formbook | 8cb7736a5f9c3be642d8ee0f07f7a293e210a7bc74cbbc9ba89e483ff22634cb

General

Target

Quotation 2101137.exe
Size

333KB
MD5

f1d95bc5972ece6c0ab4d64bd5c41721
SHA1

750d7f9bc16029e5e7229c88c3363e03e2b50e7d
SHA256

8cb7736a5f9c3be642d8ee0f07f7a293e210a7bc74cbbc9ba89e483ff22634cb
SHA512

1243b8c9c78c2df52cded73add252e0bbc60dcc4c52d3449ac406fdfc1a6b2b55e520aa7c3114b0c43f368f259df424376ad689240c5abaa7c54ff3e557e98aa
SSDEEP

6144:9kwb4cTPlzXPps8WC6KeBYfzFRyXxwwqIObWNlpPBV33nxqcI3hEONpJ364lH:P4cTPRXPps55gFaxLAbQTPBVgcI3CAp7

Score

10^/10

formbook yurm persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

yurm

Decoy

X06d1tis1GUX/R0g87Ud

BKiZ33D1P766GVXO1ZwV

lAFdjB7CSxGX8Trz

Gc7dWizTVxWX8Trz

tDkr9JAfi1OHAW1PGOageIp4

bCpMtHKU3mVp8BY5sQ==

7WKpsMWt8nsrhJClJeOZNg==

0A9KTlETQ86Cmd8k0o5NP5RwCg==

aJ61paNJztSp42c=

CrgoA8ySIOsytCbO1ZwV

i46SnHYDD9tTIHI=

XFRCRCjtFZeU3x4Rn3xfD5BnPz+RDA==

c4CZghuHvzW9A31gEz0d

QAjzz9qyRRWBNYseAI4M

Jpbmu4A1YvBvN3ruZgiRmJA5BCFd

PfoFXGNFhhuX8Trz

bqCfk0m8ApAl+Tm1Ms5Tb23IT7tS

z7INff7HNALxc5HWq2/ftrVR6A7R1zvTUQ==

m7IShV4LSFxbqxhrVsZ1Ig==

BHRp7q0gtoRuqBRnVsZ1Ig==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

etehonor.exeetehonor.exe

pid process

2040 etehonor.exe
4504 etehonor.exe

pid	process
2040	etehonor.exe
4504	etehonor.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

etehonor.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	etehonor.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

etehonor.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hvtxxcgqiopcmw = "C:\\Users\\Admin\\AppData\\Roaming\\oigpqgqvlafd\\clbbmvmtrv.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\etehonor.exe\" C:\\Users\\Admin\\AppData"	etehonor.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

etehonor.exeetehonor.execolorcpl.exe

description	pid	process	target process
PID 2040 set thread context of 4504	2040	etehonor.exe	etehonor.exe
PID 4504 set thread context of 2984	4504	etehonor.exe	Explorer.EXE
PID 4752 set thread context of 2984	4752	colorcpl.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

colorcpl.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	colorcpl.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

Processes:

etehonor.execolorcpl.exe

pid	process
4504	etehonor.exe
4504	etehonor.exe
4504	etehonor.exe
4504	etehonor.exe
4504	etehonor.exe
4504	etehonor.exe
4504	etehonor.exe
4504	etehonor.exe
4752	colorcpl.exe
4752	colorcpl.exe
4752	colorcpl.exe
4752	colorcpl.exe
4752	colorcpl.exe
4752	colorcpl.exe
4752	colorcpl.exe
4752	colorcpl.exe
4752	colorcpl.exe
4752	colorcpl.exe
4752	colorcpl.exe
4752	colorcpl.exe
4752	colorcpl.exe
4752	colorcpl.exe
4752	colorcpl.exe
4752	colorcpl.exe
4752	colorcpl.exe
4752	colorcpl.exe
4752	colorcpl.exe
4752	colorcpl.exe
4752	colorcpl.exe
4752	colorcpl.exe
4752	colorcpl.exe
4752	colorcpl.exe
4752	colorcpl.exe
4752	colorcpl.exe
4752	colorcpl.exe
4752	colorcpl.exe
4752	colorcpl.exe
4752	colorcpl.exe
4752	colorcpl.exe
4752	colorcpl.exe
4752	colorcpl.exe
4752	colorcpl.exe
4752	colorcpl.exe
4752	colorcpl.exe
4752	colorcpl.exe
4752	colorcpl.exe
4752	colorcpl.exe
4752	colorcpl.exe
4752	colorcpl.exe
4752	colorcpl.exe
4752	colorcpl.exe
4752	colorcpl.exe
4752	colorcpl.exe
4752	colorcpl.exe
4752	colorcpl.exe
4752	colorcpl.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2984 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

etehonor.exeetehonor.execolorcpl.exe

pid process

2040 etehonor.exe
4504 etehonor.exe
4504 etehonor.exe
4504 etehonor.exe
4752 colorcpl.exe
4752 colorcpl.exe
4752 colorcpl.exe
4752 colorcpl.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

etehonor.execolorcpl.exe

description pid process

Token: SeDebugPrivilege 4504 etehonor.exe
Token: SeDebugPrivilege 4752 colorcpl.exe

pid	process
2984	Explorer.EXE

pid	process
2040	etehonor.exe
4504	etehonor.exe
4504	etehonor.exe
4504	etehonor.exe
4752	colorcpl.exe
4752	colorcpl.exe
4752	colorcpl.exe
4752	colorcpl.exe

description	pid	process
Token: SeDebugPrivilege	4504	etehonor.exe
Token: SeDebugPrivilege	4752	colorcpl.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

Quotation 2101137.exeetehonor.exeExplorer.EXEcolorcpl.exe

description	pid	process	target process
PID 1500 wrote to memory of 2040	1500	Quotation 2101137.exe	etehonor.exe
PID 1500 wrote to memory of 2040	1500	Quotation 2101137.exe	etehonor.exe
PID 1500 wrote to memory of 2040	1500	Quotation 2101137.exe	etehonor.exe
PID 2040 wrote to memory of 4504	2040	etehonor.exe	etehonor.exe
PID 2040 wrote to memory of 4504	2040	etehonor.exe	etehonor.exe
PID 2040 wrote to memory of 4504	2040	etehonor.exe	etehonor.exe
PID 2040 wrote to memory of 4504	2040	etehonor.exe	etehonor.exe
PID 2984 wrote to memory of 4752	2984	Explorer.EXE	colorcpl.exe
PID 2984 wrote to memory of 4752	2984	Explorer.EXE	colorcpl.exe
PID 2984 wrote to memory of 4752	2984	Explorer.EXE	colorcpl.exe
PID 4752 wrote to memory of 372	4752	colorcpl.exe	Firefox.exe
PID 4752 wrote to memory of 372	4752	colorcpl.exe	Firefox.exe
PID 4752 wrote to memory of 372	4752	colorcpl.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Users\Admin\AppData\Local\Temp\Quotation 2101137.exe
  "C:\Users\Admin\AppData\Local\Temp\Quotation 2101137.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Users\Admin\AppData\Local\Temp\etehonor.exe
    "C:\Users\Admin\AppData\Local\Temp\etehonor.exe" C:\Users\Admin\AppData\Local\Temp\qmhavanmg.g
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Users\Admin\AppData\Local\Temp\etehonor.exe
      "C:\Users\Admin\AppData\Local\Temp\etehonor.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:4504
- C:\Windows\SysWOW64\colorcpl.exe
  "C:\Windows\SysWOW64\colorcpl.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4752
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\etehonor.exe

Filesize
276KB

MD5
b981aa3af96113599f9952f0c380a8b0

SHA1
8386d407ad52e511e50965554b8552d53a39178e

SHA256
a69001c5b0942e4ccd287b980c4e21ac24f3de0a360e83583be90e5c31dd39c3

SHA512
7597db69d6474edbf10ba6ed1ef16cacfb8a7b804cb77ab7fb2b901abac95851b04fdf9f675a1c35e81080a481761f8d20ce1cf35618c5e4558ba42d159ada62

Download Submit
C:\Users\Admin\AppData\Local\Temp\etehonor.exe

Filesize
276KB

MD5
b981aa3af96113599f9952f0c380a8b0

SHA1
8386d407ad52e511e50965554b8552d53a39178e

SHA256
a69001c5b0942e4ccd287b980c4e21ac24f3de0a360e83583be90e5c31dd39c3

SHA512
7597db69d6474edbf10ba6ed1ef16cacfb8a7b804cb77ab7fb2b901abac95851b04fdf9f675a1c35e81080a481761f8d20ce1cf35618c5e4558ba42d159ada62

Download Submit
C:\Users\Admin\AppData\Local\Temp\etehonor.exe

Filesize
276KB

MD5
b981aa3af96113599f9952f0c380a8b0

SHA1
8386d407ad52e511e50965554b8552d53a39178e

SHA256
a69001c5b0942e4ccd287b980c4e21ac24f3de0a360e83583be90e5c31dd39c3

SHA512
7597db69d6474edbf10ba6ed1ef16cacfb8a7b804cb77ab7fb2b901abac95851b04fdf9f675a1c35e81080a481761f8d20ce1cf35618c5e4558ba42d159ada62

Download Submit
C:\Users\Admin\AppData\Local\Temp\kirym.l

Filesize
185KB

MD5
9d9035fe8ddef2d013a41f6fe112413e

SHA1
b52dbfa2abd28ceefd50305715e6f852f7f30d31

SHA256
d6ac740ed55c3acbbfd751a97d8f0bab636a7ed093962599174cad423d2a4f01

SHA512
ef4df1daf8728d834194ef02371145db6cf683e690614d9b65c2a2c0f390a678d7ad081cba62efbd8a596a03f0c68b62ff47edef306d3324bc9e6b3f9cdd6682

Download Submit
C:\Users\Admin\AppData\Local\Temp\qmhavanmg.g

Filesize
7KB

MD5
ede276b4d64c9a9dd29c4d5df7eae7a2

SHA1
4030970ffbc2f222787f5ad36d944e99e22339bc

SHA256
8478e027683e7a4546afda0573a0e098be7a585b5f6a1691f643f4e2de38c8e1

SHA512
7daed8eb66ed11ae8699e495fd76f91ab36ed5e6fe19ebb1e783ea7bb3466c2c6a96580f1167af5de901dfb85e0cec0cad5f6eaeb15cc9880c6bf46ce61fbaa4

Download Submit
memory/2040-132-0x0000000000000000-mapping.dmp

Download
memory/2984-151-0x0000000008A70000-0x0000000008B33000-memory.dmp

Filesize
780KB

Download
memory/2984-149-0x0000000008A70000-0x0000000008B33000-memory.dmp

Filesize
780KB

Download
memory/2984-143-0x00000000086C0000-0x000000000877D000-memory.dmp

Filesize
756KB

Download
memory/4504-142-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/4504-141-0x0000000000AF0000-0x0000000000E3A000-memory.dmp

Filesize
3.3MB

Download
memory/4504-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4504-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4504-137-0x0000000000000000-mapping.dmp

Download
memory/4752-144-0x0000000000000000-mapping.dmp

Download
memory/4752-145-0x0000000000410000-0x0000000000429000-memory.dmp

Filesize
100KB

Download
memory/4752-146-0x0000000000C60000-0x0000000000C8D000-memory.dmp

Filesize
180KB

Download
memory/4752-147-0x0000000002C30000-0x0000000002F7A000-memory.dmp

Filesize
3.3MB

Download
memory/4752-148-0x0000000002980000-0x0000000002A0F000-memory.dmp

Filesize
572KB

Download
memory/4752-150-0x0000000000C60000-0x0000000000C8D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads