formbook | 8cb7736a5f9c3be642d8ee0f07f7a293e210a7bc74cbbc9ba89e483ff22634cb

Analysis

max time kernel
149s
max time network
169s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
09-12-2022 07:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Quotation 2101137.exe
Size

333KB
MD5

f1d95bc5972ece6c0ab4d64bd5c41721
SHA1

750d7f9bc16029e5e7229c88c3363e03e2b50e7d
SHA256

8cb7736a5f9c3be642d8ee0f07f7a293e210a7bc74cbbc9ba89e483ff22634cb
SHA512

1243b8c9c78c2df52cded73add252e0bbc60dcc4c52d3449ac406fdfc1a6b2b55e520aa7c3114b0c43f368f259df424376ad689240c5abaa7c54ff3e557e98aa
SSDEEP

6144:9kwb4cTPlzXPps8WC6KeBYfzFRyXxwwqIObWNlpPBV33nxqcI3hEONpJ364lH:P4cTPRXPps55gFaxLAbQTPBVgcI3CAp7

Score

10^/10

formbook yurm persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

yurm

Decoy

X06d1tis1GUX/R0g87Ud

BKiZ33D1P766GVXO1ZwV

lAFdjB7CSxGX8Trz

Gc7dWizTVxWX8Trz

tDkr9JAfi1OHAW1PGOageIp4

bCpMtHKU3mVp8BY5sQ==

7WKpsMWt8nsrhJClJeOZNg==

0A9KTlETQ86Cmd8k0o5NP5RwCg==

aJ61paNJztSp42c=

CrgoA8ySIOsytCbO1ZwV

i46SnHYDD9tTIHI=

XFRCRCjtFZeU3x4Rn3xfD5BnPz+RDA==

c4CZghuHvzW9A31gEz0d

QAjzz9qyRRWBNYseAI4M

Jpbmu4A1YvBvN3ruZgiRmJA5BCFd

PfoFXGNFhhuX8Trz

bqCfk0m8ApAl+Tm1Ms5Tb23IT7tS

z7INff7HNALxc5HWq2/ftrVR6A7R1zvTUQ==

m7IShV4LSFxbqxhrVsZ1Ig==

BHRp7q0gtoRuqBRnVsZ1Ig==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

etehonor.exeetehonor.exe

pid process

2008 etehonor.exe
1752 etehonor.exe

pid	process
2008	etehonor.exe
1752	etehonor.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

etehonor.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation	etehonor.exe

Loads dropped DLL 4 IoCs

Processes:

Quotation 2101137.exeetehonor.exesvchost.exe

pid process

980 Quotation 2101137.exe
980 Quotation 2101137.exe
2008 etehonor.exe
1328 svchost.exe

pid	process
980	Quotation 2101137.exe
980	Quotation 2101137.exe
2008	etehonor.exe
1328	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

etehonor.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hvtxxcgqiopcmw = "C:\\Users\\Admin\\AppData\\Roaming\\oigpqgqvlafd\\clbbmvmtrv.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\etehonor.exe\" C:\\Users\\Admin\\AppData"	etehonor.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

etehonor.exeetehonor.exesvchost.exe

description	pid	process	target process
PID 2008 set thread context of 1752	2008	etehonor.exe	etehonor.exe
PID 1752 set thread context of 1372	1752	etehonor.exe	Explorer.EXE
PID 1328 set thread context of 1372	1328	svchost.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	svchost.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

etehonor.exesvchost.exe

pid	process
1752	etehonor.exe
1752	etehonor.exe
1752	etehonor.exe
1752	etehonor.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe

Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

etehonor.exeetehonor.exesvchost.exe

pid process

2008 etehonor.exe
1752 etehonor.exe
1752 etehonor.exe
1752 etehonor.exe
1328 svchost.exe
1328 svchost.exe
1328 svchost.exe
1328 svchost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

etehonor.exesvchost.exe

description pid process

Token: SeDebugPrivilege 1752 etehonor.exe
Token: SeDebugPrivilege 1328 svchost.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1372 Explorer.EXE
1372 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1372 Explorer.EXE
1372 Explorer.EXE

pid	process
2008	etehonor.exe
1752	etehonor.exe
1752	etehonor.exe
1752	etehonor.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe
1328	svchost.exe

description	pid	process
Token: SeDebugPrivilege	1752	etehonor.exe
Token: SeDebugPrivilege	1328	svchost.exe

pid	process
1372	Explorer.EXE
1372	Explorer.EXE

pid	process
1372	Explorer.EXE
1372	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

Quotation 2101137.exeetehonor.exeExplorer.EXEsvchost.exe

description	pid	process	target process
PID 980 wrote to memory of 2008	980	Quotation 2101137.exe	etehonor.exe
PID 980 wrote to memory of 2008	980	Quotation 2101137.exe	etehonor.exe
PID 980 wrote to memory of 2008	980	Quotation 2101137.exe	etehonor.exe
PID 980 wrote to memory of 2008	980	Quotation 2101137.exe	etehonor.exe
PID 2008 wrote to memory of 1752	2008	etehonor.exe	etehonor.exe
PID 2008 wrote to memory of 1752	2008	etehonor.exe	etehonor.exe
PID 2008 wrote to memory of 1752	2008	etehonor.exe	etehonor.exe
PID 2008 wrote to memory of 1752	2008	etehonor.exe	etehonor.exe
PID 2008 wrote to memory of 1752	2008	etehonor.exe	etehonor.exe
PID 1372 wrote to memory of 1328	1372	Explorer.EXE	svchost.exe
PID 1372 wrote to memory of 1328	1372	Explorer.EXE	svchost.exe
PID 1372 wrote to memory of 1328	1372	Explorer.EXE	svchost.exe
PID 1372 wrote to memory of 1328	1372	Explorer.EXE	svchost.exe
PID 1328 wrote to memory of 560	1328	svchost.exe	Firefox.exe
PID 1328 wrote to memory of 560	1328	svchost.exe	Firefox.exe
PID 1328 wrote to memory of 560	1328	svchost.exe	Firefox.exe
PID 1328 wrote to memory of 560	1328	svchost.exe	Firefox.exe
PID 1328 wrote to memory of 560	1328	svchost.exe	Firefox.exe

C:\Users\Admin\AppData\Local\Temp\Quotation 2101137.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation 2101137.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:980

C:\Users\Admin\AppData\Local\Temp\etehonor.exe
"C:\Users\Admin\AppData\Local\Temp\etehonor.exe" C:\Users\Admin\AppData\Local\Temp\qmhavanmg.g
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2008

C:\Users\Admin\AppData\Local\Temp\etehonor.exe
"C:\Users\Admin\AppData\Local\Temp\etehonor.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1372

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1328

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\etehonor.exe
Filesize
276KB

MD5
b981aa3af96113599f9952f0c380a8b0

SHA1
8386d407ad52e511e50965554b8552d53a39178e

SHA256
a69001c5b0942e4ccd287b980c4e21ac24f3de0a360e83583be90e5c31dd39c3

SHA512
7597db69d6474edbf10ba6ed1ef16cacfb8a7b804cb77ab7fb2b901abac95851b04fdf9f675a1c35e81080a481761f8d20ce1cf35618c5e4558ba42d159ada62

Download Submit
C:\Users\Admin\AppData\Local\Temp\etehonor.exe
Filesize
276KB

MD5
b981aa3af96113599f9952f0c380a8b0

SHA1
8386d407ad52e511e50965554b8552d53a39178e

SHA256
a69001c5b0942e4ccd287b980c4e21ac24f3de0a360e83583be90e5c31dd39c3

SHA512
7597db69d6474edbf10ba6ed1ef16cacfb8a7b804cb77ab7fb2b901abac95851b04fdf9f675a1c35e81080a481761f8d20ce1cf35618c5e4558ba42d159ada62

Download Submit
C:\Users\Admin\AppData\Local\Temp\etehonor.exe
Filesize
276KB

MD5
b981aa3af96113599f9952f0c380a8b0

SHA1
8386d407ad52e511e50965554b8552d53a39178e

SHA256
a69001c5b0942e4ccd287b980c4e21ac24f3de0a360e83583be90e5c31dd39c3

SHA512
7597db69d6474edbf10ba6ed1ef16cacfb8a7b804cb77ab7fb2b901abac95851b04fdf9f675a1c35e81080a481761f8d20ce1cf35618c5e4558ba42d159ada62

Download Submit
C:\Users\Admin\AppData\Local\Temp\kirym.l
Filesize
185KB

MD5
9d9035fe8ddef2d013a41f6fe112413e

SHA1
b52dbfa2abd28ceefd50305715e6f852f7f30d31

SHA256
d6ac740ed55c3acbbfd751a97d8f0bab636a7ed093962599174cad423d2a4f01

SHA512
ef4df1daf8728d834194ef02371145db6cf683e690614d9b65c2a2c0f390a678d7ad081cba62efbd8a596a03f0c68b62ff47edef306d3324bc9e6b3f9cdd6682

Download Submit
C:\Users\Admin\AppData\Local\Temp\qmhavanmg.g
Filesize
7KB

MD5
ede276b4d64c9a9dd29c4d5df7eae7a2

SHA1
4030970ffbc2f222787f5ad36d944e99e22339bc

SHA256
8478e027683e7a4546afda0573a0e098be7a585b5f6a1691f643f4e2de38c8e1

SHA512
7daed8eb66ed11ae8699e495fd76f91ab36ed5e6fe19ebb1e783ea7bb3466c2c6a96580f1167af5de901dfb85e0cec0cad5f6eaeb15cc9880c6bf46ce61fbaa4

Download Submit
\Users\Admin\AppData\Local\Temp\etehonor.exe
Filesize
276KB

MD5
b981aa3af96113599f9952f0c380a8b0

SHA1
8386d407ad52e511e50965554b8552d53a39178e

SHA256
a69001c5b0942e4ccd287b980c4e21ac24f3de0a360e83583be90e5c31dd39c3

SHA512
7597db69d6474edbf10ba6ed1ef16cacfb8a7b804cb77ab7fb2b901abac95851b04fdf9f675a1c35e81080a481761f8d20ce1cf35618c5e4558ba42d159ada62

Download Submit
\Users\Admin\AppData\Local\Temp\etehonor.exe
Filesize
276KB

MD5
b981aa3af96113599f9952f0c380a8b0

SHA1
8386d407ad52e511e50965554b8552d53a39178e

SHA256
a69001c5b0942e4ccd287b980c4e21ac24f3de0a360e83583be90e5c31dd39c3

SHA512
7597db69d6474edbf10ba6ed1ef16cacfb8a7b804cb77ab7fb2b901abac95851b04fdf9f675a1c35e81080a481761f8d20ce1cf35618c5e4558ba42d159ada62

Download Submit
\Users\Admin\AppData\Local\Temp\etehonor.exe
Filesize
276KB

MD5
b981aa3af96113599f9952f0c380a8b0

SHA1
8386d407ad52e511e50965554b8552d53a39178e

SHA256
a69001c5b0942e4ccd287b980c4e21ac24f3de0a360e83583be90e5c31dd39c3

SHA512
7597db69d6474edbf10ba6ed1ef16cacfb8a7b804cb77ab7fb2b901abac95851b04fdf9f675a1c35e81080a481761f8d20ce1cf35618c5e4558ba42d159ada62

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
904KB

MD5
5e5ba61531d74e45b11cadb79e7394a1

SHA1
677224e14aac9dd35f367d5eb1704b36e69356b8

SHA256
99e91ae250c955bd403ec1a2321d6b11fcb715bdcc7cb3f63ffb46b349afde5c

SHA512
712bfe419ba97ecf0ec8323a68743013e8c767da9d986f74ab94d2a395c3086cac2a5823048e0022d3bbcebb55281b9e1f8c87fdc9295c70cc5521b57850bf46

Download Submit
memory/980-54-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download
memory/1328-73-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/1328-75-0x00000000004B0000-0x000000000053F000-memory.dmp

Filesize
572KB

Download
memory/1328-77-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/1328-74-0x0000000000690000-0x0000000000993000-memory.dmp

Filesize
3.0MB

Download
memory/1328-72-0x0000000000340000-0x0000000000348000-memory.dmp

Filesize
32KB

Download
memory/1328-71-0x0000000000000000-mapping.dmp

Download
memory/1372-70-0x00000000070D0000-0x00000000071F5000-memory.dmp

Filesize
1.1MB

Download
memory/1372-76-0x0000000007200000-0x0000000007341000-memory.dmp

Filesize
1.3MB

Download
memory/1372-79-0x0000000007200000-0x0000000007341000-memory.dmp

Filesize
1.3MB

Download
memory/1752-69-0x0000000000290000-0x00000000002A0000-memory.dmp

Filesize
64KB

Download
memory/1752-64-0x00000000004012B0-mapping.dmp

Download
memory/1752-68-0x00000000008F0000-0x0000000000BF3000-memory.dmp

Filesize
3.0MB

Download
memory/1752-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1752-67-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2008-57-0x0000000000000000-mapping.dmp

Download