formbook | 80b8b1f20535fa3c733679f5f6afcd2d8e3757ec424e332e01cb0037b70df154

General

Target

RFQ-PR. No.1599-Rev.2.exe
Size

304KB
MD5

ee8704b53daeab3de3fe710d1e4ab2a3
SHA1

e73ea03c0eb02df53174fe29f5ec7b256f8cdbc1
SHA256

80b8b1f20535fa3c733679f5f6afcd2d8e3757ec424e332e01cb0037b70df154
SHA512

5cc88cec051e0cac48291f27663f47c59ae5d1f75a132f19ddeb130074b71739b5446de73f08a8d75847a3b0b6a053249ce482c797caafc4bbe2411c5900a164
SSDEEP

6144:QbE/HUBRBcwLt8USzTpll3TbXZXFVz93kZGsDmsxPW7yZLx:QblRSAt8UGpl5bx93qGncPW7yZLx

Score

10^/10

formbook fkku rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

fkku

Decoy

ItLUfbYmkw6ODl8lnvwkR/8=

oUKMUSjydqzVWxG/CqjK3ngAhQ==

HB9lfRtFwT/XlJ9Lxw==

hBYXuorq7a3WwPq1NSezCMStlQ==

ciRqfQbLgwx/+e2rLqTZ8oMLc2LYY4o=

9vb76Nc8JzKlj4YEQyPAx2dx86U=

fB9041xJgwl1

ND8juoNyH6x5XqlZ2Q==

QEaot04y8XLjFOBp1Cg=

SG6vmdmmpmFmDosczg==

WWCorUT756r1F+aD3cd7Cij6nSFQ

Yl63zVL2NnFph44XcKkiP/k=

s2RfFNOd3fuBEJNZ2ig=

u1p6Ucr2uCketwGD

0vD8lFkSfRCHEJdebbrb

qzlqgxrsrDRmDosczg==

H5aTYXc2rHXjzQ==

S/pFbexYx0S+Ex7SN5rC

9kOIkRTWkA136nA2Ua/R

ojOElJ50E1N40ZNanCbEZw==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

gpfwnssmn.exegpfwnssmn.exe

pid process

2836 gpfwnssmn.exe
3744 gpfwnssmn.exe

pid	process
2836	gpfwnssmn.exe
3744	gpfwnssmn.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

gpfwnssmn.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	gpfwnssmn.exe

Loads dropped DLL 1 IoCs

Processes:

gpfwnssmn.exe

pid process

3916 gpfwnssmn.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

gpfwnssmn.exegpfwnssmn.execontrol.exe

description	pid	process	target process
PID 2836 set thread context of 3916	2836	gpfwnssmn.exe	gpfwnssmn.exe
PID 3916 set thread context of 3064	3916	gpfwnssmn.exe	Explorer.EXE
PID 1084 set thread context of 3064	1084	control.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4504 2836 WerFault.exe gpfwnssmn.exe

pid	pid_target	process	target process
4504	2836	WerFault.exe	gpfwnssmn.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

control.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	control.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

gpfwnssmn.execontrol.exe

pid	process
3916	gpfwnssmn.exe
3916	gpfwnssmn.exe
3916	gpfwnssmn.exe
3916	gpfwnssmn.exe
3916	gpfwnssmn.exe
3916	gpfwnssmn.exe
3916	gpfwnssmn.exe
3916	gpfwnssmn.exe
1084	control.exe
1084	control.exe
1084	control.exe
1084	control.exe
1084	control.exe
1084	control.exe
1084	control.exe
1084	control.exe
1084	control.exe
1084	control.exe
1084	control.exe
1084	control.exe
1084	control.exe
1084	control.exe
1084	control.exe
1084	control.exe
1084	control.exe
1084	control.exe
1084	control.exe
1084	control.exe
1084	control.exe
1084	control.exe
1084	control.exe
1084	control.exe
1084	control.exe
1084	control.exe
1084	control.exe
1084	control.exe
1084	control.exe
1084	control.exe
1084	control.exe
1084	control.exe
1084	control.exe
1084	control.exe
1084	control.exe
1084	control.exe
1084	control.exe
1084	control.exe
1084	control.exe
1084	control.exe
1084	control.exe
1084	control.exe
1084	control.exe
1084	control.exe
1084	control.exe
1084	control.exe
1084	control.exe
1084	control.exe
1084	control.exe
1084	control.exe
1084	control.exe
1084	control.exe
1084	control.exe
1084	control.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3064 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

gpfwnssmn.execontrol.exe

pid process

3916 gpfwnssmn.exe
3916 gpfwnssmn.exe
3916 gpfwnssmn.exe
1084 control.exe
1084 control.exe
1084 control.exe
1084 control.exe

pid	process
3064	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

gpfwnssmn.exeExplorer.EXEcontrol.exe

description	pid	process
Token: SeDebugPrivilege	3916	gpfwnssmn.exe
Token: SeShutdownPrivilege	3064	Explorer.EXE
Token: SeCreatePagefilePrivilege	3064	Explorer.EXE
Token: SeShutdownPrivilege	3064	Explorer.EXE
Token: SeCreatePagefilePrivilege	3064	Explorer.EXE
Token: SeShutdownPrivilege	3064	Explorer.EXE
Token: SeCreatePagefilePrivilege	3064	Explorer.EXE
Token: SeDebugPrivilege	1084	control.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

RFQ-PR. No.1599-Rev.2.exegpfwnssmn.exeExplorer.EXEcontrol.exe

description	pid	process	target process
PID 1016 wrote to memory of 2836	1016	RFQ-PR. No.1599-Rev.2.exe	gpfwnssmn.exe
PID 1016 wrote to memory of 2836	1016	RFQ-PR. No.1599-Rev.2.exe	gpfwnssmn.exe
PID 1016 wrote to memory of 2836	1016	RFQ-PR. No.1599-Rev.2.exe	gpfwnssmn.exe
PID 2836 wrote to memory of 3744	2836	gpfwnssmn.exe	gpfwnssmn.exe
PID 2836 wrote to memory of 3744	2836	gpfwnssmn.exe	gpfwnssmn.exe
PID 2836 wrote to memory of 3744	2836	gpfwnssmn.exe	gpfwnssmn.exe
PID 2836 wrote to memory of 3916	2836	gpfwnssmn.exe	gpfwnssmn.exe
PID 2836 wrote to memory of 3916	2836	gpfwnssmn.exe	gpfwnssmn.exe
PID 2836 wrote to memory of 3916	2836	gpfwnssmn.exe	gpfwnssmn.exe
PID 2836 wrote to memory of 3916	2836	gpfwnssmn.exe	gpfwnssmn.exe
PID 3064 wrote to memory of 1084	3064	Explorer.EXE	control.exe
PID 3064 wrote to memory of 1084	3064	Explorer.EXE	control.exe
PID 3064 wrote to memory of 1084	3064	Explorer.EXE	control.exe
PID 1084 wrote to memory of 4300	1084	control.exe	Firefox.exe
PID 1084 wrote to memory of 4300	1084	control.exe	Firefox.exe
PID 1084 wrote to memory of 4300	1084	control.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3064

C:\Users\Admin\AppData\Local\Temp\RFQ-PR. No.1599-Rev.2.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ-PR. No.1599-Rev.2.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1016

C:\Users\Admin\AppData\Local\Temp\gpfwnssmn.exe
"C:\Users\Admin\AppData\Local\Temp\gpfwnssmn.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2836

C:\Users\Admin\AppData\Local\Temp\gpfwnssmn.exe
"C:\Users\Admin\AppData\Local\Temp\gpfwnssmn.exe"
4⤵
- Executes dropped EXE
PID:3744

C:\Users\Admin\AppData\Local\Temp\gpfwnssmn.exe
"C:\Users\Admin\AppData\Local\Temp\gpfwnssmn.exe"
4⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 660
4⤵
- Program crash
PID:4504

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1084

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:4300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2836 -ip 2836
1⤵
PID:2636

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gpfwnssmn.exe
Filesize
133KB

MD5
c471345270376292cb9d0d06c6826cab

SHA1
07ad686d2066faebc00d8d6ef397424d4a7aa5b6

SHA256
f66ecb8b6f0519026b21801c06e718ecb617b0e446a5c7e2e15530c9762979b0

SHA512
a72c47748140db65da1f4fe866059d0875b352d942992473c2386435a7f0986361a2589e2c88c181dc62fabea8e0659f593dd6b11072d90293a20ccacea14e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\gpfwnssmn.exe
Filesize
133KB

MD5
c471345270376292cb9d0d06c6826cab

SHA1
07ad686d2066faebc00d8d6ef397424d4a7aa5b6

SHA256
f66ecb8b6f0519026b21801c06e718ecb617b0e446a5c7e2e15530c9762979b0

SHA512
a72c47748140db65da1f4fe866059d0875b352d942992473c2386435a7f0986361a2589e2c88c181dc62fabea8e0659f593dd6b11072d90293a20ccacea14e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\gpfwnssmn.exe
Filesize
133KB

MD5
c471345270376292cb9d0d06c6826cab

SHA1
07ad686d2066faebc00d8d6ef397424d4a7aa5b6

SHA256
f66ecb8b6f0519026b21801c06e718ecb617b0e446a5c7e2e15530c9762979b0

SHA512
a72c47748140db65da1f4fe866059d0875b352d942992473c2386435a7f0986361a2589e2c88c181dc62fabea8e0659f593dd6b11072d90293a20ccacea14e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\gpfwnssmn.exe
Filesize
133KB

MD5
c471345270376292cb9d0d06c6826cab

SHA1
07ad686d2066faebc00d8d6ef397424d4a7aa5b6

SHA256
f66ecb8b6f0519026b21801c06e718ecb617b0e446a5c7e2e15530c9762979b0

SHA512
a72c47748140db65da1f4fe866059d0875b352d942992473c2386435a7f0986361a2589e2c88c181dc62fabea8e0659f593dd6b11072d90293a20ccacea14e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\psbdtvyueuq.pl
Filesize
185KB

MD5
14e0ff2d3eb981641fc311f9e8b8eabb

SHA1
e700ba68ceb24a2cbdd3a348bc067e483b22bf32

SHA256
50bd62fc543990c1e03cd7a8a503be72aea96360b7c073938e2248fc424d27ec

SHA512
55e99a474bc16ca80316deeb37e5e4a762637490a447c49cdd96eda5e47bf8c75710de7d496e947e500b57f81ed5dd319b15a32fe04d5cb1dee5d78def0a6571

Download Submit
C:\Users\Admin\AppData\Local\Temp\vtbssxvgj.ifr
Filesize
4KB

MD5
a2e8545ef6276dd34d97d4e45bc1fd1e

SHA1
12657761cc68fbed8a1c390b761aae7f3be85ead

SHA256
ac5cdde24f5da63d78f1958de3ae7efdd8d9fe420c151bae74e01d7d1a614d57

SHA512
cb0d127206e777201891d02f8c85cd48620ac158c303d5fde5ed75abba203d6c9ff8ca8ea9e8472966cfad1524c3fe56df6aa71d31afed702728b97b1a6a92c3

Download Submit
memory/1084-148-0x0000000001010000-0x000000000103D000-memory.dmp

Filesize
180KB

Download
memory/1084-145-0x0000000000000000-mapping.dmp

Download
memory/1084-153-0x0000000001010000-0x000000000103D000-memory.dmp

Filesize
180KB

Download
memory/1084-151-0x0000000002D00000-0x0000000002D8F000-memory.dmp

Filesize
572KB

Download
memory/1084-149-0x0000000002E60000-0x00000000031AA000-memory.dmp

Filesize
3.3MB

Download
memory/1084-147-0x0000000000670000-0x0000000000697000-memory.dmp

Filesize
156KB

Download
memory/2836-132-0x0000000000000000-mapping.dmp

Download
memory/3064-144-0x00000000078E0000-0x0000000007A5D000-memory.dmp

Filesize
1.5MB

Download
memory/3064-150-0x00000000078E0000-0x0000000007A5D000-memory.dmp

Filesize
1.5MB

Download
memory/3064-152-0x0000000008280000-0x00000000083D6000-memory.dmp

Filesize
1.3MB

Download
memory/3064-154-0x0000000008280000-0x00000000083D6000-memory.dmp

Filesize
1.3MB

Download
memory/3916-146-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3916-138-0x0000000000000000-mapping.dmp

Download
memory/3916-143-0x0000000001180000-0x0000000001190000-memory.dmp

Filesize
64KB

Download
memory/3916-142-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/3916-141-0x0000000001700000-0x0000000001A4A000-memory.dmp

Filesize
3.3MB

Download
memory/3916-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads