formbook | f1c30b378d3eef6e701672f8af445260991df54f18a922ef13759c83e64386da

General

Target

payment_copy4_receipt.exe
Size

535KB
MD5

9c00e5d71c6c53c475e416ce9a99c09f
SHA1

2b38c81029cd53a3bb8d6c250f67d77b4f7b565d
SHA256

f1c30b378d3eef6e701672f8af445260991df54f18a922ef13759c83e64386da
SHA512

9b4970b6669fb196ed9ca6f906c94e0e7d417dbb87e96a513cd75d01514035ce479aa94f0c7fcd50cd66a6a2b00555723af4432192c117a5836f6c456d5ab2c4
SSDEEP

6144:lBnlWGbq9Dey0ua8QMaDeQ0mjqKzu6ueVivo3+QivOqN:w9aeErDaylRuuIJvD

Score

10^/10

formbook veh0 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

veh0

Decoy

eulOjQZkipo8

QwbusPrEgpY4

wa2T8+F5rPaBwA==

pHqtrZbvmnkn

FofuGpY05AV1GXzK

QzOsho4z81BsDSpsVf4=

M7qvjwRJ9Uh9sjUPKjJhQHSPC95K0Mb3vQ==

RpDcjMjmrPaBwA==

DnavFlx/AnqVWGkqQw5YGE2yhnrr

fXToBli75WjZUWTwfg==

C+zIIgw1oRGbvqpcfiRFw+MQNA==

a7STeCtyL/CDTAp26zFXE7DXKQ==

DIbpI4a5R7OdZsE=

DoDgGKtSGd1qeqA59V1sAPqn0uBEjCo=

ZfDZ6qHkgbzS75ebtUeUKBg=

miCSMfAn3B8xP8LXw94C

L/zGMQOscy3C0Ox24IGsxQ==

rPlWqyNf+Q/FflzeWXbHY5qx

aDRsdSnOrAu32Q==

tTKuCn+pT5y4wzVmA07fcoyo

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

kwlekmutmm.exekwlekmutmm.exe

pid process

3408 kwlekmutmm.exe
1752 kwlekmutmm.exe

pid	process
3408	kwlekmutmm.exe
1752	kwlekmutmm.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

kwlekmutmm.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	kwlekmutmm.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

kwlekmutmm.exekwlekmutmm.exe

description	pid	process	target process
PID 3408 set thread context of 1752	3408	kwlekmutmm.exe	kwlekmutmm.exe
PID 1752 set thread context of 2600	1752	kwlekmutmm.exe	Explorer.EXE
PID 1752 set thread context of 2600	1752	kwlekmutmm.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

kwlekmutmm.exe

pid	process
1752	kwlekmutmm.exe
1752	kwlekmutmm.exe
1752	kwlekmutmm.exe
1752	kwlekmutmm.exe
1752	kwlekmutmm.exe
1752	kwlekmutmm.exe
1752	kwlekmutmm.exe
1752	kwlekmutmm.exe
1752	kwlekmutmm.exe
1752	kwlekmutmm.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

kwlekmutmm.exekwlekmutmm.exe

pid process

3408 kwlekmutmm.exe
1752 kwlekmutmm.exe
1752 kwlekmutmm.exe

pid	process
3408	kwlekmutmm.exe
1752	kwlekmutmm.exe
1752	kwlekmutmm.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

kwlekmutmm.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1752	kwlekmutmm.exe
Token: SeShutdownPrivilege	2600	Explorer.EXE
Token: SeCreatePagefilePrivilege	2600	Explorer.EXE

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

payment_copy4_receipt.exekwlekmutmm.exe

description	pid	process	target process
PID 1052 wrote to memory of 3408	1052	payment_copy4_receipt.exe	kwlekmutmm.exe
PID 1052 wrote to memory of 3408	1052	payment_copy4_receipt.exe	kwlekmutmm.exe
PID 1052 wrote to memory of 3408	1052	payment_copy4_receipt.exe	kwlekmutmm.exe
PID 3408 wrote to memory of 1752	3408	kwlekmutmm.exe	kwlekmutmm.exe
PID 3408 wrote to memory of 1752	3408	kwlekmutmm.exe	kwlekmutmm.exe
PID 3408 wrote to memory of 1752	3408	kwlekmutmm.exe	kwlekmutmm.exe
PID 3408 wrote to memory of 1752	3408	kwlekmutmm.exe	kwlekmutmm.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\Users\Admin\AppData\Local\Temp\payment_copy4_receipt.exe
"C:\Users\Admin\AppData\Local\Temp\payment_copy4_receipt.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1052

C:\Users\Admin\AppData\Local\Temp\kwlekmutmm.exe
"C:\Users\Admin\AppData\Local\Temp\kwlekmutmm.exe" C:\Users\Admin\AppData\Local\Temp\wlkaev.ssw
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3408

C:\Users\Admin\AppData\Local\Temp\kwlekmutmm.exe
"C:\Users\Admin\AppData\Local\Temp\kwlekmutmm.exe" C:\Users\Admin\AppData\Local\Temp\wlkaev.ssw
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
PID:4384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dsbglzt.q
Filesize
185KB

MD5
b54079e086f261a71159bf3dbacbc457

SHA1
db14a14c685434d7db628513ea8d9e81628b457c

SHA256
54f91f33d8e88f9bc14b8787e0e2b1e1ef8d711225b735a626555ae142e87d62

SHA512
ff4e4677d41f82fdb75a01aec7566988d5a42f031ac9b98a96835e7b6acbfff7a8584f69d8256a5daf88dbfb1f7bb94f1ea008570d51bfd100b9512d10b3b117

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwlekmutmm.exe
Filesize
122KB

MD5
b36a20f9ca4409b58323346ac424acd4

SHA1
a0faf11adc147bdc4971fcddd5369dcb441f6946

SHA256
94944cde59010d13e199cfa5262af09490dcc41b1b9e2cb991275233665c98cf

SHA512
efcd83a66785d4c6f74e7d7b10adb65f96015e2fc335eb28b31853eb9844064eda47aef2fc0f5398bdbf0a57af5e5f98bfa063cd0f3b44da65324bb420e33ffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwlekmutmm.exe
Filesize
122KB

MD5
b36a20f9ca4409b58323346ac424acd4

SHA1
a0faf11adc147bdc4971fcddd5369dcb441f6946

SHA256
94944cde59010d13e199cfa5262af09490dcc41b1b9e2cb991275233665c98cf

SHA512
efcd83a66785d4c6f74e7d7b10adb65f96015e2fc335eb28b31853eb9844064eda47aef2fc0f5398bdbf0a57af5e5f98bfa063cd0f3b44da65324bb420e33ffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwlekmutmm.exe
Filesize
122KB

MD5
b36a20f9ca4409b58323346ac424acd4

SHA1
a0faf11adc147bdc4971fcddd5369dcb441f6946

SHA256
94944cde59010d13e199cfa5262af09490dcc41b1b9e2cb991275233665c98cf

SHA512
efcd83a66785d4c6f74e7d7b10adb65f96015e2fc335eb28b31853eb9844064eda47aef2fc0f5398bdbf0a57af5e5f98bfa063cd0f3b44da65324bb420e33ffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\wlkaev.ssw
Filesize
5KB

MD5
7880cc4134ae413deabf7154d3c72142

SHA1
990536868b4cc56be1f052fce61b66f694406c76

SHA256
3cc20f8962b6a72203a1cfe725f8e82ea5c0cf7018d43ccc7216de935871dec7

SHA512
36b1e41bc6aa23a363f18b4474229c0809ac4c9d5864d37ecaffa45d262b2341811cdbaf6fe119bfeff9cde97c549e219f744dee59e63aa92ef804cccd692e3f

Download Submit
memory/1752-137-0x0000000000000000-mapping.dmp

Download
memory/1752-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1752-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1752-141-0x0000000000A00000-0x0000000000D4A000-memory.dmp

Filesize
3.3MB

Download
memory/1752-142-0x00000000004B0000-0x00000000004C0000-memory.dmp

Filesize
64KB

Download
memory/1752-144-0x0000000002760000-0x0000000002770000-memory.dmp

Filesize
64KB

Download
memory/2600-143-0x0000000008E40000-0x0000000008FAA000-memory.dmp

Filesize
1.4MB

Download
memory/2600-145-0x0000000009080000-0x0000000009154000-memory.dmp

Filesize
848KB

Download
memory/3408-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads