formbook | 80b8b1f20535fa3c733679f5f6afcd2d8e3757ec424e332e01cb0037b70df154

General

Target

RFQ-PR. No.1599-Rev.2.exe
Size

304KB
MD5

ee8704b53daeab3de3fe710d1e4ab2a3
SHA1

e73ea03c0eb02df53174fe29f5ec7b256f8cdbc1
SHA256

80b8b1f20535fa3c733679f5f6afcd2d8e3757ec424e332e01cb0037b70df154
SHA512

5cc88cec051e0cac48291f27663f47c59ae5d1f75a132f19ddeb130074b71739b5446de73f08a8d75847a3b0b6a053249ce482c797caafc4bbe2411c5900a164
SSDEEP

6144:QbE/HUBRBcwLt8USzTpll3TbXZXFVz93kZGsDmsxPW7yZLx:QblRSAt8UGpl5bx93qGncPW7yZLx

Score

10^/10

formbook fkku rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

fkku

Decoy

ItLUfbYmkw6ODl8lnvwkR/8=

oUKMUSjydqzVWxG/CqjK3ngAhQ==

HB9lfRtFwT/XlJ9Lxw==

hBYXuorq7a3WwPq1NSezCMStlQ==

ciRqfQbLgwx/+e2rLqTZ8oMLc2LYY4o=

9vb76Nc8JzKlj4YEQyPAx2dx86U=

fB9041xJgwl1

ND8juoNyH6x5XqlZ2Q==

QEaot04y8XLjFOBp1Cg=

SG6vmdmmpmFmDosczg==

WWCorUT756r1F+aD3cd7Cij6nSFQ

Yl63zVL2NnFph44XcKkiP/k=

s2RfFNOd3fuBEJNZ2ig=

u1p6Ucr2uCketwGD

0vD8lFkSfRCHEJdebbrb

qzlqgxrsrDRmDosczg==

H5aTYXc2rHXjzQ==

S/pFbexYx0S+Ex7SN5rC

9kOIkRTWkA136nA2Ua/R

ojOElJ50E1N40ZNanCbEZw==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Blocklisted process makes network request 1 IoCs

Processes:

cmstp.exe

flow pid process

6 672 cmstp.exe
Executes dropped EXE 1 IoCs

Processes:

gpfwnssmn.exe

pid process

1116 gpfwnssmn.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

gpfwnssmn.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation gpfwnssmn.exe
Loads dropped DLL 4 IoCs

Processes:

RFQ-PR. No.1599-Rev.2.exegpfwnssmn.exegpfwnssmn.execmstp.exe

pid process

1492 RFQ-PR. No.1599-Rev.2.exe
1116 gpfwnssmn.exe
284 gpfwnssmn.exe
672 cmstp.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
6	672	cmstp.exe

pid	process
1116	gpfwnssmn.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation	gpfwnssmn.exe

pid	process
1492	RFQ-PR. No.1599-Rev.2.exe
1116	gpfwnssmn.exe
284	gpfwnssmn.exe
672	cmstp.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

gpfwnssmn.exegpfwnssmn.execmstp.exe

description	pid	process	target process
PID 1116 set thread context of 284	1116	gpfwnssmn.exe	gpfwnssmn.exe
PID 284 set thread context of 1424	284	gpfwnssmn.exe	Explorer.EXE
PID 672 set thread context of 1424	672	cmstp.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

cmstp.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cmstp.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

gpfwnssmn.execmstp.exe

pid	process
284	gpfwnssmn.exe
284	gpfwnssmn.exe
284	gpfwnssmn.exe
284	gpfwnssmn.exe
672	cmstp.exe
672	cmstp.exe
672	cmstp.exe
672	cmstp.exe
672	cmstp.exe
672	cmstp.exe
672	cmstp.exe
672	cmstp.exe
672	cmstp.exe
672	cmstp.exe
672	cmstp.exe
672	cmstp.exe
672	cmstp.exe
672	cmstp.exe
672	cmstp.exe
672	cmstp.exe
672	cmstp.exe
672	cmstp.exe
672	cmstp.exe
672	cmstp.exe
672	cmstp.exe
672	cmstp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1424 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

gpfwnssmn.execmstp.exe

pid process

284 gpfwnssmn.exe
284 gpfwnssmn.exe
284 gpfwnssmn.exe
672 cmstp.exe
672 cmstp.exe
672 cmstp.exe
672 cmstp.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

gpfwnssmn.execmstp.exe

description pid process

Token: SeDebugPrivilege 284 gpfwnssmn.exe
Token: SeDebugPrivilege 672 cmstp.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1424 Explorer.EXE
1424 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1424 Explorer.EXE
1424 Explorer.EXE

pid	process
1424	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	284	gpfwnssmn.exe
Token: SeDebugPrivilege	672	cmstp.exe

pid	process
1424	Explorer.EXE
1424	Explorer.EXE

pid	process
1424	Explorer.EXE
1424	Explorer.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

RFQ-PR. No.1599-Rev.2.exegpfwnssmn.exeExplorer.EXEcmstp.exe

description	pid	process	target process
PID 1492 wrote to memory of 1116	1492	RFQ-PR. No.1599-Rev.2.exe	gpfwnssmn.exe
PID 1492 wrote to memory of 1116	1492	RFQ-PR. No.1599-Rev.2.exe	gpfwnssmn.exe
PID 1492 wrote to memory of 1116	1492	RFQ-PR. No.1599-Rev.2.exe	gpfwnssmn.exe
PID 1492 wrote to memory of 1116	1492	RFQ-PR. No.1599-Rev.2.exe	gpfwnssmn.exe
PID 1116 wrote to memory of 284	1116	gpfwnssmn.exe	gpfwnssmn.exe
PID 1116 wrote to memory of 284	1116	gpfwnssmn.exe	gpfwnssmn.exe
PID 1116 wrote to memory of 284	1116	gpfwnssmn.exe	gpfwnssmn.exe
PID 1116 wrote to memory of 284	1116	gpfwnssmn.exe	gpfwnssmn.exe
PID 1116 wrote to memory of 284	1116	gpfwnssmn.exe	gpfwnssmn.exe
PID 1424 wrote to memory of 672	1424	Explorer.EXE	cmstp.exe
PID 1424 wrote to memory of 672	1424	Explorer.EXE	cmstp.exe
PID 1424 wrote to memory of 672	1424	Explorer.EXE	cmstp.exe
PID 1424 wrote to memory of 672	1424	Explorer.EXE	cmstp.exe
PID 1424 wrote to memory of 672	1424	Explorer.EXE	cmstp.exe
PID 1424 wrote to memory of 672	1424	Explorer.EXE	cmstp.exe
PID 1424 wrote to memory of 672	1424	Explorer.EXE	cmstp.exe
PID 672 wrote to memory of 1896	672	cmstp.exe	Firefox.exe
PID 672 wrote to memory of 1896	672	cmstp.exe	Firefox.exe
PID 672 wrote to memory of 1896	672	cmstp.exe	Firefox.exe
PID 672 wrote to memory of 1896	672	cmstp.exe	Firefox.exe
PID 672 wrote to memory of 1896	672	cmstp.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1424

C:\Users\Admin\AppData\Local\Temp\RFQ-PR. No.1599-Rev.2.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ-PR. No.1599-Rev.2.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1492

C:\Users\Admin\AppData\Local\Temp\gpfwnssmn.exe
"C:\Users\Admin\AppData\Local\Temp\gpfwnssmn.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1116

C:\Users\Admin\AppData\Local\Temp\gpfwnssmn.exe
"C:\Users\Admin\AppData\Local\Temp\gpfwnssmn.exe"
4⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:284

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:672

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1896

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gpfwnssmn.exe
Filesize
133KB

MD5
c471345270376292cb9d0d06c6826cab

SHA1
07ad686d2066faebc00d8d6ef397424d4a7aa5b6

SHA256
f66ecb8b6f0519026b21801c06e718ecb617b0e446a5c7e2e15530c9762979b0

SHA512
a72c47748140db65da1f4fe866059d0875b352d942992473c2386435a7f0986361a2589e2c88c181dc62fabea8e0659f593dd6b11072d90293a20ccacea14e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\gpfwnssmn.exe
Filesize
133KB

MD5
c471345270376292cb9d0d06c6826cab

SHA1
07ad686d2066faebc00d8d6ef397424d4a7aa5b6

SHA256
f66ecb8b6f0519026b21801c06e718ecb617b0e446a5c7e2e15530c9762979b0

SHA512
a72c47748140db65da1f4fe866059d0875b352d942992473c2386435a7f0986361a2589e2c88c181dc62fabea8e0659f593dd6b11072d90293a20ccacea14e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\gpfwnssmn.exe
Filesize
133KB

MD5
c471345270376292cb9d0d06c6826cab

SHA1
07ad686d2066faebc00d8d6ef397424d4a7aa5b6

SHA256
f66ecb8b6f0519026b21801c06e718ecb617b0e446a5c7e2e15530c9762979b0

SHA512
a72c47748140db65da1f4fe866059d0875b352d942992473c2386435a7f0986361a2589e2c88c181dc62fabea8e0659f593dd6b11072d90293a20ccacea14e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\psbdtvyueuq.pl
Filesize
185KB

MD5
14e0ff2d3eb981641fc311f9e8b8eabb

SHA1
e700ba68ceb24a2cbdd3a348bc067e483b22bf32

SHA256
50bd62fc543990c1e03cd7a8a503be72aea96360b7c073938e2248fc424d27ec

SHA512
55e99a474bc16ca80316deeb37e5e4a762637490a447c49cdd96eda5e47bf8c75710de7d496e947e500b57f81ed5dd319b15a32fe04d5cb1dee5d78def0a6571

Download Submit
C:\Users\Admin\AppData\Local\Temp\vtbssxvgj.ifr
Filesize
4KB

MD5
a2e8545ef6276dd34d97d4e45bc1fd1e

SHA1
12657761cc68fbed8a1c390b761aae7f3be85ead

SHA256
ac5cdde24f5da63d78f1958de3ae7efdd8d9fe420c151bae74e01d7d1a614d57

SHA512
cb0d127206e777201891d02f8c85cd48620ac158c303d5fde5ed75abba203d6c9ff8ca8ea9e8472966cfad1524c3fe56df6aa71d31afed702728b97b1a6a92c3

Download Submit
\Users\Admin\AppData\Local\Temp\gpfwnssmn.exe
Filesize
133KB

MD5
c471345270376292cb9d0d06c6826cab

SHA1
07ad686d2066faebc00d8d6ef397424d4a7aa5b6

SHA256
f66ecb8b6f0519026b21801c06e718ecb617b0e446a5c7e2e15530c9762979b0

SHA512
a72c47748140db65da1f4fe866059d0875b352d942992473c2386435a7f0986361a2589e2c88c181dc62fabea8e0659f593dd6b11072d90293a20ccacea14e05

Download Submit
\Users\Admin\AppData\Local\Temp\gpfwnssmn.exe
Filesize
133KB

MD5
c471345270376292cb9d0d06c6826cab

SHA1
07ad686d2066faebc00d8d6ef397424d4a7aa5b6

SHA256
f66ecb8b6f0519026b21801c06e718ecb617b0e446a5c7e2e15530c9762979b0

SHA512
a72c47748140db65da1f4fe866059d0875b352d942992473c2386435a7f0986361a2589e2c88c181dc62fabea8e0659f593dd6b11072d90293a20ccacea14e05

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
1.0MB

MD5
f1e5f58f9eb43ecec773acbdb410b888

SHA1
f1b8076b0bbde696694bbc0ab259a77893839464

SHA256
a15fd84ee61b54c92bb099dfb78226548f43d550c67fb6adf4cce3d064ab1c14

SHA512
0aff96430dd99bb227285fefc258014c301f85216c84e40f45702d26cdd7e77261a41fd3811d686f5fb2ee363cc651a014e8ffa339384004cece645a36486456

Download Submit
memory/284-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/284-67-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/284-63-0x00000000004012B0-mapping.dmp

Download
memory/284-66-0x00000000008F0000-0x0000000000BF3000-memory.dmp

Filesize
3.0MB

Download
memory/672-71-0x00000000009F0000-0x0000000000A08000-memory.dmp

Filesize
96KB

Download
memory/672-69-0x0000000000000000-mapping.dmp

Download
memory/672-72-0x00000000000D0000-0x00000000000FD000-memory.dmp

Filesize
180KB

Download
memory/672-73-0x0000000001FA0000-0x00000000022A3000-memory.dmp

Filesize
3.0MB

Download
memory/672-74-0x00000000008F0000-0x000000000097F000-memory.dmp

Filesize
572KB

Download
memory/672-76-0x00000000000D0000-0x00000000000FD000-memory.dmp

Filesize
180KB

Download
memory/1116-56-0x0000000000000000-mapping.dmp

Download
memory/1424-68-0x0000000006A20000-0x0000000006B34000-memory.dmp

Filesize
1.1MB

Download
memory/1424-75-0x0000000006D70000-0x0000000006EDA000-memory.dmp

Filesize
1.4MB

Download
memory/1424-77-0x0000000006D70000-0x0000000006EDA000-memory.dmp

Filesize
1.4MB

Download
memory/1492-54-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads