formbook | 34ba86fe0e8ed621b916cf851855cd2c616af85a19534bfc25b5806ca43cbb58

General

Target

713290575.exe
Size

271KB
MD5

042c5506f6d384f18529e2247c09b2d1
SHA1

f6e91718b5bcf487e1fc040d228e87c7cdf72aae
SHA256

34ba86fe0e8ed621b916cf851855cd2c616af85a19534bfc25b5806ca43cbb58
SHA512

7d2fc7c1ebf7eea04c3846ff99ac7ba55a8f98225a4a3e679e55b3d9b9887487c822582cb4fb85493b66ac9c2d3e501872e8bfb2f6f87d36315051bf9f0cbaa3
SSDEEP

6144:QBn1ufsqsOrt2ureZR0SJ+9/NDEBeZSeR36:guEIt2urg2/NDEBeZrR36

Score

10^/10

formbook yurm persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

yurm

Decoy

X06d1tis1GUX/R0g87Ud

BKiZ33D1P766GVXO1ZwV

lAFdjB7CSxGX8Trz

Gc7dWizTVxWX8Trz

tDkr9JAfi1OHAW1PGOageIp4

bCpMtHKU3mVp8BY5sQ==

7WKpsMWt8nsrhJClJeOZNg==

0A9KTlETQ86Cmd8k0o5NP5RwCg==

aJ61paNJztSp42c=

CrgoA8ySIOsytCbO1ZwV

i46SnHYDD9tTIHI=

XFRCRCjtFZeU3x4Rn3xfD5BnPz+RDA==

c4CZghuHvzW9A31gEz0d

QAjzz9qyRRWBNYseAI4M

Jpbmu4A1YvBvN3ruZgiRmJA5BCFd

PfoFXGNFhhuX8Trz

bqCfk0m8ApAl+Tm1Ms5Tb23IT7tS

z7INff7HNALxc5HWq2/ftrVR6A7R1zvTUQ==

m7IShV4LSFxbqxhrVsZ1Ig==

BHRp7q0gtoRuqBRnVsZ1Ig==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

xyvpsaxhg.exexyvpsaxhg.exe

pid process

1576 xyvpsaxhg.exe
668 xyvpsaxhg.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

xyvpsaxhg.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation xyvpsaxhg.exe
Loads dropped DLL 3 IoCs

Processes:

713290575.exexyvpsaxhg.exeipconfig.exe

pid process

1708 713290575.exe
1576 xyvpsaxhg.exe
1696 ipconfig.exe

pid	process
1576	xyvpsaxhg.exe
668	xyvpsaxhg.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation	xyvpsaxhg.exe

pid	process
1708	713290575.exe
1576	xyvpsaxhg.exe
1696	ipconfig.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

xyvpsaxhg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\bpjpistakkuwv = "C:\\Users\\Admin\\AppData\\Roaming\\vmlabyfvgrncd\\xgjhkwlvohqq.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\xyvpsaxhg.exe\" C:\\Users\\Admin\\App"	xyvpsaxhg.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

xyvpsaxhg.exexyvpsaxhg.exeipconfig.exe

description	pid	process	target process
PID 1576 set thread context of 668	1576	xyvpsaxhg.exe	xyvpsaxhg.exe
PID 668 set thread context of 1236	668	xyvpsaxhg.exe	Explorer.EXE
PID 1696 set thread context of 1236	1696	ipconfig.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1696 ipconfig.exe

pid	process
1696	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

ipconfig.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

xyvpsaxhg.exeipconfig.exe

pid	process
668	xyvpsaxhg.exe
668	xyvpsaxhg.exe
668	xyvpsaxhg.exe
668	xyvpsaxhg.exe
1696	ipconfig.exe
1696	ipconfig.exe
1696	ipconfig.exe
1696	ipconfig.exe
1696	ipconfig.exe
1696	ipconfig.exe
1696	ipconfig.exe
1696	ipconfig.exe
1696	ipconfig.exe
1696	ipconfig.exe
1696	ipconfig.exe
1696	ipconfig.exe
1696	ipconfig.exe
1696	ipconfig.exe
1696	ipconfig.exe
1696	ipconfig.exe
1696	ipconfig.exe
1696	ipconfig.exe
1696	ipconfig.exe
1696	ipconfig.exe
1696	ipconfig.exe
1696	ipconfig.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1236 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

xyvpsaxhg.exexyvpsaxhg.exeipconfig.exe

pid process

1576 xyvpsaxhg.exe
668 xyvpsaxhg.exe
668 xyvpsaxhg.exe
668 xyvpsaxhg.exe
1696 ipconfig.exe
1696 ipconfig.exe
1696 ipconfig.exe
1696 ipconfig.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

xyvpsaxhg.exeipconfig.exe

description pid process

Token: SeDebugPrivilege 668 xyvpsaxhg.exe
Token: SeDebugPrivilege 1696 ipconfig.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1236 Explorer.EXE
1236 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1236 Explorer.EXE
1236 Explorer.EXE

pid	process
1236	Explorer.EXE

pid	process
1576	xyvpsaxhg.exe
668	xyvpsaxhg.exe
668	xyvpsaxhg.exe
668	xyvpsaxhg.exe
1696	ipconfig.exe
1696	ipconfig.exe
1696	ipconfig.exe
1696	ipconfig.exe

description	pid	process
Token: SeDebugPrivilege	668	xyvpsaxhg.exe
Token: SeDebugPrivilege	1696	ipconfig.exe

pid	process
1236	Explorer.EXE
1236	Explorer.EXE

pid	process
1236	Explorer.EXE
1236	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

713290575.exexyvpsaxhg.exeExplorer.EXEipconfig.exe

description	pid	process	target process
PID 1708 wrote to memory of 1576	1708	713290575.exe	xyvpsaxhg.exe
PID 1708 wrote to memory of 1576	1708	713290575.exe	xyvpsaxhg.exe
PID 1708 wrote to memory of 1576	1708	713290575.exe	xyvpsaxhg.exe
PID 1708 wrote to memory of 1576	1708	713290575.exe	xyvpsaxhg.exe
PID 1576 wrote to memory of 668	1576	xyvpsaxhg.exe	xyvpsaxhg.exe
PID 1576 wrote to memory of 668	1576	xyvpsaxhg.exe	xyvpsaxhg.exe
PID 1576 wrote to memory of 668	1576	xyvpsaxhg.exe	xyvpsaxhg.exe
PID 1576 wrote to memory of 668	1576	xyvpsaxhg.exe	xyvpsaxhg.exe
PID 1576 wrote to memory of 668	1576	xyvpsaxhg.exe	xyvpsaxhg.exe
PID 1236 wrote to memory of 1696	1236	Explorer.EXE	ipconfig.exe
PID 1236 wrote to memory of 1696	1236	Explorer.EXE	ipconfig.exe
PID 1236 wrote to memory of 1696	1236	Explorer.EXE	ipconfig.exe
PID 1236 wrote to memory of 1696	1236	Explorer.EXE	ipconfig.exe
PID 1696 wrote to memory of 1272	1696	ipconfig.exe	Firefox.exe
PID 1696 wrote to memory of 1272	1696	ipconfig.exe	Firefox.exe
PID 1696 wrote to memory of 1272	1696	ipconfig.exe	Firefox.exe
PID 1696 wrote to memory of 1272	1696	ipconfig.exe	Firefox.exe
PID 1696 wrote to memory of 1272	1696	ipconfig.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1236

C:\Users\Admin\AppData\Local\Temp\713290575.exe
"C:\Users\Admin\AppData\Local\Temp\713290575.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1708

C:\Users\Admin\AppData\Local\Temp\xyvpsaxhg.exe
"C:\Users\Admin\AppData\Local\Temp\xyvpsaxhg.exe" C:\Users\Admin\AppData\Local\Temp\pqdivdru.j
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1576

C:\Users\Admin\AppData\Local\Temp\xyvpsaxhg.exe
"C:\Users\Admin\AppData\Local\Temp\xyvpsaxhg.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:668

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Gathers network information
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1696

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1272

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pqdivdru.j
Filesize
7KB

MD5
112c58cc0d7557c13b500fd901a97164

SHA1
8c02afae7fd6caee5a51ad36d161c176dc156010

SHA256
783d842d977cb802f87c2c4b503134b4d1d63a727fbe2ceedbf3d8fa0ff329d8

SHA512
8b6f76f58a6e086be78a99182f3e7f20437598af12c7fb0f86febf94c1617b4ef9476e405b5b46bba292936165433199b81c354c0b853f1f7ce914fa9893d7bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\rjdkrussue.xr
Filesize
185KB

MD5
6145b59a27fbedf9d079a857efc172be

SHA1
7e06ebad08546e86ca4fbceb83cbfd3d10eb9fb7

SHA256
a44c5dd3f79e73d60592b495b63da598e57d05c67c914e16e3cc69a19ea1b72b

SHA512
ef245e314570861e2120a20e095abbdb6ce09289188f6ea53221fbd3e717a339eac8848154733eb3eba684558353d532f7348c00f7bf102fa54d7f92d69f5c8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\xyvpsaxhg.exe
Filesize
100KB

MD5
7d2f68788b3ee076fa9eb6484ee05bd9

SHA1
bd8580a0f568152464117fcf534af2b39b4bc7e3

SHA256
dfcafdc033e87358e4fc663167b213beaae80bc886a670f4ca535bdaaca6ba05

SHA512
2df7465c7ad674a02a2179ca2b6a397f743079a45bff64d415c7a328af64e3e2928ca0e9f63d19f871d20ee191e706b9fcf093ce7d676ba40d06e23caf000137

Download Submit
C:\Users\Admin\AppData\Local\Temp\xyvpsaxhg.exe
Filesize
100KB

MD5
7d2f68788b3ee076fa9eb6484ee05bd9

SHA1
bd8580a0f568152464117fcf534af2b39b4bc7e3

SHA256
dfcafdc033e87358e4fc663167b213beaae80bc886a670f4ca535bdaaca6ba05

SHA512
2df7465c7ad674a02a2179ca2b6a397f743079a45bff64d415c7a328af64e3e2928ca0e9f63d19f871d20ee191e706b9fcf093ce7d676ba40d06e23caf000137

Download Submit
C:\Users\Admin\AppData\Local\Temp\xyvpsaxhg.exe
Filesize
100KB

MD5
7d2f68788b3ee076fa9eb6484ee05bd9

SHA1
bd8580a0f568152464117fcf534af2b39b4bc7e3

SHA256
dfcafdc033e87358e4fc663167b213beaae80bc886a670f4ca535bdaaca6ba05

SHA512
2df7465c7ad674a02a2179ca2b6a397f743079a45bff64d415c7a328af64e3e2928ca0e9f63d19f871d20ee191e706b9fcf093ce7d676ba40d06e23caf000137

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
810KB

MD5
c6ec991471d42128268ea10236d9cdb8

SHA1
d569350d02db6a118136220da8de40a9973084f1

SHA256
1b755cc3093dd45a0df857854aedfeb3c8f3622cff5bc491f2d492ebfa3ef8e0

SHA512
a67ed46547b9270c8a5a7a947b375cb6baf3211072f90170aae2bb6ce9c4fe9d7be3e9d782420dcfdbc19a1f232b3be561ca503b80e8dc3e036a62c54cad5b57

Download Submit
\Users\Admin\AppData\Local\Temp\xyvpsaxhg.exe
Filesize
100KB

MD5
7d2f68788b3ee076fa9eb6484ee05bd9

SHA1
bd8580a0f568152464117fcf534af2b39b4bc7e3

SHA256
dfcafdc033e87358e4fc663167b213beaae80bc886a670f4ca535bdaaca6ba05

SHA512
2df7465c7ad674a02a2179ca2b6a397f743079a45bff64d415c7a328af64e3e2928ca0e9f63d19f871d20ee191e706b9fcf093ce7d676ba40d06e23caf000137

Download Submit
\Users\Admin\AppData\Local\Temp\xyvpsaxhg.exe
Filesize
100KB

MD5
7d2f68788b3ee076fa9eb6484ee05bd9

SHA1
bd8580a0f568152464117fcf534af2b39b4bc7e3

SHA256
dfcafdc033e87358e4fc663167b213beaae80bc886a670f4ca535bdaaca6ba05

SHA512
2df7465c7ad674a02a2179ca2b6a397f743079a45bff64d415c7a328af64e3e2928ca0e9f63d19f871d20ee191e706b9fcf093ce7d676ba40d06e23caf000137

Download Submit
memory/668-67-0x0000000000930000-0x0000000000C33000-memory.dmp

Filesize
3.0MB

Download
memory/668-63-0x00000000004012B0-mapping.dmp

Download
memory/668-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/668-66-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/668-68-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/1236-69-0x0000000005DF0000-0x0000000005F84000-memory.dmp

Filesize
1.6MB

Download
memory/1236-78-0x0000000007440000-0x00000000075B6000-memory.dmp

Filesize
1.5MB

Download
memory/1236-76-0x0000000007440000-0x00000000075B6000-memory.dmp

Filesize
1.5MB

Download
memory/1576-56-0x0000000000000000-mapping.dmp

Download
memory/1696-74-0x0000000002020000-0x0000000002323000-memory.dmp

Filesize
3.0MB

Download
memory/1696-73-0x00000000000B0000-0x00000000000DD000-memory.dmp

Filesize
180KB

Download
memory/1696-75-0x0000000000730000-0x00000000007BF000-memory.dmp

Filesize
572KB

Download
memory/1696-72-0x00000000000A0000-0x00000000000AA000-memory.dmp

Filesize
40KB

Download
memory/1696-77-0x00000000000B0000-0x00000000000DD000-memory.dmp

Filesize
180KB

Download
memory/1696-70-0x0000000000000000-mapping.dmp

Download
memory/1708-54-0x0000000075111000-0x0000000075113000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads