formbook | c1609447bd7a2ee528d1f2145ebc3ad9a53efee61111824d22f935e497bac31f

General

Target

payment_copy2_receipt.exe
Size

535KB
MD5

9b8c61ded729ca6c9d5f7fded18eef27
SHA1

37fc137e9aa09fc01820cd90c851ca3aee6be72a
SHA256

c1609447bd7a2ee528d1f2145ebc3ad9a53efee61111824d22f935e497bac31f
SHA512

d2696cf0e8b169763a1ba52211edbbc729f4f3a2aee8b6c029138d0fa180000b1f1781e777edb7328520c057c522371a698279e5ad178fda5b961d127bca27f5
SSDEEP

6144:lBnlWGbqCEADGaF1B1XBx23XB0RQ4MXC+l1O45IDkQBha03YIjo4:wCEQGKy3R0qPHO45FQBhaM

Score

10^/10

formbook veh0 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

veh0

Decoy

eulOjQZkipo8

QwbusPrEgpY4

wa2T8+F5rPaBwA==

pHqtrZbvmnkn

FofuGpY05AV1GXzK

QzOsho4z81BsDSpsVf4=

M7qvjwRJ9Uh9sjUPKjJhQHSPC95K0Mb3vQ==

RpDcjMjmrPaBwA==

DnavFlx/AnqVWGkqQw5YGE2yhnrr

fXToBli75WjZUWTwfg==

C+zIIgw1oRGbvqpcfiRFw+MQNA==

a7STeCtyL/CDTAp26zFXE7DXKQ==

DIbpI4a5R7OdZsE=

DoDgGKtSGd1qeqA59V1sAPqn0uBEjCo=

ZfDZ6qHkgbzS75ebtUeUKBg=

miCSMfAn3B8xP8LXw94C

L/zGMQOscy3C0Ox24IGsxQ==

rPlWqyNf+Q/FflzeWXbHY5qx

aDRsdSnOrAu32Q==

tTKuCn+pT5y4wzVmA07fcoyo

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

fcvvthv.exefcvvthv.exe

pid process

4360 fcvvthv.exe
1332 fcvvthv.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

fcvvthv.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation fcvvthv.exe

pid	process
4360	fcvvthv.exe
1332	fcvvthv.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	fcvvthv.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

fcvvthv.exefcvvthv.exemsdt.exe

description	pid	process	target process
PID 4360 set thread context of 1332	4360	fcvvthv.exe	fcvvthv.exe
PID 1332 set thread context of 2688	1332	fcvvthv.exe	Explorer.EXE
PID 1332 set thread context of 2688	1332	fcvvthv.exe	Explorer.EXE
PID 4148 set thread context of 2688	4148	msdt.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

msdt.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	msdt.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

fcvvthv.exemsdt.exe

pid	process
1332	fcvvthv.exe
1332	fcvvthv.exe
1332	fcvvthv.exe
1332	fcvvthv.exe
1332	fcvvthv.exe
1332	fcvvthv.exe
1332	fcvvthv.exe
1332	fcvvthv.exe
1332	fcvvthv.exe
1332	fcvvthv.exe
4148	msdt.exe
4148	msdt.exe
4148	msdt.exe
4148	msdt.exe
4148	msdt.exe
4148	msdt.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2688 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

fcvvthv.exefcvvthv.exemsdt.exe

pid process

4360 fcvvthv.exe
1332 fcvvthv.exe
1332 fcvvthv.exe
1332 fcvvthv.exe
1332 fcvvthv.exe
4148 msdt.exe
4148 msdt.exe

pid	process
2688	Explorer.EXE

pid	process
4360	fcvvthv.exe
1332	fcvvthv.exe
1332	fcvvthv.exe
1332	fcvvthv.exe
1332	fcvvthv.exe
4148	msdt.exe
4148	msdt.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

fcvvthv.exemsdt.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1332	fcvvthv.exe
Token: SeDebugPrivilege	4148	msdt.exe
Token: SeShutdownPrivilege	2688	Explorer.EXE
Token: SeCreatePagefilePrivilege	2688	Explorer.EXE
Token: SeShutdownPrivilege	2688	Explorer.EXE
Token: SeCreatePagefilePrivilege	2688	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

2688 Explorer.EXE

pid	process
2688	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

payment_copy2_receipt.exefcvvthv.exeExplorer.EXEfcvvthv.exe

description	pid	process	target process
PID 3056 wrote to memory of 4360	3056	payment_copy2_receipt.exe	fcvvthv.exe
PID 3056 wrote to memory of 4360	3056	payment_copy2_receipt.exe	fcvvthv.exe
PID 3056 wrote to memory of 4360	3056	payment_copy2_receipt.exe	fcvvthv.exe
PID 4360 wrote to memory of 1332	4360	fcvvthv.exe	fcvvthv.exe
PID 4360 wrote to memory of 1332	4360	fcvvthv.exe	fcvvthv.exe
PID 4360 wrote to memory of 1332	4360	fcvvthv.exe	fcvvthv.exe
PID 4360 wrote to memory of 1332	4360	fcvvthv.exe	fcvvthv.exe
PID 2688 wrote to memory of 1776	2688	Explorer.EXE	svchost.exe
PID 2688 wrote to memory of 1776	2688	Explorer.EXE	svchost.exe
PID 2688 wrote to memory of 1776	2688	Explorer.EXE	svchost.exe
PID 1332 wrote to memory of 4148	1332	fcvvthv.exe	msdt.exe
PID 1332 wrote to memory of 4148	1332	fcvvthv.exe	msdt.exe
PID 1332 wrote to memory of 4148	1332	fcvvthv.exe	msdt.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Users\Admin\AppData\Local\Temp\payment_copy2_receipt.exe
  "C:\Users\Admin\AppData\Local\Temp\payment_copy2_receipt.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Users\Admin\AppData\Local\Temp\fcvvthv.exe
    "C:\Users\Admin\AppData\Local\Temp\fcvvthv.exe" C:\Users\Admin\AppData\Local\Temp\abggklv.q
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4360
  - - C:\Users\Admin\AppData\Local\Temp\fcvvthv.exe
      "C:\Users\Admin\AppData\Local\Temp\fcvvthv.exe" C:\Users\Admin\AppData\Local\Temp\abggklv.q
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1332
    - - C:\Windows\SysWOW64\msdt.exe
        
        "C:\Windows\SysWOW64\msdt.exe"
        5⤵
        Suspicious use of SetThreadContext
        Modifies Internet Explorer settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4148
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\SysWOW64\svchost.exe"
  2⤵
  PID:1776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\abggklv.q

Filesize
5KB

MD5
6d8e18d69240ffea42588dab287b1101

SHA1
cefd52a04f08ef59709db3ddbf7f9409d0c795be

SHA256
2ce4dd4327eb70e03e7d48d57bc1c46ec922b73fb7e9501c1f7a2580f19f7121

SHA512
0be89301e5319e37b9c6641bbf3689fb91bb79b7cca37034c4533fd87a4110f67d44d3130d0fded9448251f9c6344eb1ded6a540a2f9152bd85d3e59b5f10aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\assakziryna.z

Filesize
185KB

MD5
f4a6bf70e5353725edbd930f6311a876

SHA1
d329889e536cebf7e71e2bd7cb9b4f078e115e03

SHA256
a640df81745a2e0ea64055877f85f6b6b5e00512018da51af51b85ab5fb8ce0f

SHA512
bc962a3c95bdc9e9c30f73c7d53463f07c16b62cf7044ceb5d06a6fa5ce96a44bfb38b02113de92eb42d969499ef50248288e351130966f3ffd5389e31940dee

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcvvthv.exe

Filesize
122KB

MD5
353f7d8845e3dd77d50661a00ec7df55

SHA1
f9aa7d4b6ec63ad64ba14e8fc9c4068204590ebc

SHA256
38fad353228a143830ed3057a14dfd9a0853494be8cd7ed62cf2676f963a0963

SHA512
ad8cace8bc0a3889ffd76cccc0ef823dc316fa4db37f6a7a94278c3faca26a547b5278b3de615a23123dc6b0e2d61fdbfea0be5d48ed297001b080a813bb5233

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcvvthv.exe

Filesize
122KB

MD5
353f7d8845e3dd77d50661a00ec7df55

SHA1
f9aa7d4b6ec63ad64ba14e8fc9c4068204590ebc

SHA256
38fad353228a143830ed3057a14dfd9a0853494be8cd7ed62cf2676f963a0963

SHA512
ad8cace8bc0a3889ffd76cccc0ef823dc316fa4db37f6a7a94278c3faca26a547b5278b3de615a23123dc6b0e2d61fdbfea0be5d48ed297001b080a813bb5233

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcvvthv.exe

Filesize
122KB

MD5
353f7d8845e3dd77d50661a00ec7df55

SHA1
f9aa7d4b6ec63ad64ba14e8fc9c4068204590ebc

SHA256
38fad353228a143830ed3057a14dfd9a0853494be8cd7ed62cf2676f963a0963

SHA512
ad8cace8bc0a3889ffd76cccc0ef823dc316fa4db37f6a7a94278c3faca26a547b5278b3de615a23123dc6b0e2d61fdbfea0be5d48ed297001b080a813bb5233

Download Submit
memory/1332-146-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1332-144-0x0000000000910000-0x0000000000920000-memory.dmp

Filesize
64KB

Download
memory/1332-137-0x0000000000000000-mapping.dmp

Download
memory/1332-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1332-141-0x00000000009B0000-0x0000000000CFA000-memory.dmp

Filesize
3.3MB

Download
memory/1332-142-0x0000000000530000-0x0000000000540000-memory.dmp

Filesize
64KB

Download
memory/1332-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2688-156-0x0000000000E40000-0x0000000000E50000-memory.dmp

Filesize
64KB

Download
memory/2688-157-0x0000000002F10000-0x0000000002F20000-memory.dmp

Filesize
64KB

Download
memory/2688-162-0x0000000002F30000-0x0000000002F40000-memory.dmp

Filesize
64KB

Download
memory/2688-147-0x0000000008B50000-0x0000000008CDF000-memory.dmp

Filesize
1.6MB

Download
memory/2688-161-0x0000000002F30000-0x0000000002F40000-memory.dmp

Filesize
64KB

Download
memory/2688-160-0x0000000002F30000-0x0000000002F40000-memory.dmp

Filesize
64KB

Download
memory/2688-159-0x0000000002F30000-0x0000000002F40000-memory.dmp

Filesize
64KB

Download
memory/2688-158-0x0000000000E40000-0x0000000000E50000-memory.dmp

Filesize
64KB

Download
memory/2688-145-0x0000000008CE0000-0x0000000008DCE000-memory.dmp

Filesize
952KB

Download
memory/2688-153-0x0000000003330000-0x0000000003452000-memory.dmp

Filesize
1.1MB

Download
memory/2688-143-0x0000000008B50000-0x0000000008CDF000-memory.dmp

Filesize
1.6MB

Download
memory/2688-155-0x0000000003330000-0x0000000003452000-memory.dmp

Filesize
1.1MB

Download
memory/4148-154-0x0000000000380000-0x00000000003AD000-memory.dmp

Filesize
180KB

Download
memory/4148-152-0x0000000002410000-0x000000000249F000-memory.dmp

Filesize
572KB

Download
memory/4148-151-0x0000000002770000-0x0000000002ABA000-memory.dmp

Filesize
3.3MB

Download
memory/4148-150-0x0000000000380000-0x00000000003AD000-memory.dmp

Filesize
180KB

Download
memory/4148-149-0x0000000000620000-0x0000000000677000-memory.dmp

Filesize
348KB

Download
memory/4148-148-0x0000000000000000-mapping.dmp

Download
memory/4360-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads