formbook | c71e8cd3e58eaeab5de7d296fa62fd6fcad415facc687629d71b25bab56550eb

Analysis

max time kernel
152s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd0e4cab67b7fd76ef5d6bdcb7f25a21.exe
Size

342KB
MD5

cd0e4cab67b7fd76ef5d6bdcb7f25a21
SHA1

a27ade3067d85e7ed462266b503caed5ef89d3dc
SHA256

c71e8cd3e58eaeab5de7d296fa62fd6fcad415facc687629d71b25bab56550eb
SHA512

c3ae7c68e14ddd2064c926d419ca88531d0344868792b81f8daab42c63aa28a096781fbb0cf38fd367cbf64d94ef073c17d17cef762b5e99bb110ebe00345195
SSDEEP

6144:ZBnbr9ZL8bW6Bg1GzljLDEkYiDifeaOcpTlSxbJ3bzGUAR6ZTu:HfL8bQalnDlRexQxNSlR7

Score

10^/10

formbook f4ca rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

f4ca

Decoy

omFHB5ajfJi1UEIEV9XcoRw=

UBjJkmQPyprdhcFF/bdCWQ==

evGKkBUj1je+otcfpw==

KgvGVeOATSt3nug0BIOm2JvOQycB

Lv6o3K0r9aSjI0lr9fg1txw=

LH1jJb/HieQpsEdqWCQTvX2PmsDVIeg=

99dte0XauJfk6Xv+uQxJFgA1gMktBA==

21FkkGB9gMniDQw2ffu6

r4lKBM/q6TZwVZfS

F+14qHeVWi56KdQ=

BgWXRsVoICMvvQ==

I+EozFl0Uy56KdQ=

xoXCgEllKEbWfjFCCLo=

qo9G1lXvvGt5GkxrLQWw

ORNlYic0PJ2ip4geEFSv

Yj+GFpvFxy0uVYx1fLI/XQ==

XL+veIKPjOTe4fjvFs+n

D2JKVAfuakXCAyoEvw==

voWJU81tH56wvt/vImbCcgVd

dVEcwFrmb8bZ4vXvFs+n

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Executes dropped EXE 2 IoCs

pid	Process
4304	jrjvptrkw.exe
4032	jrjvptrkw.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	jrjvptrkw.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4304 set thread context of 4032	4304	jrjvptrkw.exe	87
PID 4032 set thread context of 1108	4032	jrjvptrkw.exe	67
PID 3296 set thread context of 1108	3296	wlanext.exe	67

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	wlanext.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
4032	jrjvptrkw.exe
4032	jrjvptrkw.exe
4032	jrjvptrkw.exe
4032	jrjvptrkw.exe
4032	jrjvptrkw.exe
4032	jrjvptrkw.exe
4032	jrjvptrkw.exe
4032	jrjvptrkw.exe
3296	wlanext.exe
3296	wlanext.exe
3296	wlanext.exe
3296	wlanext.exe
3296	wlanext.exe
3296	wlanext.exe
3296	wlanext.exe
3296	wlanext.exe
3296	wlanext.exe
3296	wlanext.exe
3296	wlanext.exe
3296	wlanext.exe
3296	wlanext.exe
3296	wlanext.exe
3296	wlanext.exe
3296	wlanext.exe
3296	wlanext.exe
3296	wlanext.exe
3296	wlanext.exe
3296	wlanext.exe
3296	wlanext.exe
3296	wlanext.exe
3296	wlanext.exe
3296	wlanext.exe
3296	wlanext.exe
3296	wlanext.exe
3296	wlanext.exe
3296	wlanext.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1108	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
4304	jrjvptrkw.exe
4032	jrjvptrkw.exe
4032	jrjvptrkw.exe
4032	jrjvptrkw.exe
3296	wlanext.exe
3296	wlanext.exe
3296	wlanext.exe
3296	wlanext.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	4032	jrjvptrkw.exe
Token: SeDebugPrivilege	3296	wlanext.exe
Token: SeShutdownPrivilege	1108	Explorer.EXE
Token: SeCreatePagefilePrivilege	1108	Explorer.EXE
Token: SeShutdownPrivilege	1108	Explorer.EXE
Token: SeCreatePagefilePrivilege	1108	Explorer.EXE
Token: SeShutdownPrivilege	1108	Explorer.EXE
Token: SeCreatePagefilePrivilege	1108	Explorer.EXE
Token: SeShutdownPrivilege	1108	Explorer.EXE
Token: SeCreatePagefilePrivilege	1108	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4580 wrote to memory of 4304	4580	cd0e4cab67b7fd76ef5d6bdcb7f25a21.exe	86
PID 4580 wrote to memory of 4304	4580	cd0e4cab67b7fd76ef5d6bdcb7f25a21.exe	86
PID 4580 wrote to memory of 4304	4580	cd0e4cab67b7fd76ef5d6bdcb7f25a21.exe	86
PID 4304 wrote to memory of 4032	4304	jrjvptrkw.exe	87
PID 4304 wrote to memory of 4032	4304	jrjvptrkw.exe	87
PID 4304 wrote to memory of 4032	4304	jrjvptrkw.exe	87
PID 4304 wrote to memory of 4032	4304	jrjvptrkw.exe	87
PID 1108 wrote to memory of 3296	1108	Explorer.EXE	88
PID 1108 wrote to memory of 3296	1108	Explorer.EXE	88
PID 1108 wrote to memory of 3296	1108	Explorer.EXE	88
PID 3296 wrote to memory of 3116	3296	wlanext.exe	90
PID 3296 wrote to memory of 3116	3296	wlanext.exe	90
PID 3296 wrote to memory of 3116	3296	wlanext.exe	90

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Users\Admin\AppData\Local\Temp\cd0e4cab67b7fd76ef5d6bdcb7f25a21.exe
  "C:\Users\Admin\AppData\Local\Temp\cd0e4cab67b7fd76ef5d6bdcb7f25a21.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4580
- - C:\Users\Admin\AppData\Local\Temp\jrjvptrkw.exe
    "C:\Users\Admin\AppData\Local\Temp\jrjvptrkw.exe" C:\Users\Admin\AppData\Local\Temp\aomgdquqwa.bts
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4304
  - - C:\Users\Admin\AppData\Local\Temp\jrjvptrkw.exe
      "C:\Users\Admin\AppData\Local\Temp\jrjvptrkw.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:4032
- C:\Windows\SysWOW64\wlanext.exe
  "C:\Windows\SysWOW64\wlanext.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3296
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:3116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aomgdquqwa.bts

Filesize
5KB

MD5
70ac455f88e10ec69807e8d27c5b98a7

SHA1
57dbd9bc79b94886f79354ca2025232a5d0076fb

SHA256
157b2b1dcb46cfbd5f8ebbcc64bae4fdd45fb9f6843549d5efa39ff294156e68

SHA512
4e732530fa2d008d57f86a2f62010d04a67764c230e9f966cf30bdbef2064b0dfc05a983d7919af7db03c690584dd8115ea7dd4b3e34f28cd49cf318dc13b8e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\jrjvptrkw.exe

Filesize
12KB

MD5
fd0ddc905a5457c8fdd921103f410846

SHA1
20517958c1cba91084f5011cccf3ece8fdc9a237

SHA256
07b65ff3ea050e07441aae8967be4843a74797d004f3aa0b700f5faa59caccec

SHA512
2c246fdd4852c364c87ee846682da0b05c419d327456f3ba5e8d00e45f7ac185f00507589219671b82bba4af32369100df577962d0e20f839cfeb8197c7c8c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\jrjvptrkw.exe

Filesize
12KB

MD5
fd0ddc905a5457c8fdd921103f410846

SHA1
20517958c1cba91084f5011cccf3ece8fdc9a237

SHA256
07b65ff3ea050e07441aae8967be4843a74797d004f3aa0b700f5faa59caccec

SHA512
2c246fdd4852c364c87ee846682da0b05c419d327456f3ba5e8d00e45f7ac185f00507589219671b82bba4af32369100df577962d0e20f839cfeb8197c7c8c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\jrjvptrkw.exe

Filesize
12KB

MD5
fd0ddc905a5457c8fdd921103f410846

SHA1
20517958c1cba91084f5011cccf3ece8fdc9a237

SHA256
07b65ff3ea050e07441aae8967be4843a74797d004f3aa0b700f5faa59caccec

SHA512
2c246fdd4852c364c87ee846682da0b05c419d327456f3ba5e8d00e45f7ac185f00507589219671b82bba4af32369100df577962d0e20f839cfeb8197c7c8c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\pgcugroogqm.cg

Filesize
185KB

MD5
e90088efd1be37bc124d82ce812bd327

SHA1
633c82a7f3334b6c48a23e96b9ff6116c7cdce27

SHA256
09b39f471b88b40e2c29f61d06005b27b799a6d274f0f74262d46d11f9a36d8d

SHA512
f93f6119cd5b8c04426b917f6cf6d2f16797970ea4ae00ed0e8014862651ce25a23a5ee60b36aacd37dd7691b3d3bd63c1bdd3a4b0b243456524aff40b7240a4

Download Submit
memory/1108-180-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/1108-167-0x0000000008940000-0x0000000008A5C000-memory.dmp

Filesize
1.1MB

Download
memory/1108-195-0x0000000003050000-0x0000000003060000-memory.dmp

Filesize
64KB

Download
memory/1108-194-0x0000000003050000-0x0000000003060000-memory.dmp

Filesize
64KB

Download
memory/1108-193-0x0000000003050000-0x0000000003060000-memory.dmp

Filesize
64KB

Download
memory/1108-192-0x0000000002FC0000-0x0000000002FD0000-memory.dmp

Filesize
64KB

Download
memory/1108-143-0x0000000008810000-0x0000000008935000-memory.dmp

Filesize
1.1MB

Download
memory/1108-191-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/1108-190-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/1108-189-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/1108-188-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/1108-187-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/1108-186-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/1108-150-0x0000000008940000-0x0000000008A5C000-memory.dmp

Filesize
1.1MB

Download
memory/1108-152-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/1108-151-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/1108-153-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/1108-154-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/1108-156-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/1108-155-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/1108-157-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/1108-158-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/1108-159-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/1108-160-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/1108-161-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/1108-162-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/1108-163-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/1108-164-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/1108-181-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/1108-177-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/1108-182-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/1108-168-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/1108-169-0x0000000002FA0000-0x0000000002FB0000-memory.dmp

Filesize
64KB

Download
memory/1108-170-0x0000000003310000-0x0000000003320000-memory.dmp

Filesize
64KB

Download
memory/1108-171-0x0000000003310000-0x0000000003320000-memory.dmp

Filesize
64KB

Download
memory/1108-172-0x0000000003310000-0x0000000003320000-memory.dmp

Filesize
64KB

Download
memory/1108-173-0x0000000003310000-0x0000000003320000-memory.dmp

Filesize
64KB

Download
memory/1108-174-0x0000000003310000-0x0000000003320000-memory.dmp

Filesize
64KB

Download
memory/1108-175-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/1108-176-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/1108-166-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/1108-178-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/1108-179-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/1108-165-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/1108-183-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/1108-185-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/1108-184-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/3296-149-0x00000000017B0000-0x000000000183F000-memory.dmp

Filesize
572KB

Download
memory/3296-148-0x0000000001240000-0x000000000126D000-memory.dmp

Filesize
180KB

Download
memory/3296-147-0x00000000018D0000-0x0000000001C1A000-memory.dmp

Filesize
3.3MB

Download
memory/3296-145-0x00000000003C0000-0x00000000003D7000-memory.dmp

Filesize
92KB

Download
memory/3296-146-0x0000000001240000-0x000000000126D000-memory.dmp

Filesize
180KB

Download
memory/4032-142-0x0000000000FB0000-0x0000000000FC0000-memory.dmp

Filesize
64KB

Download
memory/4032-141-0x00000000014E0000-0x000000000182A000-memory.dmp

Filesize
3.3MB

Download
memory/4032-140-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/4032-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download