formbook | 4d19688eba48474ab160de7ebf85fa55f2f2fc50f678ce822f8ede4beaf427cc

General

Target

RCY-ENG-SPA-44-22-SPARES.exe
Size

566KB
MD5

6a884bb90de45f882b333131a56b30d3
SHA1

2bb5a01be489174666024a97573c4a725415ceef
SHA256

4d19688eba48474ab160de7ebf85fa55f2f2fc50f678ce822f8ede4beaf427cc
SHA512

e7ad8ad36ddd750efddb400c134d30dc90b47974860ea0248464245520aae67f4b14a94b980b43323051c0e84a9149ac760ae83b39c8ac0cac24eb1c2a7f8f24
SSDEEP

12288:G1str70ixogYv28Q05rjBKS+r9AH0Ue2:Gir9ulvLLRwqH0P2

Score

10^/10

formbook ermr persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

ermr

Decoy

ErOK6LFCgNIAlQmH54oaYOL/CN29Z78=

qNSdDhu/PT/1fgafDagiCSZH1SY=

wLpPOAkYS8EABl3pHGc4hNT/Q1sHBrU=

jSxRvptHkeTGl7PT0SEmaZmjqzanuA==

b91oL+2wCcpyhnd6yvF6Pg==

mr81yp1/qqZX

hy7Xsz/PU/LWHMcGL4UYJx9n3A==

KlwrHt1gouPaXaWhoQ==

ng8M320IRJL9Ptw=

8GQbOXuaWxvKnNM=

XndOL7E5sNpVUNty4d/a

rryPBBC8PybYb+2h2MF3FHGL

kEoeyERSVCYO0g==

5/P+SBDby5hO

1fYXc30/h9W7iO17

34X+YKR+wRFE

8ir/X2MlVByh5lQ1ow8=

u9ikm2UMZ7J7hpCYow==

FLI+c3clp1BNDjVAfvC2Dnw=

t21Erq8/r09wAzAJTAH3Ng==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RCY-ENG-SPA-44-22-SPARES.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	RCY-ENG-SPA-44-22-SPARES.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

netsh.exe

description	ioc	process
Key created	\Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	netsh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\I8TPYBG0XJN = "C:\\Program Files (x86)\\Xmvkdxxo\\04iijrp-.exe"	netsh.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

RCY-ENG-SPA-44-22-SPARES.exeRCY-ENG-SPA-44-22-SPARES.exenetsh.exe

description	pid	process	target process
PID 456 set thread context of 4972	456	RCY-ENG-SPA-44-22-SPARES.exe	RCY-ENG-SPA-44-22-SPARES.exe
PID 4972 set thread context of 2380	4972	RCY-ENG-SPA-44-22-SPARES.exe	Explorer.EXE
PID 2800 set thread context of 2380	2800	netsh.exe	Explorer.EXE

Drops file in Program Files directory 1 IoCs

Processes:

netsh.exe

description ioc process

File opened for modification C:\Program Files (x86)\Xmvkdxxo\04iijrp-.exe netsh.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Xmvkdxxo\04iijrp-.exe	netsh.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

netsh.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	netsh.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

RCY-ENG-SPA-44-22-SPARES.exenetsh.exe

pid	process
4972	RCY-ENG-SPA-44-22-SPARES.exe
4972	RCY-ENG-SPA-44-22-SPARES.exe
4972	RCY-ENG-SPA-44-22-SPARES.exe
4972	RCY-ENG-SPA-44-22-SPARES.exe
4972	RCY-ENG-SPA-44-22-SPARES.exe
4972	RCY-ENG-SPA-44-22-SPARES.exe
4972	RCY-ENG-SPA-44-22-SPARES.exe
4972	RCY-ENG-SPA-44-22-SPARES.exe
2800	netsh.exe
2800	netsh.exe
2800	netsh.exe
2800	netsh.exe
2800	netsh.exe
2800	netsh.exe
2800	netsh.exe
2800	netsh.exe
2800	netsh.exe
2800	netsh.exe
2800	netsh.exe
2800	netsh.exe
2800	netsh.exe
2800	netsh.exe
2800	netsh.exe
2800	netsh.exe
2800	netsh.exe
2800	netsh.exe
2800	netsh.exe
2800	netsh.exe
2800	netsh.exe
2800	netsh.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2380 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

RCY-ENG-SPA-44-22-SPARES.exenetsh.exe

pid process

4972 RCY-ENG-SPA-44-22-SPARES.exe
4972 RCY-ENG-SPA-44-22-SPARES.exe
4972 RCY-ENG-SPA-44-22-SPARES.exe
2800 netsh.exe
2800 netsh.exe
2800 netsh.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RCY-ENG-SPA-44-22-SPARES.exenetsh.exe

description pid process

Token: SeDebugPrivilege 4972 RCY-ENG-SPA-44-22-SPARES.exe
Token: SeDebugPrivilege 2800 netsh.exe

pid	process
2380	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	4972	RCY-ENG-SPA-44-22-SPARES.exe
Token: SeDebugPrivilege	2800	netsh.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

RCY-ENG-SPA-44-22-SPARES.exeExplorer.EXEnetsh.exe

description	pid	process	target process
PID 456 wrote to memory of 4972	456	RCY-ENG-SPA-44-22-SPARES.exe	RCY-ENG-SPA-44-22-SPARES.exe
PID 456 wrote to memory of 4972	456	RCY-ENG-SPA-44-22-SPARES.exe	RCY-ENG-SPA-44-22-SPARES.exe
PID 456 wrote to memory of 4972	456	RCY-ENG-SPA-44-22-SPARES.exe	RCY-ENG-SPA-44-22-SPARES.exe
PID 456 wrote to memory of 4972	456	RCY-ENG-SPA-44-22-SPARES.exe	RCY-ENG-SPA-44-22-SPARES.exe
PID 456 wrote to memory of 4972	456	RCY-ENG-SPA-44-22-SPARES.exe	RCY-ENG-SPA-44-22-SPARES.exe
PID 456 wrote to memory of 4972	456	RCY-ENG-SPA-44-22-SPARES.exe	RCY-ENG-SPA-44-22-SPARES.exe
PID 2380 wrote to memory of 2800	2380	Explorer.EXE	netsh.exe
PID 2380 wrote to memory of 2800	2380	Explorer.EXE	netsh.exe
PID 2380 wrote to memory of 2800	2380	Explorer.EXE	netsh.exe
PID 2800 wrote to memory of 1852	2800	netsh.exe	cmd.exe
PID 2800 wrote to memory of 1852	2800	netsh.exe	cmd.exe
PID 2800 wrote to memory of 1852	2800	netsh.exe	cmd.exe
PID 2800 wrote to memory of 812	2800	netsh.exe	Firefox.exe
PID 2800 wrote to memory of 812	2800	netsh.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2380

C:\Users\Admin\AppData\Local\Temp\RCY-ENG-SPA-44-22-SPARES.exe
"C:\Users\Admin\AppData\Local\Temp\RCY-ENG-SPA-44-22-SPARES.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:456

C:\Users\Admin\AppData\Local\Temp\RCY-ENG-SPA-44-22-SPARES.exe
"C:\Users\Admin\AppData\Local\Temp\RCY-ENG-SPA-44-22-SPARES.exe"
3⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4972

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2800

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\RCY-ENG-SPA-44-22-SPARES.exe"
3⤵
PID:1852

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/456-132-0x0000000000D00000-0x0000000000D94000-memory.dmp

Filesize
592KB

Download
memory/456-133-0x0000000005BF0000-0x0000000006194000-memory.dmp

Filesize
5.6MB

Download
memory/456-134-0x0000000005700000-0x0000000005766000-memory.dmp

Filesize
408KB

Download
memory/1852-145-0x0000000000000000-mapping.dmp

Download
memory/2380-141-0x00000000089E0000-0x0000000008B6C000-memory.dmp

Filesize
1.5MB

Download
memory/2380-149-0x00000000035A0000-0x0000000003655000-memory.dmp

Filesize
724KB

Download
memory/2380-150-0x00000000035A0000-0x0000000003655000-memory.dmp

Filesize
724KB

Download
memory/2800-147-0x0000000001130000-0x00000000011C0000-memory.dmp

Filesize
576KB

Download
memory/2800-142-0x0000000000000000-mapping.dmp

Download
memory/2800-144-0x00000000008A0000-0x00000000008CD000-memory.dmp

Filesize
180KB

Download
memory/2800-143-0x00000000008E0000-0x00000000008FE000-memory.dmp

Filesize
120KB

Download
memory/2800-146-0x0000000001220000-0x000000000156A000-memory.dmp

Filesize
3.3MB

Download
memory/2800-148-0x00000000008A0000-0x00000000008CD000-memory.dmp

Filesize
180KB

Download
memory/4972-136-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4972-135-0x0000000000000000-mapping.dmp

Download
memory/4972-138-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4972-140-0x0000000001250000-0x0000000001261000-memory.dmp

Filesize
68KB

Download
memory/4972-139-0x00000000016D0000-0x0000000001A1A000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads