formbook | 4e099dee4b6248ffd4a4a86bee02311e91b065143138b6bd87e1fb5bb882bcd7

General

Target

Grafinger-CVE2-530334.exe
Size

291KB
MD5

d7647797381bfa84ccd377fb5d1a6f34
SHA1

d0b980c107e2e20f9494b7fa534366db2a7e9a78
SHA256

4e099dee4b6248ffd4a4a86bee02311e91b065143138b6bd87e1fb5bb882bcd7
SHA512

a947ee1293ca383d83b03806b49951182b634a4429b9e76094c0d27b5e52fdaadd0e4e0340ced26ed7b5d91d22e575f58ec32d7e1a0c26671674b110dbb14d3c
SSDEEP

6144:+Ea0JTBoewUWcWkZGdREaQlCT/T++K3l5tP:lTBXwUWlk84tsC+AV

Score

10^/10

formbook g2dc persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

g2dc

Decoy

OqIwFVmXHnPUgdurr7I=

0YwewYtWNLZdkF7Q

HFT6VwOYdkifOpbT1h9DcYQ=

D+zGTvGlpriTumzBbw==

gMSID89/QqMV8yjH

HN5/g0/3yJBsnZCig9Qf

Hl33xdRU8xaC1rY=

/rhq03DorPAUH2bSp6228fGQ

gBwzCyfHge9SumzBbw==

NuOmK9+fenLQa9urr7I=

cA4+yKM4IQjpFwMt1BQEUJ1q6y0=

gpK3pqdoVNu93yS0uhocUtQmtQ==

3i3tx82Rf7yQdIyeprA=

FTo+4qVlVK7gIgxi0g3bUA==

7kDtq4wo6+cV8yjH

Dc123pIo9vcNuR9pwkQ0pPpHvQ==

KYREtH0zKNiI374=

Tok2qF4n2XOiRw==

DYFtA6ZXUJfA3MLhRtTVTQ==

C8poIeeskBCxEYHIbQ==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

zyvnwa.exezyvnwa.exe

pid process

1920 zyvnwa.exe
1428 zyvnwa.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

zyvnwa.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation zyvnwa.exe

pid	process
1920	zyvnwa.exe
1428	zyvnwa.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	zyvnwa.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zyvnwa.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uhjd = "C:\\Users\\Admin\\AppData\\Roaming\\cfugdnextqlgxw\\ijykjqpxoqu.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\zyvnwa.exe\" C:\\Users\\Admin\\AppDat"	zyvnwa.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

zyvnwa.exezyvnwa.exeraserver.exe

description	pid	process	target process
PID 1920 set thread context of 1428	1920	zyvnwa.exe	zyvnwa.exe
PID 1428 set thread context of 684	1428	zyvnwa.exe	Explorer.EXE
PID 3264 set thread context of 684	3264	raserver.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

raserver.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	raserver.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

zyvnwa.exeraserver.exe

pid	process
1428	zyvnwa.exe
1428	zyvnwa.exe
1428	zyvnwa.exe
1428	zyvnwa.exe
1428	zyvnwa.exe
1428	zyvnwa.exe
1428	zyvnwa.exe
1428	zyvnwa.exe
3264	raserver.exe
3264	raserver.exe
3264	raserver.exe
3264	raserver.exe
3264	raserver.exe
3264	raserver.exe
3264	raserver.exe
3264	raserver.exe
3264	raserver.exe
3264	raserver.exe
3264	raserver.exe
3264	raserver.exe
3264	raserver.exe
3264	raserver.exe
3264	raserver.exe
3264	raserver.exe
3264	raserver.exe
3264	raserver.exe
3264	raserver.exe
3264	raserver.exe
3264	raserver.exe
3264	raserver.exe
3264	raserver.exe
3264	raserver.exe
3264	raserver.exe
3264	raserver.exe
3264	raserver.exe
3264	raserver.exe
3264	raserver.exe
3264	raserver.exe
3264	raserver.exe
3264	raserver.exe
3264	raserver.exe
3264	raserver.exe
3264	raserver.exe
3264	raserver.exe
3264	raserver.exe
3264	raserver.exe
3264	raserver.exe
3264	raserver.exe
3264	raserver.exe
3264	raserver.exe
3264	raserver.exe
3264	raserver.exe
3264	raserver.exe
3264	raserver.exe
3264	raserver.exe
3264	raserver.exe
3264	raserver.exe
3264	raserver.exe
3264	raserver.exe
3264	raserver.exe
3264	raserver.exe
3264	raserver.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

684 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

zyvnwa.exezyvnwa.exeraserver.exe

pid process

1920 zyvnwa.exe
1428 zyvnwa.exe
1428 zyvnwa.exe
1428 zyvnwa.exe
3264 raserver.exe
3264 raserver.exe
3264 raserver.exe
3264 raserver.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

zyvnwa.exeraserver.exe

description pid process

Token: SeDebugPrivilege 1428 zyvnwa.exe
Token: SeDebugPrivilege 3264 raserver.exe

pid	process
684	Explorer.EXE

pid	process
1920	zyvnwa.exe
1428	zyvnwa.exe
1428	zyvnwa.exe
1428	zyvnwa.exe
3264	raserver.exe
3264	raserver.exe
3264	raserver.exe
3264	raserver.exe

description	pid	process
Token: SeDebugPrivilege	1428	zyvnwa.exe
Token: SeDebugPrivilege	3264	raserver.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

Grafinger-CVE2-530334.exezyvnwa.exeExplorer.EXEraserver.exe

description	pid	process	target process
PID 764 wrote to memory of 1920	764	Grafinger-CVE2-530334.exe	zyvnwa.exe
PID 764 wrote to memory of 1920	764	Grafinger-CVE2-530334.exe	zyvnwa.exe
PID 764 wrote to memory of 1920	764	Grafinger-CVE2-530334.exe	zyvnwa.exe
PID 1920 wrote to memory of 1428	1920	zyvnwa.exe	zyvnwa.exe
PID 1920 wrote to memory of 1428	1920	zyvnwa.exe	zyvnwa.exe
PID 1920 wrote to memory of 1428	1920	zyvnwa.exe	zyvnwa.exe
PID 1920 wrote to memory of 1428	1920	zyvnwa.exe	zyvnwa.exe
PID 684 wrote to memory of 3264	684	Explorer.EXE	raserver.exe
PID 684 wrote to memory of 3264	684	Explorer.EXE	raserver.exe
PID 684 wrote to memory of 3264	684	Explorer.EXE	raserver.exe
PID 3264 wrote to memory of 2044	3264	raserver.exe	Firefox.exe
PID 3264 wrote to memory of 2044	3264	raserver.exe	Firefox.exe
PID 3264 wrote to memory of 2044	3264	raserver.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:684

C:\Users\Admin\AppData\Local\Temp\Grafinger-CVE2-530334.exe
"C:\Users\Admin\AppData\Local\Temp\Grafinger-CVE2-530334.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:764

C:\Users\Admin\AppData\Local\Temp\zyvnwa.exe
"C:\Users\Admin\AppData\Local\Temp\zyvnwa.exe" C:\Users\Admin\AppData\Local\Temp\fwzirnlxdnc.hzv
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1920

C:\Users\Admin\AppData\Local\Temp\zyvnwa.exe
"C:\Users\Admin\AppData\Local\Temp\zyvnwa.exe" C:\Users\Admin\AppData\Local\Temp\fwzirnlxdnc.hzv
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1428

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3264

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:2044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fwzirnlxdnc.hzv
Filesize
7KB

MD5
c635a7d44ed783fd6eaa8793f520770c

SHA1
d30c3ded3a72b62ed695078a5fd3889ac232628c

SHA256
d5cfc135d2d1e886ef30b01811e70c5e7a30f51df6eb81b5e88d101c0671a982

SHA512
22abbcbe4baa42af1d6ac502b242f37fdd4274ca44201478961f1c6628b1b369955c563b428bed82c63a5e50a3f9d9778e00e672fc588ca078b4245c6d9a7c05

Download Submit
C:\Users\Admin\AppData\Local\Temp\helxebqi.pe
Filesize
185KB

MD5
732d96062d170b775e1480fe52604830

SHA1
8840025a51a7ed9db1e629c7206d7f4f62231c36

SHA256
e9264ef44e3ee51c13cb2544277d1ee5a8b3056be2a61f1b5df801dcaa4b926d

SHA512
89fee4787b1b1a74136708a67431d45d3f4dcbb55f7c8e68fc7852f94a3cb864ef54d5c32e2008257540cac094d8fca339199aa658913e6cef630a4cbf64a252

Download Submit
C:\Users\Admin\AppData\Local\Temp\zyvnwa.exe
Filesize
7KB

MD5
44714ec2edf686986c29dfc74912fdd3

SHA1
1ac35dcc2b2c9b2af8c82275a61f06bd9aaef395

SHA256
192bed619d217526221d6e8e273b986262d6c90d7355143965727ef4361655ae

SHA512
c01e21d354abbe67ba0b7fe1355a6ba0ce059ed882b042e3f9edb1b254aa360583ac529d3157c16e2c3f9af99c8a9b721d18ca283596a58ce1d243ac4f343f19

Download Submit
C:\Users\Admin\AppData\Local\Temp\zyvnwa.exe
Filesize
7KB

MD5
44714ec2edf686986c29dfc74912fdd3

SHA1
1ac35dcc2b2c9b2af8c82275a61f06bd9aaef395

SHA256
192bed619d217526221d6e8e273b986262d6c90d7355143965727ef4361655ae

SHA512
c01e21d354abbe67ba0b7fe1355a6ba0ce059ed882b042e3f9edb1b254aa360583ac529d3157c16e2c3f9af99c8a9b721d18ca283596a58ce1d243ac4f343f19

Download Submit
C:\Users\Admin\AppData\Local\Temp\zyvnwa.exe
Filesize
7KB

MD5
44714ec2edf686986c29dfc74912fdd3

SHA1
1ac35dcc2b2c9b2af8c82275a61f06bd9aaef395

SHA256
192bed619d217526221d6e8e273b986262d6c90d7355143965727ef4361655ae

SHA512
c01e21d354abbe67ba0b7fe1355a6ba0ce059ed882b042e3f9edb1b254aa360583ac529d3157c16e2c3f9af99c8a9b721d18ca283596a58ce1d243ac4f343f19

Download Submit
memory/684-143-0x00000000081F0000-0x000000000831F000-memory.dmp

Filesize
1.2MB

Download
memory/684-153-0x0000000008320000-0x0000000008437000-memory.dmp

Filesize
1.1MB

Download
memory/684-151-0x0000000008320000-0x0000000008437000-memory.dmp

Filesize
1.1MB

Download
memory/1428-142-0x0000000000DF0000-0x0000000000E00000-memory.dmp

Filesize
64KB

Download
memory/1428-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1428-140-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1428-137-0x0000000000000000-mapping.dmp

Download
memory/1428-145-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1428-146-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1428-141-0x0000000001760000-0x0000000001AAA000-memory.dmp

Filesize
3.3MB

Download
memory/1920-132-0x0000000000000000-mapping.dmp

Download
memory/3264-148-0x0000000000E50000-0x0000000000E7D000-memory.dmp

Filesize
180KB

Download
memory/3264-149-0x0000000002DE0000-0x000000000312A000-memory.dmp

Filesize
3.3MB

Download
memory/3264-150-0x0000000002C10000-0x0000000002C9F000-memory.dmp

Filesize
572KB

Download
memory/3264-147-0x0000000000F30000-0x0000000000F4F000-memory.dmp

Filesize
124KB

Download
memory/3264-152-0x0000000000E50000-0x0000000000E7D000-memory.dmp

Filesize
180KB

Download
memory/3264-144-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads