formbook | 4c143b9e9804d87732fa2ca95ddc355cb0b5944ad57f33b6fe08fac0947d32f5

General

Target

Ödeme Tavsiye Notu - 0000274553.PDF.exe
Size

535KB
MD5

40f56e889ab81bdb74a78010b3fe006b
SHA1

03fb1836e3ea68ed18a41b10ce530d09f3ff3308
SHA256

4c143b9e9804d87732fa2ca95ddc355cb0b5944ad57f33b6fe08fac0947d32f5
SHA512

f3b0bfd497390cfaf0e3eadc6f54f3ad804812d2cdd46654916f580bddb4be10e50d42535c96a1aa14256884490045317e5756662d460fbb592077b6d4af9894
SSDEEP

12288:slzAKpkuaBv1XP2uqLerOEU0iFr2FDaJ3:slDpQ/WXEU0iUDG

Score

10^/10

formbook m9ae persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

m9ae

Decoy

nWTQpX6TYm6dfT3Lcw==

7JaBLgMm8EKn2AlTy5Ksj4Jq

yWRJIhE3viQgqEpZS3o=

ES9dFo0bytF8vlvRcg==

aX/aBZn29pD+cg==

lU64sYOZV7ZVpUy1ag==

9BpOCYAPv8L8TyIFAiTp2PSqLg==

uEJ2RyQ1BcBXfFr8kT5Z1KV0

oVM42Ury9pD+cg==

0Zl3VkcuKaY+

OjZeGI8dw67Z6eWtnOoBfoI=

ytwFn9j4i+N8nKYRSgcfh3xn5LU=

xMb1+YkOyxmbxJ53JsP7Pg==

HODQpzTBS1gVoi4X0hStKQ==

fQ417ycwD+ziKt1u0hStKQ==

nsApOqE62sA8uS735uCXVP+YcrQ=

4aobG3oZ3AHqTPs=

P2LEwJatZbQZUTayTW0=

/bopO7NR6clCfT3Lcw==

bBxRRkFY01R+20pZS3o=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

svenboa.exesvenboa.exe

pid process

1152 svenboa.exe
696 svenboa.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

svenboa.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation svenboa.exe
Loads dropped DLL 3 IoCs

Processes:

Ödeme Tavsiye Notu - 0000274553.PDF.exesvenboa.exemsdt.exe

pid process

1492 Ödeme Tavsiye Notu - 0000274553.PDF.exe
1152 svenboa.exe
1276 msdt.exe

pid	process
1152	svenboa.exe
696	svenboa.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation	svenboa.exe

pid	process
1492	Ödeme Tavsiye Notu - 0000274553.PDF.exe
1152	svenboa.exe
1276	msdt.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svenboa.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\apce = "C:\\Users\\Admin\\AppData\\Roaming\\vndynyjhjpjxs\\qdhypphyeracdw.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\svenboa.exe\" C:\\Users\\Admin\\App"	svenboa.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

svenboa.exesvenboa.exemsdt.exe

description	pid	process	target process
PID 1152 set thread context of 696	1152	svenboa.exe	svenboa.exe
PID 696 set thread context of 1424	696	svenboa.exe	Explorer.EXE
PID 1276 set thread context of 1424	1276	msdt.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

msdt.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	msdt.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

svenboa.exemsdt.exe

pid	process
696	svenboa.exe
696	svenboa.exe
696	svenboa.exe
696	svenboa.exe
1276	msdt.exe
1276	msdt.exe
1276	msdt.exe
1276	msdt.exe
1276	msdt.exe
1276	msdt.exe
1276	msdt.exe
1276	msdt.exe
1276	msdt.exe
1276	msdt.exe
1276	msdt.exe
1276	msdt.exe
1276	msdt.exe
1276	msdt.exe
1276	msdt.exe
1276	msdt.exe
1276	msdt.exe
1276	msdt.exe
1276	msdt.exe
1276	msdt.exe
1276	msdt.exe
1276	msdt.exe
1276	msdt.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1424 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

svenboa.exesvenboa.exemsdt.exe

pid process

1152 svenboa.exe
696 svenboa.exe
696 svenboa.exe
696 svenboa.exe
1276 msdt.exe
1276 msdt.exe
1276 msdt.exe
1276 msdt.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

svenboa.exemsdt.exe

description pid process

Token: SeDebugPrivilege 696 svenboa.exe
Token: SeDebugPrivilege 1276 msdt.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1424 Explorer.EXE
1424 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1424 Explorer.EXE
1424 Explorer.EXE

pid	process
1424	Explorer.EXE

pid	process
1152	svenboa.exe
696	svenboa.exe
696	svenboa.exe
696	svenboa.exe
1276	msdt.exe
1276	msdt.exe
1276	msdt.exe
1276	msdt.exe

description	pid	process
Token: SeDebugPrivilege	696	svenboa.exe
Token: SeDebugPrivilege	1276	msdt.exe

pid	process
1424	Explorer.EXE
1424	Explorer.EXE

pid	process
1424	Explorer.EXE
1424	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

Ödeme Tavsiye Notu - 0000274553.PDF.exesvenboa.exeExplorer.EXEmsdt.exe

description	pid	process	target process
PID 1492 wrote to memory of 1152	1492	Ödeme Tavsiye Notu - 0000274553.PDF.exe	svenboa.exe
PID 1492 wrote to memory of 1152	1492	Ödeme Tavsiye Notu - 0000274553.PDF.exe	svenboa.exe
PID 1492 wrote to memory of 1152	1492	Ödeme Tavsiye Notu - 0000274553.PDF.exe	svenboa.exe
PID 1492 wrote to memory of 1152	1492	Ödeme Tavsiye Notu - 0000274553.PDF.exe	svenboa.exe
PID 1152 wrote to memory of 696	1152	svenboa.exe	svenboa.exe
PID 1152 wrote to memory of 696	1152	svenboa.exe	svenboa.exe
PID 1152 wrote to memory of 696	1152	svenboa.exe	svenboa.exe
PID 1152 wrote to memory of 696	1152	svenboa.exe	svenboa.exe
PID 1152 wrote to memory of 696	1152	svenboa.exe	svenboa.exe
PID 1424 wrote to memory of 1276	1424	Explorer.EXE	msdt.exe
PID 1424 wrote to memory of 1276	1424	Explorer.EXE	msdt.exe
PID 1424 wrote to memory of 1276	1424	Explorer.EXE	msdt.exe
PID 1424 wrote to memory of 1276	1424	Explorer.EXE	msdt.exe
PID 1276 wrote to memory of 1888	1276	msdt.exe	Firefox.exe
PID 1276 wrote to memory of 1888	1276	msdt.exe	Firefox.exe
PID 1276 wrote to memory of 1888	1276	msdt.exe	Firefox.exe
PID 1276 wrote to memory of 1888	1276	msdt.exe	Firefox.exe
PID 1276 wrote to memory of 1888	1276	msdt.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1424

C:\Users\Admin\AppData\Local\Temp\Ödeme Tavsiye Notu - 0000274553.PDF.exe
"C:\Users\Admin\AppData\Local\Temp\Ödeme Tavsiye Notu - 0000274553.PDF.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1492

C:\Users\Admin\AppData\Local\Temp\svenboa.exe
"C:\Users\Admin\AppData\Local\Temp\svenboa.exe" C:\Users\Admin\AppData\Local\Temp\stgmpxbhdcx.tyv
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1152

C:\Users\Admin\AppData\Local\Temp\svenboa.exe
"C:\Users\Admin\AppData\Local\Temp\svenboa.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:696

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1276

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1888

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rjoqr.i
Filesize
185KB

MD5
5a363369f79b9aa5fb7f30c36255cdca

SHA1
ab1c4fa718eae050ffd726f23a25dac9c05f6408

SHA256
7d0d734491e4b96aa91ddb7da56c78d6d5e6f43476c4b496b8061b5859794dca

SHA512
c10b5c08482e4acbac15f125a4d9ee19fa2af67d02809794d9b9218cb50b9b0d9b229542ee959e74806ddd69264f6fb444548f616017acac3664a8839ad3e9f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\stgmpxbhdcx.tyv
Filesize
7KB

MD5
916c81137e81c83b2301ded71317eaf8

SHA1
54b3b7538b9cf0648c615ab02020414213b80e98

SHA256
18c6e9457b9571852cb9857037dcc3b17c9bcdaf50d56da147440624fad58fdf

SHA512
5f4a9e7999a0b41e60c50d8bf36ef6c1e9435057f8999460822c9b40b7e189963a508458b9fc9d4eaadc831f3ea4b785cba8c28d320c3f8180aa99b89701e52d

Download Submit
C:\Users\Admin\AppData\Local\Temp\svenboa.exe
Filesize
287KB

MD5
ee906eb277fa085c43d530fef366449c

SHA1
43faf3d997e01f647f654b606d4f4e130b7d74a3

SHA256
b1941867cd5af254cafe02824733f022da84f8d826851004b39bb3535977366b

SHA512
bf234d8a8ed84c9025cdd5e386c2293a6d0cdf9450512375253edf336b3c11fd2f3e7a34a0fb096700f6432d03fcf5468bfa0f294d49bf2d55a258553ad5a24d

Download Submit
C:\Users\Admin\AppData\Local\Temp\svenboa.exe
Filesize
287KB

MD5
ee906eb277fa085c43d530fef366449c

SHA1
43faf3d997e01f647f654b606d4f4e130b7d74a3

SHA256
b1941867cd5af254cafe02824733f022da84f8d826851004b39bb3535977366b

SHA512
bf234d8a8ed84c9025cdd5e386c2293a6d0cdf9450512375253edf336b3c11fd2f3e7a34a0fb096700f6432d03fcf5468bfa0f294d49bf2d55a258553ad5a24d

Download Submit
C:\Users\Admin\AppData\Local\Temp\svenboa.exe
Filesize
287KB

MD5
ee906eb277fa085c43d530fef366449c

SHA1
43faf3d997e01f647f654b606d4f4e130b7d74a3

SHA256
b1941867cd5af254cafe02824733f022da84f8d826851004b39bb3535977366b

SHA512
bf234d8a8ed84c9025cdd5e386c2293a6d0cdf9450512375253edf336b3c11fd2f3e7a34a0fb096700f6432d03fcf5468bfa0f294d49bf2d55a258553ad5a24d

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
810KB

MD5
c6ec991471d42128268ea10236d9cdb8

SHA1
d569350d02db6a118136220da8de40a9973084f1

SHA256
1b755cc3093dd45a0df857854aedfeb3c8f3622cff5bc491f2d492ebfa3ef8e0

SHA512
a67ed46547b9270c8a5a7a947b375cb6baf3211072f90170aae2bb6ce9c4fe9d7be3e9d782420dcfdbc19a1f232b3be561ca503b80e8dc3e036a62c54cad5b57

Download Submit
\Users\Admin\AppData\Local\Temp\svenboa.exe
Filesize
287KB

MD5
ee906eb277fa085c43d530fef366449c

SHA1
43faf3d997e01f647f654b606d4f4e130b7d74a3

SHA256
b1941867cd5af254cafe02824733f022da84f8d826851004b39bb3535977366b

SHA512
bf234d8a8ed84c9025cdd5e386c2293a6d0cdf9450512375253edf336b3c11fd2f3e7a34a0fb096700f6432d03fcf5468bfa0f294d49bf2d55a258553ad5a24d

Download Submit
\Users\Admin\AppData\Local\Temp\svenboa.exe
Filesize
287KB

MD5
ee906eb277fa085c43d530fef366449c

SHA1
43faf3d997e01f647f654b606d4f4e130b7d74a3

SHA256
b1941867cd5af254cafe02824733f022da84f8d826851004b39bb3535977366b

SHA512
bf234d8a8ed84c9025cdd5e386c2293a6d0cdf9450512375253edf336b3c11fd2f3e7a34a0fb096700f6432d03fcf5468bfa0f294d49bf2d55a258553ad5a24d

Download Submit
memory/696-67-0x0000000000930000-0x0000000000C33000-memory.dmp

Filesize
3.0MB

Download
memory/696-68-0x0000000000422000-0x0000000000424000-memory.dmp

Filesize
8KB

Download
memory/696-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/696-66-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/696-69-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/696-63-0x00000000004012B0-mapping.dmp

Download
memory/1152-56-0x0000000000000000-mapping.dmp

Download
memory/1276-74-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/1276-71-0x0000000000000000-mapping.dmp

Download
memory/1276-73-0x00000000007B0000-0x00000000008A4000-memory.dmp

Filesize
976KB

Download
memory/1276-75-0x0000000002320000-0x0000000002623000-memory.dmp

Filesize
3.0MB

Download
memory/1276-76-0x0000000001E80000-0x0000000001F0F000-memory.dmp

Filesize
572KB

Download
memory/1424-70-0x0000000006A20000-0x0000000006B4F000-memory.dmp

Filesize
1.2MB

Download
memory/1424-77-0x0000000006BE0000-0x0000000006CC6000-memory.dmp

Filesize
920KB

Download
memory/1424-78-0x0000000006BE0000-0x0000000006CC6000-memory.dmp

Filesize
920KB

Download
memory/1492-54-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads