formbook | 0d09e99b2a15cae89b2b6c61ae744d8437b2289615d909ee58ee52ac865b5872

General

Target

SecuriteInfo.com.Variant.Jaik.107269.5046.9762.exe
Size

286KB
MD5

3e22bc223e94878c8b380d6bfc4bac20
SHA1

321b6e9c30f9391c3ca00e0025ee4cf19e17f4bf
SHA256

0d09e99b2a15cae89b2b6c61ae744d8437b2289615d909ee58ee52ac865b5872
SHA512

cf16b16a6d52de369d2d3ecc14378ac7e6a331ab942f7efb5b6db914ecb70c0849b4b8ee84bdca74792a71e629b8d0dfbfcf2a750c1996e850737aa144d58719
SSDEEP

6144:LBnbBIuIily2SrpGAthgLVgaxMACC/u8RJyU39soBvWT05r7n1:FJTly2SsAtmLVgaWlyu8RJN19W0Z

Score

10^/10

formbook k6n9 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

k6n9

Decoy

NzUYPBPnE+UWNJX0b/5zZQ==

ZcsDmdfNeiREr4loZ9k=

p4Pecr+pmTFp+Az4AGoSpvqp

4jwUP0ApYThdpDmZcNp+xuej

0tmQjRQKSQbR0N86

MgfR+qwWljDdagbsn8Ukr8bc8A==

shQ3YCpOQPp/9g==

Q4mmwEidJLBJug25c6Vxcg==

OM1kEJDdGNpv7nMy

7FmP1iykTQZ7q0Hq5g==

9lVGWV44H63+A5oGc6Vxcg==

Bs97fiCGUye5Osm9xsOYZnb8SEC+YszE

xJMBmQj3MRDV7MBXzEep

mJpebAH7RkkGGbsZwZ/weg==

u6FXU+JCphyVyCsUBP0Spvqp

B/mwulPBDRm5q0Hq5g==

E+JiHcUb7gR+8A==

BgGOL5SLfQ9BzuPDxzeVKEIuOKDL

wZdfmzTbOcnEF3Mi1QnVpPCo

J63Z+Jv5L+JOhd+zc6Vxcg==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

dvpitukm.exedvpitukm.exe

pid process

4532 dvpitukm.exe
4804 dvpitukm.exe

pid	process
4532	dvpitukm.exe
4804	dvpitukm.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dvpitukm.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	dvpitukm.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

dvpitukm.exedvpitukm.execolorcpl.exe

description	pid	process	target process
PID 4532 set thread context of 4804	4532	dvpitukm.exe	dvpitukm.exe
PID 4804 set thread context of 2456	4804	dvpitukm.exe	Explorer.EXE
PID 4696 set thread context of 2456	4696	colorcpl.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

colorcpl.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	colorcpl.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

Processes:

dvpitukm.execolorcpl.exe

pid	process
4804	dvpitukm.exe
4804	dvpitukm.exe
4804	dvpitukm.exe
4804	dvpitukm.exe
4804	dvpitukm.exe
4804	dvpitukm.exe
4804	dvpitukm.exe
4804	dvpitukm.exe
4696	colorcpl.exe
4696	colorcpl.exe
4696	colorcpl.exe
4696	colorcpl.exe
4696	colorcpl.exe
4696	colorcpl.exe
4696	colorcpl.exe
4696	colorcpl.exe
4696	colorcpl.exe
4696	colorcpl.exe
4696	colorcpl.exe
4696	colorcpl.exe
4696	colorcpl.exe
4696	colorcpl.exe
4696	colorcpl.exe
4696	colorcpl.exe
4696	colorcpl.exe
4696	colorcpl.exe
4696	colorcpl.exe
4696	colorcpl.exe
4696	colorcpl.exe
4696	colorcpl.exe
4696	colorcpl.exe
4696	colorcpl.exe
4696	colorcpl.exe
4696	colorcpl.exe
4696	colorcpl.exe
4696	colorcpl.exe
4696	colorcpl.exe
4696	colorcpl.exe
4696	colorcpl.exe
4696	colorcpl.exe
4696	colorcpl.exe
4696	colorcpl.exe
4696	colorcpl.exe
4696	colorcpl.exe
4696	colorcpl.exe
4696	colorcpl.exe
4696	colorcpl.exe
4696	colorcpl.exe
4696	colorcpl.exe
4696	colorcpl.exe
4696	colorcpl.exe
4696	colorcpl.exe
4696	colorcpl.exe
4696	colorcpl.exe
4696	colorcpl.exe
4696	colorcpl.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2456 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

dvpitukm.exedvpitukm.execolorcpl.exe

pid process

4532 dvpitukm.exe
4804 dvpitukm.exe
4804 dvpitukm.exe
4804 dvpitukm.exe
4696 colorcpl.exe
4696 colorcpl.exe
4696 colorcpl.exe
4696 colorcpl.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

dvpitukm.execolorcpl.exe

description pid process

Token: SeDebugPrivilege 4804 dvpitukm.exe
Token: SeDebugPrivilege 4696 colorcpl.exe

pid	process
2456	Explorer.EXE

pid	process
4532	dvpitukm.exe
4804	dvpitukm.exe
4804	dvpitukm.exe
4804	dvpitukm.exe
4696	colorcpl.exe
4696	colorcpl.exe
4696	colorcpl.exe
4696	colorcpl.exe

description	pid	process
Token: SeDebugPrivilege	4804	dvpitukm.exe
Token: SeDebugPrivilege	4696	colorcpl.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

SecuriteInfo.com.Variant.Jaik.107269.5046.9762.exedvpitukm.exeExplorer.EXEcolorcpl.exe

description	pid	process	target process
PID 2748 wrote to memory of 4532	2748	SecuriteInfo.com.Variant.Jaik.107269.5046.9762.exe	dvpitukm.exe
PID 2748 wrote to memory of 4532	2748	SecuriteInfo.com.Variant.Jaik.107269.5046.9762.exe	dvpitukm.exe
PID 2748 wrote to memory of 4532	2748	SecuriteInfo.com.Variant.Jaik.107269.5046.9762.exe	dvpitukm.exe
PID 4532 wrote to memory of 4804	4532	dvpitukm.exe	dvpitukm.exe
PID 4532 wrote to memory of 4804	4532	dvpitukm.exe	dvpitukm.exe
PID 4532 wrote to memory of 4804	4532	dvpitukm.exe	dvpitukm.exe
PID 4532 wrote to memory of 4804	4532	dvpitukm.exe	dvpitukm.exe
PID 2456 wrote to memory of 4696	2456	Explorer.EXE	colorcpl.exe
PID 2456 wrote to memory of 4696	2456	Explorer.EXE	colorcpl.exe
PID 2456 wrote to memory of 4696	2456	Explorer.EXE	colorcpl.exe
PID 4696 wrote to memory of 3032	4696	colorcpl.exe	Firefox.exe
PID 4696 wrote to memory of 3032	4696	colorcpl.exe	Firefox.exe
PID 4696 wrote to memory of 3032	4696	colorcpl.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2456

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Jaik.107269.5046.9762.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Jaik.107269.5046.9762.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2748

C:\Users\Admin\AppData\Local\Temp\dvpitukm.exe
"C:\Users\Admin\AppData\Local\Temp\dvpitukm.exe" C:\Users\Admin\AppData\Local\Temp\orqep.jth
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4532

C:\Users\Admin\AppData\Local\Temp\dvpitukm.exe
"C:\Users\Admin\AppData\Local\Temp\dvpitukm.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4804

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4696

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:3032

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dvpitukm.exe
Filesize
100KB

MD5
1faa45e14fe03e78207dd61fc06cebcc

SHA1
a4543f2d4229c545470b6ea0a9d6a5757c98136c

SHA256
896f581caa303ac112cee949c891885e7e3b84e66fc840c9e94169ba9d35e069

SHA512
3f3d7c10f589daedbad35ccc6d77e6c4eef8ae39abe0f735be5a3d8bcd74727d5ecfb05652ac48ad8d1a4d6d9d641c136dbc4ee069d073904dd7d10542d47217

Download Submit
C:\Users\Admin\AppData\Local\Temp\dvpitukm.exe
Filesize
100KB

MD5
1faa45e14fe03e78207dd61fc06cebcc

SHA1
a4543f2d4229c545470b6ea0a9d6a5757c98136c

SHA256
896f581caa303ac112cee949c891885e7e3b84e66fc840c9e94169ba9d35e069

SHA512
3f3d7c10f589daedbad35ccc6d77e6c4eef8ae39abe0f735be5a3d8bcd74727d5ecfb05652ac48ad8d1a4d6d9d641c136dbc4ee069d073904dd7d10542d47217

Download Submit
C:\Users\Admin\AppData\Local\Temp\dvpitukm.exe
Filesize
100KB

MD5
1faa45e14fe03e78207dd61fc06cebcc

SHA1
a4543f2d4229c545470b6ea0a9d6a5757c98136c

SHA256
896f581caa303ac112cee949c891885e7e3b84e66fc840c9e94169ba9d35e069

SHA512
3f3d7c10f589daedbad35ccc6d77e6c4eef8ae39abe0f735be5a3d8bcd74727d5ecfb05652ac48ad8d1a4d6d9d641c136dbc4ee069d073904dd7d10542d47217

Download Submit
C:\Users\Admin\AppData\Local\Temp\kenub.qf
Filesize
185KB

MD5
c818f3bc9d6ea29a7b20570906050d82

SHA1
f2d2625d9d6b76618ef4df62c7d4c0e04addb9d6

SHA256
14d797382615a3fc8fb89645c75ac1c798ec8b3739382136c94b46e402bfe9c7

SHA512
5344c509cb96e7b31632530ca13f751338eddcca867a92b43cc87390b382b70c09864ca539445a149efa9e683bc5fda8a1e88fa750a3f1c17cc06e435c404e5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\orqep.jth
Filesize
5KB

MD5
98e03300f7458e503f470ab2d0a9267a

SHA1
3ff7e0bf8cd667c1dfdcf0674ab38139e0e29452

SHA256
1a8825d0fb3129eff34278938b36535d3fc9cb9e67d6ff39fbc6f2deddb306ac

SHA512
2648ef92a5aa218615794a1b7dcabfa8b0114931429062b9ae8bdc4412139c889e37f5e7f93d5d8bdc1a81d0803c9f713221ff1587a6f24236045399ca963958

Download Submit
memory/2456-154-0x0000000007CC0000-0x0000000007D9D000-memory.dmp

Filesize
884KB

Download
memory/2456-152-0x0000000007CC0000-0x0000000007D9D000-memory.dmp

Filesize
884KB

Download
memory/2456-144-0x00000000080E0000-0x0000000008212000-memory.dmp

Filesize
1.2MB

Download
memory/4532-132-0x0000000000000000-mapping.dmp

Download
memory/4696-149-0x0000000000460000-0x000000000048D000-memory.dmp

Filesize
180KB

Download
memory/4696-153-0x0000000000460000-0x000000000048D000-memory.dmp

Filesize
180KB

Download
memory/4696-151-0x0000000002190000-0x000000000221F000-memory.dmp

Filesize
572KB

Download
memory/4696-150-0x0000000002460000-0x00000000027AA000-memory.dmp

Filesize
3.3MB

Download
memory/4696-145-0x0000000000000000-mapping.dmp

Download
memory/4696-148-0x0000000000530000-0x0000000000549000-memory.dmp

Filesize
100KB

Download
memory/4804-142-0x0000000000422000-0x0000000000424000-memory.dmp

Filesize
8KB

Download
memory/4804-147-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/4804-146-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4804-143-0x0000000000D70000-0x0000000000D80000-memory.dmp

Filesize
64KB

Download
memory/4804-141-0x0000000001300000-0x000000000164A000-memory.dmp

Filesize
3.3MB

Download
memory/4804-140-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/4804-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4804-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads