formbook | 8c011e911b1f66852a1e9b335db2779d320749730155cf63bd2956fd338d6244

General

Target

Quote.exe
Size

225KB
MD5

321f3295b04cccbbcff5a78a19a92c02
SHA1

18a59fbe2535105067608b8755aee0c2ec1e495a
SHA256

8c011e911b1f66852a1e9b335db2779d320749730155cf63bd2956fd338d6244
SHA512

1776e0abd19fa36adee495d6b6a39d233e847d717ce9ac6e3fd40398a80ee693380fc1ae2daefc938f6a36b413ca522f8250f241384ec3680815ec79afb6a8eb
SSDEEP

6144:QBn1Mv+a0+CnUDn3zBaySG9PY2B25IuoXqFv:g/a0hUDn1au9A2BiIk

Score

10^/10

formbook 0pnv rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

0pnv

Decoy

UeENxNlh2xN7FieUBpBO5lfm

VvcQB1LzT23hsKXRjUwN

UVO18MGf5AY=

oVF8eOF3t9kzAV7CeQ==

jxtEEGsdit4/yuxAdkB8E7LhuAs=

+Pyb8Pke6z59Fg==

pVcPluOJ7ka2WgGWOCCXNw==

5LDqHC4BbYeYhIb0

7pJjqueb8CWBTHLBDsSrEmnUoCy9ui4=

tB4+XKJLlrcv9ARTgCMfXbLhuAs=

4ZM3rO+R/mKOSkpPOQm3KYs=

sKlboNhxxswqHV+UYA==

Ld8s8DrxSqXbpro=

ZSMbPsuFz+gK3msQZB4=

W99Y4Ho8nu1UFo7EOCCXNw==

p48821D7QKXbpro=

Arvd0En7V5D3r1eofzZ8E7LhuAs=

dBc8LKJhweNJFVW7ewE=

BK3FWptVndAtAV7CeQ==

G9eJAmIDDXLur7g=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

ymvuqqpv.exeymvuqqpv.exe

pid process

804 ymvuqqpv.exe
5116 ymvuqqpv.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ymvuqqpv.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	ymvuqqpv.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 3 IoCs

Processes:

ymvuqqpv.exeymvuqqpv.exerundll32.exe

description	pid	process	target process
PID 804 set thread context of 5116	804	ymvuqqpv.exe	ymvuqqpv.exe
PID 5116 set thread context of 2440	5116	ymvuqqpv.exe	Explorer.EXE
PID 3304 set thread context of 2440	3304	rundll32.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	rundll32.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

ymvuqqpv.exerundll32.exe

pid	process
5116	ymvuqqpv.exe
5116	ymvuqqpv.exe
5116	ymvuqqpv.exe
5116	ymvuqqpv.exe
5116	ymvuqqpv.exe
5116	ymvuqqpv.exe
5116	ymvuqqpv.exe
5116	ymvuqqpv.exe
3304	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2440 Explorer.EXE

pid	process
2440	Explorer.EXE

Suspicious behavior: MapViewOfSection 9 IoCs

Processes:

ymvuqqpv.exeymvuqqpv.exerundll32.exe

pid	process
804	ymvuqqpv.exe
804	ymvuqqpv.exe
5116	ymvuqqpv.exe
5116	ymvuqqpv.exe
5116	ymvuqqpv.exe
3304	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe
3304	rundll32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ymvuqqpv.exerundll32.exe

description pid process

Token: SeDebugPrivilege 5116 ymvuqqpv.exe
Token: SeDebugPrivilege 3304 rundll32.exe

description	pid	process
Token: SeDebugPrivilege	5116	ymvuqqpv.exe
Token: SeDebugPrivilege	3304	rundll32.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

Quote.exeymvuqqpv.exeExplorer.EXErundll32.exe

description	pid	process	target process
PID 3796 wrote to memory of 804	3796	Quote.exe	ymvuqqpv.exe
PID 3796 wrote to memory of 804	3796	Quote.exe	ymvuqqpv.exe
PID 3796 wrote to memory of 804	3796	Quote.exe	ymvuqqpv.exe
PID 804 wrote to memory of 5116	804	ymvuqqpv.exe	ymvuqqpv.exe
PID 804 wrote to memory of 5116	804	ymvuqqpv.exe	ymvuqqpv.exe
PID 804 wrote to memory of 5116	804	ymvuqqpv.exe	ymvuqqpv.exe
PID 804 wrote to memory of 5116	804	ymvuqqpv.exe	ymvuqqpv.exe
PID 2440 wrote to memory of 3304	2440	Explorer.EXE	rundll32.exe
PID 2440 wrote to memory of 3304	2440	Explorer.EXE	rundll32.exe
PID 2440 wrote to memory of 3304	2440	Explorer.EXE	rundll32.exe
PID 3304 wrote to memory of 5088	3304	rundll32.exe	Firefox.exe
PID 3304 wrote to memory of 5088	3304	rundll32.exe	Firefox.exe
PID 3304 wrote to memory of 5088	3304	rundll32.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2440

C:\Users\Admin\AppData\Local\Temp\Quote.exe
"C:\Users\Admin\AppData\Local\Temp\Quote.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3796

C:\Users\Admin\AppData\Local\Temp\ymvuqqpv.exe
"C:\Users\Admin\AppData\Local\Temp\ymvuqqpv.exe" C:\Users\Admin\AppData\Local\Temp\ajpcdhql.cy
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:804

C:\Users\Admin\AppData\Local\Temp\ymvuqqpv.exe
"C:\Users\Admin\AppData\Local\Temp\ymvuqqpv.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5116

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3304

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:5088

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ajpcdhql.cy
Filesize
5KB

MD5
cacf272177d2135e35faf3aa93167540

SHA1
6ea6b033eff2b963d63a2e149b9b7525c41d80ae

SHA256
93480c540f9b82fe13ac54ecf95562de42054172efd179d797c4f6c7c97e07cf

SHA512
278aff52c4d882cfe98389ea4bcf53ac8d6245c12bb276f521b2852b12f01a241aa9d6e4de84a1c0b7d752f7cb93e1f31e794c82ee35096ba657fec18e5920a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\uzhmrrk.wkl
Filesize
185KB

MD5
37e9542038b738ed656949c9e64814fc

SHA1
b825cea9a9b826857ff404a6bbb4200f7b0dc837

SHA256
bd83a9cfee893492264750dd5c3582f86d47d37875ce280fb895c7909c8336dc

SHA512
53ce181e8a63de2bcc1cf6521bf6d2e963cab4530e1b4c139cdd4800fa0b131566036b0215904e03077075a4e13e4158010789f6f27d28c839d2ec6a06007583

Download Submit
C:\Users\Admin\AppData\Local\Temp\ymvuqqpv.exe
Filesize
13KB

MD5
03de537afe7cd5629ac193ec751781da

SHA1
f538844fb828c89c57f0a38cb104c9494a579a72

SHA256
285d3ad53a34aee72b74016f675e15b85d508411c3bf54a6c961c86a5e15d89e

SHA512
dc2cf6b16007c7ec4e2d15649a73c0f8b74e455bfecb8aeb2f3cebc454bd38f68bbfa8d0aeeefc06937d2e781b29ac611d8472ae1454cf2f42c77577cdd48fec

Download Submit
C:\Users\Admin\AppData\Local\Temp\ymvuqqpv.exe
Filesize
13KB

MD5
03de537afe7cd5629ac193ec751781da

SHA1
f538844fb828c89c57f0a38cb104c9494a579a72

SHA256
285d3ad53a34aee72b74016f675e15b85d508411c3bf54a6c961c86a5e15d89e

SHA512
dc2cf6b16007c7ec4e2d15649a73c0f8b74e455bfecb8aeb2f3cebc454bd38f68bbfa8d0aeeefc06937d2e781b29ac611d8472ae1454cf2f42c77577cdd48fec

Download Submit
C:\Users\Admin\AppData\Local\Temp\ymvuqqpv.exe
Filesize
13KB

MD5
03de537afe7cd5629ac193ec751781da

SHA1
f538844fb828c89c57f0a38cb104c9494a579a72

SHA256
285d3ad53a34aee72b74016f675e15b85d508411c3bf54a6c961c86a5e15d89e

SHA512
dc2cf6b16007c7ec4e2d15649a73c0f8b74e455bfecb8aeb2f3cebc454bd38f68bbfa8d0aeeefc06937d2e781b29ac611d8472ae1454cf2f42c77577cdd48fec

Download Submit
memory/804-132-0x0000000000000000-mapping.dmp

Download
memory/2440-152-0x0000000007D70000-0x0000000007EBD000-memory.dmp

Filesize
1.3MB

Download
memory/2440-150-0x0000000007D70000-0x0000000007EBD000-memory.dmp

Filesize
1.3MB

Download
memory/2440-143-0x00000000029F0000-0x0000000002B3E000-memory.dmp

Filesize
1.3MB

Download
memory/3304-147-0x0000000000810000-0x000000000083D000-memory.dmp

Filesize
180KB

Download
memory/3304-151-0x0000000000810000-0x000000000083D000-memory.dmp

Filesize
180KB

Download
memory/3304-149-0x0000000002540000-0x00000000025CF000-memory.dmp

Filesize
572KB

Download
memory/3304-144-0x0000000000000000-mapping.dmp

Download
memory/3304-148-0x00000000026B0000-0x00000000029FA000-memory.dmp

Filesize
3.3MB

Download
memory/3304-146-0x00000000000B0000-0x00000000000C4000-memory.dmp

Filesize
80KB

Download
memory/5116-137-0x0000000000000000-mapping.dmp

Download
memory/5116-145-0x00000000003A0000-0x00000000003CF000-memory.dmp

Filesize
188KB

Download
memory/5116-142-0x0000000000880000-0x0000000000890000-memory.dmp

Filesize
64KB

Download
memory/5116-141-0x00000000003C2000-0x00000000003C4000-memory.dmp

Filesize
8KB

Download
memory/5116-140-0x0000000000D20000-0x000000000106A000-memory.dmp

Filesize
3.3MB

Download
memory/5116-139-0x00000000003A0000-0x00000000003CF000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads