formbook | 1c239056f12181094f66a4e7dd8a5ece180a9d9ad9793cf0dc1991dd0e53d585

General

Target

P_O__DAR.exe
Size

638KB
MD5

54461c7e27a4a8300849a2bf355e2f80
SHA1

062533436b05fa712687cf294db2d5b1ec3b7265
SHA256

6ec121caff8aebd600516a024a4d6f289e32dd8ab3581e2e641cf5309f4905d6
SHA512

cccad6007233a70642ec92622a091e489fc227df342f54137e7085b178978f4bd9b48b62664d025d0858c744145cabdb617df1f8761dda4bd416d9627ac7e8f4
SSDEEP

12288:EAOoU7mzbaCWo4lZ7v4V+rsUbXKENRT9AV5yKk4dKQ24:EAG7mzbCo4lZ7vLpXJzBA/yKkGp24

Score

10^/10

formbook bzp6 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

bzp6

Decoy

cv3Tymnr/xzunez//TFYQoKp0Pfj

tUmgQu3m4ffj

nEv7UlMpk8u5csW5dJS/po1Hsh7r

vm+dyfje8fW5f49kA/Fau+xLYJlPVv0=

/7jzSKaswdGspw82DA==

WEBCaDa1z928jBdUWtn/O5+I

vrunlBev7DDHnf4R

8+BnVrB7/Uzl4A0JnaYLcw==

02sgf5VrD1ccjnNIztUUtas=

PwdKrCuRJGdBG6hwGw==

lGNYjlH5mc67hGn7T/xYNq6kVdJqMku5

OPhdW1IysvnSXL365hJEGqIlMHs=

hGfpAURoq6xxRCy0D5eFga4=

q4pklmD4j9uuXz7ENyuWHxkWSZlPVv0=

A7UeJSAFi92oeJfmPwA=

YUfI3A//bLibaIPtoRB2

vpFlpIlanKM6Vuge

NsghLA2JylkvtA==

Fh3CD1JtmB/+wJU=

58aByPTnXaeKGuUsavhr

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

okuhrowj.exeokuhrowj.exe

pid process

1036 okuhrowj.exe
4708 okuhrowj.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

okuhrowj.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	okuhrowj.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

okuhrowj.exeokuhrowj.execontrol.exe

description	pid	process	target process
PID 1036 set thread context of 4708	1036	okuhrowj.exe	okuhrowj.exe
PID 4708 set thread context of 2640	4708	okuhrowj.exe	Explorer.EXE
PID 1460 set thread context of 2640	1460	control.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4576 4516 WerFault.exe

pid	pid_target	process	target process
4576	4516	WerFault.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

control.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	control.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

okuhrowj.execontrol.exe

pid	process
4708	okuhrowj.exe
4708	okuhrowj.exe
4708	okuhrowj.exe
4708	okuhrowj.exe
4708	okuhrowj.exe
4708	okuhrowj.exe
4708	okuhrowj.exe
4708	okuhrowj.exe
1460	control.exe
1460	control.exe
1460	control.exe
1460	control.exe
1460	control.exe
1460	control.exe
1460	control.exe
1460	control.exe
1460	control.exe
1460	control.exe
1460	control.exe
1460	control.exe
1460	control.exe
1460	control.exe
1460	control.exe
1460	control.exe
1460	control.exe
1460	control.exe
1460	control.exe
1460	control.exe
1460	control.exe
1460	control.exe
1460	control.exe
1460	control.exe
1460	control.exe
1460	control.exe
1460	control.exe
1460	control.exe
1460	control.exe
1460	control.exe
1460	control.exe
1460	control.exe
1460	control.exe
1460	control.exe
1460	control.exe
1460	control.exe
1460	control.exe
1460	control.exe
1460	control.exe
1460	control.exe
1460	control.exe
1460	control.exe
1460	control.exe
1460	control.exe
1460	control.exe
1460	control.exe
1460	control.exe
1460	control.exe
1460	control.exe
1460	control.exe
1460	control.exe
1460	control.exe
1460	control.exe
1460	control.exe
1460	control.exe
1460	control.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2640 Explorer.EXE

pid	process
2640	Explorer.EXE

Suspicious behavior: MapViewOfSection 9 IoCs

Processes:

okuhrowj.exeokuhrowj.execontrol.exe

pid	process
1036	okuhrowj.exe
1036	okuhrowj.exe
4708	okuhrowj.exe
4708	okuhrowj.exe
4708	okuhrowj.exe
1460	control.exe
1460	control.exe
1460	control.exe
1460	control.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

okuhrowj.execontrol.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	4708	okuhrowj.exe
Token: SeDebugPrivilege	1460	control.exe
Token: SeShutdownPrivilege	2640	Explorer.EXE
Token: SeCreatePagefilePrivilege	2640	Explorer.EXE
Token: SeShutdownPrivilege	2640	Explorer.EXE
Token: SeCreatePagefilePrivilege	2640	Explorer.EXE
Token: SeShutdownPrivilege	2640	Explorer.EXE
Token: SeCreatePagefilePrivilege	2640	Explorer.EXE
Token: SeShutdownPrivilege	2640	Explorer.EXE
Token: SeCreatePagefilePrivilege	2640	Explorer.EXE
Token: SeShutdownPrivilege	2640	Explorer.EXE
Token: SeCreatePagefilePrivilege	2640	Explorer.EXE
Token: SeShutdownPrivilege	2640	Explorer.EXE
Token: SeCreatePagefilePrivilege	2640	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

okuhrowj.exe

pid process

1036 okuhrowj.exe
1036 okuhrowj.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

okuhrowj.exe

pid process

1036 okuhrowj.exe
1036 okuhrowj.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

P_O__DAR.exeokuhrowj.exeExplorer.EXEcontrol.exe

description	pid	process	target process
PID 4844 wrote to memory of 1036	4844	P_O__DAR.exe	okuhrowj.exe
PID 4844 wrote to memory of 1036	4844	P_O__DAR.exe	okuhrowj.exe
PID 4844 wrote to memory of 1036	4844	P_O__DAR.exe	okuhrowj.exe
PID 1036 wrote to memory of 4708	1036	okuhrowj.exe	okuhrowj.exe
PID 1036 wrote to memory of 4708	1036	okuhrowj.exe	okuhrowj.exe
PID 1036 wrote to memory of 4708	1036	okuhrowj.exe	okuhrowj.exe
PID 1036 wrote to memory of 4708	1036	okuhrowj.exe	okuhrowj.exe
PID 2640 wrote to memory of 1460	2640	Explorer.EXE	control.exe
PID 2640 wrote to memory of 1460	2640	Explorer.EXE	control.exe
PID 2640 wrote to memory of 1460	2640	Explorer.EXE	control.exe
PID 1460 wrote to memory of 3540	1460	control.exe	Firefox.exe
PID 1460 wrote to memory of 3540	1460	control.exe	Firefox.exe
PID 1460 wrote to memory of 3540	1460	control.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2640

C:\Users\Admin\AppData\Local\Temp\P_O__DAR.exe
"C:\Users\Admin\AppData\Local\Temp\P_O__DAR.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4844

C:\Users\Admin\AppData\Local\Temp\okuhrowj.exe
"C:\Users\Admin\AppData\Local\Temp\okuhrowj.exe" "C:\Users\Admin\AppData\Local\Temp\ztfhvou.au3"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1036

C:\Users\Admin\AppData\Local\Temp\okuhrowj.exe
"C:\Users\Admin\AppData\Local\Temp\okuhrowj.exe" "C:\Users\Admin\AppData\Local\Temp\ztfhvou.au3"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4708

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1460

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:3540

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 452 -p 4516 -ip 4516
1⤵
PID:1856

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4516 -s 2456
1⤵
- Program crash
PID:4576

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fianubvi.lm
Filesize
61KB

MD5
d2d42fafcaa8bcf0484f27440a32a0a8

SHA1
9c48d0f702f4ae934512e651eab3605e2b604d58

SHA256
db6bc0d12caa7f609c2cd7fc7bb70113e1f2f0eaadcc410eda8406c7334dd7cc

SHA512
1e4b28eaf5aff21c045ec2a78e939fb44ffe01274bd8bcad3cdc55dfc0bfda7dcb2df169e1264c98981d2b1f3effb52c4646b2b3aa3c208fe1f145d5114559c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jvlglcnd.dqo
Filesize
185KB

MD5
cb8affeff4e230f0ecb2cfa12a20f19a

SHA1
aeee9468907aa78217baf02e20b4bb2255298804

SHA256
72e0fece8ab603e7db2d2d0e198a24bd0e9735888e2f73fc9257fe9bee1d6561

SHA512
a0971c5473c91785d58145def24565b521d438605d500b1b8374ffb130c70f63fdb30e669ddd9128c5643394097193f4153f1029188e3d630e32de2e96feb0fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\okuhrowj.exe
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\okuhrowj.exe
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\okuhrowj.exe
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ztfhvou.au3
Filesize
6KB

MD5
6fbdda3cf4d07cb8030f8f653d422029

SHA1
d96e37003ec50c66b3c60709a92efd5673bdf410

SHA256
a0b9f59ed883183ceb3a6704d0fc653f2c2b920b741834c9cda0ee702b9f17a6

SHA512
bf55e50ebb282e09b7fa9ae5dc8e1bf66fd1738b3e99fa5385410e00b853077c5b73c3afe006b3449713b09dafbcbac62642fe9a903b39f3e67380ec59e23de5

Download Submit
memory/1036-132-0x0000000000000000-mapping.dmp

Download
memory/1460-151-0x0000000000A50000-0x0000000000A7D000-memory.dmp

Filesize
180KB

Download
memory/1460-148-0x0000000002B10000-0x0000000002E5A000-memory.dmp

Filesize
3.3MB

Download
memory/1460-149-0x0000000000F20000-0x0000000000FAF000-memory.dmp

Filesize
572KB

Download
memory/1460-144-0x0000000000000000-mapping.dmp

Download
memory/1460-145-0x0000000000FD0000-0x0000000000FF7000-memory.dmp

Filesize
156KB

Download
memory/1460-146-0x0000000000A50000-0x0000000000A7D000-memory.dmp

Filesize
180KB

Download
memory/2640-150-0x0000000003630000-0x0000000003713000-memory.dmp

Filesize
908KB

Download
memory/2640-143-0x0000000003370000-0x0000000003423000-memory.dmp

Filesize
716KB

Download
memory/2640-152-0x0000000003630000-0x0000000003713000-memory.dmp

Filesize
908KB

Download
memory/4708-137-0x0000000000000000-mapping.dmp

Download
memory/4708-141-0x0000000001622000-0x0000000001624000-memory.dmp

Filesize
8KB

Download
memory/4708-142-0x0000000000FF0000-0x0000000001000000-memory.dmp

Filesize
64KB

Download
memory/4708-140-0x0000000001C50000-0x0000000001F9A000-memory.dmp

Filesize
3.3MB

Download
memory/4708-139-0x0000000001600000-0x000000000162F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads