formbook | c8517f6c638a7d458d5dc46ba0c8b62c22165996339338788f9632cba03570c5

General

Target

71084394.exe
Size

340KB
MD5

071d5dc67ed8f6be856d7f23d77382fc
SHA1

66f71f1f920899aaffe32f996f25df8c031cbd8a
SHA256

c8517f6c638a7d458d5dc46ba0c8b62c22165996339338788f9632cba03570c5
SHA512

973b2c8a59dda6d40e75d45fabc72e9b0679373f604267837854d6ff8f6ecb4f02b855ab3210ca6b49f6315cdac69666d788f01cc60fd5d99fa638a16afa5b0e
SSDEEP

6144:9kwu1ri9AcbfpzRnOa4YS+UYzzrgezsk4VUIE6Xfjh8o/Y7qAKTFtsY7eREBOd:61riiODTUU1AUIE6XfT/CKRmfeBOd

Score

10^/10

formbook yurm persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

yurm

Decoy

X06d1tis1GUX/R0g87Ud

BKiZ33D1P766GVXO1ZwV

lAFdjB7CSxGX8Trz

Gc7dWizTVxWX8Trz

tDkr9JAfi1OHAW1PGOageIp4

bCpMtHKU3mVp8BY5sQ==

7WKpsMWt8nsrhJClJeOZNg==

0A9KTlETQ86Cmd8k0o5NP5RwCg==

aJ61paNJztSp42c=

CrgoA8ySIOsytCbO1ZwV

i46SnHYDD9tTIHI=

XFRCRCjtFZeU3x4Rn3xfD5BnPz+RDA==

c4CZghuHvzW9A31gEz0d

QAjzz9qyRRWBNYseAI4M

Jpbmu4A1YvBvN3ruZgiRmJA5BCFd

PfoFXGNFhhuX8Trz

bqCfk0m8ApAl+Tm1Ms5Tb23IT7tS

z7INff7HNALxc5HWq2/ftrVR6A7R1zvTUQ==

m7IShV4LSFxbqxhrVsZ1Ig==

BHRp7q0gtoRuqBRnVsZ1Ig==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

cwjtwgru.execwjtwgru.exe

pid process

816 cwjtwgru.exe
5080 cwjtwgru.exe

pid	process
816	cwjtwgru.exe
5080	cwjtwgru.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cwjtwgru.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	cwjtwgru.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cwjtwgru.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\frcjbs = "C:\\Users\\Admin\\AppData\\Roaming\\oodcsfypml\\gqbi.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\cwjtwgru.exe\" C:\\Users\\Admin\\AppData\\Local\\T"	cwjtwgru.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

cwjtwgru.execwjtwgru.exeexplorer.exe

description	pid	process	target process
PID 816 set thread context of 5080	816	cwjtwgru.exe	cwjtwgru.exe
PID 5080 set thread context of 2724	5080	cwjtwgru.exe	Explorer.EXE
PID 1292 set thread context of 2724	1292	explorer.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

cwjtwgru.exeexplorer.exe

pid	process
5080	cwjtwgru.exe
5080	cwjtwgru.exe
5080	cwjtwgru.exe
5080	cwjtwgru.exe
5080	cwjtwgru.exe
5080	cwjtwgru.exe
5080	cwjtwgru.exe
5080	cwjtwgru.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2724 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

cwjtwgru.execwjtwgru.exeexplorer.exe

pid process

816 cwjtwgru.exe
5080 cwjtwgru.exe
5080 cwjtwgru.exe
5080 cwjtwgru.exe
1292 explorer.exe
1292 explorer.exe
1292 explorer.exe
1292 explorer.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

cwjtwgru.exeexplorer.exe

description pid process

Token: SeDebugPrivilege 5080 cwjtwgru.exe
Token: SeDebugPrivilege 1292 explorer.exe

pid	process
2724	Explorer.EXE

pid	process
816	cwjtwgru.exe
5080	cwjtwgru.exe
5080	cwjtwgru.exe
5080	cwjtwgru.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe

description	pid	process
Token: SeDebugPrivilege	5080	cwjtwgru.exe
Token: SeDebugPrivilege	1292	explorer.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

71084394.execwjtwgru.exeExplorer.EXEexplorer.exe

description	pid	process	target process
PID 3564 wrote to memory of 816	3564	71084394.exe	cwjtwgru.exe
PID 3564 wrote to memory of 816	3564	71084394.exe	cwjtwgru.exe
PID 3564 wrote to memory of 816	3564	71084394.exe	cwjtwgru.exe
PID 816 wrote to memory of 5080	816	cwjtwgru.exe	cwjtwgru.exe
PID 816 wrote to memory of 5080	816	cwjtwgru.exe	cwjtwgru.exe
PID 816 wrote to memory of 5080	816	cwjtwgru.exe	cwjtwgru.exe
PID 816 wrote to memory of 5080	816	cwjtwgru.exe	cwjtwgru.exe
PID 2724 wrote to memory of 1292	2724	Explorer.EXE	explorer.exe
PID 2724 wrote to memory of 1292	2724	Explorer.EXE	explorer.exe
PID 2724 wrote to memory of 1292	2724	Explorer.EXE	explorer.exe
PID 1292 wrote to memory of 2476	1292	explorer.exe	Firefox.exe
PID 1292 wrote to memory of 2476	1292	explorer.exe	Firefox.exe
PID 1292 wrote to memory of 2476	1292	explorer.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Users\Admin\AppData\Local\Temp\71084394.exe
  "C:\Users\Admin\AppData\Local\Temp\71084394.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3564
- - C:\Users\Admin\AppData\Local\Temp\cwjtwgru.exe
    "C:\Users\Admin\AppData\Local\Temp\cwjtwgru.exe" C:\Users\Admin\AppData\Local\Temp\rrexulxkwf.e
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:816
  - - C:\Users\Admin\AppData\Local\Temp\cwjtwgru.exe
      "C:\Users\Admin\AppData\Local\Temp\cwjtwgru.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:5080
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\SysWOW64\explorer.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:2476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cwjtwgru.exe

Filesize
287KB

MD5
dbcbf8f0ed1c6516183140ec6b43cb70

SHA1
86592b028bdea04cc22f7719d9b1ad056111a206

SHA256
3ca4fd53d2bf04262bc4c73f1daac1840dfd569902866d02ff0105496d66dad4

SHA512
2a81002fa5aa7f128f2b2a7c58b2771ebd8972df34a052461160bd413fb441d0f09bf10e6f87387097190be2151417d10f5fa91c3e3d7703d582186fac504e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwjtwgru.exe

Filesize
287KB

MD5
dbcbf8f0ed1c6516183140ec6b43cb70

SHA1
86592b028bdea04cc22f7719d9b1ad056111a206

SHA256
3ca4fd53d2bf04262bc4c73f1daac1840dfd569902866d02ff0105496d66dad4

SHA512
2a81002fa5aa7f128f2b2a7c58b2771ebd8972df34a052461160bd413fb441d0f09bf10e6f87387097190be2151417d10f5fa91c3e3d7703d582186fac504e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwjtwgru.exe

Filesize
287KB

MD5
dbcbf8f0ed1c6516183140ec6b43cb70

SHA1
86592b028bdea04cc22f7719d9b1ad056111a206

SHA256
3ca4fd53d2bf04262bc4c73f1daac1840dfd569902866d02ff0105496d66dad4

SHA512
2a81002fa5aa7f128f2b2a7c58b2771ebd8972df34a052461160bd413fb441d0f09bf10e6f87387097190be2151417d10f5fa91c3e3d7703d582186fac504e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\rrexulxkwf.e

Filesize
7KB

MD5
f13ad12221d1e97b4d65bf2e53b1f402

SHA1
9c6dfd899bec615fdea6f4e2b962068aab6c4988

SHA256
cb5c32c1b652404386ab6ff840c7eb441b011fbc0c2394fca6204de86f214235

SHA512
ebc39cb6786e5f26d22b0234adf88dd927ce484983f38c923dff3202079c983ecc05d7f5ac0cd1d77b7df50697b952792be8ea73a0e762bf7fb8895fb7d4a93d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tdyiryx.q

Filesize
185KB

MD5
cf0334f289bbb9d291df245b50345a61

SHA1
31089abeebfd120069ff4431ec58dc3f845345db

SHA256
9b2dce356e0b291300995dd2960eb5031d27165879b8c48fa263a83a1f617216

SHA512
a3da13f1323313bc486c7deea72ee37d55a6584a5f43912dd735248371fdb8d81fa9d0d83bcdb3d8fb2e02aa6514bf500c4204614e656dd9cbd2c2c11e5b895f

Download Submit
memory/816-132-0x0000000000000000-mapping.dmp

Download
memory/1292-147-0x0000000000A40000-0x0000000000E73000-memory.dmp

Filesize
4.2MB

Download
memory/1292-152-0x0000000000F80000-0x0000000000FAD000-memory.dmp

Filesize
180KB

Download
memory/1292-150-0x0000000002F20000-0x0000000002FAF000-memory.dmp

Filesize
572KB

Download
memory/1292-144-0x0000000000000000-mapping.dmp

Download
memory/1292-149-0x00000000030F0000-0x000000000343A000-memory.dmp

Filesize
3.3MB

Download
memory/1292-148-0x0000000000F80000-0x0000000000FAD000-memory.dmp

Filesize
180KB

Download
memory/2724-153-0x0000000007C30000-0x0000000007D5C000-memory.dmp

Filesize
1.2MB

Download
memory/2724-151-0x0000000007C30000-0x0000000007D5C000-memory.dmp

Filesize
1.2MB

Download
memory/2724-143-0x0000000002D00000-0x0000000002E30000-memory.dmp

Filesize
1.2MB

Download
memory/5080-137-0x0000000000000000-mapping.dmp

Download
memory/5080-146-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/5080-145-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5080-142-0x00000000010A0000-0x00000000010B0000-memory.dmp

Filesize
64KB

Download
memory/5080-141-0x0000000001610000-0x000000000195A000-memory.dmp

Filesize
3.3MB

Download
memory/5080-140-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/5080-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads