formbook | 34ba86fe0e8ed621b916cf851855cd2c616af85a19534bfc25b5806ca43cbb58

General

Target

713290575.exe
Size

271KB
MD5

042c5506f6d384f18529e2247c09b2d1
SHA1

f6e91718b5bcf487e1fc040d228e87c7cdf72aae
SHA256

34ba86fe0e8ed621b916cf851855cd2c616af85a19534bfc25b5806ca43cbb58
SHA512

7d2fc7c1ebf7eea04c3846ff99ac7ba55a8f98225a4a3e679e55b3d9b9887487c822582cb4fb85493b66ac9c2d3e501872e8bfb2f6f87d36315051bf9f0cbaa3
SSDEEP

6144:QBn1ufsqsOrt2ureZR0SJ+9/NDEBeZSeR36:guEIt2urg2/NDEBeZrR36

Score

10^/10

formbook yurm persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

yurm

Decoy

X06d1tis1GUX/R0g87Ud

BKiZ33D1P766GVXO1ZwV

lAFdjB7CSxGX8Trz

Gc7dWizTVxWX8Trz

tDkr9JAfi1OHAW1PGOageIp4

bCpMtHKU3mVp8BY5sQ==

7WKpsMWt8nsrhJClJeOZNg==

0A9KTlETQ86Cmd8k0o5NP5RwCg==

aJ61paNJztSp42c=

CrgoA8ySIOsytCbO1ZwV

i46SnHYDD9tTIHI=

XFRCRCjtFZeU3x4Rn3xfD5BnPz+RDA==

c4CZghuHvzW9A31gEz0d

QAjzz9qyRRWBNYseAI4M

Jpbmu4A1YvBvN3ruZgiRmJA5BCFd

PfoFXGNFhhuX8Trz

bqCfk0m8ApAl+Tm1Ms5Tb23IT7tS

z7INff7HNALxc5HWq2/ftrVR6A7R1zvTUQ==

m7IShV4LSFxbqxhrVsZ1Ig==

BHRp7q0gtoRuqBRnVsZ1Ig==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

xyvpsaxhg.exexyvpsaxhg.exe

pid process

3200 xyvpsaxhg.exe
4920 xyvpsaxhg.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

xyvpsaxhg.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation xyvpsaxhg.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	xyvpsaxhg.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

xyvpsaxhg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bpjpistakkuwv = "C:\\Users\\Admin\\AppData\\Roaming\\vmlabyfvgrncd\\xgjhkwlvohqq.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\xyvpsaxhg.exe\" C:\\Users\\Admin\\App"	xyvpsaxhg.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

xyvpsaxhg.exexyvpsaxhg.exechkdsk.exe

description	pid	process	target process
PID 3200 set thread context of 4920	3200	xyvpsaxhg.exe	xyvpsaxhg.exe
PID 4920 set thread context of 900	4920	xyvpsaxhg.exe	Explorer.EXE
PID 4920 set thread context of 900	4920	xyvpsaxhg.exe	Explorer.EXE
PID 2200 set thread context of 900	2200	chkdsk.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

chkdsk.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier chkdsk.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

chkdsk.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	chkdsk.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

xyvpsaxhg.exechkdsk.exe

pid	process
4920	xyvpsaxhg.exe
4920	xyvpsaxhg.exe
4920	xyvpsaxhg.exe
4920	xyvpsaxhg.exe
4920	xyvpsaxhg.exe
4920	xyvpsaxhg.exe
4920	xyvpsaxhg.exe
4920	xyvpsaxhg.exe
4920	xyvpsaxhg.exe
4920	xyvpsaxhg.exe
2200	chkdsk.exe
2200	chkdsk.exe
2200	chkdsk.exe
2200	chkdsk.exe
2200	chkdsk.exe
2200	chkdsk.exe
2200	chkdsk.exe
2200	chkdsk.exe
2200	chkdsk.exe
2200	chkdsk.exe
2200	chkdsk.exe
2200	chkdsk.exe
2200	chkdsk.exe
2200	chkdsk.exe
2200	chkdsk.exe
2200	chkdsk.exe
2200	chkdsk.exe
2200	chkdsk.exe
2200	chkdsk.exe
2200	chkdsk.exe
2200	chkdsk.exe
2200	chkdsk.exe
2200	chkdsk.exe
2200	chkdsk.exe
2200	chkdsk.exe
2200	chkdsk.exe
2200	chkdsk.exe
2200	chkdsk.exe
2200	chkdsk.exe
2200	chkdsk.exe
2200	chkdsk.exe
2200	chkdsk.exe
2200	chkdsk.exe
2200	chkdsk.exe
2200	chkdsk.exe
2200	chkdsk.exe
2200	chkdsk.exe
2200	chkdsk.exe
2200	chkdsk.exe
2200	chkdsk.exe
2200	chkdsk.exe
2200	chkdsk.exe
2200	chkdsk.exe
2200	chkdsk.exe
2200	chkdsk.exe
2200	chkdsk.exe
2200	chkdsk.exe
2200	chkdsk.exe
2200	chkdsk.exe
2200	chkdsk.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

900 Explorer.EXE

pid	process
900	Explorer.EXE

Suspicious behavior: MapViewOfSection 10 IoCs

Processes:

xyvpsaxhg.exexyvpsaxhg.exechkdsk.exe

pid	process
3200	xyvpsaxhg.exe
3200	xyvpsaxhg.exe
4920	xyvpsaxhg.exe
4920	xyvpsaxhg.exe
4920	xyvpsaxhg.exe
4920	xyvpsaxhg.exe
2200	chkdsk.exe
2200	chkdsk.exe
2200	chkdsk.exe
2200	chkdsk.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

xyvpsaxhg.exechkdsk.exe

description pid process

Token: SeDebugPrivilege 4920 xyvpsaxhg.exe
Token: SeDebugPrivilege 2200 chkdsk.exe

description	pid	process
Token: SeDebugPrivilege	4920	xyvpsaxhg.exe
Token: SeDebugPrivilege	2200	chkdsk.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

713290575.exexyvpsaxhg.exeExplorer.EXEchkdsk.exe

description	pid	process	target process
PID 3712 wrote to memory of 3200	3712	713290575.exe	xyvpsaxhg.exe
PID 3712 wrote to memory of 3200	3712	713290575.exe	xyvpsaxhg.exe
PID 3712 wrote to memory of 3200	3712	713290575.exe	xyvpsaxhg.exe
PID 3200 wrote to memory of 4920	3200	xyvpsaxhg.exe	xyvpsaxhg.exe
PID 3200 wrote to memory of 4920	3200	xyvpsaxhg.exe	xyvpsaxhg.exe
PID 3200 wrote to memory of 4920	3200	xyvpsaxhg.exe	xyvpsaxhg.exe
PID 3200 wrote to memory of 4920	3200	xyvpsaxhg.exe	xyvpsaxhg.exe
PID 900 wrote to memory of 2200	900	Explorer.EXE	chkdsk.exe
PID 900 wrote to memory of 2200	900	Explorer.EXE	chkdsk.exe
PID 900 wrote to memory of 2200	900	Explorer.EXE	chkdsk.exe
PID 2200 wrote to memory of 3464	2200	chkdsk.exe	Firefox.exe
PID 2200 wrote to memory of 3464	2200	chkdsk.exe	Firefox.exe
PID 2200 wrote to memory of 3464	2200	chkdsk.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:900

C:\Users\Admin\AppData\Local\Temp\713290575.exe
"C:\Users\Admin\AppData\Local\Temp\713290575.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3712

C:\Users\Admin\AppData\Local\Temp\xyvpsaxhg.exe
"C:\Users\Admin\AppData\Local\Temp\xyvpsaxhg.exe" C:\Users\Admin\AppData\Local\Temp\pqdivdru.j
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3200

C:\Users\Admin\AppData\Local\Temp\xyvpsaxhg.exe
"C:\Users\Admin\AppData\Local\Temp\xyvpsaxhg.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4920

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2200

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:3464

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pqdivdru.j
Filesize
7KB

MD5
112c58cc0d7557c13b500fd901a97164

SHA1
8c02afae7fd6caee5a51ad36d161c176dc156010

SHA256
783d842d977cb802f87c2c4b503134b4d1d63a727fbe2ceedbf3d8fa0ff329d8

SHA512
8b6f76f58a6e086be78a99182f3e7f20437598af12c7fb0f86febf94c1617b4ef9476e405b5b46bba292936165433199b81c354c0b853f1f7ce914fa9893d7bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\rjdkrussue.xr
Filesize
185KB

MD5
6145b59a27fbedf9d079a857efc172be

SHA1
7e06ebad08546e86ca4fbceb83cbfd3d10eb9fb7

SHA256
a44c5dd3f79e73d60592b495b63da598e57d05c67c914e16e3cc69a19ea1b72b

SHA512
ef245e314570861e2120a20e095abbdb6ce09289188f6ea53221fbd3e717a339eac8848154733eb3eba684558353d532f7348c00f7bf102fa54d7f92d69f5c8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\xyvpsaxhg.exe
Filesize
100KB

MD5
7d2f68788b3ee076fa9eb6484ee05bd9

SHA1
bd8580a0f568152464117fcf534af2b39b4bc7e3

SHA256
dfcafdc033e87358e4fc663167b213beaae80bc886a670f4ca535bdaaca6ba05

SHA512
2df7465c7ad674a02a2179ca2b6a397f743079a45bff64d415c7a328af64e3e2928ca0e9f63d19f871d20ee191e706b9fcf093ce7d676ba40d06e23caf000137

Download Submit
C:\Users\Admin\AppData\Local\Temp\xyvpsaxhg.exe
Filesize
100KB

MD5
7d2f68788b3ee076fa9eb6484ee05bd9

SHA1
bd8580a0f568152464117fcf534af2b39b4bc7e3

SHA256
dfcafdc033e87358e4fc663167b213beaae80bc886a670f4ca535bdaaca6ba05

SHA512
2df7465c7ad674a02a2179ca2b6a397f743079a45bff64d415c7a328af64e3e2928ca0e9f63d19f871d20ee191e706b9fcf093ce7d676ba40d06e23caf000137

Download Submit
C:\Users\Admin\AppData\Local\Temp\xyvpsaxhg.exe
Filesize
100KB

MD5
7d2f68788b3ee076fa9eb6484ee05bd9

SHA1
bd8580a0f568152464117fcf534af2b39b4bc7e3

SHA256
dfcafdc033e87358e4fc663167b213beaae80bc886a670f4ca535bdaaca6ba05

SHA512
2df7465c7ad674a02a2179ca2b6a397f743079a45bff64d415c7a328af64e3e2928ca0e9f63d19f871d20ee191e706b9fcf093ce7d676ba40d06e23caf000137

Download Submit
memory/900-142-0x0000000008570000-0x00000000086D3000-memory.dmp

Filesize
1.4MB

Download
memory/900-153-0x0000000008BD0000-0x0000000008CBD000-memory.dmp

Filesize
948KB

Download
memory/900-151-0x0000000008BD0000-0x0000000008CBD000-memory.dmp

Filesize
948KB

Download
memory/900-144-0x0000000008B00000-0x0000000008BCB000-memory.dmp

Filesize
812KB

Download
memory/2200-147-0x0000000000350000-0x000000000035A000-memory.dmp

Filesize
40KB

Download
memory/2200-145-0x0000000000000000-mapping.dmp

Download
memory/2200-148-0x0000000000B40000-0x0000000000B6D000-memory.dmp

Filesize
180KB

Download
memory/2200-149-0x00000000014A0000-0x00000000017EA000-memory.dmp

Filesize
3.3MB

Download
memory/2200-150-0x0000000001320000-0x00000000013AF000-memory.dmp

Filesize
572KB

Download
memory/2200-152-0x0000000000B40000-0x0000000000B6D000-memory.dmp

Filesize
180KB

Download
memory/3200-132-0x0000000000000000-mapping.dmp

Download
memory/4920-141-0x0000000000A70000-0x0000000000A80000-memory.dmp

Filesize
64KB

Download
memory/4920-143-0x0000000002B30000-0x0000000002B40000-memory.dmp

Filesize
64KB

Download
memory/4920-140-0x0000000000DD0000-0x000000000111A000-memory.dmp

Filesize
3.3MB

Download
memory/4920-146-0x0000000000790000-0x00000000007BF000-memory.dmp

Filesize
188KB

Download
memory/4920-139-0x0000000000790000-0x00000000007BF000-memory.dmp

Filesize
188KB

Download
memory/4920-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads