0x0000000008140000-0x000000000820E000-memory.dmp

Filesize
824KB

Download
memory/456-57-0x0000000007E20000-0x0000000007EB2000-memory.dmp

Filesize
584KB

Download
memory/456-54-0x00000000012C0000-0x00000000012C8000-memory.dmp

Filesize
32KB

Download
memory/628-61-0x000000006E350000-0x000000006E8FB000-memory.dmp

Filesize
5.7MB

Download
memory/628-62-0x000000006E350000-0x000000006E8FB000-memory.dmp

Filesize
5.7MB

Download
memory/628-60-0x000000006E350000-0x000000006E8FB000-memory.dmp

Filesize
5.7MB

Download
memory/756-82-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/756-86-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/756-84-0x00000000006A0000-0x000000000072F000-memory.dmp

Filesize
572KB

Download
memory/756-83-0x00000000021D0000-0x00000000024D3000-memory.dmp

Filesize
3.0MB

Download
memory/756-81-0x0000000000330000-0x000000000033D000-memory.dmp

Filesize
52KB

Download
memory/1224-85-0x0000000007550000-0x000000000769E000-memory.dmp

Filesize
1.3MB

Download
memory/1224-77-0x0000000004BF0000-0x0000000004CA6000-memory.dmp

Filesize
728KB

Download
memory/1224-88-0x0000000007550000-0x000000000769E000-memory.dmp

Filesize
1.3MB

Download
memory/1224-74-0x0000000004DE0000-0x0000000004F22000-memory.dmp

Filesize
1.3MB

Download
memory/1296-71-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1296-76-0x0000000000160000-0x0000000000170000-memory.dmp

Filesize
64KB

Download
memory/1296-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1296-80-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1296-73-0x0000000000120000-0x0000000000130000-memory.dmp

Filesize
64KB

Download
memory/1296-72-0x0000000000990000-0x0000000000C93000-memory.dmp

Filesize
3.0MB

Download
memory/1296-70-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1296-69-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1296-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1296-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1296-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads