formbook | 2af0bbe87c28664ad5b453eae02d512f770962319673b9c494d85b717a6f9edf

General

Target

SecuriteInfo.com.Variant.Jaik.77520.20069.28067.exe
Size

332KB
MD5

a3bd608d019d827e4eee68f67f39a444
SHA1

6e9874bac7b065a42110cef5c1b060de94123b2d
SHA256

2af0bbe87c28664ad5b453eae02d512f770962319673b9c494d85b717a6f9edf
SHA512

6b73f10a981a23c9ba0fee05d24b77b15220716172e8b48dc7d2e409e774e6fafbcdced2d5832a21f5863c38f51d553a51e1ad5ae15f7aae5d824366f2a289d8
SSDEEP

6144:9kwmZ6RfPyO6qBUnqk5yx+9JjOGNE1STKB7xUbGpn9C+xv0/159Xmj2pO6GInyw:qZ6RfPyO6ZqN7GNsTVxBp9PdK5XmK5p

Score

10^/10

formbook k6n9 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

k6n9

Decoy

NzUYPBPnE+UWNJX0b/5zZQ==

ZcsDmdfNeiREr4loZ9k=

p4Pecr+pmTFp+Az4AGoSpvqp

4jwUP0ApYThdpDmZcNp+xuej

0tmQjRQKSQbR0N86

MgfR+qwWljDdagbsn8Ukr8bc8A==

shQ3YCpOQPp/9g==

Q4mmwEidJLBJug25c6Vxcg==

OM1kEJDdGNpv7nMy

7FmP1iykTQZ7q0Hq5g==

9lVGWV44H63+A5oGc6Vxcg==

Bs97fiCGUye5Osm9xsOYZnb8SEC+YszE

xJMBmQj3MRDV7MBXzEep

mJpebAH7RkkGGbsZwZ/weg==

u6FXU+JCphyVyCsUBP0Spvqp

B/mwulPBDRm5q0Hq5g==

E+JiHcUb7gR+8A==

BgGOL5SLfQ9BzuPDxzeVKEIuOKDL

wZdfmzTbOcnEF3Mi1QnVpPCo

J63Z+Jv5L+JOhd+zc6Vxcg==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

igyfrxru.exeigyfrxru.exe

pid process

4824 igyfrxru.exe
2168 igyfrxru.exe

pid	process
4824	igyfrxru.exe
2168	igyfrxru.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

igyfrxru.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	igyfrxru.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

igyfrxru.exeigyfrxru.exeipconfig.exe

description	pid	process	target process
PID 4824 set thread context of 2168	4824	igyfrxru.exe	igyfrxru.exe
PID 2168 set thread context of 3048	2168	igyfrxru.exe	Explorer.EXE
PID 3264 set thread context of 3048	3264	ipconfig.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

3264 ipconfig.exe

pid	process
3264	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

ipconfig.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

igyfrxru.exeipconfig.exe

pid	process
2168	igyfrxru.exe
2168	igyfrxru.exe
2168	igyfrxru.exe
2168	igyfrxru.exe
2168	igyfrxru.exe
2168	igyfrxru.exe
2168	igyfrxru.exe
2168	igyfrxru.exe
3264	ipconfig.exe
3264	ipconfig.exe
3264	ipconfig.exe
3264	ipconfig.exe
3264	ipconfig.exe
3264	ipconfig.exe
3264	ipconfig.exe
3264	ipconfig.exe
3264	ipconfig.exe
3264	ipconfig.exe
3264	ipconfig.exe
3264	ipconfig.exe
3264	ipconfig.exe
3264	ipconfig.exe
3264	ipconfig.exe
3264	ipconfig.exe
3264	ipconfig.exe
3264	ipconfig.exe
3264	ipconfig.exe
3264	ipconfig.exe
3264	ipconfig.exe
3264	ipconfig.exe
3264	ipconfig.exe
3264	ipconfig.exe
3264	ipconfig.exe
3264	ipconfig.exe
3264	ipconfig.exe
3264	ipconfig.exe
3264	ipconfig.exe
3264	ipconfig.exe
3264	ipconfig.exe
3264	ipconfig.exe
3264	ipconfig.exe
3264	ipconfig.exe
3264	ipconfig.exe
3264	ipconfig.exe
3264	ipconfig.exe
3264	ipconfig.exe
3264	ipconfig.exe
3264	ipconfig.exe
3264	ipconfig.exe
3264	ipconfig.exe
3264	ipconfig.exe
3264	ipconfig.exe
3264	ipconfig.exe
3264	ipconfig.exe
3264	ipconfig.exe
3264	ipconfig.exe
3264	ipconfig.exe
3264	ipconfig.exe
3264	ipconfig.exe
3264	ipconfig.exe
3264	ipconfig.exe
3264	ipconfig.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3048 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

igyfrxru.exeigyfrxru.exeipconfig.exe

pid process

4824 igyfrxru.exe
2168 igyfrxru.exe
2168 igyfrxru.exe
2168 igyfrxru.exe
3264 ipconfig.exe
3264 ipconfig.exe
3264 ipconfig.exe
3264 ipconfig.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

igyfrxru.exeipconfig.exe

description pid process

Token: SeDebugPrivilege 2168 igyfrxru.exe
Token: SeDebugPrivilege 3264 ipconfig.exe

pid	process
3048	Explorer.EXE

pid	process
4824	igyfrxru.exe
2168	igyfrxru.exe
2168	igyfrxru.exe
2168	igyfrxru.exe
3264	ipconfig.exe
3264	ipconfig.exe
3264	ipconfig.exe
3264	ipconfig.exe

description	pid	process
Token: SeDebugPrivilege	2168	igyfrxru.exe
Token: SeDebugPrivilege	3264	ipconfig.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

SecuriteInfo.com.Variant.Jaik.77520.20069.28067.exeigyfrxru.exeExplorer.EXEipconfig.exe

description	pid	process	target process
PID 384 wrote to memory of 4824	384	SecuriteInfo.com.Variant.Jaik.77520.20069.28067.exe	igyfrxru.exe
PID 384 wrote to memory of 4824	384	SecuriteInfo.com.Variant.Jaik.77520.20069.28067.exe	igyfrxru.exe
PID 384 wrote to memory of 4824	384	SecuriteInfo.com.Variant.Jaik.77520.20069.28067.exe	igyfrxru.exe
PID 4824 wrote to memory of 2168	4824	igyfrxru.exe	igyfrxru.exe
PID 4824 wrote to memory of 2168	4824	igyfrxru.exe	igyfrxru.exe
PID 4824 wrote to memory of 2168	4824	igyfrxru.exe	igyfrxru.exe
PID 4824 wrote to memory of 2168	4824	igyfrxru.exe	igyfrxru.exe
PID 3048 wrote to memory of 3264	3048	Explorer.EXE	ipconfig.exe
PID 3048 wrote to memory of 3264	3048	Explorer.EXE	ipconfig.exe
PID 3048 wrote to memory of 3264	3048	Explorer.EXE	ipconfig.exe
PID 3264 wrote to memory of 3408	3264	ipconfig.exe	Firefox.exe
PID 3264 wrote to memory of 3408	3264	ipconfig.exe	Firefox.exe
PID 3264 wrote to memory of 3408	3264	ipconfig.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3048

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Jaik.77520.20069.28067.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Jaik.77520.20069.28067.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:384

C:\Users\Admin\AppData\Local\Temp\igyfrxru.exe
"C:\Users\Admin\AppData\Local\Temp\igyfrxru.exe" C:\Users\Admin\AppData\Local\Temp\dkqqrn.zb
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4824

C:\Users\Admin\AppData\Local\Temp\igyfrxru.exe
"C:\Users\Admin\AppData\Local\Temp\igyfrxru.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2168

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3264

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:3408

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\caawwo.tq
Filesize
185KB

MD5
7e87de0d663de312611bb198817c039d

SHA1
5245d45abd227463d7e0734baa4b5e4a72f23117

SHA256
cf29186d98d627090bd497c3f53903bc30df30e58c2fbbd5e20c83f593a155ca

SHA512
c6b609aecf7b2d5d5c375fc638a139efe6203b6b8bc581629363aae6ee8b418dc70315bf8ce87737b0a1675a349568b837dbfeaba615d4d1f3ae1f4d65ec4f20

Download Submit
C:\Users\Admin\AppData\Local\Temp\dkqqrn.zb
Filesize
5KB

MD5
e2c1f72715c1ba8a81a593353fa4ebeb

SHA1
0ef5aabb489a82704dea4ca6e33f8d65116848dd

SHA256
580a0fd8ac1f558a0421ab266eebb2ed92710f418e6dc769e3b48504970810ec

SHA512
f4082ea5c874165b59ceaa9b67a5daaec73f41e62ab312683aff119f90e1f61570e0e658fae945a1b3e7cdf28536e679e6a1263602a2bc58ec7659b7dabd4d37

Download Submit
C:\Users\Admin\AppData\Local\Temp\igyfrxru.exe
Filesize
276KB

MD5
08188993d15fa1d98dfc42e3f4f0d15f

SHA1
0e0d702f549baa70ede7d529177e44c0e24c3952

SHA256
068e8af75d257328fd5c8d87c48920d53ff62956502148615df8160f70e03d33

SHA512
ab5db72f362af2e1fefa97e93247addc37c0df7f075d15c4fa379963ddf78b22fbda100305f94e211e8536ef57797a7ebf99c0192249bf3dc0455f93b46356e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\igyfrxru.exe
Filesize
276KB

MD5
08188993d15fa1d98dfc42e3f4f0d15f

SHA1
0e0d702f549baa70ede7d529177e44c0e24c3952

SHA256
068e8af75d257328fd5c8d87c48920d53ff62956502148615df8160f70e03d33

SHA512
ab5db72f362af2e1fefa97e93247addc37c0df7f075d15c4fa379963ddf78b22fbda100305f94e211e8536ef57797a7ebf99c0192249bf3dc0455f93b46356e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\igyfrxru.exe
Filesize
276KB

MD5
08188993d15fa1d98dfc42e3f4f0d15f

SHA1
0e0d702f549baa70ede7d529177e44c0e24c3952

SHA256
068e8af75d257328fd5c8d87c48920d53ff62956502148615df8160f70e03d33

SHA512
ab5db72f362af2e1fefa97e93247addc37c0df7f075d15c4fa379963ddf78b22fbda100305f94e211e8536ef57797a7ebf99c0192249bf3dc0455f93b46356e9

Download Submit
memory/2168-142-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2168-143-0x0000000000540000-0x0000000000550000-memory.dmp

Filesize
64KB

Download
memory/2168-137-0x0000000000000000-mapping.dmp

Download
memory/2168-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2168-141-0x0000000000A60000-0x0000000000DAA000-memory.dmp

Filesize
3.3MB

Download
memory/2168-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3048-144-0x00000000084D0000-0x0000000008671000-memory.dmp

Filesize
1.6MB

Download
memory/3048-150-0x00000000031D0000-0x000000000334D000-memory.dmp

Filesize
1.5MB

Download
memory/3048-152-0x00000000031D0000-0x000000000334D000-memory.dmp

Filesize
1.5MB

Download
memory/3264-145-0x0000000000000000-mapping.dmp

Download
memory/3264-146-0x0000000000C60000-0x0000000000C6B000-memory.dmp

Filesize
44KB

Download
memory/3264-147-0x0000000000340000-0x000000000036D000-memory.dmp

Filesize
180KB

Download
memory/3264-148-0x0000000000E30000-0x000000000117A000-memory.dmp

Filesize
3.3MB

Download
memory/3264-149-0x0000000000B20000-0x0000000000BAF000-memory.dmp

Filesize
572KB

Download
memory/3264-151-0x0000000000340000-0x000000000036D000-memory.dmp

Filesize
180KB

Download
memory/4824-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads