formbook | 3ab9378862ed7e3a174d4b022ed8b38eb0838d24ea2b6543be055552633e50b9

General

Target

MV ARM TBN - VESSEL PARTICULARS.exe
Size

247KB
MD5

6d0fd8a2f7410163581e6013d06336bf
SHA1

28a2160869dce2cb8623877c6beafa82f019fe37
SHA256

3ab9378862ed7e3a174d4b022ed8b38eb0838d24ea2b6543be055552633e50b9
SHA512

636bbc44ac34ebe539c9b269d3ef285b99c9da1a47ba8a188da8c848c6f5473f58ec4689bd76cba09eee46104b1e3e323a876c01b392b0ec9ebc7e37a3138853
SSDEEP

6144:UYMY+RpZxFZ8Es0cDemuioWg4Dh9KUax4UK3se6Yt+vp57aXrQKBwH:yosUlN36EqkJ8

Score

10^/10

formbook ermr rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

ermr

Decoy

ErOK6LFCgNIAlQmH54oaYOL/CN29Z78=

qNSdDhu/PT/1fgafDagiCSZH1SY=

wLpPOAkYS8EABl3pHGc4hNT/Q1sHBrU=

jSxRvptHkeTGl7PT0SEmaZmjqzanuA==

b91oL+2wCcpyhnd6yvF6Pg==

mr81yp1/qqZX

hy7Xsz/PU/LWHMcGL4UYJx9n3A==

KlwrHt1gouPaXaWhoQ==

ng8M320IRJL9Ptw=

8GQbOXuaWxvKnNM=

XndOL7E5sNpVUNty4d/a

rryPBBC8PybYb+2h2MF3FHGL

kEoeyERSVCYO0g==

5/P+SBDby5hO

1fYXc30/h9W7iO17

34X+YKR+wRFE

8ir/X2MlVByh5lQ1ow8=

u9ikm2UMZ7J7hpCYow==

FLI+c3clp1BNDjVAfvC2Dnw=

t21Erq8/r09wAzAJTAH3Ng==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MV ARM TBN - VESSEL PARTICULARS.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	MV ARM TBN - VESSEL PARTICULARS.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

MV ARM TBN - VESSEL PARTICULARS.exeMV ARM TBN - VESSEL PARTICULARS.exeipconfig.exe

description	pid	process	target process
PID 1912 set thread context of 4232	1912	MV ARM TBN - VESSEL PARTICULARS.exe	MV ARM TBN - VESSEL PARTICULARS.exe
PID 4232 set thread context of 2584	4232	MV ARM TBN - VESSEL PARTICULARS.exe	Explorer.EXE
PID 4232 set thread context of 2584	4232	MV ARM TBN - VESSEL PARTICULARS.exe	Explorer.EXE
PID 2628 set thread context of 2584	2628	ipconfig.exe	Explorer.EXE

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

2628 ipconfig.exe

pid	process
2628	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

MV ARM TBN - VESSEL PARTICULARS.exeipconfig.exe

pid	process
4232	MV ARM TBN - VESSEL PARTICULARS.exe
4232	MV ARM TBN - VESSEL PARTICULARS.exe
4232	MV ARM TBN - VESSEL PARTICULARS.exe
4232	MV ARM TBN - VESSEL PARTICULARS.exe
4232	MV ARM TBN - VESSEL PARTICULARS.exe
4232	MV ARM TBN - VESSEL PARTICULARS.exe
4232	MV ARM TBN - VESSEL PARTICULARS.exe
4232	MV ARM TBN - VESSEL PARTICULARS.exe
4232	MV ARM TBN - VESSEL PARTICULARS.exe
4232	MV ARM TBN - VESSEL PARTICULARS.exe
2628	ipconfig.exe
2628	ipconfig.exe
2628	ipconfig.exe
2628	ipconfig.exe
2628	ipconfig.exe
2628	ipconfig.exe
2628	ipconfig.exe
2628	ipconfig.exe
2628	ipconfig.exe
2628	ipconfig.exe
2628	ipconfig.exe
2628	ipconfig.exe
2628	ipconfig.exe
2628	ipconfig.exe
2628	ipconfig.exe
2628	ipconfig.exe
2628	ipconfig.exe
2628	ipconfig.exe
2628	ipconfig.exe
2628	ipconfig.exe
2628	ipconfig.exe
2628	ipconfig.exe
2628	ipconfig.exe
2628	ipconfig.exe
2628	ipconfig.exe
2628	ipconfig.exe
2628	ipconfig.exe
2628	ipconfig.exe
2628	ipconfig.exe
2628	ipconfig.exe
2628	ipconfig.exe
2628	ipconfig.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2584 Explorer.EXE

pid	process
2584	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

MV ARM TBN - VESSEL PARTICULARS.exeipconfig.exe

pid	process
4232	MV ARM TBN - VESSEL PARTICULARS.exe
4232	MV ARM TBN - VESSEL PARTICULARS.exe
4232	MV ARM TBN - VESSEL PARTICULARS.exe
4232	MV ARM TBN - VESSEL PARTICULARS.exe
2628	ipconfig.exe
2628	ipconfig.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

MV ARM TBN - VESSEL PARTICULARS.exeipconfig.exe

description pid process

Token: SeDebugPrivilege 4232 MV ARM TBN - VESSEL PARTICULARS.exe
Token: SeDebugPrivilege 2628 ipconfig.exe

description	pid	process
Token: SeDebugPrivilege	4232	MV ARM TBN - VESSEL PARTICULARS.exe
Token: SeDebugPrivilege	2628	ipconfig.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

MV ARM TBN - VESSEL PARTICULARS.exeExplorer.EXEMV ARM TBN - VESSEL PARTICULARS.exeipconfig.exe

description	pid	process	target process
PID 1912 wrote to memory of 4232	1912	MV ARM TBN - VESSEL PARTICULARS.exe	MV ARM TBN - VESSEL PARTICULARS.exe
PID 1912 wrote to memory of 4232	1912	MV ARM TBN - VESSEL PARTICULARS.exe	MV ARM TBN - VESSEL PARTICULARS.exe
PID 1912 wrote to memory of 4232	1912	MV ARM TBN - VESSEL PARTICULARS.exe	MV ARM TBN - VESSEL PARTICULARS.exe
PID 1912 wrote to memory of 4232	1912	MV ARM TBN - VESSEL PARTICULARS.exe	MV ARM TBN - VESSEL PARTICULARS.exe
PID 1912 wrote to memory of 4232	1912	MV ARM TBN - VESSEL PARTICULARS.exe	MV ARM TBN - VESSEL PARTICULARS.exe
PID 1912 wrote to memory of 4232	1912	MV ARM TBN - VESSEL PARTICULARS.exe	MV ARM TBN - VESSEL PARTICULARS.exe
PID 2584 wrote to memory of 4568	2584	Explorer.EXE	msiexec.exe
PID 2584 wrote to memory of 4568	2584	Explorer.EXE	msiexec.exe
PID 2584 wrote to memory of 4568	2584	Explorer.EXE	msiexec.exe
PID 4232 wrote to memory of 2628	4232	MV ARM TBN - VESSEL PARTICULARS.exe	ipconfig.exe
PID 4232 wrote to memory of 2628	4232	MV ARM TBN - VESSEL PARTICULARS.exe	ipconfig.exe
PID 4232 wrote to memory of 2628	4232	MV ARM TBN - VESSEL PARTICULARS.exe	ipconfig.exe
PID 2628 wrote to memory of 3748	2628	ipconfig.exe	cmd.exe
PID 2628 wrote to memory of 3748	2628	ipconfig.exe	cmd.exe
PID 2628 wrote to memory of 3748	2628	ipconfig.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2584

C:\Users\Admin\AppData\Local\Temp\MV ARM TBN - VESSEL PARTICULARS.exe
"C:\Users\Admin\AppData\Local\Temp\MV ARM TBN - VESSEL PARTICULARS.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1912

C:\Users\Admin\AppData\Local\Temp\MV ARM TBN - VESSEL PARTICULARS.exe
"C:\Users\Admin\AppData\Local\Temp\MV ARM TBN - VESSEL PARTICULARS.exe"
3⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4232

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
4⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2628

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\MV ARM TBN - VESSEL PARTICULARS.exe"
5⤵
PID:3748

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
PID:4568

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1912-133-0x0000000005750000-0x0000000005CF4000-memory.dmp

Filesize
5.6MB

Download
memory/1912-134-0x0000000005210000-0x0000000005276000-memory.dmp

Filesize
408KB

Download
memory/1912-132-0x0000000000810000-0x0000000000854000-memory.dmp

Filesize
272KB

Download
memory/2584-143-0x0000000002A40000-0x0000000002B1B000-memory.dmp

Filesize
876KB

Download
memory/2584-153-0x00000000081C0000-0x00000000082C6000-memory.dmp

Filesize
1.0MB

Download
memory/2584-152-0x00000000081C0000-0x00000000082C6000-memory.dmp

Filesize
1.0MB

Download
memory/2584-140-0x0000000007C90000-0x0000000007DB2000-memory.dmp

Filesize
1.1MB

Download
memory/2628-148-0x0000000001920000-0x0000000001C6A000-memory.dmp

Filesize
3.3MB

Download
memory/2628-150-0x0000000000F80000-0x0000000000FAD000-memory.dmp

Filesize
180KB

Download
memory/2628-151-0x0000000001780000-0x0000000001810000-memory.dmp

Filesize
576KB

Download
memory/2628-147-0x0000000000F80000-0x0000000000FAD000-memory.dmp

Filesize
180KB

Download
memory/2628-146-0x00000000008E0000-0x00000000008EB000-memory.dmp

Filesize
44KB

Download
memory/2628-145-0x0000000000000000-mapping.dmp

Download
memory/3748-149-0x0000000000000000-mapping.dmp

Download
memory/4232-144-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4232-139-0x00000000014C0000-0x00000000014D1000-memory.dmp

Filesize
68KB

Download
memory/4232-138-0x0000000001150000-0x000000000149A000-memory.dmp

Filesize
3.3MB

Download
memory/4232-141-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4232-142-0x0000000002DC0000-0x0000000002DD1000-memory.dmp

Filesize
68KB

Download
memory/4232-136-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4232-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads