formbook | d4764983c36112e601465b868a7300521a22603ad82be39dc5f3a796dbafc1d3

General

Target

Order Specications.exe
Size

238KB
MD5

c72a49e97664c9b70f96c90495bd9224
SHA1

16ffe09a3e7376946751825dabd50534f7d2a3f2
SHA256

d4764983c36112e601465b868a7300521a22603ad82be39dc5f3a796dbafc1d3
SHA512

abbf1e9b8643889dd5115817dad630d3b7162c45d92a8fb43fa7221ce0107cf5e67908d64aaf78c2e4c84ec05077a10bf9f887e44a7a270caa5b99ba8d86c3a1
SSDEEP

6144:QBn1QmZY0qzXqPLoZiQpUNmkoRH9yrDwbP8EDHjd:gBZY0CDpUNm5dyvnk

Score

10^/10

formbook 0pnv rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

0pnv

Decoy

UeENxNlh2xN7FieUBpBO5lfm

VvcQB1LzT23hsKXRjUwN

UVO18MGf5AY=

oVF8eOF3t9kzAV7CeQ==

jxtEEGsdit4/yuxAdkB8E7LhuAs=

+Pyb8Pke6z59Fg==

pVcPluOJ7ka2WgGWOCCXNw==

5LDqHC4BbYeYhIb0

7pJjqueb8CWBTHLBDsSrEmnUoCy9ui4=

tB4+XKJLlrcv9ARTgCMfXbLhuAs=

4ZM3rO+R/mKOSkpPOQm3KYs=

sKlboNhxxswqHV+UYA==

Ld8s8DrxSqXbpro=

ZSMbPsuFz+gK3msQZB4=

W99Y4Ho8nu1UFo7EOCCXNw==

p48821D7QKXbpro=

Arvd0En7V5D3r1eofzZ8E7LhuAs=

dBc8LKJhweNJFVW7ewE=

BK3FWptVndAtAV7CeQ==

G9eJAmIDDXLur7g=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

vynlrafu.exevynlrafu.exe

pid process

2832 vynlrafu.exe
1424 vynlrafu.exe

pid	process
2832	vynlrafu.exe
1424	vynlrafu.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

vynlrafu.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	vynlrafu.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

vynlrafu.exevynlrafu.exeraserver.exe

description	pid	process	target process
PID 2832 set thread context of 1424	2832	vynlrafu.exe	vynlrafu.exe
PID 1424 set thread context of 2720	1424	vynlrafu.exe	Explorer.EXE
PID 3476 set thread context of 2720	3476	raserver.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

raserver.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	raserver.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

vynlrafu.exeraserver.exe

pid	process
1424	vynlrafu.exe
1424	vynlrafu.exe
1424	vynlrafu.exe
1424	vynlrafu.exe
1424	vynlrafu.exe
1424	vynlrafu.exe
1424	vynlrafu.exe
1424	vynlrafu.exe
3476	raserver.exe
3476	raserver.exe
3476	raserver.exe
3476	raserver.exe
3476	raserver.exe
3476	raserver.exe
3476	raserver.exe
3476	raserver.exe
3476	raserver.exe
3476	raserver.exe
3476	raserver.exe
3476	raserver.exe
3476	raserver.exe
3476	raserver.exe
3476	raserver.exe
3476	raserver.exe
3476	raserver.exe
3476	raserver.exe
3476	raserver.exe
3476	raserver.exe
3476	raserver.exe
3476	raserver.exe
3476	raserver.exe
3476	raserver.exe
3476	raserver.exe
3476	raserver.exe
3476	raserver.exe
3476	raserver.exe
3476	raserver.exe
3476	raserver.exe
3476	raserver.exe
3476	raserver.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2720 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

vynlrafu.exevynlrafu.exeraserver.exe

pid process

2832 vynlrafu.exe
1424 vynlrafu.exe
1424 vynlrafu.exe
1424 vynlrafu.exe
3476 raserver.exe
3476 raserver.exe
3476 raserver.exe
3476 raserver.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

vynlrafu.exeraserver.exe

description pid process

Token: SeDebugPrivilege 1424 vynlrafu.exe
Token: SeDebugPrivilege 3476 raserver.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

2720 Explorer.EXE

pid	process
2720	Explorer.EXE

pid	process
2832	vynlrafu.exe
1424	vynlrafu.exe
1424	vynlrafu.exe
1424	vynlrafu.exe
3476	raserver.exe
3476	raserver.exe
3476	raserver.exe
3476	raserver.exe

description	pid	process
Token: SeDebugPrivilege	1424	vynlrafu.exe
Token: SeDebugPrivilege	3476	raserver.exe

pid	process
2720	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

Order Specications.exevynlrafu.exeExplorer.EXEraserver.exe

description	pid	process	target process
PID 3732 wrote to memory of 2832	3732	Order Specications.exe	vynlrafu.exe
PID 3732 wrote to memory of 2832	3732	Order Specications.exe	vynlrafu.exe
PID 3732 wrote to memory of 2832	3732	Order Specications.exe	vynlrafu.exe
PID 2832 wrote to memory of 1424	2832	vynlrafu.exe	vynlrafu.exe
PID 2832 wrote to memory of 1424	2832	vynlrafu.exe	vynlrafu.exe
PID 2832 wrote to memory of 1424	2832	vynlrafu.exe	vynlrafu.exe
PID 2832 wrote to memory of 1424	2832	vynlrafu.exe	vynlrafu.exe
PID 2720 wrote to memory of 3476	2720	Explorer.EXE	raserver.exe
PID 2720 wrote to memory of 3476	2720	Explorer.EXE	raserver.exe
PID 2720 wrote to memory of 3476	2720	Explorer.EXE	raserver.exe
PID 3476 wrote to memory of 2144	3476	raserver.exe	Firefox.exe
PID 3476 wrote to memory of 2144	3476	raserver.exe	Firefox.exe
PID 3476 wrote to memory of 2144	3476	raserver.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2720

C:\Users\Admin\AppData\Local\Temp\Order Specications.exe
"C:\Users\Admin\AppData\Local\Temp\Order Specications.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3732

C:\Users\Admin\AppData\Local\Temp\vynlrafu.exe
"C:\Users\Admin\AppData\Local\Temp\vynlrafu.exe" C:\Users\Admin\AppData\Local\Temp\gmqmvhirk.scu
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2832

C:\Users\Admin\AppData\Local\Temp\vynlrafu.exe
"C:\Users\Admin\AppData\Local\Temp\vynlrafu.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1424

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3476

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:2144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gmqmvhirk.scu
Filesize
5KB

MD5
ceb2a424550ffe45f0df57f51816bb3f

SHA1
b323f0167b310b55571dbd3bdf4b72269891dbb6

SHA256
96f74554c362e8267c1ce06da0f0a9048d16ad0a6ebaac6109327b0a94e2ff9c

SHA512
53d3839181c0438b9006572bc581faf592fe35729bf31318816e47504b0c698e8e395ff708b893f8e15c0a2cfbb61dde6eb6dbe5353ca9be9cbe28c5a82fed43

Download Submit
C:\Users\Admin\AppData\Local\Temp\ofnacjjcgr.qj
Filesize
185KB

MD5
723c3f7e57771c4a878680d082509ff0

SHA1
4ddc6be498b71669d9d273cc4eb997b3abf60132

SHA256
6a4615cfb82812ea5b53525e0a7a6dd083ed6268e35e4b7b7038fdc154f472e3

SHA512
631b86cd51af3dcabe1075006b1e40bb10298128d16e1d56bbd613e32baedc7212d87acf1b42839d83d28a334a169f8d1d956fb6b7b8d375f338d817fbb61256

Download Submit
C:\Users\Admin\AppData\Local\Temp\vynlrafu.exe
Filesize
37KB

MD5
56b0afc73d669c9f01d559f5e5020c4a

SHA1
ef30befa63ad63cfd0cb92fa6dd8198181cdb7b6

SHA256
8e3a42a6113bc57ea15981b9f66ae4f0f4718e029ae5fb82ff6fc1db352e821d

SHA512
51f02610e82fb74b5934f4ee6a3c0712823c028ed914ab71291aa4bbd256fb6e3e4d8c334691830e2ea168e4e992ee7029805532929c70c706350e97f0c50c14

Download Submit
C:\Users\Admin\AppData\Local\Temp\vynlrafu.exe
Filesize
37KB

MD5
56b0afc73d669c9f01d559f5e5020c4a

SHA1
ef30befa63ad63cfd0cb92fa6dd8198181cdb7b6

SHA256
8e3a42a6113bc57ea15981b9f66ae4f0f4718e029ae5fb82ff6fc1db352e821d

SHA512
51f02610e82fb74b5934f4ee6a3c0712823c028ed914ab71291aa4bbd256fb6e3e4d8c334691830e2ea168e4e992ee7029805532929c70c706350e97f0c50c14

Download Submit
C:\Users\Admin\AppData\Local\Temp\vynlrafu.exe
Filesize
37KB

MD5
56b0afc73d669c9f01d559f5e5020c4a

SHA1
ef30befa63ad63cfd0cb92fa6dd8198181cdb7b6

SHA256
8e3a42a6113bc57ea15981b9f66ae4f0f4718e029ae5fb82ff6fc1db352e821d

SHA512
51f02610e82fb74b5934f4ee6a3c0712823c028ed914ab71291aa4bbd256fb6e3e4d8c334691830e2ea168e4e992ee7029805532929c70c706350e97f0c50c14

Download Submit
memory/1424-142-0x0000000000422000-0x0000000000424000-memory.dmp

Filesize
8KB

Download
memory/1424-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1424-140-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1424-141-0x0000000001420000-0x000000000176A000-memory.dmp

Filesize
3.3MB

Download
memory/1424-137-0x0000000000000000-mapping.dmp

Download
memory/1424-143-0x0000000000B70000-0x0000000000B80000-memory.dmp

Filesize
64KB

Download
memory/1424-145-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1424-146-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/2720-152-0x0000000008B00000-0x0000000008C13000-memory.dmp

Filesize
1.1MB

Download
memory/2720-144-0x0000000002FE0000-0x0000000003149000-memory.dmp

Filesize
1.4MB

Download
memory/2720-154-0x0000000008B00000-0x0000000008C13000-memory.dmp

Filesize
1.1MB

Download
memory/2832-132-0x0000000000000000-mapping.dmp

Download
memory/3476-149-0x0000000000C00000-0x0000000000C2D000-memory.dmp

Filesize
180KB

Download
memory/3476-150-0x0000000002B20000-0x0000000002E6A000-memory.dmp

Filesize
3.3MB

Download
memory/3476-148-0x0000000000010000-0x000000000002F000-memory.dmp

Filesize
124KB

Download
memory/3476-151-0x0000000002950000-0x00000000029DF000-memory.dmp

Filesize
572KB

Download
memory/3476-153-0x0000000000C00000-0x0000000000C2D000-memory.dmp

Filesize
180KB

Download
memory/3476-147-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads