formbook | b3bcb18dda143e601f302a1cd248189f553d03ffbd707a05a3df3048f0c5b407

General

Target

scan001.exe
Size

338KB
MD5

e6c47976b4d53fd52464cfc18c8a57af
SHA1

31bf2e8c7b123cd7c04899fb64bbe3832823e217
SHA256

b3bcb18dda143e601f302a1cd248189f553d03ffbd707a05a3df3048f0c5b407
SHA512

28d927de8a6a44ea0eea2789b4f2d6b73a21a38072fdf28242a79fcdea06244229c088c922e87fd8556c0dc774af97483ac66a73b3ef3a8d22b6858a37740753
SSDEEP

6144:9kwUZdjCHZAGW3UgK9Xa64EIcdM5Rqyz7t/SLkopNYXhH7jsL2Sk8csUv3YWlZ:QdjM6UgiXpycW3qaRkkyNq7jU2SVUv3B

Score

10^/10

formbook 9qtp rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

9qtp

Decoy

0BbXnywB2jUlm9nKiMma

R5A2IaujqtD/dAqI8Y0IpQ==

hOvaxGAt51Bx33P7Vyt6XPnYWw==

IDg+M/RH+D5aQ18d8Y0IpQ==

W1xH1/2HTrysGWEUdK2equ4Y

qHgkqNn4xTo4

8S7brii3eMzty+KgvBqIXPnYWw==

j8x44wKIXrW2tRiH8Y0IpQ==

GywuINvBRm2eaNY=

dTja44gPmQhkiaLZ

s6aIdgBm7Dx5fsUB2rE=

m5h7cA6JHX1p5ylfoc4ouA==

uDxNFJgassFFTdQ=

RERUNcLCgdAOabklo1PDTjf5Uw==

pKeadO1BswJQKXZ0tAkBF9wkNVs=

xd7Yr00rxzGBNlS1XA==

01Jd2fhoQpThdH5Sc8sprQ==

oOSWBCeNDDWeB8M=

EV8ae4iFCmdrT78Zr6VnObkG

Ghkc7nZnXXPEOX1FUToisZc=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

rorndxxfhn.exerorndxxfhn.exe

pid process

1340 rorndxxfhn.exe
4684 rorndxxfhn.exe

pid	process
1340	rorndxxfhn.exe
4684	rorndxxfhn.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rorndxxfhn.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	rorndxxfhn.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

rorndxxfhn.exerorndxxfhn.exemsdt.exe

description	pid	process	target process
PID 1340 set thread context of 4684	1340	rorndxxfhn.exe	rorndxxfhn.exe
PID 4684 set thread context of 760	4684	rorndxxfhn.exe	Explorer.EXE
PID 888 set thread context of 760	888	msdt.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

msdt.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	msdt.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

rorndxxfhn.exemsdt.exe

pid	process
4684	rorndxxfhn.exe
4684	rorndxxfhn.exe
4684	rorndxxfhn.exe
4684	rorndxxfhn.exe
4684	rorndxxfhn.exe
4684	rorndxxfhn.exe
4684	rorndxxfhn.exe
4684	rorndxxfhn.exe
888	msdt.exe
888	msdt.exe
888	msdt.exe
888	msdt.exe
888	msdt.exe
888	msdt.exe
888	msdt.exe
888	msdt.exe
888	msdt.exe
888	msdt.exe
888	msdt.exe
888	msdt.exe
888	msdt.exe
888	msdt.exe
888	msdt.exe
888	msdt.exe
888	msdt.exe
888	msdt.exe
888	msdt.exe
888	msdt.exe
888	msdt.exe
888	msdt.exe
888	msdt.exe
888	msdt.exe
888	msdt.exe
888	msdt.exe
888	msdt.exe
888	msdt.exe
888	msdt.exe
888	msdt.exe
888	msdt.exe
888	msdt.exe
888	msdt.exe
888	msdt.exe
888	msdt.exe
888	msdt.exe
888	msdt.exe
888	msdt.exe
888	msdt.exe
888	msdt.exe
888	msdt.exe
888	msdt.exe
888	msdt.exe
888	msdt.exe
888	msdt.exe
888	msdt.exe
888	msdt.exe
888	msdt.exe
888	msdt.exe
888	msdt.exe
888	msdt.exe
888	msdt.exe
888	msdt.exe
888	msdt.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

760 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

rorndxxfhn.exerorndxxfhn.exemsdt.exe

pid process

1340 rorndxxfhn.exe
4684 rorndxxfhn.exe
4684 rorndxxfhn.exe
4684 rorndxxfhn.exe
888 msdt.exe
888 msdt.exe
888 msdt.exe
888 msdt.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

rorndxxfhn.exemsdt.exe

description pid process

Token: SeDebugPrivilege 4684 rorndxxfhn.exe
Token: SeDebugPrivilege 888 msdt.exe

pid	process
760	Explorer.EXE

pid	process
1340	rorndxxfhn.exe
4684	rorndxxfhn.exe
4684	rorndxxfhn.exe
4684	rorndxxfhn.exe
888	msdt.exe
888	msdt.exe
888	msdt.exe
888	msdt.exe

description	pid	process
Token: SeDebugPrivilege	4684	rorndxxfhn.exe
Token: SeDebugPrivilege	888	msdt.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

scan001.exerorndxxfhn.exeExplorer.EXEmsdt.exe

description	pid	process	target process
PID 4324 wrote to memory of 1340	4324	scan001.exe	rorndxxfhn.exe
PID 4324 wrote to memory of 1340	4324	scan001.exe	rorndxxfhn.exe
PID 4324 wrote to memory of 1340	4324	scan001.exe	rorndxxfhn.exe
PID 1340 wrote to memory of 4684	1340	rorndxxfhn.exe	rorndxxfhn.exe
PID 1340 wrote to memory of 4684	1340	rorndxxfhn.exe	rorndxxfhn.exe
PID 1340 wrote to memory of 4684	1340	rorndxxfhn.exe	rorndxxfhn.exe
PID 1340 wrote to memory of 4684	1340	rorndxxfhn.exe	rorndxxfhn.exe
PID 760 wrote to memory of 888	760	Explorer.EXE	msdt.exe
PID 760 wrote to memory of 888	760	Explorer.EXE	msdt.exe
PID 760 wrote to memory of 888	760	Explorer.EXE	msdt.exe
PID 888 wrote to memory of 212	888	msdt.exe	Firefox.exe
PID 888 wrote to memory of 212	888	msdt.exe	Firefox.exe
PID 888 wrote to memory of 212	888	msdt.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:760

C:\Users\Admin\AppData\Local\Temp\scan001.exe
"C:\Users\Admin\AppData\Local\Temp\scan001.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4324

C:\Users\Admin\AppData\Local\Temp\rorndxxfhn.exe
"C:\Users\Admin\AppData\Local\Temp\rorndxxfhn.exe" C:\Users\Admin\AppData\Local\Temp\btrmcxtbyq.qmp
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1340

C:\Users\Admin\AppData\Local\Temp\rorndxxfhn.exe
"C:\Users\Admin\AppData\Local\Temp\rorndxxfhn.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4684

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:888

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\btrmcxtbyq.qmp
Filesize
5KB

MD5
c1fac186d9e098f4b422cf4245f4081b

SHA1
4eb9905fdbfe9954f5abb9f362db88dd50b0093b

SHA256
7e6d984b161c2832970affedf1317440f118bb708c9bc54ccfc24a7a79e9f47b

SHA512
25709fb0cd239fc3704e6bd15cf2377220e2a982879de82aaeee0f6232ad653434754c1ac987d6a488961619cfb79aee5ad26bb2422cf18cd2bb8252987a465e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rorndxxfhn.exe
Filesize
286KB

MD5
472c69eb31dc3dba99eb29db51070929

SHA1
6a63502ef54448442431d9faa07566e7d683620a

SHA256
e7f945e8ce246c1c00c4672bf542505b4995da2e24665f284ef25cbb7eb2b639

SHA512
cbffce25139a47d14b763be56164cd8087ff548876918b5d17d3a167f4351d7d082992781094658eb7fc1b1d0eaa89d25478f1ddd658dd256fbf9ad6b4225ccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\rorndxxfhn.exe
Filesize
286KB

MD5
472c69eb31dc3dba99eb29db51070929

SHA1
6a63502ef54448442431d9faa07566e7d683620a

SHA256
e7f945e8ce246c1c00c4672bf542505b4995da2e24665f284ef25cbb7eb2b639

SHA512
cbffce25139a47d14b763be56164cd8087ff548876918b5d17d3a167f4351d7d082992781094658eb7fc1b1d0eaa89d25478f1ddd658dd256fbf9ad6b4225ccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\rorndxxfhn.exe
Filesize
286KB

MD5
472c69eb31dc3dba99eb29db51070929

SHA1
6a63502ef54448442431d9faa07566e7d683620a

SHA256
e7f945e8ce246c1c00c4672bf542505b4995da2e24665f284ef25cbb7eb2b639

SHA512
cbffce25139a47d14b763be56164cd8087ff548876918b5d17d3a167f4351d7d082992781094658eb7fc1b1d0eaa89d25478f1ddd658dd256fbf9ad6b4225ccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tijpqhm.ko
Filesize
185KB

MD5
b0be4c47237b61396c8df065cc32bf99

SHA1
d17aa0a780f5b82effceee9201d5f2d81b7ad7bc

SHA256
8366c1427e0d2896cf00757f34cb5b2cb36cc102f5b640b22c91ef442bbe893a

SHA512
65772dab596ed616b5833a135c07fb38fdf363e9fd0d5dec2047b827348a9fb33d79f8d6ca06d90dba49953a2d76a82ca2cd83fb96ba9fa0a933d428f7c6cde9

Download Submit
memory/760-153-0x0000000007E40000-0x0000000007FB4000-memory.dmp

Filesize
1.5MB

Download
memory/760-152-0x0000000007E40000-0x0000000007FB4000-memory.dmp

Filesize
1.5MB

Download
memory/760-143-0x0000000002410000-0x00000000024DC000-memory.dmp

Filesize
816KB

Download
memory/888-147-0x0000000000240000-0x0000000000297000-memory.dmp

Filesize
348KB

Download
memory/888-151-0x00000000026A0000-0x000000000272F000-memory.dmp

Filesize
572KB

Download
memory/888-150-0x0000000000890000-0x00000000008BD000-memory.dmp

Filesize
180KB

Download
memory/888-144-0x0000000000000000-mapping.dmp

Download
memory/888-149-0x0000000002800000-0x0000000002B4A000-memory.dmp

Filesize
3.3MB

Download
memory/888-148-0x0000000000890000-0x00000000008BD000-memory.dmp

Filesize
180KB

Download
memory/1340-132-0x0000000000000000-mapping.dmp

Download
memory/4684-137-0x0000000000000000-mapping.dmp

Download
memory/4684-145-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4684-146-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/4684-142-0x0000000000CC0000-0x0000000000CD0000-memory.dmp

Filesize
64KB

Download
memory/4684-141-0x00000000011E0000-0x000000000152A000-memory.dmp

Filesize
3.3MB

Download
memory/4684-140-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/4684-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads