formbook | 71ed7ee8f0dca2d6d7b8f03f862a3e730c2c48a84bee4cbf3b9bc35b9b0a5719

General

Target

71ed7ee8f0dca2d6d7b8f03f862a3e730c2c48a84bee4cbf3b9bc35b9b0a5719.exe
Size

286KB
MD5

da72b1c1f701daef602285b17fb03558
SHA1

1ab39640c45a223523aea3aade91cb5853077163
SHA256

71ed7ee8f0dca2d6d7b8f03f862a3e730c2c48a84bee4cbf3b9bc35b9b0a5719
SHA512

f2e1b2c9a6e40d2d54cc95743a58be98f297620b9df088f64a30b915d8b7aa7bf66f58491f25b7651cc7e92d6ec48437709b6ff69880ccab3746c63d7f77e66b
SSDEEP

6144:HNeZmfWTNhVoufbOIJ8SzQpBCsmqeB0+KpagQcAux:HNlkhVXJUZmqeB0Xpagt

Score

10^/10

formbook gwk0 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

gwk0

Decoy

oDlH1NVjFfPoy6/LYlSxvk/Qfw==

bYskCAkh38c2ECTz9YQ=

1wWdfZvr3EsYrlwj3g==

XfydE1dQvu4s

zeX7kMx6OhsU9psow2Ti

lq9Ai76NgOgnzWk+oRlawAPrqvRElx3p2w==

Ke/7xh+mVEk4+psow2Ti

6bXLvByG/x6eheI=

zf8GcoccwPYnuTPULRSTrDg59VE=

7ZvAfn57AFtZAu0j/4Y=

H81qu+C6iHRoMNyhE8oJa3RG/4kK

R/cSHmKjaY29hLUjI5s=

D0FNvdNbaIgSCH0gh0BZICue

SQCiHakfy/cu

4RzTSp9gFFDDIr1+

eCe3JHmOSCmwdzDvVcsUgm9G/4kK

FS/WOI+fWoO2j+E=

Il3uxdoUwvCgMxgXli6QZuJa0POeuA==

czFdQXLOmzr1w/w=

H1PxCKu7txFT9Y4ow2Ti

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Executes dropped EXE 1 IoCs

pid	Process
1696	ymukngskr.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Control Panel\International\Geo\Nation	ymukngskr.exe

Loads dropped DLL 4 IoCs

pid	Process
384	71ed7ee8f0dca2d6d7b8f03f862a3e730c2c48a84bee4cbf3b9bc35b9b0a5719.exe
1696	ymukngskr.exe
1924	ymukngskr.exe
760	help.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1696 set thread context of 1924	1696	ymukngskr.exe	29
PID 1924 set thread context of 1220	1924	ymukngskr.exe	16
PID 760 set thread context of 1220	760	help.exe	16

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-575491160-2295418218-1540667289-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	help.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1924	ymukngskr.exe
1924	ymukngskr.exe
1924	ymukngskr.exe
1924	ymukngskr.exe
760	help.exe
760	help.exe
760	help.exe
760	help.exe
760	help.exe
760	help.exe
760	help.exe
760	help.exe
760	help.exe
760	help.exe
760	help.exe
760	help.exe
760	help.exe
760	help.exe
760	help.exe
760	help.exe
760	help.exe
760	help.exe
760	help.exe
760	help.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1220	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
1924	ymukngskr.exe
1924	ymukngskr.exe
1924	ymukngskr.exe
760	help.exe
760	help.exe
760	help.exe
760	help.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1924	ymukngskr.exe
Token: SeDebugPrivilege	760	help.exe
Token: SeShutdownPrivilege	1220	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1220	Explorer.EXE
1220	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1220	Explorer.EXE
1220	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 384 wrote to memory of 1696	384	71ed7ee8f0dca2d6d7b8f03f862a3e730c2c48a84bee4cbf3b9bc35b9b0a5719.exe	28
PID 384 wrote to memory of 1696	384	71ed7ee8f0dca2d6d7b8f03f862a3e730c2c48a84bee4cbf3b9bc35b9b0a5719.exe	28
PID 384 wrote to memory of 1696	384	71ed7ee8f0dca2d6d7b8f03f862a3e730c2c48a84bee4cbf3b9bc35b9b0a5719.exe	28
PID 384 wrote to memory of 1696	384	71ed7ee8f0dca2d6d7b8f03f862a3e730c2c48a84bee4cbf3b9bc35b9b0a5719.exe	28
PID 1696 wrote to memory of 1924	1696	ymukngskr.exe	29
PID 1696 wrote to memory of 1924	1696	ymukngskr.exe	29
PID 1696 wrote to memory of 1924	1696	ymukngskr.exe	29
PID 1696 wrote to memory of 1924	1696	ymukngskr.exe	29
PID 1696 wrote to memory of 1924	1696	ymukngskr.exe	29
PID 1220 wrote to memory of 760	1220	Explorer.EXE	30
PID 1220 wrote to memory of 760	1220	Explorer.EXE	30
PID 1220 wrote to memory of 760	1220	Explorer.EXE	30
PID 1220 wrote to memory of 760	1220	Explorer.EXE	30
PID 760 wrote to memory of 1744	760	help.exe	33
PID 760 wrote to memory of 1744	760	help.exe	33
PID 760 wrote to memory of 1744	760	help.exe	33
PID 760 wrote to memory of 1744	760	help.exe	33
PID 760 wrote to memory of 1744	760	help.exe	33

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Users\Admin\AppData\Local\Temp\71ed7ee8f0dca2d6d7b8f03f862a3e730c2c48a84bee4cbf3b9bc35b9b0a5719.exe
  "C:\Users\Admin\AppData\Local\Temp\71ed7ee8f0dca2d6d7b8f03f862a3e730c2c48a84bee4cbf3b9bc35b9b0a5719.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:384
- - C:\Users\Admin\AppData\Local\Temp\ymukngskr.exe
    "C:\Users\Admin\AppData\Local\Temp\ymukngskr.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1696
  - - C:\Users\Admin\AppData\Local\Temp\ymukngskr.exe
      "C:\Users\Admin\AppData\Local\Temp\ymukngskr.exe"
      4⤵
      Checks computer location settings
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:1924
- C:\Windows\SysWOW64\help.exe
  "C:\Windows\SysWOW64\help.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:760
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:1744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\eodedzor.g

Filesize
185KB

MD5
40f7c38fd9e079e87e17fcdd099dfb14

SHA1
200c85062a3de4636796f67b4a3b26fdc602192d

SHA256
17d2253bad321d809b95eafd085af45f054fce0a7927ee49baa9f60f06668ea9

SHA512
7221219b548d0924297e187d2ada645524cec425adeab2887b6c60511530cf3d72163bb45861a0f793f0e2cff36e844e015ec4a6720dfd1cb9125fb42690f3d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\osvdf.o

Filesize
4KB

MD5
cf6fe9c0203a2f388a682c52a69c99a2

SHA1
5063d232f0c3253ceb423694255a1f6dae6ed3f3

SHA256
b99294260a73227b837b563c71385a8bbf90e8378abcd20af7f53d6c32db2804

SHA512
edd828fdb7a3be1104a55d8b1bf18603368f71108562a7d1070b319252098bb09378c69bd3509635b25f5196ee5348be4d7a9a4fcbd90a26a20522740b902d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\ymukngskr.exe

Filesize
123KB

MD5
32df2d96576e5f6aa7610bafffa72234

SHA1
064d07b34a595b2f9e7dadac5813edeecd5d8c06

SHA256
284bb12e92333d48475e303bcd5823a4fe28835f9a5eb0d8ff3bfa3ea6d89892

SHA512
c99e8aeec7b75fb141873f9cb74b53a5352911e54a568ce27285f050e99dcef9c7cdd727e2bb9f2b7f56b2c682a4631abb69f5595cfa7a08ba3ad0b5a9ea1f17

Download Submit
C:\Users\Admin\AppData\Local\Temp\ymukngskr.exe

Filesize
123KB

MD5
32df2d96576e5f6aa7610bafffa72234

SHA1
064d07b34a595b2f9e7dadac5813edeecd5d8c06

SHA256
284bb12e92333d48475e303bcd5823a4fe28835f9a5eb0d8ff3bfa3ea6d89892

SHA512
c99e8aeec7b75fb141873f9cb74b53a5352911e54a568ce27285f050e99dcef9c7cdd727e2bb9f2b7f56b2c682a4631abb69f5595cfa7a08ba3ad0b5a9ea1f17

Download Submit
C:\Users\Admin\AppData\Local\Temp\ymukngskr.exe

Filesize
123KB

MD5
32df2d96576e5f6aa7610bafffa72234

SHA1
064d07b34a595b2f9e7dadac5813edeecd5d8c06

SHA256
284bb12e92333d48475e303bcd5823a4fe28835f9a5eb0d8ff3bfa3ea6d89892

SHA512
c99e8aeec7b75fb141873f9cb74b53a5352911e54a568ce27285f050e99dcef9c7cdd727e2bb9f2b7f56b2c682a4631abb69f5595cfa7a08ba3ad0b5a9ea1f17

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
888KB

MD5
9c73b282279e74e40435132e61fda001

SHA1
63c7248e91b68fbde4641e3c5e2dc3e9d38671fa

SHA256
6710d91d77e1937dd5b46d96c0852042985dc78c4c51ce12d3e07a4cdb12c202

SHA512
02f9a01a3a5f74ef994ebb9e5f24c6870e2d48c8b99c429a63e74dad73fb581f0b52b2a86d651cafa414675b70a0e85b2e08c843d07e080fe69ee835e3c91108

Download Submit
\Users\Admin\AppData\Local\Temp\ymukngskr.exe

Filesize
123KB

MD5
32df2d96576e5f6aa7610bafffa72234

SHA1
064d07b34a595b2f9e7dadac5813edeecd5d8c06

SHA256
284bb12e92333d48475e303bcd5823a4fe28835f9a5eb0d8ff3bfa3ea6d89892

SHA512
c99e8aeec7b75fb141873f9cb74b53a5352911e54a568ce27285f050e99dcef9c7cdd727e2bb9f2b7f56b2c682a4631abb69f5595cfa7a08ba3ad0b5a9ea1f17

Download Submit
\Users\Admin\AppData\Local\Temp\ymukngskr.exe

Filesize
123KB

MD5
32df2d96576e5f6aa7610bafffa72234

SHA1
064d07b34a595b2f9e7dadac5813edeecd5d8c06

SHA256
284bb12e92333d48475e303bcd5823a4fe28835f9a5eb0d8ff3bfa3ea6d89892

SHA512
c99e8aeec7b75fb141873f9cb74b53a5352911e54a568ce27285f050e99dcef9c7cdd727e2bb9f2b7f56b2c682a4631abb69f5595cfa7a08ba3ad0b5a9ea1f17

Download Submit
memory/384-54-0x0000000074E01000-0x0000000074E03000-memory.dmp

Filesize
8KB

Download
memory/760-70-0x0000000000C90000-0x0000000000C96000-memory.dmp

Filesize
24KB

Download
memory/760-77-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/760-75-0x0000000000650000-0x00000000006DF000-memory.dmp

Filesize
572KB

Download
memory/760-72-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/760-71-0x0000000000CA0000-0x0000000000FA3000-memory.dmp

Filesize
3.0MB

Download
memory/760-69-0x0000000000000000-mapping.dmp

Download
memory/1220-68-0x00000000041D0000-0x00000000042CB000-memory.dmp

Filesize
1004KB

Download
memory/1220-73-0x000007FEF60A0000-0x000007FEF61E3000-memory.dmp

Filesize
1.3MB

Download
memory/1220-74-0x000007FEF9DC0000-0x000007FEF9DCA000-memory.dmp

Filesize
40KB

Download
memory/1220-76-0x0000000004BD0000-0x0000000004CFD000-memory.dmp

Filesize
1.2MB

Download
memory/1220-78-0x0000000004BD0000-0x0000000004CFD000-memory.dmp

Filesize
1.2MB

Download
memory/1696-56-0x0000000000000000-mapping.dmp

Download
memory/1924-67-0x0000000000120000-0x0000000000130000-memory.dmp

Filesize
64KB

Download
memory/1924-66-0x0000000000AE0000-0x0000000000DE3000-memory.dmp

Filesize
3.0MB

Download
memory/1924-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1924-63-0x00000000004012B0-mapping.dmp

Download

Analysis

Sharing