formbook | b3bcb18dda143e601f302a1cd248189f553d03ffbd707a05a3df3048f0c5b407

General

Target

scan001.exe
Size

338KB
MD5

e6c47976b4d53fd52464cfc18c8a57af
SHA1

31bf2e8c7b123cd7c04899fb64bbe3832823e217
SHA256

b3bcb18dda143e601f302a1cd248189f553d03ffbd707a05a3df3048f0c5b407
SHA512

28d927de8a6a44ea0eea2789b4f2d6b73a21a38072fdf28242a79fcdea06244229c088c922e87fd8556c0dc774af97483ac66a73b3ef3a8d22b6858a37740753
SSDEEP

6144:9kwUZdjCHZAGW3UgK9Xa64EIcdM5Rqyz7t/SLkopNYXhH7jsL2Sk8csUv3YWlZ:QdjM6UgiXpycW3qaRkkyNq7jU2SVUv3B

Score

10^/10

formbook 9qtp rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

9qtp

Decoy

0BbXnywB2jUlm9nKiMma

R5A2IaujqtD/dAqI8Y0IpQ==

hOvaxGAt51Bx33P7Vyt6XPnYWw==

IDg+M/RH+D5aQ18d8Y0IpQ==

W1xH1/2HTrysGWEUdK2equ4Y

qHgkqNn4xTo4

8S7brii3eMzty+KgvBqIXPnYWw==

j8x44wKIXrW2tRiH8Y0IpQ==

GywuINvBRm2eaNY=

dTja44gPmQhkiaLZ

s6aIdgBm7Dx5fsUB2rE=

m5h7cA6JHX1p5ylfoc4ouA==

uDxNFJgassFFTdQ=

RERUNcLCgdAOabklo1PDTjf5Uw==

pKeadO1BswJQKXZ0tAkBF9wkNVs=

xd7Yr00rxzGBNlS1XA==

01Jd2fhoQpThdH5Sc8sprQ==

oOSWBCeNDDWeB8M=

EV8ae4iFCmdrT78Zr6VnObkG

Ghkc7nZnXXPEOX1FUToisZc=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Blocklisted process makes network request 1 IoCs

Processes:

cmstp.exe

flow pid process

6 1712 cmstp.exe
Executes dropped EXE 2 IoCs

Processes:

rorndxxfhn.exerorndxxfhn.exe

pid process

2004 rorndxxfhn.exe
1552 rorndxxfhn.exe

flow	pid	process
6	1712	cmstp.exe

pid	process
2004	rorndxxfhn.exe
1552	rorndxxfhn.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rorndxxfhn.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\International\Geo\Nation	rorndxxfhn.exe

Loads dropped DLL 3 IoCs

Processes:

scan001.exerorndxxfhn.execmstp.exe

pid process

816 scan001.exe
2004 rorndxxfhn.exe
1712 cmstp.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
816	scan001.exe
2004	rorndxxfhn.exe
1712	cmstp.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

rorndxxfhn.exerorndxxfhn.execmstp.exe

description	pid	process	target process
PID 2004 set thread context of 1552	2004	rorndxxfhn.exe	rorndxxfhn.exe
PID 1552 set thread context of 1284	1552	rorndxxfhn.exe	Explorer.EXE
PID 1712 set thread context of 1284	1712	cmstp.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

cmstp.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cmstp.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

rorndxxfhn.execmstp.exe

pid	process
1552	rorndxxfhn.exe
1552	rorndxxfhn.exe
1552	rorndxxfhn.exe
1552	rorndxxfhn.exe
1712	cmstp.exe
1712	cmstp.exe
1712	cmstp.exe
1712	cmstp.exe
1712	cmstp.exe
1712	cmstp.exe
1712	cmstp.exe
1712	cmstp.exe
1712	cmstp.exe
1712	cmstp.exe
1712	cmstp.exe
1712	cmstp.exe
1712	cmstp.exe
1712	cmstp.exe
1712	cmstp.exe
1712	cmstp.exe
1712	cmstp.exe
1712	cmstp.exe
1712	cmstp.exe

Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

rorndxxfhn.exerorndxxfhn.execmstp.exe

pid process

2004 rorndxxfhn.exe
1552 rorndxxfhn.exe
1552 rorndxxfhn.exe
1552 rorndxxfhn.exe
1712 cmstp.exe
1712 cmstp.exe
1712 cmstp.exe
1712 cmstp.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

rorndxxfhn.execmstp.exe

description pid process

Token: SeDebugPrivilege 1552 rorndxxfhn.exe
Token: SeDebugPrivilege 1712 cmstp.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1284 Explorer.EXE
1284 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1284 Explorer.EXE
1284 Explorer.EXE

pid	process
2004	rorndxxfhn.exe
1552	rorndxxfhn.exe
1552	rorndxxfhn.exe
1552	rorndxxfhn.exe
1712	cmstp.exe
1712	cmstp.exe
1712	cmstp.exe
1712	cmstp.exe

description	pid	process
Token: SeDebugPrivilege	1552	rorndxxfhn.exe
Token: SeDebugPrivilege	1712	cmstp.exe

pid	process
1284	Explorer.EXE
1284	Explorer.EXE

pid	process
1284	Explorer.EXE
1284	Explorer.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

scan001.exerorndxxfhn.exeExplorer.EXEcmstp.exe

description	pid	process	target process
PID 816 wrote to memory of 2004	816	scan001.exe	rorndxxfhn.exe
PID 816 wrote to memory of 2004	816	scan001.exe	rorndxxfhn.exe
PID 816 wrote to memory of 2004	816	scan001.exe	rorndxxfhn.exe
PID 816 wrote to memory of 2004	816	scan001.exe	rorndxxfhn.exe
PID 2004 wrote to memory of 1552	2004	rorndxxfhn.exe	rorndxxfhn.exe
PID 2004 wrote to memory of 1552	2004	rorndxxfhn.exe	rorndxxfhn.exe
PID 2004 wrote to memory of 1552	2004	rorndxxfhn.exe	rorndxxfhn.exe
PID 2004 wrote to memory of 1552	2004	rorndxxfhn.exe	rorndxxfhn.exe
PID 2004 wrote to memory of 1552	2004	rorndxxfhn.exe	rorndxxfhn.exe
PID 1284 wrote to memory of 1712	1284	Explorer.EXE	cmstp.exe
PID 1284 wrote to memory of 1712	1284	Explorer.EXE	cmstp.exe
PID 1284 wrote to memory of 1712	1284	Explorer.EXE	cmstp.exe
PID 1284 wrote to memory of 1712	1284	Explorer.EXE	cmstp.exe
PID 1284 wrote to memory of 1712	1284	Explorer.EXE	cmstp.exe
PID 1284 wrote to memory of 1712	1284	Explorer.EXE	cmstp.exe
PID 1284 wrote to memory of 1712	1284	Explorer.EXE	cmstp.exe
PID 1712 wrote to memory of 1936	1712	cmstp.exe	Firefox.exe
PID 1712 wrote to memory of 1936	1712	cmstp.exe	Firefox.exe
PID 1712 wrote to memory of 1936	1712	cmstp.exe	Firefox.exe
PID 1712 wrote to memory of 1936	1712	cmstp.exe	Firefox.exe
PID 1712 wrote to memory of 1936	1712	cmstp.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1284

C:\Users\Admin\AppData\Local\Temp\scan001.exe
"C:\Users\Admin\AppData\Local\Temp\scan001.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:816

C:\Users\Admin\AppData\Local\Temp\rorndxxfhn.exe
"C:\Users\Admin\AppData\Local\Temp\rorndxxfhn.exe" C:\Users\Admin\AppData\Local\Temp\btrmcxtbyq.qmp
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2004

C:\Users\Admin\AppData\Local\Temp\rorndxxfhn.exe
"C:\Users\Admin\AppData\Local\Temp\rorndxxfhn.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\btrmcxtbyq.qmp
Filesize
5KB

MD5
c1fac186d9e098f4b422cf4245f4081b

SHA1
4eb9905fdbfe9954f5abb9f362db88dd50b0093b

SHA256
7e6d984b161c2832970affedf1317440f118bb708c9bc54ccfc24a7a79e9f47b

SHA512
25709fb0cd239fc3704e6bd15cf2377220e2a982879de82aaeee0f6232ad653434754c1ac987d6a488961619cfb79aee5ad26bb2422cf18cd2bb8252987a465e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rorndxxfhn.exe
Filesize
286KB

MD5
472c69eb31dc3dba99eb29db51070929

SHA1
6a63502ef54448442431d9faa07566e7d683620a

SHA256
e7f945e8ce246c1c00c4672bf542505b4995da2e24665f284ef25cbb7eb2b639

SHA512
cbffce25139a47d14b763be56164cd8087ff548876918b5d17d3a167f4351d7d082992781094658eb7fc1b1d0eaa89d25478f1ddd658dd256fbf9ad6b4225ccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\rorndxxfhn.exe
Filesize
286KB

MD5
472c69eb31dc3dba99eb29db51070929

SHA1
6a63502ef54448442431d9faa07566e7d683620a

SHA256
e7f945e8ce246c1c00c4672bf542505b4995da2e24665f284ef25cbb7eb2b639

SHA512
cbffce25139a47d14b763be56164cd8087ff548876918b5d17d3a167f4351d7d082992781094658eb7fc1b1d0eaa89d25478f1ddd658dd256fbf9ad6b4225ccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\rorndxxfhn.exe
Filesize
286KB

MD5
472c69eb31dc3dba99eb29db51070929

SHA1
6a63502ef54448442431d9faa07566e7d683620a

SHA256
e7f945e8ce246c1c00c4672bf542505b4995da2e24665f284ef25cbb7eb2b639

SHA512
cbffce25139a47d14b763be56164cd8087ff548876918b5d17d3a167f4351d7d082992781094658eb7fc1b1d0eaa89d25478f1ddd658dd256fbf9ad6b4225ccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tijpqhm.ko
Filesize
185KB

MD5
b0be4c47237b61396c8df065cc32bf99

SHA1
d17aa0a780f5b82effceee9201d5f2d81b7ad7bc

SHA256
8366c1427e0d2896cf00757f34cb5b2cb36cc102f5b640b22c91ef442bbe893a

SHA512
65772dab596ed616b5833a135c07fb38fdf363e9fd0d5dec2047b827348a9fb33d79f8d6ca06d90dba49953a2d76a82ca2cd83fb96ba9fa0a933d428f7c6cde9

Download Submit
\Users\Admin\AppData\Local\Temp\rorndxxfhn.exe
Filesize
286KB

MD5
472c69eb31dc3dba99eb29db51070929

SHA1
6a63502ef54448442431d9faa07566e7d683620a

SHA256
e7f945e8ce246c1c00c4672bf542505b4995da2e24665f284ef25cbb7eb2b639

SHA512
cbffce25139a47d14b763be56164cd8087ff548876918b5d17d3a167f4351d7d082992781094658eb7fc1b1d0eaa89d25478f1ddd658dd256fbf9ad6b4225ccf

Download Submit
\Users\Admin\AppData\Local\Temp\rorndxxfhn.exe
Filesize
286KB

MD5
472c69eb31dc3dba99eb29db51070929

SHA1
6a63502ef54448442431d9faa07566e7d683620a

SHA256
e7f945e8ce246c1c00c4672bf542505b4995da2e24665f284ef25cbb7eb2b639

SHA512
cbffce25139a47d14b763be56164cd8087ff548876918b5d17d3a167f4351d7d082992781094658eb7fc1b1d0eaa89d25478f1ddd658dd256fbf9ad6b4225ccf

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
770KB

MD5
65f6090dfb069aca962a59f6df9e6113

SHA1
879bad504dfcce1a591c97817f3ff1e63931cfd2

SHA256
32a302d8c235226d8cdda4d957f151df3e5736fdce7886e6c794f0648b2eb106

SHA512
4c0e5e1103749356dceaaaa312e853bda83ec14f2f12288e9020cdf42b6e80d4caaec03d1ef7f34d81ddf2da88e6160c0c711380c2a7d89012e660406cdbb987

Download Submit
memory/816-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/1284-78-0x00000000064C0000-0x000000000663A000-memory.dmp

Filesize
1.5MB

Download
memory/1284-76-0x00000000064C0000-0x000000000663A000-memory.dmp

Filesize
1.5MB

Download
memory/1284-69-0x0000000004EA0000-0x0000000005034000-memory.dmp

Filesize
1.6MB

Download
memory/1552-67-0x0000000000BC0000-0x0000000000EC3000-memory.dmp

Filesize
3.0MB

Download
memory/1552-68-0x0000000000160000-0x0000000000170000-memory.dmp

Filesize
64KB

Download
memory/1552-66-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1552-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1552-63-0x00000000004012B0-mapping.dmp

Download
memory/1712-70-0x0000000000000000-mapping.dmp

Download
memory/1712-72-0x00000000003C0000-0x00000000003D8000-memory.dmp

Filesize
96KB

Download
memory/1712-73-0x0000000000090000-0x00000000000BD000-memory.dmp

Filesize
180KB

Download
memory/1712-74-0x0000000001F10000-0x0000000002213000-memory.dmp

Filesize
3.0MB

Download
memory/1712-75-0x0000000001D80000-0x0000000001E0F000-memory.dmp

Filesize
572KB

Download
memory/1712-77-0x0000000000090000-0x00000000000BD000-memory.dmp

Filesize
180KB

Download
memory/2004-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads