formbook | f11ff5bb01c4ad6c270b86f63b4209127d3521c98496f6bb2f021c99eaa881ba

General

Target

payment_copy3_receipt.exe
Size

535KB
MD5

ea670d2f2b5b772c59b790bcc65c59f6
SHA1

e173a6d224a97430b89bd06df5b2a4fb50b17a30
SHA256

f11ff5bb01c4ad6c270b86f63b4209127d3521c98496f6bb2f021c99eaa881ba
SHA512

b4567a35305637dc8380ca04d634cc291722063f89fe9150881314a24f985d4c218e95e9fec343269591db7a458915bd66946822403dcf86c51936121bc3b4bb
SSDEEP

6144:lBnlWGbqJ4rPFzGCMrjCA6YCZzhKpNv9l2Di9jGn5HdDJRwkOMsPPrs/Ja1UV:w84JrkYszhm32CcxddRws6j2J5V

Score

10^/10

formbook veh0 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

veh0

Decoy

eulOjQZkipo8

QwbusPrEgpY4

wa2T8+F5rPaBwA==

pHqtrZbvmnkn

FofuGpY05AV1GXzK

QzOsho4z81BsDSpsVf4=

M7qvjwRJ9Uh9sjUPKjJhQHSPC95K0Mb3vQ==

RpDcjMjmrPaBwA==

DnavFlx/AnqVWGkqQw5YGE2yhnrr

fXToBli75WjZUWTwfg==

C+zIIgw1oRGbvqpcfiRFw+MQNA==

a7STeCtyL/CDTAp26zFXE7DXKQ==

DIbpI4a5R7OdZsE=

DoDgGKtSGd1qeqA59V1sAPqn0uBEjCo=

ZfDZ6qHkgbzS75ebtUeUKBg=

miCSMfAn3B8xP8LXw94C

L/zGMQOscy3C0Ox24IGsxQ==

rPlWqyNf+Q/FflzeWXbHY5qx

aDRsdSnOrAu32Q==

tTKuCn+pT5y4wzVmA07fcoyo

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

gdbqzvhlf.exegdbqzvhlf.exe

pid process

1188 gdbqzvhlf.exe
2724 gdbqzvhlf.exe

pid	process
1188	gdbqzvhlf.exe
2724	gdbqzvhlf.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

gdbqzvhlf.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	gdbqzvhlf.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

gdbqzvhlf.exegdbqzvhlf.exemsiexec.exe

description	pid	process	target process
PID 1188 set thread context of 2724	1188	gdbqzvhlf.exe	gdbqzvhlf.exe
PID 2724 set thread context of 2664	2724	gdbqzvhlf.exe	Explorer.EXE
PID 4032 set thread context of 2664	4032	msiexec.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	msiexec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

gdbqzvhlf.exemsiexec.exe

pid	process
2724	gdbqzvhlf.exe
2724	gdbqzvhlf.exe
2724	gdbqzvhlf.exe
2724	gdbqzvhlf.exe
2724	gdbqzvhlf.exe
2724	gdbqzvhlf.exe
2724	gdbqzvhlf.exe
2724	gdbqzvhlf.exe
4032	msiexec.exe
4032	msiexec.exe
4032	msiexec.exe
4032	msiexec.exe
4032	msiexec.exe
4032	msiexec.exe
4032	msiexec.exe
4032	msiexec.exe
4032	msiexec.exe
4032	msiexec.exe
4032	msiexec.exe
4032	msiexec.exe
4032	msiexec.exe
4032	msiexec.exe
4032	msiexec.exe
4032	msiexec.exe
4032	msiexec.exe
4032	msiexec.exe
4032	msiexec.exe
4032	msiexec.exe
4032	msiexec.exe
4032	msiexec.exe
4032	msiexec.exe
4032	msiexec.exe
4032	msiexec.exe
4032	msiexec.exe
4032	msiexec.exe
4032	msiexec.exe
4032	msiexec.exe
4032	msiexec.exe
4032	msiexec.exe
4032	msiexec.exe
4032	msiexec.exe
4032	msiexec.exe
4032	msiexec.exe
4032	msiexec.exe
4032	msiexec.exe
4032	msiexec.exe
4032	msiexec.exe
4032	msiexec.exe
4032	msiexec.exe
4032	msiexec.exe
4032	msiexec.exe
4032	msiexec.exe
4032	msiexec.exe
4032	msiexec.exe
4032	msiexec.exe
4032	msiexec.exe
4032	msiexec.exe
4032	msiexec.exe
4032	msiexec.exe
4032	msiexec.exe
4032	msiexec.exe
4032	msiexec.exe
4032	msiexec.exe
4032	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2664 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

gdbqzvhlf.exegdbqzvhlf.exemsiexec.exe

pid process

1188 gdbqzvhlf.exe
2724 gdbqzvhlf.exe
2724 gdbqzvhlf.exe
2724 gdbqzvhlf.exe
4032 msiexec.exe
4032 msiexec.exe
4032 msiexec.exe
4032 msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

gdbqzvhlf.exemsiexec.exe

description pid process

Token: SeDebugPrivilege 2724 gdbqzvhlf.exe
Token: SeDebugPrivilege 4032 msiexec.exe

pid	process
2664	Explorer.EXE

pid	process
1188	gdbqzvhlf.exe
2724	gdbqzvhlf.exe
2724	gdbqzvhlf.exe
2724	gdbqzvhlf.exe
4032	msiexec.exe
4032	msiexec.exe
4032	msiexec.exe
4032	msiexec.exe

description	pid	process
Token: SeDebugPrivilege	2724	gdbqzvhlf.exe
Token: SeDebugPrivilege	4032	msiexec.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

payment_copy3_receipt.exegdbqzvhlf.exeExplorer.EXEmsiexec.exe

description	pid	process	target process
PID 4996 wrote to memory of 1188	4996	payment_copy3_receipt.exe	gdbqzvhlf.exe
PID 4996 wrote to memory of 1188	4996	payment_copy3_receipt.exe	gdbqzvhlf.exe
PID 4996 wrote to memory of 1188	4996	payment_copy3_receipt.exe	gdbqzvhlf.exe
PID 1188 wrote to memory of 2724	1188	gdbqzvhlf.exe	gdbqzvhlf.exe
PID 1188 wrote to memory of 2724	1188	gdbqzvhlf.exe	gdbqzvhlf.exe
PID 1188 wrote to memory of 2724	1188	gdbqzvhlf.exe	gdbqzvhlf.exe
PID 1188 wrote to memory of 2724	1188	gdbqzvhlf.exe	gdbqzvhlf.exe
PID 2664 wrote to memory of 4032	2664	Explorer.EXE	msiexec.exe
PID 2664 wrote to memory of 4032	2664	Explorer.EXE	msiexec.exe
PID 2664 wrote to memory of 4032	2664	Explorer.EXE	msiexec.exe
PID 4032 wrote to memory of 1940	4032	msiexec.exe	Firefox.exe
PID 4032 wrote to memory of 1940	4032	msiexec.exe	Firefox.exe
PID 4032 wrote to memory of 1940	4032	msiexec.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Users\Admin\AppData\Local\Temp\payment_copy3_receipt.exe
  "C:\Users\Admin\AppData\Local\Temp\payment_copy3_receipt.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4996
- - C:\Users\Admin\AppData\Local\Temp\gdbqzvhlf.exe
    "C:\Users\Admin\AppData\Local\Temp\gdbqzvhlf.exe" C:\Users\Admin\AppData\Local\Temp\acigbevjnk.ssx
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1188
  - - C:\Users\Admin\AppData\Local\Temp\gdbqzvhlf.exe
      "C:\Users\Admin\AppData\Local\Temp\gdbqzvhlf.exe" C:\Users\Admin\AppData\Local\Temp\acigbevjnk.ssx
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2724
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4032
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:1940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\acigbevjnk.ssx

Filesize
5KB

MD5
4b84cb079b66a1a1bc34c003fc9375d4

SHA1
eeedb238c3a4b621ae454cba34778f49437e5c9b

SHA256
ecc8ff975df6b10e9293a0213fe25598fe04f3980fe223c8dceabc08638e55eb

SHA512
dde231bc7e28e624223dad3eeb6a0dea49b192cfcbc6874209b522f32ce5800147415753cf2df1b54cd66663706ad6bcdd679ccb7e5da579ac5598a136ed8c68

Download Submit
C:\Users\Admin\AppData\Local\Temp\gdbqzvhlf.exe

Filesize
122KB

MD5
9b4f91177569b7d97a8b1b8ae8c291d4

SHA1
a8c66d9a3ebdd6ae9a6c79bd55e30bd244fa81a8

SHA256
7dd47d3c356cb014a2e5164adbb9774d943066a9f2cde78fd9bd7b65a0bb83b4

SHA512
261e4cfa04ced36dbec76d4cb1d8a489b1f99c9eb7bf824ccab55b27771e5389e21b338987eeebe5cc87ef772377bd1110b7723c68d759fcf6d5066ebc1e20cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\gdbqzvhlf.exe

Filesize
122KB

MD5
9b4f91177569b7d97a8b1b8ae8c291d4

SHA1
a8c66d9a3ebdd6ae9a6c79bd55e30bd244fa81a8

SHA256
7dd47d3c356cb014a2e5164adbb9774d943066a9f2cde78fd9bd7b65a0bb83b4

SHA512
261e4cfa04ced36dbec76d4cb1d8a489b1f99c9eb7bf824ccab55b27771e5389e21b338987eeebe5cc87ef772377bd1110b7723c68d759fcf6d5066ebc1e20cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\gdbqzvhlf.exe

Filesize
122KB

MD5
9b4f91177569b7d97a8b1b8ae8c291d4

SHA1
a8c66d9a3ebdd6ae9a6c79bd55e30bd244fa81a8

SHA256
7dd47d3c356cb014a2e5164adbb9774d943066a9f2cde78fd9bd7b65a0bb83b4

SHA512
261e4cfa04ced36dbec76d4cb1d8a489b1f99c9eb7bf824ccab55b27771e5389e21b338987eeebe5cc87ef772377bd1110b7723c68d759fcf6d5066ebc1e20cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ihzwvw.y

Filesize
185KB

MD5
3223247a4ab62d99368155add6efaa1b

SHA1
1e5aa46f6014d10451478cfdec15c524eb2cfd82

SHA256
0eb5a5244983d0d325bef373c5e8a4359cd1f46605eedc5d6698781fc7250b79

SHA512
7a6cbac212e389760d3042af7d72dc98f47c86b454e46a87b68b574296f1d4534411658bbc60d00de201f38a159140fbbc0e398679ca19b3bd4cd2caf3a54b75

Download Submit
memory/1188-132-0x0000000000000000-mapping.dmp

Download
memory/2664-151-0x00000000086C0000-0x00000000087FA000-memory.dmp

Filesize
1.2MB

Download
memory/2664-149-0x00000000086C0000-0x00000000087FA000-memory.dmp

Filesize
1.2MB

Download
memory/2664-143-0x00000000080B0000-0x0000000008164000-memory.dmp

Filesize
720KB

Download
memory/2724-142-0x0000000000600000-0x0000000000610000-memory.dmp

Filesize
64KB

Download
memory/2724-141-0x0000000000A70000-0x0000000000DBA000-memory.dmp

Filesize
3.3MB

Download
memory/2724-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2724-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2724-137-0x0000000000000000-mapping.dmp

Download
memory/4032-144-0x0000000000000000-mapping.dmp

Download
memory/4032-145-0x0000000000900000-0x0000000000912000-memory.dmp

Filesize
72KB

Download
memory/4032-146-0x0000000001230000-0x000000000125D000-memory.dmp

Filesize
180KB

Download
memory/4032-147-0x0000000003270000-0x00000000035BA000-memory.dmp

Filesize
3.3MB

Download
memory/4032-148-0x0000000002F90000-0x000000000301F000-memory.dmp

Filesize
572KB

Download
memory/4032-150-0x0000000001230000-0x000000000125D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads