formbook | 8c87fd5bc9ad02c4af8718cdb2ec85119ab3af33fd4d47de448f577d09bfe031

General

Target

Quotation 2101137.exe
Size

333KB
MD5

d4ef93a94f7dd636dacd3a5b5c7daf7e
SHA1

64692d4ec2ba0c0dd96b092aa7dc87772e581d41
SHA256

8c87fd5bc9ad02c4af8718cdb2ec85119ab3af33fd4d47de448f577d09bfe031
SHA512

2ccd4d4a0fecdb9186e435813e157b8b848f1dc3408968efbe8c0358e74c17ec8e6e5da3301402e3b5684f8d24596e1776908fb4cce9b40d4ee1e6da96eb1859
SSDEEP

6144:9kwcvmPgPWJQ3nm9RVbB2bQcF7wPrvZn5cCfN7NFfo5Coled:smPwL3cRzk7wTZn5NV7XfMCoQd

Score

10^/10

formbook yurm persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

yurm

Decoy

X06d1tis1GUX/R0g87Ud

BKiZ33D1P766GVXO1ZwV

lAFdjB7CSxGX8Trz

Gc7dWizTVxWX8Trz

tDkr9JAfi1OHAW1PGOageIp4

bCpMtHKU3mVp8BY5sQ==

7WKpsMWt8nsrhJClJeOZNg==

0A9KTlETQ86Cmd8k0o5NP5RwCg==

aJ61paNJztSp42c=

CrgoA8ySIOsytCbO1ZwV

i46SnHYDD9tTIHI=

XFRCRCjtFZeU3x4Rn3xfD5BnPz+RDA==

c4CZghuHvzW9A31gEz0d

QAjzz9qyRRWBNYseAI4M

Jpbmu4A1YvBvN3ruZgiRmJA5BCFd

PfoFXGNFhhuX8Trz

bqCfk0m8ApAl+Tm1Ms5Tb23IT7tS

z7INff7HNALxc5HWq2/ftrVR6A7R1zvTUQ==

m7IShV4LSFxbqxhrVsZ1Ig==

BHRp7q0gtoRuqBRnVsZ1Ig==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

kodrl.exekodrl.exe

pid process

1656 kodrl.exe
612 kodrl.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

kodrl.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation kodrl.exe

pid	process
1656	kodrl.exe
612	kodrl.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	kodrl.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kodrl.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sfel = "C:\\Users\\Admin\\AppData\\Roaming\\lsabogiu\\yswmvcmtoiviav.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\kodrl.exe\" C:\\Users\\Admin\\AppData\\Lo"	kodrl.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

kodrl.exekodrl.exeipconfig.exe

description	pid	process	target process
PID 1656 set thread context of 612	1656	kodrl.exe	kodrl.exe
PID 612 set thread context of 1396	612	kodrl.exe	Explorer.EXE
PID 4704 set thread context of 1396	4704	ipconfig.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

4704 ipconfig.exe

pid	process
4704	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

ipconfig.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

kodrl.exeipconfig.exe

pid	process
612	kodrl.exe
612	kodrl.exe
612	kodrl.exe
612	kodrl.exe
612	kodrl.exe
612	kodrl.exe
612	kodrl.exe
612	kodrl.exe
4704	ipconfig.exe
4704	ipconfig.exe
4704	ipconfig.exe
4704	ipconfig.exe
4704	ipconfig.exe
4704	ipconfig.exe
4704	ipconfig.exe
4704	ipconfig.exe
4704	ipconfig.exe
4704	ipconfig.exe
4704	ipconfig.exe
4704	ipconfig.exe
4704	ipconfig.exe
4704	ipconfig.exe
4704	ipconfig.exe
4704	ipconfig.exe
4704	ipconfig.exe
4704	ipconfig.exe
4704	ipconfig.exe
4704	ipconfig.exe
4704	ipconfig.exe
4704	ipconfig.exe
4704	ipconfig.exe
4704	ipconfig.exe
4704	ipconfig.exe
4704	ipconfig.exe
4704	ipconfig.exe
4704	ipconfig.exe
4704	ipconfig.exe
4704	ipconfig.exe
4704	ipconfig.exe
4704	ipconfig.exe
4704	ipconfig.exe
4704	ipconfig.exe
4704	ipconfig.exe
4704	ipconfig.exe
4704	ipconfig.exe
4704	ipconfig.exe
4704	ipconfig.exe
4704	ipconfig.exe
4704	ipconfig.exe
4704	ipconfig.exe
4704	ipconfig.exe
4704	ipconfig.exe
4704	ipconfig.exe
4704	ipconfig.exe
4704	ipconfig.exe
4704	ipconfig.exe
4704	ipconfig.exe
4704	ipconfig.exe
4704	ipconfig.exe
4704	ipconfig.exe
4704	ipconfig.exe
4704	ipconfig.exe
4704	ipconfig.exe
4704	ipconfig.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1396 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

kodrl.exekodrl.exeipconfig.exe

pid process

1656 kodrl.exe
612 kodrl.exe
612 kodrl.exe
612 kodrl.exe
4704 ipconfig.exe
4704 ipconfig.exe
4704 ipconfig.exe
4704 ipconfig.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

kodrl.exeipconfig.exe

description pid process

Token: SeDebugPrivilege 612 kodrl.exe
Token: SeDebugPrivilege 4704 ipconfig.exe

pid	process
1396	Explorer.EXE

pid	process
1656	kodrl.exe
612	kodrl.exe
612	kodrl.exe
612	kodrl.exe
4704	ipconfig.exe
4704	ipconfig.exe
4704	ipconfig.exe
4704	ipconfig.exe

description	pid	process
Token: SeDebugPrivilege	612	kodrl.exe
Token: SeDebugPrivilege	4704	ipconfig.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

Quotation 2101137.exekodrl.exeExplorer.EXEipconfig.exe

description	pid	process	target process
PID 1168 wrote to memory of 1656	1168	Quotation 2101137.exe	kodrl.exe
PID 1168 wrote to memory of 1656	1168	Quotation 2101137.exe	kodrl.exe
PID 1168 wrote to memory of 1656	1168	Quotation 2101137.exe	kodrl.exe
PID 1656 wrote to memory of 612	1656	kodrl.exe	kodrl.exe
PID 1656 wrote to memory of 612	1656	kodrl.exe	kodrl.exe
PID 1656 wrote to memory of 612	1656	kodrl.exe	kodrl.exe
PID 1656 wrote to memory of 612	1656	kodrl.exe	kodrl.exe
PID 1396 wrote to memory of 4704	1396	Explorer.EXE	ipconfig.exe
PID 1396 wrote to memory of 4704	1396	Explorer.EXE	ipconfig.exe
PID 1396 wrote to memory of 4704	1396	Explorer.EXE	ipconfig.exe
PID 4704 wrote to memory of 3492	4704	ipconfig.exe	Firefox.exe
PID 4704 wrote to memory of 3492	4704	ipconfig.exe	Firefox.exe
PID 4704 wrote to memory of 3492	4704	ipconfig.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Users\Admin\AppData\Local\Temp\Quotation 2101137.exe
  "C:\Users\Admin\AppData\Local\Temp\Quotation 2101137.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1168
- - C:\Users\Admin\AppData\Local\Temp\kodrl.exe
    "C:\Users\Admin\AppData\Local\Temp\kodrl.exe" C:\Users\Admin\AppData\Local\Temp\sosggxhlea.z
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1656
  - - C:\Users\Admin\AppData\Local\Temp\kodrl.exe
      "C:\Users\Admin\AppData\Local\Temp\kodrl.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:612
- C:\Windows\SysWOW64\ipconfig.exe
  "C:\Windows\SysWOW64\ipconfig.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Gathers network information
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4704
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:3492

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\caostfnzkib.s

Filesize
185KB

MD5
95cfefe6ecff68d860d57af43b97c3ba

SHA1
fa92fb5095ef36510fdbb65469f12af395754e42

SHA256
efc2d5e908199ea7bd5818e6313063ac7d5d9884fafb2e2a6b1a22ce22067fde

SHA512
26a029c25bf8f17d95b792be175eaabffc4ed9e729847fdb275a58963e319641cb8e3c9840d4f02fd4ec914f784d8d54c21425fcd237d7654e516d14999478d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\kodrl.exe

Filesize
276KB

MD5
8c626f5c086b561673dfd04dc1f5dec1

SHA1
ffd6f24f30bd0159055abe1c10499d2d26459fcd

SHA256
e41a621bca38410891a2e4651c24fc7c28b9afbee6b01e0e0fe37edb127fcbad

SHA512
2f127782109e6f1fe897c154f177140a5d14b7702df4c031c8a25158300ce4c847893dd5c74dff0f1cd4a5b91e9d9d64c2fce107f4e4c284ce4a1e4af6ee4eb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\kodrl.exe

Filesize
276KB

MD5
8c626f5c086b561673dfd04dc1f5dec1

SHA1
ffd6f24f30bd0159055abe1c10499d2d26459fcd

SHA256
e41a621bca38410891a2e4651c24fc7c28b9afbee6b01e0e0fe37edb127fcbad

SHA512
2f127782109e6f1fe897c154f177140a5d14b7702df4c031c8a25158300ce4c847893dd5c74dff0f1cd4a5b91e9d9d64c2fce107f4e4c284ce4a1e4af6ee4eb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\kodrl.exe

Filesize
276KB

MD5
8c626f5c086b561673dfd04dc1f5dec1

SHA1
ffd6f24f30bd0159055abe1c10499d2d26459fcd

SHA256
e41a621bca38410891a2e4651c24fc7c28b9afbee6b01e0e0fe37edb127fcbad

SHA512
2f127782109e6f1fe897c154f177140a5d14b7702df4c031c8a25158300ce4c847893dd5c74dff0f1cd4a5b91e9d9d64c2fce107f4e4c284ce4a1e4af6ee4eb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\sosggxhlea.z

Filesize
8KB

MD5
df720f7d4795e379dec05aee6f061084

SHA1
3ef67ddcb322fd54e2e527b17cc13285e569fa63

SHA256
2446ff29c919267d344e2d7138c79c789908ba1e465b971105c1895da1c44f26

SHA512
301a5bc0eebd2fed223e698b096cf46279791ef7044f7425d13989c8116515d573d91c47396221fb7e0ac153e52f2860bdbcc0883d01d8d791e84b30cacd66e0

Download Submit
memory/612-143-0x0000000000470000-0x0000000000480000-memory.dmp

Filesize
64KB

Download
memory/612-142-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/612-137-0x0000000000000000-mapping.dmp

Download
memory/612-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/612-141-0x00000000009C0000-0x0000000000D0A000-memory.dmp

Filesize
3.3MB

Download
memory/1396-144-0x0000000008280000-0x00000000083AA000-memory.dmp

Filesize
1.2MB

Download
memory/1396-150-0x0000000008960000-0x0000000008A72000-memory.dmp

Filesize
1.1MB

Download
memory/1396-152-0x0000000008960000-0x0000000008A72000-memory.dmp

Filesize
1.1MB

Download
memory/1656-132-0x0000000000000000-mapping.dmp

Download
memory/1656-140-0x00000000009E0000-0x00000000009E3000-memory.dmp

Filesize
12KB

Download
memory/4704-145-0x0000000000000000-mapping.dmp

Download
memory/4704-146-0x00000000007A0000-0x00000000007AB000-memory.dmp

Filesize
44KB

Download
memory/4704-147-0x0000000000130000-0x000000000015D000-memory.dmp

Filesize
180KB

Download
memory/4704-148-0x0000000000B20000-0x0000000000E6A000-memory.dmp

Filesize
3.3MB

Download
memory/4704-149-0x0000000000940000-0x00000000009CF000-memory.dmp

Filesize
572KB

Download
memory/4704-151-0x0000000000130000-0x000000000015D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads