formbook | 0d09e99b2a15cae89b2b6c61ae744d8437b2289615d909ee58ee52ac865b5872

General

Target

SecuriteInfo.com.Variant.Jaik.107269.5046.9762.exe
Size

286KB
MD5

3e22bc223e94878c8b380d6bfc4bac20
SHA1

321b6e9c30f9391c3ca00e0025ee4cf19e17f4bf
SHA256

0d09e99b2a15cae89b2b6c61ae744d8437b2289615d909ee58ee52ac865b5872
SHA512

cf16b16a6d52de369d2d3ecc14378ac7e6a331ab942f7efb5b6db914ecb70c0849b4b8ee84bdca74792a71e629b8d0dfbfcf2a750c1996e850737aa144d58719
SSDEEP

6144:LBnbBIuIily2SrpGAthgLVgaxMACC/u8RJyU39soBvWT05r7n1:FJTly2SsAtmLVgaWlyu8RJN19W0Z

Score

10^/10

formbook k6n9 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

k6n9

Decoy

NzUYPBPnE+UWNJX0b/5zZQ==

ZcsDmdfNeiREr4loZ9k=

p4Pecr+pmTFp+Az4AGoSpvqp

4jwUP0ApYThdpDmZcNp+xuej

0tmQjRQKSQbR0N86

MgfR+qwWljDdagbsn8Ukr8bc8A==

shQ3YCpOQPp/9g==

Q4mmwEidJLBJug25c6Vxcg==

OM1kEJDdGNpv7nMy

7FmP1iykTQZ7q0Hq5g==

9lVGWV44H63+A5oGc6Vxcg==

Bs97fiCGUye5Osm9xsOYZnb8SEC+YszE

xJMBmQj3MRDV7MBXzEep

mJpebAH7RkkGGbsZwZ/weg==

u6FXU+JCphyVyCsUBP0Spvqp

B/mwulPBDRm5q0Hq5g==

E+JiHcUb7gR+8A==

BgGOL5SLfQ9BzuPDxzeVKEIuOKDL

wZdfmzTbOcnEF3Mi1QnVpPCo

J63Z+Jv5L+JOhd+zc6Vxcg==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

6 1492 rundll32.exe
Executes dropped EXE 2 IoCs

Processes:

dvpitukm.exedvpitukm.exe

pid process

1268 dvpitukm.exe
584 dvpitukm.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

dvpitukm.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation dvpitukm.exe
Loads dropped DLL 3 IoCs

Processes:

SecuriteInfo.com.Variant.Jaik.107269.5046.9762.exedvpitukm.exerundll32.exe

pid process

1368 SecuriteInfo.com.Variant.Jaik.107269.5046.9762.exe
1268 dvpitukm.exe
1492 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
6	1492	rundll32.exe

pid	process
1268	dvpitukm.exe
584	dvpitukm.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation	dvpitukm.exe

pid	process
1368	SecuriteInfo.com.Variant.Jaik.107269.5046.9762.exe
1268	dvpitukm.exe
1492	rundll32.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

dvpitukm.exedvpitukm.exerundll32.exe

description	pid	process	target process
PID 1268 set thread context of 584	1268	dvpitukm.exe	dvpitukm.exe
PID 584 set thread context of 1280	584	dvpitukm.exe	Explorer.EXE
PID 1492 set thread context of 1280	1492	rundll32.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	rundll32.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

dvpitukm.exerundll32.exe

pid	process
584	dvpitukm.exe
584	dvpitukm.exe
584	dvpitukm.exe
584	dvpitukm.exe
1492	rundll32.exe
1492	rundll32.exe
1492	rundll32.exe
1492	rundll32.exe
1492	rundll32.exe
1492	rundll32.exe
1492	rundll32.exe
1492	rundll32.exe
1492	rundll32.exe
1492	rundll32.exe
1492	rundll32.exe
1492	rundll32.exe
1492	rundll32.exe
1492	rundll32.exe
1492	rundll32.exe
1492	rundll32.exe
1492	rundll32.exe
1492	rundll32.exe
1492	rundll32.exe
1492	rundll32.exe
1492	rundll32.exe
1492	rundll32.exe
1492	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1280 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

dvpitukm.exedvpitukm.exerundll32.exe

pid process

1268 dvpitukm.exe
584 dvpitukm.exe
584 dvpitukm.exe
584 dvpitukm.exe
1492 rundll32.exe
1492 rundll32.exe
1492 rundll32.exe
1492 rundll32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

dvpitukm.exerundll32.exe

description pid process

Token: SeDebugPrivilege 584 dvpitukm.exe
Token: SeDebugPrivilege 1492 rundll32.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1280 Explorer.EXE
1280 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1280 Explorer.EXE
1280 Explorer.EXE

pid	process
1280	Explorer.EXE

pid	process
1268	dvpitukm.exe
584	dvpitukm.exe
584	dvpitukm.exe
584	dvpitukm.exe
1492	rundll32.exe
1492	rundll32.exe
1492	rundll32.exe
1492	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	584	dvpitukm.exe
Token: SeDebugPrivilege	1492	rundll32.exe

pid	process
1280	Explorer.EXE
1280	Explorer.EXE

pid	process
1280	Explorer.EXE
1280	Explorer.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

SecuriteInfo.com.Variant.Jaik.107269.5046.9762.exedvpitukm.exeExplorer.EXErundll32.exe

description	pid	process	target process
PID 1368 wrote to memory of 1268	1368	SecuriteInfo.com.Variant.Jaik.107269.5046.9762.exe	dvpitukm.exe
PID 1368 wrote to memory of 1268	1368	SecuriteInfo.com.Variant.Jaik.107269.5046.9762.exe	dvpitukm.exe
PID 1368 wrote to memory of 1268	1368	SecuriteInfo.com.Variant.Jaik.107269.5046.9762.exe	dvpitukm.exe
PID 1368 wrote to memory of 1268	1368	SecuriteInfo.com.Variant.Jaik.107269.5046.9762.exe	dvpitukm.exe
PID 1268 wrote to memory of 584	1268	dvpitukm.exe	dvpitukm.exe
PID 1268 wrote to memory of 584	1268	dvpitukm.exe	dvpitukm.exe
PID 1268 wrote to memory of 584	1268	dvpitukm.exe	dvpitukm.exe
PID 1268 wrote to memory of 584	1268	dvpitukm.exe	dvpitukm.exe
PID 1268 wrote to memory of 584	1268	dvpitukm.exe	dvpitukm.exe
PID 1280 wrote to memory of 1492	1280	Explorer.EXE	rundll32.exe
PID 1280 wrote to memory of 1492	1280	Explorer.EXE	rundll32.exe
PID 1280 wrote to memory of 1492	1280	Explorer.EXE	rundll32.exe
PID 1280 wrote to memory of 1492	1280	Explorer.EXE	rundll32.exe
PID 1280 wrote to memory of 1492	1280	Explorer.EXE	rundll32.exe
PID 1280 wrote to memory of 1492	1280	Explorer.EXE	rundll32.exe
PID 1280 wrote to memory of 1492	1280	Explorer.EXE	rundll32.exe
PID 1492 wrote to memory of 2036	1492	rundll32.exe	Firefox.exe
PID 1492 wrote to memory of 2036	1492	rundll32.exe	Firefox.exe
PID 1492 wrote to memory of 2036	1492	rundll32.exe	Firefox.exe
PID 1492 wrote to memory of 2036	1492	rundll32.exe	Firefox.exe
PID 1492 wrote to memory of 2036	1492	rundll32.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1280

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Jaik.107269.5046.9762.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Jaik.107269.5046.9762.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1368

C:\Users\Admin\AppData\Local\Temp\dvpitukm.exe
"C:\Users\Admin\AppData\Local\Temp\dvpitukm.exe" C:\Users\Admin\AppData\Local\Temp\orqep.jth
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1268

C:\Users\Admin\AppData\Local\Temp\dvpitukm.exe
"C:\Users\Admin\AppData\Local\Temp\dvpitukm.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:584

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1492

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:2036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dvpitukm.exe
Filesize
100KB

MD5
1faa45e14fe03e78207dd61fc06cebcc

SHA1
a4543f2d4229c545470b6ea0a9d6a5757c98136c

SHA256
896f581caa303ac112cee949c891885e7e3b84e66fc840c9e94169ba9d35e069

SHA512
3f3d7c10f589daedbad35ccc6d77e6c4eef8ae39abe0f735be5a3d8bcd74727d5ecfb05652ac48ad8d1a4d6d9d641c136dbc4ee069d073904dd7d10542d47217

Download Submit
C:\Users\Admin\AppData\Local\Temp\dvpitukm.exe
Filesize
100KB

MD5
1faa45e14fe03e78207dd61fc06cebcc

SHA1
a4543f2d4229c545470b6ea0a9d6a5757c98136c

SHA256
896f581caa303ac112cee949c891885e7e3b84e66fc840c9e94169ba9d35e069

SHA512
3f3d7c10f589daedbad35ccc6d77e6c4eef8ae39abe0f735be5a3d8bcd74727d5ecfb05652ac48ad8d1a4d6d9d641c136dbc4ee069d073904dd7d10542d47217

Download Submit
C:\Users\Admin\AppData\Local\Temp\dvpitukm.exe
Filesize
100KB

MD5
1faa45e14fe03e78207dd61fc06cebcc

SHA1
a4543f2d4229c545470b6ea0a9d6a5757c98136c

SHA256
896f581caa303ac112cee949c891885e7e3b84e66fc840c9e94169ba9d35e069

SHA512
3f3d7c10f589daedbad35ccc6d77e6c4eef8ae39abe0f735be5a3d8bcd74727d5ecfb05652ac48ad8d1a4d6d9d641c136dbc4ee069d073904dd7d10542d47217

Download Submit
C:\Users\Admin\AppData\Local\Temp\kenub.qf
Filesize
185KB

MD5
c818f3bc9d6ea29a7b20570906050d82

SHA1
f2d2625d9d6b76618ef4df62c7d4c0e04addb9d6

SHA256
14d797382615a3fc8fb89645c75ac1c798ec8b3739382136c94b46e402bfe9c7

SHA512
5344c509cb96e7b31632530ca13f751338eddcca867a92b43cc87390b382b70c09864ca539445a149efa9e683bc5fda8a1e88fa750a3f1c17cc06e435c404e5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\orqep.jth
Filesize
5KB

MD5
98e03300f7458e503f470ab2d0a9267a

SHA1
3ff7e0bf8cd667c1dfdcf0674ab38139e0e29452

SHA256
1a8825d0fb3129eff34278938b36535d3fc9cb9e67d6ff39fbc6f2deddb306ac

SHA512
2648ef92a5aa218615794a1b7dcabfa8b0114931429062b9ae8bdc4412139c889e37f5e7f93d5d8bdc1a81d0803c9f713221ff1587a6f24236045399ca963958

Download Submit
\Users\Admin\AppData\Local\Temp\dvpitukm.exe
Filesize
100KB

MD5
1faa45e14fe03e78207dd61fc06cebcc

SHA1
a4543f2d4229c545470b6ea0a9d6a5757c98136c

SHA256
896f581caa303ac112cee949c891885e7e3b84e66fc840c9e94169ba9d35e069

SHA512
3f3d7c10f589daedbad35ccc6d77e6c4eef8ae39abe0f735be5a3d8bcd74727d5ecfb05652ac48ad8d1a4d6d9d641c136dbc4ee069d073904dd7d10542d47217

Download Submit
\Users\Admin\AppData\Local\Temp\dvpitukm.exe
Filesize
100KB

MD5
1faa45e14fe03e78207dd61fc06cebcc

SHA1
a4543f2d4229c545470b6ea0a9d6a5757c98136c

SHA256
896f581caa303ac112cee949c891885e7e3b84e66fc840c9e94169ba9d35e069

SHA512
3f3d7c10f589daedbad35ccc6d77e6c4eef8ae39abe0f735be5a3d8bcd74727d5ecfb05652ac48ad8d1a4d6d9d641c136dbc4ee069d073904dd7d10542d47217

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
849KB

MD5
87f9e5a6318ac1ec5ee05aa94a919d7a

SHA1
7a9956e8de89603dba99772da29493d3fd0fe37d

SHA256
7705b87603e0d772e1753441001fcf1ac2643ee41bf14a8177de2c056628665c

SHA512
c45c03176142918e34f746711e83384572bd6a8ed0a005600aa4a18cf22eade06c76eda190b37db49ec1971c4649e086affd19eee108c5f405df27c0c8cb23d2

Download Submit
memory/584-67-0x0000000000BF0000-0x0000000000EF3000-memory.dmp

Filesize
3.0MB

Download
memory/584-63-0x00000000004012B0-mapping.dmp

Download
memory/584-66-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/584-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/584-68-0x0000000000422000-0x0000000000424000-memory.dmp

Filesize
8KB

Download
memory/584-69-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/1268-56-0x0000000000000000-mapping.dmp

Download
memory/1280-77-0x0000000004B70000-0x0000000004C41000-memory.dmp

Filesize
836KB

Download
memory/1280-70-0x0000000004EB0000-0x0000000004FF3000-memory.dmp

Filesize
1.3MB

Download
memory/1280-79-0x0000000004B70000-0x0000000004C41000-memory.dmp

Filesize
836KB

Download
memory/1368-54-0x0000000074E41000-0x0000000074E43000-memory.dmp

Filesize
8KB

Download
memory/1492-71-0x0000000000000000-mapping.dmp

Download
memory/1492-73-0x0000000000EC0000-0x0000000000ECE000-memory.dmp

Filesize
56KB

Download
memory/1492-74-0x0000000000090000-0x00000000000BD000-memory.dmp

Filesize
180KB

Download
memory/1492-75-0x00000000022D0000-0x00000000025D3000-memory.dmp

Filesize
3.0MB

Download
memory/1492-76-0x0000000000950000-0x00000000009DF000-memory.dmp

Filesize
572KB

Download
memory/1492-78-0x0000000000090000-0x00000000000BD000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads