formbook | 06724c588f5b9381effa96ca72ae6c136b6ec64ae1e898942d34142e40078bab

General

Target

61805394.exe
Size

602KB
MD5

8ee0d0f481f51693fa69d72953f4e23c
SHA1

dfc133a85bab835ea1dc541874e6517b7dfd2811
SHA256

06724c588f5b9381effa96ca72ae6c136b6ec64ae1e898942d34142e40078bab
SHA512

49c3dcabc703083500df5852594ddd62d877cbd3149a81e58512e323a720b4b29f39b237d3247e39bb732622e7d7e1d5c4f6d15b55c737b9ca2a5461bbf70683
SSDEEP

12288:GlVzqun0gtXT7WoabwmXJ2XbsE1NVcNLIFSzRd2fTV9Rf:GLLtnWZHXJX+Ns2LV9Rf

Score

10^/10

formbook yurm persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

yurm

Decoy

X06d1tis1GUX/R0g87Ud

BKiZ33D1P766GVXO1ZwV

lAFdjB7CSxGX8Trz

Gc7dWizTVxWX8Trz

tDkr9JAfi1OHAW1PGOageIp4

bCpMtHKU3mVp8BY5sQ==

7WKpsMWt8nsrhJClJeOZNg==

0A9KTlETQ86Cmd8k0o5NP5RwCg==

aJ61paNJztSp42c=

CrgoA8ySIOsytCbO1ZwV

i46SnHYDD9tTIHI=

XFRCRCjtFZeU3x4Rn3xfD5BnPz+RDA==

c4CZghuHvzW9A31gEz0d

QAjzz9qyRRWBNYseAI4M

Jpbmu4A1YvBvN3ruZgiRmJA5BCFd

PfoFXGNFhhuX8Trz

bqCfk0m8ApAl+Tm1Ms5Tb23IT7tS

z7INff7HNALxc5HWq2/ftrVR6A7R1zvTUQ==

m7IShV4LSFxbqxhrVsZ1Ig==

BHRp7q0gtoRuqBRnVsZ1Ig==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

shwqxoomjp.exeshwqxoomjp.exe

pid process

2060 shwqxoomjp.exe
1420 shwqxoomjp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

shwqxoomjp.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	shwqxoomjp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

shwqxoomjp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kwqkusi = "C:\\Users\\Admin\\AppData\\Roaming\\jimxttidlplacq\\pbqj.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\shwqxoomjp.exe\" \"C:\\Users\\Admin\\AppData\\"	shwqxoomjp.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

shwqxoomjp.exeshwqxoomjp.exeNETSTAT.EXE

description	pid	process	target process
PID 2060 set thread context of 1420	2060	shwqxoomjp.exe	shwqxoomjp.exe
PID 1420 set thread context of 3064	1420	shwqxoomjp.exe	Explorer.EXE
PID 1420 set thread context of 3064	1420	shwqxoomjp.exe	Explorer.EXE
PID 1032 set thread context of 3064	1032	NETSTAT.EXE	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

1032 NETSTAT.EXE

pid	process
1032	NETSTAT.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

NETSTAT.EXE

description	ioc	process
Key created	\Registry\User\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

shwqxoomjp.exeNETSTAT.EXE

pid	process
1420	shwqxoomjp.exe
1420	shwqxoomjp.exe
1420	shwqxoomjp.exe
1420	shwqxoomjp.exe
1420	shwqxoomjp.exe
1420	shwqxoomjp.exe
1420	shwqxoomjp.exe
1420	shwqxoomjp.exe
1420	shwqxoomjp.exe
1420	shwqxoomjp.exe
1032	NETSTAT.EXE
1032	NETSTAT.EXE
1032	NETSTAT.EXE
1032	NETSTAT.EXE
1032	NETSTAT.EXE
1032	NETSTAT.EXE
1032	NETSTAT.EXE
1032	NETSTAT.EXE
1032	NETSTAT.EXE
1032	NETSTAT.EXE
1032	NETSTAT.EXE
1032	NETSTAT.EXE
1032	NETSTAT.EXE
1032	NETSTAT.EXE
1032	NETSTAT.EXE
1032	NETSTAT.EXE
1032	NETSTAT.EXE
1032	NETSTAT.EXE
1032	NETSTAT.EXE
1032	NETSTAT.EXE
1032	NETSTAT.EXE
1032	NETSTAT.EXE
1032	NETSTAT.EXE
1032	NETSTAT.EXE
1032	NETSTAT.EXE
1032	NETSTAT.EXE
1032	NETSTAT.EXE
1032	NETSTAT.EXE
1032	NETSTAT.EXE
1032	NETSTAT.EXE
1032	NETSTAT.EXE
1032	NETSTAT.EXE
1032	NETSTAT.EXE
1032	NETSTAT.EXE
1032	NETSTAT.EXE
1032	NETSTAT.EXE
1032	NETSTAT.EXE
1032	NETSTAT.EXE
1032	NETSTAT.EXE
1032	NETSTAT.EXE
1032	NETSTAT.EXE
1032	NETSTAT.EXE
1032	NETSTAT.EXE
1032	NETSTAT.EXE
1032	NETSTAT.EXE
1032	NETSTAT.EXE
1032	NETSTAT.EXE
1032	NETSTAT.EXE
1032	NETSTAT.EXE
1032	NETSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3064 Explorer.EXE

pid	process
3064	Explorer.EXE

Suspicious behavior: MapViewOfSection 9 IoCs

Processes:

shwqxoomjp.exeshwqxoomjp.exeNETSTAT.EXE

pid	process
2060	shwqxoomjp.exe
1420	shwqxoomjp.exe
1420	shwqxoomjp.exe
1420	shwqxoomjp.exe
1420	shwqxoomjp.exe
1032	NETSTAT.EXE
1032	NETSTAT.EXE
1032	NETSTAT.EXE
1032	NETSTAT.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

shwqxoomjp.exeNETSTAT.EXE

description pid process

Token: SeDebugPrivilege 1420 shwqxoomjp.exe
Token: SeDebugPrivilege 1032 NETSTAT.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

shwqxoomjp.exe

pid process

2060 shwqxoomjp.exe
2060 shwqxoomjp.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

shwqxoomjp.exe

pid process

2060 shwqxoomjp.exe
2060 shwqxoomjp.exe

description	pid	process
Token: SeDebugPrivilege	1420	shwqxoomjp.exe
Token: SeDebugPrivilege	1032	NETSTAT.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

61805394.exeshwqxoomjp.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 4972 wrote to memory of 2060	4972	61805394.exe	shwqxoomjp.exe
PID 4972 wrote to memory of 2060	4972	61805394.exe	shwqxoomjp.exe
PID 4972 wrote to memory of 2060	4972	61805394.exe	shwqxoomjp.exe
PID 2060 wrote to memory of 1420	2060	shwqxoomjp.exe	shwqxoomjp.exe
PID 2060 wrote to memory of 1420	2060	shwqxoomjp.exe	shwqxoomjp.exe
PID 2060 wrote to memory of 1420	2060	shwqxoomjp.exe	shwqxoomjp.exe
PID 2060 wrote to memory of 1420	2060	shwqxoomjp.exe	shwqxoomjp.exe
PID 3064 wrote to memory of 1032	3064	Explorer.EXE	NETSTAT.EXE
PID 3064 wrote to memory of 1032	3064	Explorer.EXE	NETSTAT.EXE
PID 3064 wrote to memory of 1032	3064	Explorer.EXE	NETSTAT.EXE
PID 1032 wrote to memory of 3780	1032	NETSTAT.EXE	Firefox.exe
PID 1032 wrote to memory of 3780	1032	NETSTAT.EXE	Firefox.exe
PID 1032 wrote to memory of 3780	1032	NETSTAT.EXE	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3064

C:\Users\Admin\AppData\Local\Temp\61805394.exe
"C:\Users\Admin\AppData\Local\Temp\61805394.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4972

C:\Users\Admin\AppData\Local\Temp\shwqxoomjp.exe
"C:\Users\Admin\AppData\Local\Temp\shwqxoomjp.exe" "C:\Users\Admin\AppData\Local\Temp\stfcqudn.au3"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2060

C:\Users\Admin\AppData\Local\Temp\shwqxoomjp.exe
"C:\Users\Admin\AppData\Local\Temp\shwqxoomjp.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1032

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:3780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\auevr.ov
Filesize
185KB

MD5
9db57de86ecc5747c77d88f1f104113b

SHA1
2d416ddfc9dd593545d5914af7a9ec4eb7151a75

SHA256
ad404543e1c9c291f92b07f4406148bb09d7c7f66dff8ac5bbecd49816f56351

SHA512
5759a2e0176ad3682922716d1f042955d702c12185dc579d419523e698c8f513e1d295d4cb3c7b6e92c0a8da86936abadda68755a717815991573476e0e12629

Download Submit
C:\Users\Admin\AppData\Local\Temp\shwqxoomjp.exe
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\shwqxoomjp.exe
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\shwqxoomjp.exe
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\stfcqudn.au3
Filesize
5KB

MD5
9107842e92542383cb40845c12ba4818

SHA1
4d4539c0cd38abcf371f98a2c5ffdb56a3928b6a

SHA256
40cf08fdceb894418843844143e928f763aa0b8ca7ff46b6f8c714c4b77a32a7

SHA512
dd14f81bc38f4a48c3512d638a181936201c5ec3c5baa923418e7836ae4b3d836f4180348a05b7638954059ab16d7d43740955ae1ca40ba74acd5f2c696efd11

Download Submit
C:\Users\Admin\AppData\Local\Temp\uyjhldcta.g
Filesize
70KB

MD5
660714f5e078d4db25f0453b146ea203

SHA1
b7022965ce621efa6fe828e220300857a097043b

SHA256
bd8bfbbcba56fe92726930e939d9a814be7005efd878158b7bf9bae274a82d7d

SHA512
44637fc06f57f10a7817178956b258b00b12e7727b39ae4a3f3b419927d37fbd0a04d7c413b1a9e57cfd780845c77ab0460784c875a7a17744d7f1c04d25ce65

Download Submit
memory/1032-147-0x0000000000000000-mapping.dmp

Download
memory/1032-155-0x0000000000800000-0x000000000082D000-memory.dmp

Filesize
180KB

Download
memory/1032-153-0x0000000000E20000-0x0000000000EAF000-memory.dmp

Filesize
572KB

Download
memory/1032-152-0x0000000000EB0000-0x00000000011FA000-memory.dmp

Filesize
3.3MB

Download
memory/1032-151-0x0000000000800000-0x000000000082D000-memory.dmp

Filesize
180KB

Download
memory/1032-150-0x00000000005A0000-0x00000000005AB000-memory.dmp

Filesize
44KB

Download
memory/1420-138-0x0000000000000000-mapping.dmp

Download
memory/1420-145-0x00000000012C0000-0x00000000012D0000-memory.dmp

Filesize
64KB

Download
memory/1420-148-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1420-149-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1420-143-0x0000000000CF0000-0x0000000000D00000-memory.dmp

Filesize
64KB

Download
memory/1420-142-0x0000000001360000-0x00000000016AA000-memory.dmp

Filesize
3.3MB

Download
memory/1420-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1420-141-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/2060-132-0x0000000000000000-mapping.dmp

Download
memory/3064-146-0x0000000008280000-0x00000000083EB000-memory.dmp

Filesize
1.4MB

Download
memory/3064-144-0x00000000078E0000-0x0000000007A43000-memory.dmp

Filesize
1.4MB

Download
memory/3064-154-0x0000000008570000-0x00000000086DA000-memory.dmp

Filesize
1.4MB

Download
memory/3064-156-0x0000000008570000-0x00000000086DA000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads