formbook | 9fef2569a2570b70806120838c82b6012d36790205c82254b848ec862005ec3a

General

Target

SecuriteInfo.com.Trojan.NSISX.Spy.Gen.24.29757.14304.exe
Size

254KB
MD5

2832483a7a311902ae9fa5d7b6cf6eda
SHA1

cebd82649420adacb8a382665f175d479c8655af
SHA256

9fef2569a2570b70806120838c82b6012d36790205c82254b848ec862005ec3a
SHA512

652a448d43b5e7eda69018eedb17297f963eb771606096413fb1b7ee4f7b4da35c80e1aebcacf1954456267e23a1507b08a3a35bb318c4573b492c3a867d7f50
SSDEEP

6144:LBnbpM4DXtWFfsHj8DANpiTGgfKxtQD+R075MLx0r:FpTDXmsHlNpYGgwt3R0leU

Score

10^/10

formbook k6n9 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

k6n9

Decoy

NzUYPBPnE+UWNJX0b/5zZQ==

ZcsDmdfNeiREr4loZ9k=

p4Pecr+pmTFp+Az4AGoSpvqp

4jwUP0ApYThdpDmZcNp+xuej

0tmQjRQKSQbR0N86

MgfR+qwWljDdagbsn8Ukr8bc8A==

shQ3YCpOQPp/9g==

Q4mmwEidJLBJug25c6Vxcg==

OM1kEJDdGNpv7nMy

7FmP1iykTQZ7q0Hq5g==

9lVGWV44H63+A5oGc6Vxcg==

Bs97fiCGUye5Osm9xsOYZnb8SEC+YszE

xJMBmQj3MRDV7MBXzEep

mJpebAH7RkkGGbsZwZ/weg==

u6FXU+JCphyVyCsUBP0Spvqp

B/mwulPBDRm5q0Hq5g==

E+JiHcUb7gR+8A==

BgGOL5SLfQ9BzuPDxzeVKEIuOKDL

wZdfmzTbOcnEF3Mi1QnVpPCo

J63Z+Jv5L+JOhd+zc6Vxcg==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

uuuhdi.exeuuuhdi.exe

pid process

1428 uuuhdi.exe
308 uuuhdi.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

uuuhdi.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation uuuhdi.exe

pid	process
1428	uuuhdi.exe
308	uuuhdi.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	uuuhdi.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

uuuhdi.exeuuuhdi.exeraserver.exe

description	pid	process	target process
PID 1428 set thread context of 308	1428	uuuhdi.exe	uuuhdi.exe
PID 308 set thread context of 652	308	uuuhdi.exe	Explorer.EXE
PID 216 set thread context of 652	216	raserver.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

raserver.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	raserver.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

uuuhdi.exeraserver.exe

pid	process
308	uuuhdi.exe
308	uuuhdi.exe
308	uuuhdi.exe
308	uuuhdi.exe
308	uuuhdi.exe
308	uuuhdi.exe
308	uuuhdi.exe
308	uuuhdi.exe
216	raserver.exe
216	raserver.exe
216	raserver.exe
216	raserver.exe
216	raserver.exe
216	raserver.exe
216	raserver.exe
216	raserver.exe
216	raserver.exe
216	raserver.exe
216	raserver.exe
216	raserver.exe
216	raserver.exe
216	raserver.exe
216	raserver.exe
216	raserver.exe
216	raserver.exe
216	raserver.exe
216	raserver.exe
216	raserver.exe
216	raserver.exe
216	raserver.exe
216	raserver.exe
216	raserver.exe
216	raserver.exe
216	raserver.exe
216	raserver.exe
216	raserver.exe
216	raserver.exe
216	raserver.exe
216	raserver.exe
216	raserver.exe
216	raserver.exe
216	raserver.exe
216	raserver.exe
216	raserver.exe
216	raserver.exe
216	raserver.exe
216	raserver.exe
216	raserver.exe
216	raserver.exe
216	raserver.exe
216	raserver.exe
216	raserver.exe
216	raserver.exe
216	raserver.exe
216	raserver.exe
216	raserver.exe
216	raserver.exe
216	raserver.exe
216	raserver.exe
216	raserver.exe
216	raserver.exe
216	raserver.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

652 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

uuuhdi.exeuuuhdi.exeraserver.exe

pid process

1428 uuuhdi.exe
308 uuuhdi.exe
308 uuuhdi.exe
308 uuuhdi.exe
216 raserver.exe
216 raserver.exe
216 raserver.exe
216 raserver.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

uuuhdi.exeraserver.exe

description pid process

Token: SeDebugPrivilege 308 uuuhdi.exe
Token: SeDebugPrivilege 216 raserver.exe

pid	process
652	Explorer.EXE

pid	process
1428	uuuhdi.exe
308	uuuhdi.exe
308	uuuhdi.exe
308	uuuhdi.exe
216	raserver.exe
216	raserver.exe
216	raserver.exe
216	raserver.exe

description	pid	process
Token: SeDebugPrivilege	308	uuuhdi.exe
Token: SeDebugPrivilege	216	raserver.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

SecuriteInfo.com.Trojan.NSISX.Spy.Gen.24.29757.14304.exeuuuhdi.exeExplorer.EXEraserver.exe

description	pid	process	target process
PID 4252 wrote to memory of 1428	4252	SecuriteInfo.com.Trojan.NSISX.Spy.Gen.24.29757.14304.exe	uuuhdi.exe
PID 4252 wrote to memory of 1428	4252	SecuriteInfo.com.Trojan.NSISX.Spy.Gen.24.29757.14304.exe	uuuhdi.exe
PID 4252 wrote to memory of 1428	4252	SecuriteInfo.com.Trojan.NSISX.Spy.Gen.24.29757.14304.exe	uuuhdi.exe
PID 1428 wrote to memory of 308	1428	uuuhdi.exe	uuuhdi.exe
PID 1428 wrote to memory of 308	1428	uuuhdi.exe	uuuhdi.exe
PID 1428 wrote to memory of 308	1428	uuuhdi.exe	uuuhdi.exe
PID 1428 wrote to memory of 308	1428	uuuhdi.exe	uuuhdi.exe
PID 652 wrote to memory of 216	652	Explorer.EXE	raserver.exe
PID 652 wrote to memory of 216	652	Explorer.EXE	raserver.exe
PID 652 wrote to memory of 216	652	Explorer.EXE	raserver.exe
PID 216 wrote to memory of 824	216	raserver.exe	Firefox.exe
PID 216 wrote to memory of 824	216	raserver.exe	Firefox.exe
PID 216 wrote to memory of 824	216	raserver.exe	Firefox.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.24.29757.14304.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.24.29757.14304.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4252

C:\Users\Admin\AppData\Local\Temp\uuuhdi.exe
"C:\Users\Admin\AppData\Local\Temp\uuuhdi.exe" C:\Users\Admin\AppData\Local\Temp\ucdbctarxpf.l
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1428

C:\Users\Admin\AppData\Local\Temp\uuuhdi.exe
"C:\Users\Admin\AppData\Local\Temp\uuuhdi.exe" C:\Users\Admin\AppData\Local\Temp\ucdbctarxpf.l
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:308

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:652

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:216

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mtrejouuny.riz
Filesize
185KB

MD5
834dc81ea166733d19d40f1b54c8d841

SHA1
1f372d9fb11d3551d8520dbb6324cabbc3e6ef31

SHA256
f54b89443e3ea7b2712ff8438f9642e62c649905d9ffab018db90f29fe0409b3

SHA512
2e9c4e064ebb4570636cae1180a0a88adbf85f3b16d6b26721483ba20988f3141f6db389ac6e260dfdad210170c2e4ca242527b77218a0fb13f9841008a07a00

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucdbctarxpf.l
Filesize
5KB

MD5
b02aae771648f0dd5c1d58dd0d0003ef

SHA1
11a183c4fc6f9adb065ca4f6c0ad59bf8a8ca5e2

SHA256
06f15230786edf12f6bc3b9eec8a70763acbbb43b86885d4cebfa53fa7f07e12

SHA512
e43828e5bd4c82c8fc2e0ac0af53e8c00b10b2ef3cb50c683f57d491d625f89d7e26208b89711eea598dc3b50b558c05c700c68cbb758e9cd7eb89ead4d884e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\uuuhdi.exe
Filesize
58KB

MD5
0c69cbb68ffdfc24b3267782ba276862

SHA1
a84f0f14572a044441966a24102b63ad88b27a7a

SHA256
a0d5e4772b9e5f60c55ac720e045714197f7dac3d883d5d791ce4c3bc5015ec4

SHA512
b0f2fc93a1bd2d5e1b9138e83a2c2de2a77b7f14599a3137caa8b5522b71f57456113e62823f8a3522fae0994f8f832ec2b43c277ebcab31016a55978cc9b4e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\uuuhdi.exe
Filesize
58KB

MD5
0c69cbb68ffdfc24b3267782ba276862

SHA1
a84f0f14572a044441966a24102b63ad88b27a7a

SHA256
a0d5e4772b9e5f60c55ac720e045714197f7dac3d883d5d791ce4c3bc5015ec4

SHA512
b0f2fc93a1bd2d5e1b9138e83a2c2de2a77b7f14599a3137caa8b5522b71f57456113e62823f8a3522fae0994f8f832ec2b43c277ebcab31016a55978cc9b4e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\uuuhdi.exe
Filesize
58KB

MD5
0c69cbb68ffdfc24b3267782ba276862

SHA1
a84f0f14572a044441966a24102b63ad88b27a7a

SHA256
a0d5e4772b9e5f60c55ac720e045714197f7dac3d883d5d791ce4c3bc5015ec4

SHA512
b0f2fc93a1bd2d5e1b9138e83a2c2de2a77b7f14599a3137caa8b5522b71f57456113e62823f8a3522fae0994f8f832ec2b43c277ebcab31016a55978cc9b4e7

Download Submit
memory/216-144-0x0000000000000000-mapping.dmp

Download
memory/216-150-0x0000000000CE0000-0x0000000000D0D000-memory.dmp

Filesize
180KB

Download
memory/216-148-0x0000000002A80000-0x0000000002B0F000-memory.dmp

Filesize
572KB

Download
memory/216-147-0x0000000002D20000-0x000000000306A000-memory.dmp

Filesize
3.3MB

Download
memory/216-146-0x0000000000CE0000-0x0000000000D0D000-memory.dmp

Filesize
180KB

Download
memory/216-145-0x00000000002D0000-0x00000000002EF000-memory.dmp

Filesize
124KB

Download
memory/308-137-0x0000000000000000-mapping.dmp

Download
memory/308-141-0x0000000000A60000-0x0000000000DAA000-memory.dmp

Filesize
3.3MB

Download
memory/308-142-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/308-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/308-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/652-143-0x0000000002F40000-0x000000000308B000-memory.dmp

Filesize
1.3MB

Download
memory/652-149-0x00000000034B0000-0x0000000003590000-memory.dmp

Filesize
896KB

Download
memory/652-151-0x00000000034B0000-0x0000000003590000-memory.dmp

Filesize
896KB

Download
memory/1428-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads