formbook | 8c87fd5bc9ad02c4af8718cdb2ec85119ab3af33fd4d47de448f577d09bfe031

Analysis

max time kernel
179s
max time network
184s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
09-12-2022 08:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Quotation 2101137.exe
Size

333KB
MD5

d4ef93a94f7dd636dacd3a5b5c7daf7e
SHA1

64692d4ec2ba0c0dd96b092aa7dc87772e581d41
SHA256

8c87fd5bc9ad02c4af8718cdb2ec85119ab3af33fd4d47de448f577d09bfe031
SHA512

2ccd4d4a0fecdb9186e435813e157b8b848f1dc3408968efbe8c0358e74c17ec8e6e5da3301402e3b5684f8d24596e1776908fb4cce9b40d4ee1e6da96eb1859
SSDEEP

6144:9kwcvmPgPWJQ3nm9RVbB2bQcF7wPrvZn5cCfN7NFfo5Coled:smPwL3cRzk7wTZn5NV7XfMCoQd

Score

10^/10

formbook yurm persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

yurm

Decoy

X06d1tis1GUX/R0g87Ud

BKiZ33D1P766GVXO1ZwV

lAFdjB7CSxGX8Trz

Gc7dWizTVxWX8Trz

tDkr9JAfi1OHAW1PGOageIp4

bCpMtHKU3mVp8BY5sQ==

7WKpsMWt8nsrhJClJeOZNg==

0A9KTlETQ86Cmd8k0o5NP5RwCg==

aJ61paNJztSp42c=

CrgoA8ySIOsytCbO1ZwV

i46SnHYDD9tTIHI=

XFRCRCjtFZeU3x4Rn3xfD5BnPz+RDA==

c4CZghuHvzW9A31gEz0d

QAjzz9qyRRWBNYseAI4M

Jpbmu4A1YvBvN3ruZgiRmJA5BCFd

PfoFXGNFhhuX8Trz

bqCfk0m8ApAl+Tm1Ms5Tb23IT7tS

z7INff7HNALxc5HWq2/ftrVR6A7R1zvTUQ==

m7IShV4LSFxbqxhrVsZ1Ig==

BHRp7q0gtoRuqBRnVsZ1Ig==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

kodrl.exekodrl.exe

pid process

1692 kodrl.exe
1676 kodrl.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

kodrl.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation kodrl.exe
Loads dropped DLL 4 IoCs

Processes:

Quotation 2101137.exekodrl.exemsdt.exe

pid process

884 Quotation 2101137.exe
884 Quotation 2101137.exe
1692 kodrl.exe
1752 msdt.exe

pid	process
1692	kodrl.exe
1676	kodrl.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation	kodrl.exe

pid	process
884	Quotation 2101137.exe
884	Quotation 2101137.exe
1692	kodrl.exe
1752	msdt.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kodrl.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\sfel = "C:\\Users\\Admin\\AppData\\Roaming\\lsabogiu\\yswmvcmtoiviav.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\kodrl.exe\" C:\\Users\\Admin\\AppData\\Lo"	kodrl.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

kodrl.exekodrl.exemsdt.exe

description	pid	process	target process
PID 1692 set thread context of 1676	1692	kodrl.exe	kodrl.exe
PID 1676 set thread context of 1208	1676	kodrl.exe	Explorer.EXE
PID 1752 set thread context of 1208	1752	msdt.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

msdt.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	msdt.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

kodrl.exemsdt.exe

pid	process
1676	kodrl.exe
1676	kodrl.exe
1676	kodrl.exe
1676	kodrl.exe
1752	msdt.exe
1752	msdt.exe
1752	msdt.exe
1752	msdt.exe
1752	msdt.exe
1752	msdt.exe
1752	msdt.exe
1752	msdt.exe
1752	msdt.exe
1752	msdt.exe
1752	msdt.exe
1752	msdt.exe
1752	msdt.exe
1752	msdt.exe
1752	msdt.exe
1752	msdt.exe
1752	msdt.exe
1752	msdt.exe
1752	msdt.exe
1752	msdt.exe
1752	msdt.exe
1752	msdt.exe

Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

kodrl.exekodrl.exemsdt.exe

pid process

1692 kodrl.exe
1676 kodrl.exe
1676 kodrl.exe
1676 kodrl.exe
1752 msdt.exe
1752 msdt.exe
1752 msdt.exe
1752 msdt.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

kodrl.exemsdt.exeExplorer.EXE

description pid process

Token: SeDebugPrivilege 1676 kodrl.exe
Token: SeDebugPrivilege 1752 msdt.exe
Token: SeShutdownPrivilege 1208 Explorer.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1208 Explorer.EXE
1208 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1208 Explorer.EXE
1208 Explorer.EXE

pid	process
1692	kodrl.exe
1676	kodrl.exe
1676	kodrl.exe
1676	kodrl.exe
1752	msdt.exe
1752	msdt.exe
1752	msdt.exe
1752	msdt.exe

description	pid	process
Token: SeDebugPrivilege	1676	kodrl.exe
Token: SeDebugPrivilege	1752	msdt.exe
Token: SeShutdownPrivilege	1208	Explorer.EXE

pid	process
1208	Explorer.EXE
1208	Explorer.EXE

pid	process
1208	Explorer.EXE
1208	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

Quotation 2101137.exekodrl.exeExplorer.EXEmsdt.exe

description	pid	process	target process
PID 884 wrote to memory of 1692	884	Quotation 2101137.exe	kodrl.exe
PID 884 wrote to memory of 1692	884	Quotation 2101137.exe	kodrl.exe
PID 884 wrote to memory of 1692	884	Quotation 2101137.exe	kodrl.exe
PID 884 wrote to memory of 1692	884	Quotation 2101137.exe	kodrl.exe
PID 1692 wrote to memory of 1676	1692	kodrl.exe	kodrl.exe
PID 1692 wrote to memory of 1676	1692	kodrl.exe	kodrl.exe
PID 1692 wrote to memory of 1676	1692	kodrl.exe	kodrl.exe
PID 1692 wrote to memory of 1676	1692	kodrl.exe	kodrl.exe
PID 1692 wrote to memory of 1676	1692	kodrl.exe	kodrl.exe
PID 1208 wrote to memory of 1752	1208	Explorer.EXE	msdt.exe
PID 1208 wrote to memory of 1752	1208	Explorer.EXE	msdt.exe
PID 1208 wrote to memory of 1752	1208	Explorer.EXE	msdt.exe
PID 1208 wrote to memory of 1752	1208	Explorer.EXE	msdt.exe
PID 1752 wrote to memory of 1520	1752	msdt.exe	Firefox.exe
PID 1752 wrote to memory of 1520	1752	msdt.exe	Firefox.exe
PID 1752 wrote to memory of 1520	1752	msdt.exe	Firefox.exe
PID 1752 wrote to memory of 1520	1752	msdt.exe	Firefox.exe
PID 1752 wrote to memory of 1520	1752	msdt.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1208

C:\Users\Admin\AppData\Local\Temp\Quotation 2101137.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation 2101137.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:884

C:\Users\Admin\AppData\Local\Temp\kodrl.exe
"C:\Users\Admin\AppData\Local\Temp\kodrl.exe" C:\Users\Admin\AppData\Local\Temp\sosggxhlea.z
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1692

C:\Users\Admin\AppData\Local\Temp\kodrl.exe
"C:\Users\Admin\AppData\Local\Temp\kodrl.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1752

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\caostfnzkib.s
Filesize
185KB

MD5
95cfefe6ecff68d860d57af43b97c3ba

SHA1
fa92fb5095ef36510fdbb65469f12af395754e42

SHA256
efc2d5e908199ea7bd5818e6313063ac7d5d9884fafb2e2a6b1a22ce22067fde

SHA512
26a029c25bf8f17d95b792be175eaabffc4ed9e729847fdb275a58963e319641cb8e3c9840d4f02fd4ec914f784d8d54c21425fcd237d7654e516d14999478d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\kodrl.exe
Filesize
276KB

MD5
8c626f5c086b561673dfd04dc1f5dec1

SHA1
ffd6f24f30bd0159055abe1c10499d2d26459fcd

SHA256
e41a621bca38410891a2e4651c24fc7c28b9afbee6b01e0e0fe37edb127fcbad

SHA512
2f127782109e6f1fe897c154f177140a5d14b7702df4c031c8a25158300ce4c847893dd5c74dff0f1cd4a5b91e9d9d64c2fce107f4e4c284ce4a1e4af6ee4eb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\kodrl.exe
Filesize
276KB

MD5
8c626f5c086b561673dfd04dc1f5dec1

SHA1
ffd6f24f30bd0159055abe1c10499d2d26459fcd

SHA256
e41a621bca38410891a2e4651c24fc7c28b9afbee6b01e0e0fe37edb127fcbad

SHA512
2f127782109e6f1fe897c154f177140a5d14b7702df4c031c8a25158300ce4c847893dd5c74dff0f1cd4a5b91e9d9d64c2fce107f4e4c284ce4a1e4af6ee4eb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\kodrl.exe
Filesize
276KB

MD5
8c626f5c086b561673dfd04dc1f5dec1

SHA1
ffd6f24f30bd0159055abe1c10499d2d26459fcd

SHA256
e41a621bca38410891a2e4651c24fc7c28b9afbee6b01e0e0fe37edb127fcbad

SHA512
2f127782109e6f1fe897c154f177140a5d14b7702df4c031c8a25158300ce4c847893dd5c74dff0f1cd4a5b91e9d9d64c2fce107f4e4c284ce4a1e4af6ee4eb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\sosggxhlea.z
Filesize
8KB

MD5
df720f7d4795e379dec05aee6f061084

SHA1
3ef67ddcb322fd54e2e527b17cc13285e569fa63

SHA256
2446ff29c919267d344e2d7138c79c789908ba1e465b971105c1895da1c44f26

SHA512
301a5bc0eebd2fed223e698b096cf46279791ef7044f7425d13989c8116515d573d91c47396221fb7e0ac153e52f2860bdbcc0883d01d8d791e84b30cacd66e0

Download Submit
\Users\Admin\AppData\Local\Temp\kodrl.exe
Filesize
276KB

MD5
8c626f5c086b561673dfd04dc1f5dec1

SHA1
ffd6f24f30bd0159055abe1c10499d2d26459fcd

SHA256
e41a621bca38410891a2e4651c24fc7c28b9afbee6b01e0e0fe37edb127fcbad

SHA512
2f127782109e6f1fe897c154f177140a5d14b7702df4c031c8a25158300ce4c847893dd5c74dff0f1cd4a5b91e9d9d64c2fce107f4e4c284ce4a1e4af6ee4eb5

Download Submit
\Users\Admin\AppData\Local\Temp\kodrl.exe
Filesize
276KB

MD5
8c626f5c086b561673dfd04dc1f5dec1

SHA1
ffd6f24f30bd0159055abe1c10499d2d26459fcd

SHA256
e41a621bca38410891a2e4651c24fc7c28b9afbee6b01e0e0fe37edb127fcbad

SHA512
2f127782109e6f1fe897c154f177140a5d14b7702df4c031c8a25158300ce4c847893dd5c74dff0f1cd4a5b91e9d9d64c2fce107f4e4c284ce4a1e4af6ee4eb5

Download Submit
\Users\Admin\AppData\Local\Temp\kodrl.exe
Filesize
276KB

MD5
8c626f5c086b561673dfd04dc1f5dec1

SHA1
ffd6f24f30bd0159055abe1c10499d2d26459fcd

SHA256
e41a621bca38410891a2e4651c24fc7c28b9afbee6b01e0e0fe37edb127fcbad

SHA512
2f127782109e6f1fe897c154f177140a5d14b7702df4c031c8a25158300ce4c847893dd5c74dff0f1cd4a5b91e9d9d64c2fce107f4e4c284ce4a1e4af6ee4eb5

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
1.0MB

MD5
f1e5f58f9eb43ecec773acbdb410b888

SHA1
f1b8076b0bbde696694bbc0ab259a77893839464

SHA256
a15fd84ee61b54c92bb099dfb78226548f43d550c67fb6adf4cce3d064ab1c14

SHA512
0aff96430dd99bb227285fefc258014c301f85216c84e40f45702d26cdd7e77261a41fd3811d686f5fb2ee363cc651a014e8ffa339384004cece645a36486456

Download Submit
memory/884-54-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download
memory/1208-80-0x0000000005DD0000-0x0000000005F3D000-memory.dmp

Filesize
1.4MB

Download
memory/1208-71-0x0000000003EB0000-0x0000000003FBB000-memory.dmp

Filesize
1.0MB

Download
memory/1208-78-0x0000000005DD0000-0x0000000005F3D000-memory.dmp

Filesize
1.4MB

Download
memory/1676-67-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1676-69-0x0000000000700000-0x0000000000A03000-memory.dmp

Filesize
3.0MB

Download
memory/1676-70-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/1676-68-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1676-64-0x00000000004012B0-mapping.dmp

Download
memory/1692-66-0x0000000000240000-0x0000000000243000-memory.dmp

Filesize
12KB

Download
memory/1692-57-0x0000000000000000-mapping.dmp

Download
memory/1752-72-0x0000000000000000-mapping.dmp

Download
memory/1752-74-0x0000000000360000-0x0000000000454000-memory.dmp

Filesize
976KB

Download
memory/1752-75-0x00000000000C0000-0x00000000000ED000-memory.dmp

Filesize
180KB

Download
memory/1752-76-0x00000000022C0000-0x00000000025C3000-memory.dmp

Filesize
3.0MB

Download
memory/1752-77-0x0000000001E90000-0x0000000001F1F000-memory.dmp

Filesize
572KB

Download
memory/1752-79-0x00000000000C0000-0x00000000000ED000-memory.dmp

Filesize
180KB

Download