formbook | 37572cb6f2bd3ef772a437f0e91cd813bfd270988f205c7a24f200ba4df6a609

General

Target

Shipping docs xlsx.exe
Size

239KB
MD5

61672650363565ad7ce71c5a261a5e7e
SHA1

da70e0ed691217615c57963c58e18de927c13294
SHA256

37572cb6f2bd3ef772a437f0e91cd813bfd270988f205c7a24f200ba4df6a609
SHA512

17b7867c3329a1ccd514cb265622d9bcf8a817d29b49e7c9fd12e49ae905ef09683da32e41ed57054f0451b3fc7f562ad999c59558948659e63cfe17f23fc824
SSDEEP

6144:QBn10ffIoo3VeRy65qQvT1GLwbTWYM89y7rOjPwA:gSR5qubqS96SD

Score

10^/10

formbook n2hm rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

n2hm

Decoy

XCeG4IxNKbAl

YzJWbnC+El84nA==

KAJcdmP8yEcO5LXPCFF42Wfb

I+J+xYO95GJQWVU=

GtgxPPv3FmQmhw==

Og9NYF4xEl+j7vGTR93xvg==

506Cg07bsT0G6yK+A96H0h35V+JLkwI=

wAYXFN+pSFIXgQ==

ijzLI/f+FmQmhw==

UfT2PweNm+w8

GQWVw5aZnfF/kS5e

30BKYjua9zcA7gAwsPUngLnjyrBNEgo=

AM65OrmyFmQmhw==

VSlTVxISZ4J/kS5e

GGKj6K33SRh6e0/YzT5nQGlK5CXRqw==

B9H98cUUfX+AWOqiTA==

MxVffWOIoVnM37zrd2sTaOY=

z6bxCgG/mGhR7oDzQA==

pQgSLSRi6AK3M/PdArpX

6rRRsYuSnXx/kS5e

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

lkhgcvox.exelkhgcvox.exe

pid process

1892 lkhgcvox.exe
4688 lkhgcvox.exe

pid	process
1892	lkhgcvox.exe
4688	lkhgcvox.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

lkhgcvox.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	lkhgcvox.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

lkhgcvox.exelkhgcvox.exeraserver.exe

description	pid	process	target process
PID 1892 set thread context of 4688	1892	lkhgcvox.exe	lkhgcvox.exe
PID 4688 set thread context of 2584	4688	lkhgcvox.exe	Explorer.EXE
PID 4284 set thread context of 2584	4284	raserver.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

raserver.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	raserver.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

Processes:

lkhgcvox.exeraserver.exe

pid	process
4688	lkhgcvox.exe
4688	lkhgcvox.exe
4688	lkhgcvox.exe
4688	lkhgcvox.exe
4688	lkhgcvox.exe
4688	lkhgcvox.exe
4688	lkhgcvox.exe
4688	lkhgcvox.exe
4284	raserver.exe
4284	raserver.exe
4284	raserver.exe
4284	raserver.exe
4284	raserver.exe
4284	raserver.exe
4284	raserver.exe
4284	raserver.exe
4284	raserver.exe
4284	raserver.exe
4284	raserver.exe
4284	raserver.exe
4284	raserver.exe
4284	raserver.exe
4284	raserver.exe
4284	raserver.exe
4284	raserver.exe
4284	raserver.exe
4284	raserver.exe
4284	raserver.exe
4284	raserver.exe
4284	raserver.exe
4284	raserver.exe
4284	raserver.exe
4284	raserver.exe
4284	raserver.exe
4284	raserver.exe
4284	raserver.exe
4284	raserver.exe
4284	raserver.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2584 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

lkhgcvox.exelkhgcvox.exeraserver.exe

pid process

1892 lkhgcvox.exe
4688 lkhgcvox.exe
4688 lkhgcvox.exe
4688 lkhgcvox.exe
4284 raserver.exe
4284 raserver.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

lkhgcvox.exeraserver.exe

description pid process

Token: SeDebugPrivilege 4688 lkhgcvox.exe
Token: SeDebugPrivilege 4284 raserver.exe

pid	process
2584	Explorer.EXE

pid	process
1892	lkhgcvox.exe
4688	lkhgcvox.exe
4688	lkhgcvox.exe
4688	lkhgcvox.exe
4284	raserver.exe
4284	raserver.exe

description	pid	process
Token: SeDebugPrivilege	4688	lkhgcvox.exe
Token: SeDebugPrivilege	4284	raserver.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

Shipping docs xlsx.exelkhgcvox.exeExplorer.EXE

description	pid	process	target process
PID 1320 wrote to memory of 1892	1320	Shipping docs xlsx.exe	lkhgcvox.exe
PID 1320 wrote to memory of 1892	1320	Shipping docs xlsx.exe	lkhgcvox.exe
PID 1320 wrote to memory of 1892	1320	Shipping docs xlsx.exe	lkhgcvox.exe
PID 1892 wrote to memory of 4688	1892	lkhgcvox.exe	lkhgcvox.exe
PID 1892 wrote to memory of 4688	1892	lkhgcvox.exe	lkhgcvox.exe
PID 1892 wrote to memory of 4688	1892	lkhgcvox.exe	lkhgcvox.exe
PID 1892 wrote to memory of 4688	1892	lkhgcvox.exe	lkhgcvox.exe
PID 2584 wrote to memory of 4284	2584	Explorer.EXE	raserver.exe
PID 2584 wrote to memory of 4284	2584	Explorer.EXE	raserver.exe
PID 2584 wrote to memory of 4284	2584	Explorer.EXE	raserver.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Users\Admin\AppData\Local\Temp\Shipping docs xlsx.exe
  "C:\Users\Admin\AppData\Local\Temp\Shipping docs xlsx.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1320
- - C:\Users\Admin\AppData\Local\Temp\lkhgcvox.exe
    "C:\Users\Admin\AppData\Local\Temp\lkhgcvox.exe" C:\Users\Admin\AppData\Local\Temp\lgjvm.n
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1892
  - - C:\Users\Admin\AppData\Local\Temp\lkhgcvox.exe
      "C:\Users\Admin\AppData\Local\Temp\lkhgcvox.exe" C:\Users\Admin\AppData\Local\Temp\lgjvm.n
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:4688
- C:\Windows\SysWOW64\raserver.exe
  "C:\Windows\SysWOW64\raserver.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  PID:4284
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lgjvm.n

Filesize
5KB

MD5
b5bd1d788ff15db30c33fc6ab63d79cd

SHA1
647cd1cb32eb40fac0c78407e336c904c4326d6d

SHA256
83adcbc73426996a6391f3563af4108fc6fb2d7e3bb43e5964e9a9c638d9b6aa

SHA512
d366cf00d10f6e8353ca0fcb3b1d6a8e54640d3e4092936f269215b53968b3e8981d76389062e10026175bc0fca224be78da6407ad8ab98ee9e669c0b1dea8d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\lkhgcvox.exe

Filesize
58KB

MD5
436337374849644f54f370b2931c5f9c

SHA1
23024687bca7f77b61d5f9c9f08c622998d8798f

SHA256
03a6040822f451f05bc029e2701cfe433947bc4490ca4da37a8a7617e126a493

SHA512
614193c3df8f97f54bf3eace6729b0e42bdc99ed3664df9e153ef0a6c765ff663f57d91acef9525dae5df6ef5f0f96914c8bee09f8c4b663c662e6ad9dac2bfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\lkhgcvox.exe

Filesize
58KB

MD5
436337374849644f54f370b2931c5f9c

SHA1
23024687bca7f77b61d5f9c9f08c622998d8798f

SHA256
03a6040822f451f05bc029e2701cfe433947bc4490ca4da37a8a7617e126a493

SHA512
614193c3df8f97f54bf3eace6729b0e42bdc99ed3664df9e153ef0a6c765ff663f57d91acef9525dae5df6ef5f0f96914c8bee09f8c4b663c662e6ad9dac2bfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\lkhgcvox.exe

Filesize
58KB

MD5
436337374849644f54f370b2931c5f9c

SHA1
23024687bca7f77b61d5f9c9f08c622998d8798f

SHA256
03a6040822f451f05bc029e2701cfe433947bc4490ca4da37a8a7617e126a493

SHA512
614193c3df8f97f54bf3eace6729b0e42bdc99ed3664df9e153ef0a6c765ff663f57d91acef9525dae5df6ef5f0f96914c8bee09f8c4b663c662e6ad9dac2bfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nuyts.s

Filesize
185KB

MD5
678721f9a827cc3b51fc472868a84b2a

SHA1
34618073c825161e7d5db23915bda774ef3d12da

SHA256
57595f7432ea33ae2250dc281b6d5c0c87d59de5e0e900fbb50101951f43f1d3

SHA512
4fc867e187a67bfb9d12e9b8ddb55543f9b7b492ae0d1591e042330b70c6c6f2ceb7d75ca535b33c74dbe287fb7b7eab34b2e458373df8e76f1bbbf3eba48727

Download Submit
memory/1892-132-0x0000000000000000-mapping.dmp

Download
memory/2584-143-0x0000000006E30000-0x0000000006FA9000-memory.dmp

Filesize
1.5MB

Download
memory/2584-153-0x00000000083B0000-0x0000000008519000-memory.dmp

Filesize
1.4MB

Download
memory/2584-146-0x0000000006E30000-0x0000000006FA9000-memory.dmp

Filesize
1.5MB

Download
memory/2584-151-0x00000000083B0000-0x0000000008519000-memory.dmp

Filesize
1.4MB

Download
memory/4284-152-0x0000000000450000-0x000000000047D000-memory.dmp

Filesize
180KB

Download
memory/4284-150-0x00000000021F0000-0x000000000227F000-memory.dmp

Filesize
572KB

Download
memory/4284-144-0x0000000000000000-mapping.dmp

Download
memory/4284-149-0x00000000023C0000-0x000000000270A000-memory.dmp

Filesize
3.3MB

Download
memory/4284-147-0x0000000000760000-0x000000000077F000-memory.dmp

Filesize
124KB

Download
memory/4284-148-0x0000000000450000-0x000000000047D000-memory.dmp

Filesize
180KB

Download
memory/4688-137-0x0000000000000000-mapping.dmp

Download
memory/4688-145-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4688-142-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4688-141-0x0000000000A20000-0x0000000000D6A000-memory.dmp

Filesize
3.3MB

Download
memory/4688-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4688-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads