formbook | 37572cb6f2bd3ef772a437f0e91cd813bfd270988f205c7a24f200ba4df6a609

General

Target

37572cb6f2bd3ef772a437f0e91cd813bfd270988f205c7a24f200ba4df6a609.exe
Size

239KB
MD5

61672650363565ad7ce71c5a261a5e7e
SHA1

da70e0ed691217615c57963c58e18de927c13294
SHA256

37572cb6f2bd3ef772a437f0e91cd813bfd270988f205c7a24f200ba4df6a609
SHA512

17b7867c3329a1ccd514cb265622d9bcf8a817d29b49e7c9fd12e49ae905ef09683da32e41ed57054f0451b3fc7f562ad999c59558948659e63cfe17f23fc824
SSDEEP

6144:QBn10ffIoo3VeRy65qQvT1GLwbTWYM89y7rOjPwA:gSR5qubqS96SD

Score

10^/10

formbook n2hm rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

n2hm

Decoy

XCeG4IxNKbAl

YzJWbnC+El84nA==

KAJcdmP8yEcO5LXPCFF42Wfb

I+J+xYO95GJQWVU=

GtgxPPv3FmQmhw==

Og9NYF4xEl+j7vGTR93xvg==

506Cg07bsT0G6yK+A96H0h35V+JLkwI=

wAYXFN+pSFIXgQ==

ijzLI/f+FmQmhw==

UfT2PweNm+w8

GQWVw5aZnfF/kS5e

30BKYjua9zcA7gAwsPUngLnjyrBNEgo=

AM65OrmyFmQmhw==

VSlTVxISZ4J/kS5e

GGKj6K33SRh6e0/YzT5nQGlK5CXRqw==

B9H98cUUfX+AWOqiTA==

MxVffWOIoVnM37zrd2sTaOY=

z6bxCgG/mGhR7oDzQA==

pQgSLSRi6AK3M/PdArpX

6rRRsYuSnXx/kS5e

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

49 3504 rundll32.exe
Executes dropped EXE 2 IoCs

Processes:

lkhgcvox.exelkhgcvox.exe

pid process

2412 lkhgcvox.exe
800 lkhgcvox.exe

flow	pid	process
49	3504	rundll32.exe

pid	process
2412	lkhgcvox.exe
800	lkhgcvox.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

lkhgcvox.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	lkhgcvox.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 3 IoCs

Processes:

lkhgcvox.exelkhgcvox.exerundll32.exe

description	pid	process	target process
PID 2412 set thread context of 800	2412	lkhgcvox.exe	lkhgcvox.exe
PID 800 set thread context of 2248	800	lkhgcvox.exe	Explorer.EXE
PID 3504 set thread context of 2248	3504	rundll32.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	rundll32.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

lkhgcvox.exerundll32.exe

pid	process
800	lkhgcvox.exe
800	lkhgcvox.exe
800	lkhgcvox.exe
800	lkhgcvox.exe
800	lkhgcvox.exe
800	lkhgcvox.exe
800	lkhgcvox.exe
800	lkhgcvox.exe
3504	rundll32.exe
3504	rundll32.exe
3504	rundll32.exe
3504	rundll32.exe
3504	rundll32.exe
3504	rundll32.exe
3504	rundll32.exe
3504	rundll32.exe
3504	rundll32.exe
3504	rundll32.exe
3504	rundll32.exe
3504	rundll32.exe
3504	rundll32.exe
3504	rundll32.exe
3504	rundll32.exe
3504	rundll32.exe
3504	rundll32.exe
3504	rundll32.exe
3504	rundll32.exe
3504	rundll32.exe
3504	rundll32.exe
3504	rundll32.exe
3504	rundll32.exe
3504	rundll32.exe
3504	rundll32.exe
3504	rundll32.exe
3504	rundll32.exe
3504	rundll32.exe
3504	rundll32.exe
3504	rundll32.exe
3504	rundll32.exe
3504	rundll32.exe
3504	rundll32.exe
3504	rundll32.exe
3504	rundll32.exe
3504	rundll32.exe
3504	rundll32.exe
3504	rundll32.exe
3504	rundll32.exe
3504	rundll32.exe
3504	rundll32.exe
3504	rundll32.exe
3504	rundll32.exe
3504	rundll32.exe
3504	rundll32.exe
3504	rundll32.exe
3504	rundll32.exe
3504	rundll32.exe
3504	rundll32.exe
3504	rundll32.exe
3504	rundll32.exe
3504	rundll32.exe
3504	rundll32.exe
3504	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2248 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

lkhgcvox.exelkhgcvox.exerundll32.exe

pid process

2412 lkhgcvox.exe
800 lkhgcvox.exe
800 lkhgcvox.exe
800 lkhgcvox.exe
3504 rundll32.exe
3504 rundll32.exe
3504 rundll32.exe
3504 rundll32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

lkhgcvox.exerundll32.exe

description pid process

Token: SeDebugPrivilege 800 lkhgcvox.exe
Token: SeDebugPrivilege 3504 rundll32.exe

pid	process
2248	Explorer.EXE

pid	process
2412	lkhgcvox.exe
800	lkhgcvox.exe
800	lkhgcvox.exe
800	lkhgcvox.exe
3504	rundll32.exe
3504	rundll32.exe
3504	rundll32.exe
3504	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	800	lkhgcvox.exe
Token: SeDebugPrivilege	3504	rundll32.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

37572cb6f2bd3ef772a437f0e91cd813bfd270988f205c7a24f200ba4df6a609.exelkhgcvox.exeExplorer.EXErundll32.exe

description	pid	process	target process
PID 3720 wrote to memory of 2412	3720	37572cb6f2bd3ef772a437f0e91cd813bfd270988f205c7a24f200ba4df6a609.exe	lkhgcvox.exe
PID 3720 wrote to memory of 2412	3720	37572cb6f2bd3ef772a437f0e91cd813bfd270988f205c7a24f200ba4df6a609.exe	lkhgcvox.exe
PID 3720 wrote to memory of 2412	3720	37572cb6f2bd3ef772a437f0e91cd813bfd270988f205c7a24f200ba4df6a609.exe	lkhgcvox.exe
PID 2412 wrote to memory of 800	2412	lkhgcvox.exe	lkhgcvox.exe
PID 2412 wrote to memory of 800	2412	lkhgcvox.exe	lkhgcvox.exe
PID 2412 wrote to memory of 800	2412	lkhgcvox.exe	lkhgcvox.exe
PID 2412 wrote to memory of 800	2412	lkhgcvox.exe	lkhgcvox.exe
PID 2248 wrote to memory of 3504	2248	Explorer.EXE	rundll32.exe
PID 2248 wrote to memory of 3504	2248	Explorer.EXE	rundll32.exe
PID 2248 wrote to memory of 3504	2248	Explorer.EXE	rundll32.exe
PID 3504 wrote to memory of 3004	3504	rundll32.exe	Firefox.exe
PID 3504 wrote to memory of 3004	3504	rundll32.exe	Firefox.exe
PID 3504 wrote to memory of 3004	3504	rundll32.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Users\Admin\AppData\Local\Temp\37572cb6f2bd3ef772a437f0e91cd813bfd270988f205c7a24f200ba4df6a609.exe
  "C:\Users\Admin\AppData\Local\Temp\37572cb6f2bd3ef772a437f0e91cd813bfd270988f205c7a24f200ba4df6a609.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3720
- - C:\Users\Admin\AppData\Local\Temp\lkhgcvox.exe
    "C:\Users\Admin\AppData\Local\Temp\lkhgcvox.exe" C:\Users\Admin\AppData\Local\Temp\lgjvm.n
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2412
  - - C:\Users\Admin\AppData\Local\Temp\lkhgcvox.exe
      "C:\Users\Admin\AppData\Local\Temp\lkhgcvox.exe" C:\Users\Admin\AppData\Local\Temp\lgjvm.n
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:800
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\SysWOW64\rundll32.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3504
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:3004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lgjvm.n

Filesize
5KB

MD5
b5bd1d788ff15db30c33fc6ab63d79cd

SHA1
647cd1cb32eb40fac0c78407e336c904c4326d6d

SHA256
83adcbc73426996a6391f3563af4108fc6fb2d7e3bb43e5964e9a9c638d9b6aa

SHA512
d366cf00d10f6e8353ca0fcb3b1d6a8e54640d3e4092936f269215b53968b3e8981d76389062e10026175bc0fca224be78da6407ad8ab98ee9e669c0b1dea8d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\lkhgcvox.exe

Filesize
58KB

MD5
436337374849644f54f370b2931c5f9c

SHA1
23024687bca7f77b61d5f9c9f08c622998d8798f

SHA256
03a6040822f451f05bc029e2701cfe433947bc4490ca4da37a8a7617e126a493

SHA512
614193c3df8f97f54bf3eace6729b0e42bdc99ed3664df9e153ef0a6c765ff663f57d91acef9525dae5df6ef5f0f96914c8bee09f8c4b663c662e6ad9dac2bfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\lkhgcvox.exe

Filesize
58KB

MD5
436337374849644f54f370b2931c5f9c

SHA1
23024687bca7f77b61d5f9c9f08c622998d8798f

SHA256
03a6040822f451f05bc029e2701cfe433947bc4490ca4da37a8a7617e126a493

SHA512
614193c3df8f97f54bf3eace6729b0e42bdc99ed3664df9e153ef0a6c765ff663f57d91acef9525dae5df6ef5f0f96914c8bee09f8c4b663c662e6ad9dac2bfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\lkhgcvox.exe

Filesize
58KB

MD5
436337374849644f54f370b2931c5f9c

SHA1
23024687bca7f77b61d5f9c9f08c622998d8798f

SHA256
03a6040822f451f05bc029e2701cfe433947bc4490ca4da37a8a7617e126a493

SHA512
614193c3df8f97f54bf3eace6729b0e42bdc99ed3664df9e153ef0a6c765ff663f57d91acef9525dae5df6ef5f0f96914c8bee09f8c4b663c662e6ad9dac2bfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nuyts.s

Filesize
185KB

MD5
678721f9a827cc3b51fc472868a84b2a

SHA1
34618073c825161e7d5db23915bda774ef3d12da

SHA256
57595f7432ea33ae2250dc281b6d5c0c87d59de5e0e900fbb50101951f43f1d3

SHA512
4fc867e187a67bfb9d12e9b8ddb55543f9b7b492ae0d1591e042330b70c6c6f2ceb7d75ca535b33c74dbe287fb7b7eab34b2e458373df8e76f1bbbf3eba48727

Download Submit
memory/800-142-0x00000000009A0000-0x00000000009B0000-memory.dmp

Filesize
64KB

Download
memory/800-137-0x0000000000000000-mapping.dmp

Download
memory/800-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/800-141-0x00000000009E0000-0x0000000000D2A000-memory.dmp

Filesize
3.3MB

Download
memory/800-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/800-145-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2248-150-0x0000000002CF0000-0x0000000002DD2000-memory.dmp

Filesize
904KB

Download
memory/2248-143-0x0000000002EF0000-0x0000000002FF5000-memory.dmp

Filesize
1.0MB

Download
memory/2248-152-0x0000000002CF0000-0x0000000002DD2000-memory.dmp

Filesize
904KB

Download
memory/2412-132-0x0000000000000000-mapping.dmp

Download
memory/3504-144-0x0000000000000000-mapping.dmp

Download
memory/3504-148-0x0000000002580000-0x00000000028CA000-memory.dmp

Filesize
3.3MB

Download
memory/3504-149-0x00000000022B0000-0x000000000233F000-memory.dmp

Filesize
572KB

Download
memory/3504-147-0x0000000000370000-0x000000000039D000-memory.dmp

Filesize
180KB

Download
memory/3504-151-0x0000000000370000-0x000000000039D000-memory.dmp

Filesize
180KB

Download
memory/3504-146-0x0000000000C60000-0x0000000000C74000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads