formbook | 4c143b9e9804d87732fa2ca95ddc355cb0b5944ad57f33b6fe08fac0947d32f5

General

Target

Ödeme Tavsiye Notu - 0000274553.PDF.exe
Size

535KB
MD5

40f56e889ab81bdb74a78010b3fe006b
SHA1

03fb1836e3ea68ed18a41b10ce530d09f3ff3308
SHA256

4c143b9e9804d87732fa2ca95ddc355cb0b5944ad57f33b6fe08fac0947d32f5
SHA512

f3b0bfd497390cfaf0e3eadc6f54f3ad804812d2cdd46654916f580bddb4be10e50d42535c96a1aa14256884490045317e5756662d460fbb592077b6d4af9894
SSDEEP

12288:slzAKpkuaBv1XP2uqLerOEU0iFr2FDaJ3:slDpQ/WXEU0iUDG

Score

10^/10

formbook m9ae persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

m9ae

Decoy

nWTQpX6TYm6dfT3Lcw==

7JaBLgMm8EKn2AlTy5Ksj4Jq

yWRJIhE3viQgqEpZS3o=

ES9dFo0bytF8vlvRcg==

aX/aBZn29pD+cg==

lU64sYOZV7ZVpUy1ag==

9BpOCYAPv8L8TyIFAiTp2PSqLg==

uEJ2RyQ1BcBXfFr8kT5Z1KV0

oVM42Ury9pD+cg==

0Zl3VkcuKaY+

OjZeGI8dw67Z6eWtnOoBfoI=

ytwFn9j4i+N8nKYRSgcfh3xn5LU=

xMb1+YkOyxmbxJ53JsP7Pg==

HODQpzTBS1gVoi4X0hStKQ==

fQ417ycwD+ziKt1u0hStKQ==

nsApOqE62sA8uS735uCXVP+YcrQ=

4aobG3oZ3AHqTPs=

P2LEwJatZbQZUTayTW0=

/bopO7NR6clCfT3Lcw==

bBxRRkFY01R+20pZS3o=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

svenboa.exesvenboa.exe

pid process

3988 svenboa.exe
3088 svenboa.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

svenboa.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation svenboa.exe

pid	process
3988	svenboa.exe
3088	svenboa.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	svenboa.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svenboa.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\apce = "C:\\Users\\Admin\\AppData\\Roaming\\vndynyjhjpjxs\\qdhypphyeracdw.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\svenboa.exe\" C:\\Users\\Admin\\App"	svenboa.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

svenboa.exesvenboa.exeNETSTAT.EXE

description	pid	process	target process
PID 3988 set thread context of 3088	3988	svenboa.exe	svenboa.exe
PID 3088 set thread context of 2180	3088	svenboa.exe	Explorer.EXE
PID 2376 set thread context of 2180	2376	NETSTAT.EXE	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

2376 NETSTAT.EXE

pid	process
2376	NETSTAT.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

NETSTAT.EXE

description	ioc	process
Key created	\Registry\User\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 56 IoCs

Processes:

svenboa.exeNETSTAT.EXE

pid	process
3088	svenboa.exe
3088	svenboa.exe
3088	svenboa.exe
3088	svenboa.exe
3088	svenboa.exe
3088	svenboa.exe
3088	svenboa.exe
3088	svenboa.exe
2376	NETSTAT.EXE
2376	NETSTAT.EXE
2376	NETSTAT.EXE
2376	NETSTAT.EXE
2376	NETSTAT.EXE
2376	NETSTAT.EXE
2376	NETSTAT.EXE
2376	NETSTAT.EXE
2376	NETSTAT.EXE
2376	NETSTAT.EXE
2376	NETSTAT.EXE
2376	NETSTAT.EXE
2376	NETSTAT.EXE
2376	NETSTAT.EXE
2376	NETSTAT.EXE
2376	NETSTAT.EXE
2376	NETSTAT.EXE
2376	NETSTAT.EXE
2376	NETSTAT.EXE
2376	NETSTAT.EXE
2376	NETSTAT.EXE
2376	NETSTAT.EXE
2376	NETSTAT.EXE
2376	NETSTAT.EXE
2376	NETSTAT.EXE
2376	NETSTAT.EXE
2376	NETSTAT.EXE
2376	NETSTAT.EXE
2376	NETSTAT.EXE
2376	NETSTAT.EXE
2376	NETSTAT.EXE
2376	NETSTAT.EXE
2376	NETSTAT.EXE
2376	NETSTAT.EXE
2376	NETSTAT.EXE
2376	NETSTAT.EXE
2376	NETSTAT.EXE
2376	NETSTAT.EXE
2376	NETSTAT.EXE
2376	NETSTAT.EXE
2376	NETSTAT.EXE
2376	NETSTAT.EXE
2376	NETSTAT.EXE
2376	NETSTAT.EXE
2376	NETSTAT.EXE
2376	NETSTAT.EXE
2376	NETSTAT.EXE
2376	NETSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2180 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

svenboa.exesvenboa.exeNETSTAT.EXE

pid process

3988 svenboa.exe
3088 svenboa.exe
3088 svenboa.exe
3088 svenboa.exe
2376 NETSTAT.EXE
2376 NETSTAT.EXE
2376 NETSTAT.EXE
2376 NETSTAT.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

svenboa.exeNETSTAT.EXE

description pid process

Token: SeDebugPrivilege 3088 svenboa.exe
Token: SeDebugPrivilege 2376 NETSTAT.EXE

pid	process
2180	Explorer.EXE

pid	process
3988	svenboa.exe
3088	svenboa.exe
3088	svenboa.exe
3088	svenboa.exe
2376	NETSTAT.EXE
2376	NETSTAT.EXE
2376	NETSTAT.EXE
2376	NETSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	3088	svenboa.exe
Token: SeDebugPrivilege	2376	NETSTAT.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

Ödeme Tavsiye Notu - 0000274553.PDF.exesvenboa.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 2688 wrote to memory of 3988	2688	Ödeme Tavsiye Notu - 0000274553.PDF.exe	svenboa.exe
PID 2688 wrote to memory of 3988	2688	Ödeme Tavsiye Notu - 0000274553.PDF.exe	svenboa.exe
PID 2688 wrote to memory of 3988	2688	Ödeme Tavsiye Notu - 0000274553.PDF.exe	svenboa.exe
PID 3988 wrote to memory of 3088	3988	svenboa.exe	svenboa.exe
PID 3988 wrote to memory of 3088	3988	svenboa.exe	svenboa.exe
PID 3988 wrote to memory of 3088	3988	svenboa.exe	svenboa.exe
PID 3988 wrote to memory of 3088	3988	svenboa.exe	svenboa.exe
PID 2180 wrote to memory of 2376	2180	Explorer.EXE	NETSTAT.EXE
PID 2180 wrote to memory of 2376	2180	Explorer.EXE	NETSTAT.EXE
PID 2180 wrote to memory of 2376	2180	Explorer.EXE	NETSTAT.EXE
PID 2376 wrote to memory of 1612	2376	NETSTAT.EXE	Firefox.exe
PID 2376 wrote to memory of 1612	2376	NETSTAT.EXE	Firefox.exe
PID 2376 wrote to memory of 1612	2376	NETSTAT.EXE	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\AppData\Local\Temp\Ödeme Tavsiye Notu - 0000274553.PDF.exe
  "C:\Users\Admin\AppData\Local\Temp\Ödeme Tavsiye Notu - 0000274553.PDF.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Users\Admin\AppData\Local\Temp\svenboa.exe
    "C:\Users\Admin\AppData\Local\Temp\svenboa.exe" C:\Users\Admin\AppData\Local\Temp\stgmpxbhdcx.tyv
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:3988
  - - C:\Users\Admin\AppData\Local\Temp\svenboa.exe
      "C:\Users\Admin\AppData\Local\Temp\svenboa.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:3088
- C:\Windows\SysWOW64\NETSTAT.EXE
  "C:\Windows\SysWOW64\NETSTAT.EXE"
  2⤵
  - Suspicious use of SetThreadContext
  - Gathers network information
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:1612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rjoqr.i

Filesize
185KB

MD5
5a363369f79b9aa5fb7f30c36255cdca

SHA1
ab1c4fa718eae050ffd726f23a25dac9c05f6408

SHA256
7d0d734491e4b96aa91ddb7da56c78d6d5e6f43476c4b496b8061b5859794dca

SHA512
c10b5c08482e4acbac15f125a4d9ee19fa2af67d02809794d9b9218cb50b9b0d9b229542ee959e74806ddd69264f6fb444548f616017acac3664a8839ad3e9f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\stgmpxbhdcx.tyv

Filesize
7KB

MD5
916c81137e81c83b2301ded71317eaf8

SHA1
54b3b7538b9cf0648c615ab02020414213b80e98

SHA256
18c6e9457b9571852cb9857037dcc3b17c9bcdaf50d56da147440624fad58fdf

SHA512
5f4a9e7999a0b41e60c50d8bf36ef6c1e9435057f8999460822c9b40b7e189963a508458b9fc9d4eaadc831f3ea4b785cba8c28d320c3f8180aa99b89701e52d

Download Submit
C:\Users\Admin\AppData\Local\Temp\svenboa.exe

Filesize
287KB

MD5
ee906eb277fa085c43d530fef366449c

SHA1
43faf3d997e01f647f654b606d4f4e130b7d74a3

SHA256
b1941867cd5af254cafe02824733f022da84f8d826851004b39bb3535977366b

SHA512
bf234d8a8ed84c9025cdd5e386c2293a6d0cdf9450512375253edf336b3c11fd2f3e7a34a0fb096700f6432d03fcf5468bfa0f294d49bf2d55a258553ad5a24d

Download Submit
C:\Users\Admin\AppData\Local\Temp\svenboa.exe

Filesize
287KB

MD5
ee906eb277fa085c43d530fef366449c

SHA1
43faf3d997e01f647f654b606d4f4e130b7d74a3

SHA256
b1941867cd5af254cafe02824733f022da84f8d826851004b39bb3535977366b

SHA512
bf234d8a8ed84c9025cdd5e386c2293a6d0cdf9450512375253edf336b3c11fd2f3e7a34a0fb096700f6432d03fcf5468bfa0f294d49bf2d55a258553ad5a24d

Download Submit
C:\Users\Admin\AppData\Local\Temp\svenboa.exe

Filesize
287KB

MD5
ee906eb277fa085c43d530fef366449c

SHA1
43faf3d997e01f647f654b606d4f4e130b7d74a3

SHA256
b1941867cd5af254cafe02824733f022da84f8d826851004b39bb3535977366b

SHA512
bf234d8a8ed84c9025cdd5e386c2293a6d0cdf9450512375253edf336b3c11fd2f3e7a34a0fb096700f6432d03fcf5468bfa0f294d49bf2d55a258553ad5a24d

Download Submit
memory/2180-154-0x0000000003610000-0x0000000003751000-memory.dmp

Filesize
1.3MB

Download
memory/2180-152-0x0000000003610000-0x0000000003751000-memory.dmp

Filesize
1.3MB

Download
memory/2180-144-0x0000000003180000-0x00000000032D6000-memory.dmp

Filesize
1.3MB

Download
memory/2376-148-0x0000000000610000-0x000000000061B000-memory.dmp

Filesize
44KB

Download
memory/2376-153-0x0000000000BA0000-0x0000000000BCD000-memory.dmp

Filesize
180KB

Download
memory/2376-151-0x0000000001340000-0x00000000013CF000-memory.dmp

Filesize
572KB

Download
memory/2376-150-0x0000000001510000-0x000000000185A000-memory.dmp

Filesize
3.3MB

Download
memory/2376-149-0x0000000000BA0000-0x0000000000BCD000-memory.dmp

Filesize
180KB

Download
memory/2376-145-0x0000000000000000-mapping.dmp

Download
memory/3088-142-0x0000000000422000-0x0000000000424000-memory.dmp

Filesize
8KB

Download
memory/3088-147-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/3088-146-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3088-143-0x0000000000BE0000-0x0000000000BF0000-memory.dmp

Filesize
64KB

Download
memory/3088-141-0x00000000011D0000-0x000000000151A000-memory.dmp

Filesize
3.3MB

Download
memory/3088-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3088-140-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/3088-137-0x0000000000000000-mapping.dmp

Download
memory/3988-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads