formbook | 4d19688eba48474ab160de7ebf85fa55f2f2fc50f678ce822f8ede4beaf427cc

General

Target

RCY-ENG-SPA-44-22-SPARES.exe
Size

566KB
MD5

6a884bb90de45f882b333131a56b30d3
SHA1

2bb5a01be489174666024a97573c4a725415ceef
SHA256

4d19688eba48474ab160de7ebf85fa55f2f2fc50f678ce822f8ede4beaf427cc
SHA512

e7ad8ad36ddd750efddb400c134d30dc90b47974860ea0248464245520aae67f4b14a94b980b43323051c0e84a9149ac760ae83b39c8ac0cac24eb1c2a7f8f24
SSDEEP

12288:G1str70ixogYv28Q05rjBKS+r9AH0Ue2:Gir9ulvLLRwqH0P2

Score

10^/10

formbook ermr persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

ermr

Decoy

ErOK6LFCgNIAlQmH54oaYOL/CN29Z78=

qNSdDhu/PT/1fgafDagiCSZH1SY=

wLpPOAkYS8EABl3pHGc4hNT/Q1sHBrU=

jSxRvptHkeTGl7PT0SEmaZmjqzanuA==

b91oL+2wCcpyhnd6yvF6Pg==

mr81yp1/qqZX

hy7Xsz/PU/LWHMcGL4UYJx9n3A==

KlwrHt1gouPaXaWhoQ==

ng8M320IRJL9Ptw=

8GQbOXuaWxvKnNM=

XndOL7E5sNpVUNty4d/a

rryPBBC8PybYb+2h2MF3FHGL

kEoeyERSVCYO0g==

5/P+SBDby5hO

1fYXc30/h9W7iO17

34X+YKR+wRFE

8ir/X2MlVByh5lQ1ow8=

u9ikm2UMZ7J7hpCYow==

FLI+c3clp1BNDjVAfvC2Dnw=

t21Erq8/r09wAzAJTAH3Ng==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\HZ7DEFSH6XUD = "C:\\Program Files (x86)\\M7nddpl\\Cookiesmbiplx.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RCY-ENG-SPA-44-22-SPARES.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Control Panel\International\Geo\Nation	RCY-ENG-SPA-44-22-SPARES.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1544 cmd.exe

pid	process
1544	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

RCY-ENG-SPA-44-22-SPARES.exeRCY-ENG-SPA-44-22-SPARES.exesvchost.exe

description	pid	process	target process
PID 1000 set thread context of 1084	1000	RCY-ENG-SPA-44-22-SPARES.exe	RCY-ENG-SPA-44-22-SPARES.exe
PID 1084 set thread context of 1200	1084	RCY-ENG-SPA-44-22-SPARES.exe	Explorer.EXE
PID 1084 set thread context of 1200	1084	RCY-ENG-SPA-44-22-SPARES.exe	Explorer.EXE
PID 812 set thread context of 1200	812	svchost.exe	Explorer.EXE

Drops file in Program Files directory 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Program Files (x86)\M7nddpl\Cookiesmbiplx.exe svchost.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\M7nddpl\Cookiesmbiplx.exe	svchost.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-575491160-2295418218-1540667289-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	svchost.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

RCY-ENG-SPA-44-22-SPARES.exesvchost.exe

pid	process
1084	RCY-ENG-SPA-44-22-SPARES.exe
1084	RCY-ENG-SPA-44-22-SPARES.exe
1084	RCY-ENG-SPA-44-22-SPARES.exe
1084	RCY-ENG-SPA-44-22-SPARES.exe
1084	RCY-ENG-SPA-44-22-SPARES.exe
812	svchost.exe
812	svchost.exe
812	svchost.exe
812	svchost.exe
812	svchost.exe
812	svchost.exe
812	svchost.exe
812	svchost.exe
812	svchost.exe
812	svchost.exe
812	svchost.exe
812	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1200 Explorer.EXE

pid	process
1200	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

RCY-ENG-SPA-44-22-SPARES.exesvchost.exe

pid	process
1084	RCY-ENG-SPA-44-22-SPARES.exe
1084	RCY-ENG-SPA-44-22-SPARES.exe
1084	RCY-ENG-SPA-44-22-SPARES.exe
1084	RCY-ENG-SPA-44-22-SPARES.exe
812	svchost.exe
812	svchost.exe
812	svchost.exe
812	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

RCY-ENG-SPA-44-22-SPARES.exesvchost.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1084	RCY-ENG-SPA-44-22-SPARES.exe
Token: SeDebugPrivilege	812	svchost.exe
Token: SeShutdownPrivilege	1200	Explorer.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

RCY-ENG-SPA-44-22-SPARES.exeExplorer.EXEsvchost.exe

description	pid	process	target process
PID 1000 wrote to memory of 1084	1000	RCY-ENG-SPA-44-22-SPARES.exe	RCY-ENG-SPA-44-22-SPARES.exe
PID 1000 wrote to memory of 1084	1000	RCY-ENG-SPA-44-22-SPARES.exe	RCY-ENG-SPA-44-22-SPARES.exe
PID 1000 wrote to memory of 1084	1000	RCY-ENG-SPA-44-22-SPARES.exe	RCY-ENG-SPA-44-22-SPARES.exe
PID 1000 wrote to memory of 1084	1000	RCY-ENG-SPA-44-22-SPARES.exe	RCY-ENG-SPA-44-22-SPARES.exe
PID 1000 wrote to memory of 1084	1000	RCY-ENG-SPA-44-22-SPARES.exe	RCY-ENG-SPA-44-22-SPARES.exe
PID 1000 wrote to memory of 1084	1000	RCY-ENG-SPA-44-22-SPARES.exe	RCY-ENG-SPA-44-22-SPARES.exe
PID 1000 wrote to memory of 1084	1000	RCY-ENG-SPA-44-22-SPARES.exe	RCY-ENG-SPA-44-22-SPARES.exe
PID 1200 wrote to memory of 812	1200	Explorer.EXE	svchost.exe
PID 1200 wrote to memory of 812	1200	Explorer.EXE	svchost.exe
PID 1200 wrote to memory of 812	1200	Explorer.EXE	svchost.exe
PID 1200 wrote to memory of 812	1200	Explorer.EXE	svchost.exe
PID 812 wrote to memory of 1544	812	svchost.exe	cmd.exe
PID 812 wrote to memory of 1544	812	svchost.exe	cmd.exe
PID 812 wrote to memory of 1544	812	svchost.exe	cmd.exe
PID 812 wrote to memory of 1544	812	svchost.exe	cmd.exe
PID 812 wrote to memory of 756	812	svchost.exe	Firefox.exe
PID 812 wrote to memory of 756	812	svchost.exe	Firefox.exe
PID 812 wrote to memory of 756	812	svchost.exe	Firefox.exe
PID 812 wrote to memory of 756	812	svchost.exe	Firefox.exe
PID 812 wrote to memory of 756	812	svchost.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1200

C:\Users\Admin\AppData\Local\Temp\RCY-ENG-SPA-44-22-SPARES.exe
"C:\Users\Admin\AppData\Local\Temp\RCY-ENG-SPA-44-22-SPARES.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1000

C:\Users\Admin\AppData\Local\Temp\RCY-ENG-SPA-44-22-SPARES.exe
"C:\Users\Admin\AppData\Local\Temp\RCY-ENG-SPA-44-22-SPARES.exe"
3⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1084

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:812

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\RCY-ENG-SPA-44-22-SPARES.exe"
3⤵
- Deletes itself
PID:1544

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/812-68-0x0000000000000000-mapping.dmp

Download
memory/812-76-0x00000000000E0000-0x000000000010D000-memory.dmp

Filesize
180KB

Download
memory/812-74-0x0000000000660000-0x00000000006F0000-memory.dmp

Filesize
576KB

Download
memory/812-73-0x00000000000E0000-0x000000000010D000-memory.dmp

Filesize
180KB

Download
memory/812-72-0x0000000000960000-0x0000000000C63000-memory.dmp

Filesize
3.0MB

Download
memory/812-70-0x0000000000950000-0x0000000000958000-memory.dmp

Filesize
32KB

Download
memory/1000-55-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download
memory/1000-54-0x0000000000D00000-0x0000000000D94000-memory.dmp

Filesize
592KB

Download
memory/1084-60-0x0000000000420330-mapping.dmp

Download
memory/1084-57-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1084-66-0x0000000000360000-0x0000000000371000-memory.dmp

Filesize
68KB

Download
memory/1084-56-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1084-65-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1084-69-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1084-63-0x0000000000320000-0x0000000000331000-memory.dmp

Filesize
68KB

Download
memory/1084-62-0x00000000008B0000-0x0000000000BB3000-memory.dmp

Filesize
3.0MB

Download
memory/1084-59-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1200-64-0x0000000007600000-0x0000000007741000-memory.dmp

Filesize
1.3MB

Download
memory/1200-75-0x0000000007750000-0x0000000007875000-memory.dmp

Filesize
1.1MB

Download
memory/1200-67-0x00000000064E0000-0x00000000065A2000-memory.dmp

Filesize
776KB

Download
memory/1200-77-0x0000000007750000-0x0000000007875000-memory.dmp

Filesize
1.1MB

Download
memory/1544-71-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads