formbook | 8c011e911b1f66852a1e9b335db2779d320749730155cf63bd2956fd338d6244

General

Target

Quote.exe
Size

225KB
MD5

321f3295b04cccbbcff5a78a19a92c02
SHA1

18a59fbe2535105067608b8755aee0c2ec1e495a
SHA256

8c011e911b1f66852a1e9b335db2779d320749730155cf63bd2956fd338d6244
SHA512

1776e0abd19fa36adee495d6b6a39d233e847d717ce9ac6e3fd40398a80ee693380fc1ae2daefc938f6a36b413ca522f8250f241384ec3680815ec79afb6a8eb
SSDEEP

6144:QBn1Mv+a0+CnUDn3zBaySG9PY2B25IuoXqFv:g/a0hUDn1au9A2BiIk

Score

10^/10

formbook 0pnv rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

0pnv

Decoy

UeENxNlh2xN7FieUBpBO5lfm

VvcQB1LzT23hsKXRjUwN

UVO18MGf5AY=

oVF8eOF3t9kzAV7CeQ==

jxtEEGsdit4/yuxAdkB8E7LhuAs=

+Pyb8Pke6z59Fg==

pVcPluOJ7ka2WgGWOCCXNw==

5LDqHC4BbYeYhIb0

7pJjqueb8CWBTHLBDsSrEmnUoCy9ui4=

tB4+XKJLlrcv9ARTgCMfXbLhuAs=

4ZM3rO+R/mKOSkpPOQm3KYs=

sKlboNhxxswqHV+UYA==

Ld8s8DrxSqXbpro=

ZSMbPsuFz+gK3msQZB4=

W99Y4Ho8nu1UFo7EOCCXNw==

p48821D7QKXbpro=

Arvd0En7V5D3r1eofzZ8E7LhuAs=

dBc8LKJhweNJFVW7ewE=

BK3FWptVndAtAV7CeQ==

G9eJAmIDDXLur7g=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Blocklisted process makes network request 1 IoCs

Processes:

cmstp.exe

flow pid process

7 1136 cmstp.exe
Executes dropped EXE 2 IoCs

Processes:

ymvuqqpv.exeymvuqqpv.exe

pid process

1908 ymvuqqpv.exe
624 ymvuqqpv.exe

flow	pid	process
7	1136	cmstp.exe

pid	process
1908	ymvuqqpv.exe
624	ymvuqqpv.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ymvuqqpv.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation	ymvuqqpv.exe

Loads dropped DLL 3 IoCs

Processes:

Quote.exeymvuqqpv.execmstp.exe

pid process

1164 Quote.exe
1908 ymvuqqpv.exe
1136 cmstp.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1164	Quote.exe
1908	ymvuqqpv.exe
1136	cmstp.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

ymvuqqpv.exeymvuqqpv.execmstp.exe

description	pid	process	target process
PID 1908 set thread context of 624	1908	ymvuqqpv.exe	ymvuqqpv.exe
PID 624 set thread context of 1432	624	ymvuqqpv.exe	Explorer.EXE
PID 1136 set thread context of 1432	1136	cmstp.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

cmstp.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cmstp.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

ymvuqqpv.execmstp.exe

pid	process
624	ymvuqqpv.exe
624	ymvuqqpv.exe
624	ymvuqqpv.exe
624	ymvuqqpv.exe
1136	cmstp.exe
1136	cmstp.exe
1136	cmstp.exe
1136	cmstp.exe
1136	cmstp.exe
1136	cmstp.exe
1136	cmstp.exe
1136	cmstp.exe
1136	cmstp.exe
1136	cmstp.exe
1136	cmstp.exe
1136	cmstp.exe
1136	cmstp.exe
1136	cmstp.exe
1136	cmstp.exe
1136	cmstp.exe
1136	cmstp.exe
1136	cmstp.exe
1136	cmstp.exe
1136	cmstp.exe
1136	cmstp.exe

Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

ymvuqqpv.exeymvuqqpv.execmstp.exe

pid process

1908 ymvuqqpv.exe
624 ymvuqqpv.exe
624 ymvuqqpv.exe
624 ymvuqqpv.exe
1136 cmstp.exe
1136 cmstp.exe
1136 cmstp.exe
1136 cmstp.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

ymvuqqpv.execmstp.exeExplorer.EXE

description pid process

Token: SeDebugPrivilege 624 ymvuqqpv.exe
Token: SeDebugPrivilege 1136 cmstp.exe
Token: SeShutdownPrivilege 1432 Explorer.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1432 Explorer.EXE
1432 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1432 Explorer.EXE
1432 Explorer.EXE

pid	process
1908	ymvuqqpv.exe
624	ymvuqqpv.exe
624	ymvuqqpv.exe
624	ymvuqqpv.exe
1136	cmstp.exe
1136	cmstp.exe
1136	cmstp.exe
1136	cmstp.exe

description	pid	process
Token: SeDebugPrivilege	624	ymvuqqpv.exe
Token: SeDebugPrivilege	1136	cmstp.exe
Token: SeShutdownPrivilege	1432	Explorer.EXE

pid	process
1432	Explorer.EXE
1432	Explorer.EXE

pid	process
1432	Explorer.EXE
1432	Explorer.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

Quote.exeymvuqqpv.exeExplorer.EXEcmstp.exe

description	pid	process	target process
PID 1164 wrote to memory of 1908	1164	Quote.exe	ymvuqqpv.exe
PID 1164 wrote to memory of 1908	1164	Quote.exe	ymvuqqpv.exe
PID 1164 wrote to memory of 1908	1164	Quote.exe	ymvuqqpv.exe
PID 1164 wrote to memory of 1908	1164	Quote.exe	ymvuqqpv.exe
PID 1908 wrote to memory of 624	1908	ymvuqqpv.exe	ymvuqqpv.exe
PID 1908 wrote to memory of 624	1908	ymvuqqpv.exe	ymvuqqpv.exe
PID 1908 wrote to memory of 624	1908	ymvuqqpv.exe	ymvuqqpv.exe
PID 1908 wrote to memory of 624	1908	ymvuqqpv.exe	ymvuqqpv.exe
PID 1908 wrote to memory of 624	1908	ymvuqqpv.exe	ymvuqqpv.exe
PID 1432 wrote to memory of 1136	1432	Explorer.EXE	cmstp.exe
PID 1432 wrote to memory of 1136	1432	Explorer.EXE	cmstp.exe
PID 1432 wrote to memory of 1136	1432	Explorer.EXE	cmstp.exe
PID 1432 wrote to memory of 1136	1432	Explorer.EXE	cmstp.exe
PID 1432 wrote to memory of 1136	1432	Explorer.EXE	cmstp.exe
PID 1432 wrote to memory of 1136	1432	Explorer.EXE	cmstp.exe
PID 1432 wrote to memory of 1136	1432	Explorer.EXE	cmstp.exe
PID 1136 wrote to memory of 1980	1136	cmstp.exe	Firefox.exe
PID 1136 wrote to memory of 1980	1136	cmstp.exe	Firefox.exe
PID 1136 wrote to memory of 1980	1136	cmstp.exe	Firefox.exe
PID 1136 wrote to memory of 1980	1136	cmstp.exe	Firefox.exe
PID 1136 wrote to memory of 1980	1136	cmstp.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1432

C:\Users\Admin\AppData\Local\Temp\Quote.exe
"C:\Users\Admin\AppData\Local\Temp\Quote.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1164

C:\Users\Admin\AppData\Local\Temp\ymvuqqpv.exe
"C:\Users\Admin\AppData\Local\Temp\ymvuqqpv.exe" C:\Users\Admin\AppData\Local\Temp\ajpcdhql.cy
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1908

C:\Users\Admin\AppData\Local\Temp\ymvuqqpv.exe
"C:\Users\Admin\AppData\Local\Temp\ymvuqqpv.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:624

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1136

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1980

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ajpcdhql.cy
Filesize
5KB

MD5
cacf272177d2135e35faf3aa93167540

SHA1
6ea6b033eff2b963d63a2e149b9b7525c41d80ae

SHA256
93480c540f9b82fe13ac54ecf95562de42054172efd179d797c4f6c7c97e07cf

SHA512
278aff52c4d882cfe98389ea4bcf53ac8d6245c12bb276f521b2852b12f01a241aa9d6e4de84a1c0b7d752f7cb93e1f31e794c82ee35096ba657fec18e5920a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\uzhmrrk.wkl
Filesize
185KB

MD5
37e9542038b738ed656949c9e64814fc

SHA1
b825cea9a9b826857ff404a6bbb4200f7b0dc837

SHA256
bd83a9cfee893492264750dd5c3582f86d47d37875ce280fb895c7909c8336dc

SHA512
53ce181e8a63de2bcc1cf6521bf6d2e963cab4530e1b4c139cdd4800fa0b131566036b0215904e03077075a4e13e4158010789f6f27d28c839d2ec6a06007583

Download Submit
C:\Users\Admin\AppData\Local\Temp\ymvuqqpv.exe
Filesize
13KB

MD5
03de537afe7cd5629ac193ec751781da

SHA1
f538844fb828c89c57f0a38cb104c9494a579a72

SHA256
285d3ad53a34aee72b74016f675e15b85d508411c3bf54a6c961c86a5e15d89e

SHA512
dc2cf6b16007c7ec4e2d15649a73c0f8b74e455bfecb8aeb2f3cebc454bd38f68bbfa8d0aeeefc06937d2e781b29ac611d8472ae1454cf2f42c77577cdd48fec

Download Submit
C:\Users\Admin\AppData\Local\Temp\ymvuqqpv.exe
Filesize
13KB

MD5
03de537afe7cd5629ac193ec751781da

SHA1
f538844fb828c89c57f0a38cb104c9494a579a72

SHA256
285d3ad53a34aee72b74016f675e15b85d508411c3bf54a6c961c86a5e15d89e

SHA512
dc2cf6b16007c7ec4e2d15649a73c0f8b74e455bfecb8aeb2f3cebc454bd38f68bbfa8d0aeeefc06937d2e781b29ac611d8472ae1454cf2f42c77577cdd48fec

Download Submit
C:\Users\Admin\AppData\Local\Temp\ymvuqqpv.exe
Filesize
13KB

MD5
03de537afe7cd5629ac193ec751781da

SHA1
f538844fb828c89c57f0a38cb104c9494a579a72

SHA256
285d3ad53a34aee72b74016f675e15b85d508411c3bf54a6c961c86a5e15d89e

SHA512
dc2cf6b16007c7ec4e2d15649a73c0f8b74e455bfecb8aeb2f3cebc454bd38f68bbfa8d0aeeefc06937d2e781b29ac611d8472ae1454cf2f42c77577cdd48fec

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
831KB

MD5
05ace2f6d9bef6fd9bbd05ee5262a1f2

SHA1
5cce2228e0d9c6cc913cf551e0bf7c76ed74ff59

SHA256
002459f4d4758011b4d7f36935f1fe323494b847f8c173a551076a3d30475ebc

SHA512
1e717a66a72eb626727144fa7458f472ada54fd1be37072c9e740945e34ba94025737aef44e54752c50c5b79a583c6a91a0d8043bf1bf7c3e7cab8537207f9fc

Download Submit
\Users\Admin\AppData\Local\Temp\ymvuqqpv.exe
Filesize
13KB

MD5
03de537afe7cd5629ac193ec751781da

SHA1
f538844fb828c89c57f0a38cb104c9494a579a72

SHA256
285d3ad53a34aee72b74016f675e15b85d508411c3bf54a6c961c86a5e15d89e

SHA512
dc2cf6b16007c7ec4e2d15649a73c0f8b74e455bfecb8aeb2f3cebc454bd38f68bbfa8d0aeeefc06937d2e781b29ac611d8472ae1454cf2f42c77577cdd48fec

Download Submit
\Users\Admin\AppData\Local\Temp\ymvuqqpv.exe
Filesize
13KB

MD5
03de537afe7cd5629ac193ec751781da

SHA1
f538844fb828c89c57f0a38cb104c9494a579a72

SHA256
285d3ad53a34aee72b74016f675e15b85d508411c3bf54a6c961c86a5e15d89e

SHA512
dc2cf6b16007c7ec4e2d15649a73c0f8b74e455bfecb8aeb2f3cebc454bd38f68bbfa8d0aeeefc06937d2e781b29ac611d8472ae1454cf2f42c77577cdd48fec

Download Submit
memory/624-66-0x0000000000840000-0x0000000000B43000-memory.dmp

Filesize
3.0MB

Download
memory/624-67-0x0000000000422000-0x0000000000424000-memory.dmp

Filesize
8KB

Download
memory/624-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/624-65-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/624-62-0x00000000004012B0-mapping.dmp

Download
memory/624-68-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/1136-72-0x0000000000300000-0x0000000000318000-memory.dmp

Filesize
96KB

Download
memory/1136-70-0x0000000000000000-mapping.dmp

Download
memory/1136-74-0x0000000002030000-0x0000000002333000-memory.dmp

Filesize
3.0MB

Download
memory/1136-73-0x0000000000090000-0x00000000000BD000-memory.dmp

Filesize
180KB

Download
memory/1136-75-0x0000000000320000-0x00000000003AF000-memory.dmp

Filesize
572KB

Download
memory/1136-77-0x0000000000090000-0x00000000000BD000-memory.dmp

Filesize
180KB

Download
memory/1164-54-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download
memory/1432-69-0x0000000006920000-0x0000000006A1F000-memory.dmp

Filesize
1020KB

Download
memory/1432-76-0x0000000006A20000-0x0000000006B15000-memory.dmp

Filesize
980KB

Download
memory/1432-78-0x0000000006A20000-0x0000000006B15000-memory.dmp

Filesize
980KB

Download
memory/1908-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads