formbook | 2b11d3a570fd45fda3e8c062f447e09dbabcfafee5e89f4258c0ac7c6e294fdc

General

Target

2b11d3a570fd45fda3e8c062f447e09dbabcfafee5e89f4258c0ac7c6e294fdc.exe
Size

239KB
MD5

0acb5bcb968b08f9fa0275337eaf9d81
SHA1

9ff40194659288c71ee7ff01435eac29d5d55004
SHA256

2b11d3a570fd45fda3e8c062f447e09dbabcfafee5e89f4258c0ac7c6e294fdc
SHA512

a6c9ee59f120f5400ea08726337ed52d982184d71809f12255f44643fb6170e996a0bd89b5465b6498854978e0acab09e7cb7d6b912bcd1396e848392b1e986a
SSDEEP

6144:QBn1gQ5lYu+gRaCuvlFMC5oTlyEwP5Od6mcELn3Wm:ggQ4DgRaxL5oJmP5O3jmm

Score

10^/10

formbook n2hm rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

n2hm

Decoy

XCeG4IxNKbAl

YzJWbnC+El84nA==

KAJcdmP8yEcO5LXPCFF42Wfb

I+J+xYO95GJQWVU=

GtgxPPv3FmQmhw==

Og9NYF4xEl+j7vGTR93xvg==

506Cg07bsT0G6yK+A96H0h35V+JLkwI=

wAYXFN+pSFIXgQ==

ijzLI/f+FmQmhw==

UfT2PweNm+w8

GQWVw5aZnfF/kS5e

30BKYjua9zcA7gAwsPUngLnjyrBNEgo=

AM65OrmyFmQmhw==

VSlTVxISZ4J/kS5e

GGKj6K33SRh6e0/YzT5nQGlK5CXRqw==

B9H98cUUfX+AWOqiTA==

MxVffWOIoVnM37zrd2sTaOY=

z6bxCgG/mGhR7oDzQA==

pQgSLSRi6AK3M/PdArpX

6rRRsYuSnXx/kS5e

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

utmeaaxkt.exeutmeaaxkt.exe

pid process

3044 utmeaaxkt.exe
3396 utmeaaxkt.exe

pid	process
3044	utmeaaxkt.exe
3396	utmeaaxkt.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

utmeaaxkt.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	utmeaaxkt.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

utmeaaxkt.exeutmeaaxkt.exeipconfig.exe

description	pid	process	target process
PID 3044 set thread context of 3396	3044	utmeaaxkt.exe	utmeaaxkt.exe
PID 3396 set thread context of 3064	3396	utmeaaxkt.exe	Explorer.EXE
PID 3292 set thread context of 3064	3292	ipconfig.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

3292 ipconfig.exe

pid	process
3292	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

ipconfig.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

utmeaaxkt.exeipconfig.exe

pid	process
3396	utmeaaxkt.exe
3396	utmeaaxkt.exe
3396	utmeaaxkt.exe
3396	utmeaaxkt.exe
3396	utmeaaxkt.exe
3396	utmeaaxkt.exe
3396	utmeaaxkt.exe
3396	utmeaaxkt.exe
3292	ipconfig.exe
3292	ipconfig.exe
3292	ipconfig.exe
3292	ipconfig.exe
3292	ipconfig.exe
3292	ipconfig.exe
3292	ipconfig.exe
3292	ipconfig.exe
3292	ipconfig.exe
3292	ipconfig.exe
3292	ipconfig.exe
3292	ipconfig.exe
3292	ipconfig.exe
3292	ipconfig.exe
3292	ipconfig.exe
3292	ipconfig.exe
3292	ipconfig.exe
3292	ipconfig.exe
3292	ipconfig.exe
3292	ipconfig.exe
3292	ipconfig.exe
3292	ipconfig.exe
3292	ipconfig.exe
3292	ipconfig.exe
3292	ipconfig.exe
3292	ipconfig.exe
3292	ipconfig.exe
3292	ipconfig.exe
3292	ipconfig.exe
3292	ipconfig.exe
3292	ipconfig.exe
3292	ipconfig.exe
3292	ipconfig.exe
3292	ipconfig.exe
3292	ipconfig.exe
3292	ipconfig.exe
3292	ipconfig.exe
3292	ipconfig.exe
3292	ipconfig.exe
3292	ipconfig.exe
3292	ipconfig.exe
3292	ipconfig.exe
3292	ipconfig.exe
3292	ipconfig.exe
3292	ipconfig.exe
3292	ipconfig.exe
3292	ipconfig.exe
3292	ipconfig.exe
3292	ipconfig.exe
3292	ipconfig.exe
3292	ipconfig.exe
3292	ipconfig.exe
3292	ipconfig.exe
3292	ipconfig.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3064 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

utmeaaxkt.exeutmeaaxkt.exeipconfig.exe

pid process

3044 utmeaaxkt.exe
3396 utmeaaxkt.exe
3396 utmeaaxkt.exe
3396 utmeaaxkt.exe
3292 ipconfig.exe
3292 ipconfig.exe
3292 ipconfig.exe
3292 ipconfig.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

utmeaaxkt.exeipconfig.exe

description pid process

Token: SeDebugPrivilege 3396 utmeaaxkt.exe
Token: SeDebugPrivilege 3292 ipconfig.exe

pid	process
3064	Explorer.EXE

pid	process
3044	utmeaaxkt.exe
3396	utmeaaxkt.exe
3396	utmeaaxkt.exe
3396	utmeaaxkt.exe
3292	ipconfig.exe
3292	ipconfig.exe
3292	ipconfig.exe
3292	ipconfig.exe

description	pid	process
Token: SeDebugPrivilege	3396	utmeaaxkt.exe
Token: SeDebugPrivilege	3292	ipconfig.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

2b11d3a570fd45fda3e8c062f447e09dbabcfafee5e89f4258c0ac7c6e294fdc.exeutmeaaxkt.exeExplorer.EXEipconfig.exe

description	pid	process	target process
PID 4972 wrote to memory of 3044	4972	2b11d3a570fd45fda3e8c062f447e09dbabcfafee5e89f4258c0ac7c6e294fdc.exe	utmeaaxkt.exe
PID 4972 wrote to memory of 3044	4972	2b11d3a570fd45fda3e8c062f447e09dbabcfafee5e89f4258c0ac7c6e294fdc.exe	utmeaaxkt.exe
PID 4972 wrote to memory of 3044	4972	2b11d3a570fd45fda3e8c062f447e09dbabcfafee5e89f4258c0ac7c6e294fdc.exe	utmeaaxkt.exe
PID 3044 wrote to memory of 3396	3044	utmeaaxkt.exe	utmeaaxkt.exe
PID 3044 wrote to memory of 3396	3044	utmeaaxkt.exe	utmeaaxkt.exe
PID 3044 wrote to memory of 3396	3044	utmeaaxkt.exe	utmeaaxkt.exe
PID 3044 wrote to memory of 3396	3044	utmeaaxkt.exe	utmeaaxkt.exe
PID 3064 wrote to memory of 3292	3064	Explorer.EXE	ipconfig.exe
PID 3064 wrote to memory of 3292	3064	Explorer.EXE	ipconfig.exe
PID 3064 wrote to memory of 3292	3064	Explorer.EXE	ipconfig.exe
PID 3292 wrote to memory of 1552	3292	ipconfig.exe	Firefox.exe
PID 3292 wrote to memory of 1552	3292	ipconfig.exe	Firefox.exe
PID 3292 wrote to memory of 1552	3292	ipconfig.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3064

C:\Users\Admin\AppData\Local\Temp\2b11d3a570fd45fda3e8c062f447e09dbabcfafee5e89f4258c0ac7c6e294fdc.exe
"C:\Users\Admin\AppData\Local\Temp\2b11d3a570fd45fda3e8c062f447e09dbabcfafee5e89f4258c0ac7c6e294fdc.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4972

C:\Users\Admin\AppData\Local\Temp\utmeaaxkt.exe
"C:\Users\Admin\AppData\Local\Temp\utmeaaxkt.exe" C:\Users\Admin\AppData\Local\Temp\pmrftq.yd
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3044

C:\Users\Admin\AppData\Local\Temp\utmeaaxkt.exe
"C:\Users\Admin\AppData\Local\Temp\utmeaaxkt.exe" C:\Users\Admin\AppData\Local\Temp\pmrftq.yd
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3396

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3292

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pmrftq.yd
Filesize
5KB

MD5
e8ebc5cd0631d44f074c42c7ee0d483a

SHA1
6743c1526437ffdf26e4eca9ae9e22a5501eb75e

SHA256
8bb81683329f68320da93751770f2ddc5b01615ace88d3c028c2346df13513db

SHA512
93636c03b0a35aa1192c34b733eececb4c433fa16bba51a57b9428d5e705f5eb6255b679c5df9495a962d1f52381f9f2b713e7a8100f648c69b364c8d4b1887f

Download Submit
C:\Users\Admin\AppData\Local\Temp\utmeaaxkt.exe
Filesize
46KB

MD5
8627b859df0f7adfe76b545c5b5ebf1f

SHA1
1d1ee3ad3452b25ca5e467bc5317d2e61819e39f

SHA256
6ae3660b761846df15f7cc42dd6ea7fd43039f55685ead53b820fd07b5589295

SHA512
c59c97a8c511f6913f099b890fea3cb1c1718733f3182887c5bc796f16dcfd3916b42de802f293a938e86b1ddc56f482d8d3dff3adbcc12fcbc6050a363f05c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\utmeaaxkt.exe
Filesize
46KB

MD5
8627b859df0f7adfe76b545c5b5ebf1f

SHA1
1d1ee3ad3452b25ca5e467bc5317d2e61819e39f

SHA256
6ae3660b761846df15f7cc42dd6ea7fd43039f55685ead53b820fd07b5589295

SHA512
c59c97a8c511f6913f099b890fea3cb1c1718733f3182887c5bc796f16dcfd3916b42de802f293a938e86b1ddc56f482d8d3dff3adbcc12fcbc6050a363f05c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\utmeaaxkt.exe
Filesize
46KB

MD5
8627b859df0f7adfe76b545c5b5ebf1f

SHA1
1d1ee3ad3452b25ca5e467bc5317d2e61819e39f

SHA256
6ae3660b761846df15f7cc42dd6ea7fd43039f55685ead53b820fd07b5589295

SHA512
c59c97a8c511f6913f099b890fea3cb1c1718733f3182887c5bc796f16dcfd3916b42de802f293a938e86b1ddc56f482d8d3dff3adbcc12fcbc6050a363f05c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\zypmxv.wq
Filesize
185KB

MD5
48b7015056cb576386fea23bd3c8de63

SHA1
495cc01b56f6c46450bb347f6d0dab43af51853e

SHA256
f2fb694ed9980983d87b18d45f19eb94d9c38425e25ef26d06d058ad8411595a

SHA512
6c9d62953e4257929c685df596b2d4ff71c4339b216a7a810b351c7ac9cc66b9148b8114d8afda049e24738251edf1e477e9eb1c45da082da9af271c956c73d0

Download Submit
memory/3044-132-0x0000000000000000-mapping.dmp

Download
memory/3064-143-0x0000000007AF0000-0x0000000007C4D000-memory.dmp

Filesize
1.4MB

Download
memory/3064-151-0x0000000008010000-0x00000000080FE000-memory.dmp

Filesize
952KB

Download
memory/3064-150-0x0000000008010000-0x00000000080FE000-memory.dmp

Filesize
952KB

Download
memory/3292-147-0x00000000018C0000-0x0000000001C0A000-memory.dmp

Filesize
3.3MB

Download
memory/3292-144-0x0000000000000000-mapping.dmp

Download
memory/3292-146-0x0000000000EF0000-0x0000000000F1D000-memory.dmp

Filesize
180KB

Download
memory/3292-145-0x0000000000F40000-0x0000000000F4B000-memory.dmp

Filesize
44KB

Download
memory/3292-148-0x0000000000EF0000-0x0000000000F1D000-memory.dmp

Filesize
180KB

Download
memory/3292-149-0x00000000016F0000-0x000000000177F000-memory.dmp

Filesize
572KB

Download
memory/3396-141-0x0000000000AA0000-0x0000000000DEA000-memory.dmp

Filesize
3.3MB

Download
memory/3396-142-0x00000000005B0000-0x00000000005C0000-memory.dmp

Filesize
64KB

Download
memory/3396-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3396-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3396-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads