formbook | b72a5dfe57144f6949b0b8f3b0792c306dc6fadafc71d8919f7dd0fd2d4bb8c4

General

Target

3abebb8dc857936bb52c8279602d5c62.exe
Size

603KB
MD5

a6afef15d5eedcf2a0ff34083fc6c1ca
SHA1

5b06db1442948c2686ddc7a9c57aa05084ab259e
SHA256

b72a5dfe57144f6949b0b8f3b0792c306dc6fadafc71d8919f7dd0fd2d4bb8c4
SHA512

f846f6f0299bc9ac6955fe21eca2106436427f10746406a041856408ad0c90ed7694177b6044ba0117c0d09184c3d62adbea0a26156ba4f4d632a33e6adcb6e9
SSDEEP

12288:g4cYY+jIxUzR+tl70wrhRLjvlnL7xC4g2z3tUqPAO1ItKVLWbYUPXebv:g4/mxUEX70wbp7PTbtUwN1dVTbv

Score

10^/10

formbook yurm persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

yurm

Decoy

X06d1tis1GUX/R0g87Ud

BKiZ33D1P766GVXO1ZwV

lAFdjB7CSxGX8Trz

Gc7dWizTVxWX8Trz

tDkr9JAfi1OHAW1PGOageIp4

bCpMtHKU3mVp8BY5sQ==

7WKpsMWt8nsrhJClJeOZNg==

0A9KTlETQ86Cmd8k0o5NP5RwCg==

aJ61paNJztSp42c=

CrgoA8ySIOsytCbO1ZwV

i46SnHYDD9tTIHI=

XFRCRCjtFZeU3x4Rn3xfD5BnPz+RDA==

c4CZghuHvzW9A31gEz0d

QAjzz9qyRRWBNYseAI4M

Jpbmu4A1YvBvN3ruZgiRmJA5BCFd

PfoFXGNFhhuX8Trz

bqCfk0m8ApAl+Tm1Ms5Tb23IT7tS

z7INff7HNALxc5HWq2/ftrVR6A7R1zvTUQ==

m7IShV4LSFxbqxhrVsZ1Ig==

BHRp7q0gtoRuqBRnVsZ1Ig==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

socrmpfr.exesocrmpfr.exe

pid process

3824 socrmpfr.exe
3208 socrmpfr.exe

pid	process
3824	socrmpfr.exe
3208	socrmpfr.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

socrmpfr.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	socrmpfr.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

socrmpfr.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sovu = "C:\\Users\\Admin\\AppData\\Roaming\\esfnmf\\unrknpdmiddr.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\socrmpfr.exe\" \"C:\\Users\\Admin\\AppData\\Lo"	socrmpfr.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

socrmpfr.exesocrmpfr.exesystray.exe

description	pid	process	target process
PID 3824 set thread context of 3208	3824	socrmpfr.exe	socrmpfr.exe
PID 3208 set thread context of 724	3208	socrmpfr.exe	Explorer.EXE
PID 4160 set thread context of 724	4160	systray.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

systray.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	systray.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

socrmpfr.exesystray.exe

pid	process
3208	socrmpfr.exe
3208	socrmpfr.exe
3208	socrmpfr.exe
3208	socrmpfr.exe
3208	socrmpfr.exe
3208	socrmpfr.exe
3208	socrmpfr.exe
3208	socrmpfr.exe
4160	systray.exe
4160	systray.exe
4160	systray.exe
4160	systray.exe
4160	systray.exe
4160	systray.exe
4160	systray.exe
4160	systray.exe
4160	systray.exe
4160	systray.exe
4160	systray.exe
4160	systray.exe
4160	systray.exe
4160	systray.exe
4160	systray.exe
4160	systray.exe
4160	systray.exe
4160	systray.exe
4160	systray.exe
4160	systray.exe
4160	systray.exe
4160	systray.exe
4160	systray.exe
4160	systray.exe
4160	systray.exe
4160	systray.exe
4160	systray.exe
4160	systray.exe
4160	systray.exe
4160	systray.exe
4160	systray.exe
4160	systray.exe
4160	systray.exe
4160	systray.exe
4160	systray.exe
4160	systray.exe
4160	systray.exe
4160	systray.exe
4160	systray.exe
4160	systray.exe
4160	systray.exe
4160	systray.exe
4160	systray.exe
4160	systray.exe
4160	systray.exe
4160	systray.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

724 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

socrmpfr.exesocrmpfr.exesystray.exe

pid process

3824 socrmpfr.exe
3208 socrmpfr.exe
3208 socrmpfr.exe
3208 socrmpfr.exe
4160 systray.exe
4160 systray.exe
4160 systray.exe
4160 systray.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

socrmpfr.exesystray.exe

description pid process

Token: SeDebugPrivilege 3208 socrmpfr.exe
Token: SeDebugPrivilege 4160 systray.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

socrmpfr.exe

pid process

3824 socrmpfr.exe
3824 socrmpfr.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

socrmpfr.exe

pid process

3824 socrmpfr.exe
3824 socrmpfr.exe

pid	process
724	Explorer.EXE

pid	process
3824	socrmpfr.exe
3208	socrmpfr.exe
3208	socrmpfr.exe
3208	socrmpfr.exe
4160	systray.exe
4160	systray.exe
4160	systray.exe
4160	systray.exe

description	pid	process
Token: SeDebugPrivilege	3208	socrmpfr.exe
Token: SeDebugPrivilege	4160	systray.exe

pid	process
3824	socrmpfr.exe
3824	socrmpfr.exe

pid	process
3824	socrmpfr.exe
3824	socrmpfr.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

3abebb8dc857936bb52c8279602d5c62.exesocrmpfr.exeExplorer.EXEsystray.exe

description	pid	process	target process
PID 4228 wrote to memory of 3824	4228	3abebb8dc857936bb52c8279602d5c62.exe	socrmpfr.exe
PID 4228 wrote to memory of 3824	4228	3abebb8dc857936bb52c8279602d5c62.exe	socrmpfr.exe
PID 4228 wrote to memory of 3824	4228	3abebb8dc857936bb52c8279602d5c62.exe	socrmpfr.exe
PID 3824 wrote to memory of 3208	3824	socrmpfr.exe	socrmpfr.exe
PID 3824 wrote to memory of 3208	3824	socrmpfr.exe	socrmpfr.exe
PID 3824 wrote to memory of 3208	3824	socrmpfr.exe	socrmpfr.exe
PID 3824 wrote to memory of 3208	3824	socrmpfr.exe	socrmpfr.exe
PID 724 wrote to memory of 4160	724	Explorer.EXE	systray.exe
PID 724 wrote to memory of 4160	724	Explorer.EXE	systray.exe
PID 724 wrote to memory of 4160	724	Explorer.EXE	systray.exe
PID 4160 wrote to memory of 3492	4160	systray.exe	Firefox.exe
PID 4160 wrote to memory of 3492	4160	systray.exe	Firefox.exe
PID 4160 wrote to memory of 3492	4160	systray.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:724

C:\Users\Admin\AppData\Local\Temp\3abebb8dc857936bb52c8279602d5c62.exe
"C:\Users\Admin\AppData\Local\Temp\3abebb8dc857936bb52c8279602d5c62.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4228

C:\Users\Admin\AppData\Local\Temp\socrmpfr.exe
"C:\Users\Admin\AppData\Local\Temp\socrmpfr.exe" "C:\Users\Admin\AppData\Local\Temp\lzxpdrmwtx.au3"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3824

C:\Users\Admin\AppData\Local\Temp\socrmpfr.exe
"C:\Users\Admin\AppData\Local\Temp\socrmpfr.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3208

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4160

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:3492

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lzxpdrmwtx.au3
Filesize
6KB

MD5
2b46602819a00c8418da3f3790da3ff3

SHA1
9cbd4f7c37933c2b8fb34e4222da8c6186535d3c

SHA256
eca563ff13cedf08d45d4b4cdd0004860a3c89b353505144f062827111bca090

SHA512
6bbeaff927a9bc721bd1babf142115b40cabe4c0bf34bae71dca9bb6505b5734c213e06b4c395e7b3096b849417266f7041967fad8993e56faa10cbbde289316

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgtirweuef.b
Filesize
185KB

MD5
40150d5b4f1ef437b1db41433c82ee0c

SHA1
57718b42d5ca68470eab293687f55009bc4ef8c7

SHA256
c92ab315f7285a4306df26ea06791aa5a6be56efbf4f04e18f15b4c55d562d3c

SHA512
a0287bacef495d17c521b174b5f441abfd6e081134bedf8ae1ca192c9a037904852d673936b51b789164b02ab5cf4094ef440f5ae02d24e19604ba07383c9486

Download Submit
C:\Users\Admin\AppData\Local\Temp\socrmpfr.exe
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\socrmpfr.exe
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\socrmpfr.exe
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\yqofdom.uji
Filesize
82KB

MD5
0a6b6133f2a6e9173ee4a7f02fd19091

SHA1
bbca30ea82b60789e27250e97f3a155e300c85b0

SHA256
a2bd733a219aa69b9f490dc4ee38b1bf23530f5f37e43fcf102ac969e881a511

SHA512
db7c10fb9b6b769fdca3fe1e4ad20088843526902bceac670c892a86119bf4d8a502d1879245cbc79029113953ebb7667f20d6cfa596986e38ab1e150bcead5b

Download Submit
memory/724-144-0x00000000084E0000-0x000000000863A000-memory.dmp

Filesize
1.4MB

Download
memory/724-152-0x0000000008080000-0x0000000008170000-memory.dmp

Filesize
960KB

Download
memory/724-150-0x0000000008080000-0x0000000008170000-memory.dmp

Filesize
960KB

Download
memory/3208-142-0x0000000001B30000-0x0000000001E7A000-memory.dmp

Filesize
3.3MB

Download
memory/3208-141-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/3208-143-0x00000000014D0000-0x00000000014E0000-memory.dmp

Filesize
64KB

Download
memory/3208-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3208-138-0x0000000000000000-mapping.dmp

Download
memory/3824-132-0x0000000000000000-mapping.dmp

Download
memory/4160-145-0x0000000000000000-mapping.dmp

Download
memory/4160-146-0x00000000003D0000-0x00000000003D6000-memory.dmp

Filesize
24KB

Download
memory/4160-147-0x0000000000E90000-0x0000000000EBD000-memory.dmp

Filesize
180KB

Download
memory/4160-148-0x0000000002D20000-0x000000000306A000-memory.dmp

Filesize
3.3MB

Download
memory/4160-149-0x0000000002C90000-0x0000000002D1F000-memory.dmp

Filesize
572KB

Download
memory/4160-151-0x0000000000E90000-0x0000000000EBD000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads