formbook | 3c1db94995f50f8d469f8d44278a9fe97864afca4be64ce6aceabdcbe9d91de8

General

Target

PO 0094899101.exe
Size

762KB
MD5

4c274f3bc91970597ea119c632c45860
SHA1

43fda1bfe6971a37106d9827433b07dae500fe30
SHA256

3c1db94995f50f8d469f8d44278a9fe97864afca4be64ce6aceabdcbe9d91de8
SHA512

bf9eec01cc9fe9e5b4ce24f10cfdf059bcc2d0a11ea8d3ea82aa8dbde5d1c4aa715a171dcec6786461d1f4dc6af9f396ad6dd6add188a111a5f972dd4dd8815e
SSDEEP

12288:YbIg+dWn45FiQxDCDTkEwYlaPU5vot96i0KeDC2/2ak6NqpIESRaJ2:YbZQtaQKlsU6tYiEC2FkMUSRaJ2

Score

10^/10

formbook elhb rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

elhb

Decoy

BxGzoacPQ3mFBGhbtixjHOm2l30=

dTRqRkWfuBbGMmsPJA==

Pix+zpOG6+Gk

N+3dNZ0ZjOtrRnnj

xUv06VOm45P441HWCmmfSum2l30=

Sx5JuwMfaRrJdK3r

cgU6nPNKa14KC4K40cp4wbkm/KpzfwM=

rV8A2UGJrlbYxa48P40=

Gz3szbYLIYI6l+4=

QU3ru637P+U4itwRQ3n7n2c=

DdkGzbEPU4Fy4h2bZLVXNzz0

QPUo8R5qn9KUnhRRtmVY8/Zp5Xw=

q+EX7juJsVR79msRSnsUxg==

/34eEpvsLS8lw7uom5U=

HEVrEXHlHMlNNp9IlsY+0Q==

KZ/SIWnI7eeog+pwY9uAw+PmmhfjXQ==

Kdn7YMcoXYWjHId+0jhkHem2l30=

R7lnYeAfO1MUHIWyz9c/aoIvHxSvQA==

P7ZYVqmG6+Gk

hlk7m1hdnb0=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Blocklisted process makes network request 1 IoCs

Processes:

cmstp.exe

flow pid process

20 544 cmstp.exe
Executes dropped EXE 2 IoCs

Processes:

ykxby.exeykxby.exe

pid process

1812 ykxby.exe
4920 ykxby.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

ykxby.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation ykxby.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
20	544	cmstp.exe

pid	process
1812	ykxby.exe
4920	ykxby.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	ykxby.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

ykxby.exeykxby.execmstp.exe

description	pid	process	target process
PID 1812 set thread context of 4920	1812	ykxby.exe	ykxby.exe
PID 4920 set thread context of 2720	4920	ykxby.exe	Explorer.EXE
PID 544 set thread context of 2720	544	cmstp.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

cmstp.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cmstp.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

ykxby.execmstp.exe

pid	process
4920	ykxby.exe
4920	ykxby.exe
4920	ykxby.exe
4920	ykxby.exe
4920	ykxby.exe
4920	ykxby.exe
4920	ykxby.exe
4920	ykxby.exe
544	cmstp.exe
544	cmstp.exe
544	cmstp.exe
544	cmstp.exe
544	cmstp.exe
544	cmstp.exe
544	cmstp.exe
544	cmstp.exe
544	cmstp.exe
544	cmstp.exe
544	cmstp.exe
544	cmstp.exe
544	cmstp.exe
544	cmstp.exe
544	cmstp.exe
544	cmstp.exe
544	cmstp.exe
544	cmstp.exe
544	cmstp.exe
544	cmstp.exe
544	cmstp.exe
544	cmstp.exe
544	cmstp.exe
544	cmstp.exe
544	cmstp.exe
544	cmstp.exe
544	cmstp.exe
544	cmstp.exe
544	cmstp.exe
544	cmstp.exe
544	cmstp.exe
544	cmstp.exe
544	cmstp.exe
544	cmstp.exe
544	cmstp.exe
544	cmstp.exe
544	cmstp.exe
544	cmstp.exe
544	cmstp.exe
544	cmstp.exe
544	cmstp.exe
544	cmstp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2720 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

ykxby.exeykxby.execmstp.exe

pid process

1812 ykxby.exe
4920 ykxby.exe
4920 ykxby.exe
4920 ykxby.exe
544 cmstp.exe
544 cmstp.exe
544 cmstp.exe
544 cmstp.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ykxby.execmstp.exe

description pid process

Token: SeDebugPrivilege 4920 ykxby.exe
Token: SeDebugPrivilege 544 cmstp.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

ykxby.exe

pid process

1812 ykxby.exe
1812 ykxby.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

ykxby.exe

pid process

1812 ykxby.exe
1812 ykxby.exe

pid	process
2720	Explorer.EXE

pid	process
1812	ykxby.exe
4920	ykxby.exe
4920	ykxby.exe
4920	ykxby.exe
544	cmstp.exe
544	cmstp.exe
544	cmstp.exe
544	cmstp.exe

description	pid	process
Token: SeDebugPrivilege	4920	ykxby.exe
Token: SeDebugPrivilege	544	cmstp.exe

pid	process
1812	ykxby.exe
1812	ykxby.exe

pid	process
1812	ykxby.exe
1812	ykxby.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

PO 0094899101.exeykxby.exeExplorer.EXEcmstp.exe

description	pid	process	target process
PID 4988 wrote to memory of 1812	4988	PO 0094899101.exe	ykxby.exe
PID 4988 wrote to memory of 1812	4988	PO 0094899101.exe	ykxby.exe
PID 4988 wrote to memory of 1812	4988	PO 0094899101.exe	ykxby.exe
PID 1812 wrote to memory of 4920	1812	ykxby.exe	ykxby.exe
PID 1812 wrote to memory of 4920	1812	ykxby.exe	ykxby.exe
PID 1812 wrote to memory of 4920	1812	ykxby.exe	ykxby.exe
PID 1812 wrote to memory of 4920	1812	ykxby.exe	ykxby.exe
PID 2720 wrote to memory of 544	2720	Explorer.EXE	cmstp.exe
PID 2720 wrote to memory of 544	2720	Explorer.EXE	cmstp.exe
PID 2720 wrote to memory of 544	2720	Explorer.EXE	cmstp.exe
PID 544 wrote to memory of 4628	544	cmstp.exe	Firefox.exe
PID 544 wrote to memory of 4628	544	cmstp.exe	Firefox.exe
PID 544 wrote to memory of 4628	544	cmstp.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Users\Admin\AppData\Local\Temp\PO 0094899101.exe
  "C:\Users\Admin\AppData\Local\Temp\PO 0094899101.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4988
- - C:\Users\Admin\AppData\Local\Temp\ykxby.exe
    "C:\Users\Admin\AppData\Local\Temp\ykxby.exe" "C:\Users\Admin\AppData\Local\Temp\pssvtgzot.au3"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1812
  - - C:\Users\Admin\AppData\Local\Temp\ykxby.exe
      "C:\Users\Admin\AppData\Local\Temp\ykxby.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:4920
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:4940
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:1388
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:1408
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:3312
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:604
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:796
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:820
- C:\Windows\SysWOW64\cmstp.exe
  "C:\Windows\SysWOW64\cmstp.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:544
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:4628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jxkreh.id

Filesize
61KB

MD5
d976f55cc668d4fd0f150ebd3b3dd85f

SHA1
8bcf25212f41032e27410ab66a668696b22c48eb

SHA256
93e491790736026e3d3b23eadb63cdc0bd765f55bdeca4abf951ee3bc7336953

SHA512
2ad029d589208a59ae9e44b397c2e0d215d25476f1579a977cf07bf0d7fdfdd779d00a8247fca06bff8647191402c01b91258913a25ab1eff8002ad86a47b0e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\pssvtgzot.au3

Filesize
6KB

MD5
fbd071486f8915a8a7af5bd9c6bf7838

SHA1
5d67412cd995935eebe1c58f22c23dab3f7f214f

SHA256
e6685a26958c3e0cdcf6377ed47ba1a4f9eb011757142224d6c015e8e69de545

SHA512
c2e971702115597fc98ee616f855108963e6cd56a57c93de5b4e5b972358dc92833c85216523083c60450b3312fefaa0325ec54ddb946fce775a0f707e181384

Download Submit
C:\Users\Admin\AppData\Local\Temp\tgwcmfcmx.o

Filesize
185KB

MD5
620cab103a3d3e1a7999d34686754bc2

SHA1
e527631a1bd6ef6e4f511707847d0ae87b77f24a

SHA256
e6c4681ef4b7c956f727612aeda75a16ed27e049ea40bf82a1e4321d1ecafc78

SHA512
b2c80d7ff576749a4d232ce313014ae8a6952ab4bfe2f3dd54e4aee2b118c215b46b3f3d859e39dd69c1555e08777219caedc32ebff345c4ab82271f2ba7861d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykxby.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykxby.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykxby.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/544-152-0x0000000000F50000-0x0000000000F7D000-memory.dmp

Filesize
180KB

Download
memory/544-148-0x0000000000F50000-0x0000000000F7D000-memory.dmp

Filesize
180KB

Download
memory/544-150-0x0000000002F40000-0x0000000002FCF000-memory.dmp

Filesize
572KB

Download
memory/544-149-0x00000000030F0000-0x000000000343A000-memory.dmp

Filesize
3.3MB

Download
memory/544-145-0x0000000000000000-mapping.dmp

Download
memory/544-147-0x0000000000850000-0x0000000000866000-memory.dmp

Filesize
88KB

Download
memory/1812-132-0x0000000000000000-mapping.dmp

Download
memory/2720-153-0x0000000008570000-0x00000000086D3000-memory.dmp

Filesize
1.4MB

Download
memory/2720-151-0x0000000008570000-0x00000000086D3000-memory.dmp

Filesize
1.4MB

Download
memory/2720-144-0x00000000030C0000-0x0000000003191000-memory.dmp

Filesize
836KB

Download
memory/4920-137-0x0000000000000000-mapping.dmp

Download
memory/4920-142-0x0000000000422000-0x0000000000424000-memory.dmp

Filesize
8KB

Download
memory/4920-143-0x0000000001640000-0x0000000001650000-memory.dmp

Filesize
64KB

Download
memory/4920-141-0x0000000001AB0000-0x0000000001DFA000-memory.dmp

Filesize
3.3MB

Download
memory/4920-140-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/4920-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads