formbook | bdee6d7a7e7cc141bdb3fc0997cbb07b1a85016e23fd74eec044a5ca52ae5052

General

Target

6.exe
Size

272KB
MD5

110f69d363cea079d6d0bdeff1bb838f
SHA1

324be5674ea782a4eaf68b51b87fc61b0f894044
SHA256

bdee6d7a7e7cc141bdb3fc0997cbb07b1a85016e23fd74eec044a5ca52ae5052
SHA512

c035d86afbd3b548cd6bf08a57838db4735f090fcbb34555179a52ea9b1c377490a8e550a42b5bbcf0d47e0560af9bde920fb16849c16e9add9adaf4beb9baec
SSDEEP

6144:9kw24wUoB7N3lbNKRmqdtK1jdACBqE5ObP8l5i:S4wU6N3xZq/2pAiqE5OkQ

Score

10^/10

formbook scse persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

scse

Decoy

SKpYFyVNT2zunKf0uuM=

FlEHUseI7I5XbrO8fR/XBcS9ZA==

FPuxoUOxkLiATugw

VKdxsDSk0jdT5Kw=

FpqHf9iI/1tl97E=

YGI6sIl3UIxfZvlD+JiUuuLR

oBAEO0suBEAD5aK00A==

RKJqTzg4gQ/Q6DYSuTjDGkwuyl0ik5Kb8w==

VFg9s3W0/Ype8A3cZb+D7g==

hwD+VNd6014nrsaTWm4FBcS9ZA==

zkAdUq1soKYUfZaTqLmL

XVQ9WbRivUIQ477a/hKv+g==

QireF2geizAwmp674AGc5g==

PSTUQxs6j8OATugw

LHJhyy2VbX8NEqf0uuM=

MiY1vg6T3HqATugw

wqkUjaVXnGgBqA==

jUr/eUtSIT01Wegt

PjQidcqKzAbSZICUZb+D7g==

OkAmcv12sUEAIHwFHakzdIo2FPHw

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

pnrhtyb.exepnrhtyb.exe

pid process

1900 pnrhtyb.exe
980 pnrhtyb.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

pnrhtyb.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation pnrhtyb.exe
Loads dropped DLL 3 IoCs

Processes:

6.exepnrhtyb.exechkdsk.exe

pid process

948 6.exe
1900 pnrhtyb.exe
1348 chkdsk.exe

pid	process
1900	pnrhtyb.exe
980	pnrhtyb.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation	pnrhtyb.exe

pid	process
948	6.exe
1900	pnrhtyb.exe
1348	chkdsk.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

pnrhtyb.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\rabnvgeeyk = "C:\\Users\\Admin\\AppData\\Roaming\\vkabk\\bvdpbneprit.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\pnrhtyb.exe\" C:\\Users\\Admin\\AppData\\Local\\"	pnrhtyb.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

pnrhtyb.exepnrhtyb.exechkdsk.exe

description	pid	process	target process
PID 1900 set thread context of 980	1900	pnrhtyb.exe	pnrhtyb.exe
PID 980 set thread context of 1268	980	pnrhtyb.exe	Explorer.EXE
PID 1348 set thread context of 1268	1348	chkdsk.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

chkdsk.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier chkdsk.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

chkdsk.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	chkdsk.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

pnrhtyb.exechkdsk.exe

pid	process
980	pnrhtyb.exe
980	pnrhtyb.exe
980	pnrhtyb.exe
980	pnrhtyb.exe
1348	chkdsk.exe
1348	chkdsk.exe
1348	chkdsk.exe
1348	chkdsk.exe
1348	chkdsk.exe
1348	chkdsk.exe
1348	chkdsk.exe
1348	chkdsk.exe
1348	chkdsk.exe
1348	chkdsk.exe
1348	chkdsk.exe
1348	chkdsk.exe
1348	chkdsk.exe
1348	chkdsk.exe
1348	chkdsk.exe
1348	chkdsk.exe
1348	chkdsk.exe
1348	chkdsk.exe
1348	chkdsk.exe
1348	chkdsk.exe
1348	chkdsk.exe
1348	chkdsk.exe

Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

pnrhtyb.exepnrhtyb.exechkdsk.exe

pid process

1900 pnrhtyb.exe
980 pnrhtyb.exe
980 pnrhtyb.exe
980 pnrhtyb.exe
1348 chkdsk.exe
1348 chkdsk.exe
1348 chkdsk.exe
1348 chkdsk.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pnrhtyb.exechkdsk.exe

description pid process

Token: SeDebugPrivilege 980 pnrhtyb.exe
Token: SeDebugPrivilege 1348 chkdsk.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1268 Explorer.EXE
1268 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1268 Explorer.EXE
1268 Explorer.EXE

pid	process
1900	pnrhtyb.exe
980	pnrhtyb.exe
980	pnrhtyb.exe
980	pnrhtyb.exe
1348	chkdsk.exe
1348	chkdsk.exe
1348	chkdsk.exe
1348	chkdsk.exe

description	pid	process
Token: SeDebugPrivilege	980	pnrhtyb.exe
Token: SeDebugPrivilege	1348	chkdsk.exe

pid	process
1268	Explorer.EXE
1268	Explorer.EXE

pid	process
1268	Explorer.EXE
1268	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

6.exepnrhtyb.exeExplorer.EXEchkdsk.exe

description	pid	process	target process
PID 948 wrote to memory of 1900	948	6.exe	pnrhtyb.exe
PID 948 wrote to memory of 1900	948	6.exe	pnrhtyb.exe
PID 948 wrote to memory of 1900	948	6.exe	pnrhtyb.exe
PID 948 wrote to memory of 1900	948	6.exe	pnrhtyb.exe
PID 1900 wrote to memory of 980	1900	pnrhtyb.exe	pnrhtyb.exe
PID 1900 wrote to memory of 980	1900	pnrhtyb.exe	pnrhtyb.exe
PID 1900 wrote to memory of 980	1900	pnrhtyb.exe	pnrhtyb.exe
PID 1900 wrote to memory of 980	1900	pnrhtyb.exe	pnrhtyb.exe
PID 1900 wrote to memory of 980	1900	pnrhtyb.exe	pnrhtyb.exe
PID 1268 wrote to memory of 1348	1268	Explorer.EXE	chkdsk.exe
PID 1268 wrote to memory of 1348	1268	Explorer.EXE	chkdsk.exe
PID 1268 wrote to memory of 1348	1268	Explorer.EXE	chkdsk.exe
PID 1268 wrote to memory of 1348	1268	Explorer.EXE	chkdsk.exe
PID 1348 wrote to memory of 616	1348	chkdsk.exe	Firefox.exe
PID 1348 wrote to memory of 616	1348	chkdsk.exe	Firefox.exe
PID 1348 wrote to memory of 616	1348	chkdsk.exe	Firefox.exe
PID 1348 wrote to memory of 616	1348	chkdsk.exe	Firefox.exe
PID 1348 wrote to memory of 616	1348	chkdsk.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1268

C:\Users\Admin\AppData\Local\Temp\6.exe
"C:\Users\Admin\AppData\Local\Temp\6.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:948

C:\Users\Admin\AppData\Local\Temp\pnrhtyb.exe
"C:\Users\Admin\AppData\Local\Temp\pnrhtyb.exe" C:\Users\Admin\AppData\Local\Temp\pnuhuhyrkcu.s
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1900

C:\Users\Admin\AppData\Local\Temp\pnrhtyb.exe
"C:\Users\Admin\AppData\Local\Temp\pnrhtyb.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:980

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1348

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:616

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pnrhtyb.exe
Filesize
141KB

MD5
e6366cf29bc69431f338125292bf75d5

SHA1
4f5fac42967462b478a82b03ddf2788e666502eb

SHA256
b5a0d29be1de9fad206d74df477d616b3772ab66d28b238e9b3b1af49a6bb5a9

SHA512
9f0555e4f2b41a95039d5611d72084d92c79e97b41492155de4c14163aa9fdcacccbe802470efe68711d890ae255dfd70f4f47a8c6bc464a57add894f7c3ac24

Download Submit
C:\Users\Admin\AppData\Local\Temp\pnrhtyb.exe
Filesize
141KB

MD5
e6366cf29bc69431f338125292bf75d5

SHA1
4f5fac42967462b478a82b03ddf2788e666502eb

SHA256
b5a0d29be1de9fad206d74df477d616b3772ab66d28b238e9b3b1af49a6bb5a9

SHA512
9f0555e4f2b41a95039d5611d72084d92c79e97b41492155de4c14163aa9fdcacccbe802470efe68711d890ae255dfd70f4f47a8c6bc464a57add894f7c3ac24

Download Submit
C:\Users\Admin\AppData\Local\Temp\pnrhtyb.exe
Filesize
141KB

MD5
e6366cf29bc69431f338125292bf75d5

SHA1
4f5fac42967462b478a82b03ddf2788e666502eb

SHA256
b5a0d29be1de9fad206d74df477d616b3772ab66d28b238e9b3b1af49a6bb5a9

SHA512
9f0555e4f2b41a95039d5611d72084d92c79e97b41492155de4c14163aa9fdcacccbe802470efe68711d890ae255dfd70f4f47a8c6bc464a57add894f7c3ac24

Download Submit
C:\Users\Admin\AppData\Local\Temp\pnuhuhyrkcu.s
Filesize
7KB

MD5
2a81348d4e1afe228867ea7f9e3c5c1a

SHA1
fe9c9129d36c6492afe7088855d50f6aa209496d

SHA256
e9499c9d2eae7d655a93ced0da9b30156f63de4d094ffc5fa06067fb5355aacc

SHA512
8bd4e5efcd86b175fc8300c87ed06b0304ed909bbca2d133ec5452a4a310b4d57b9cf2f560670a7dfdd7d8349335e41e29cfb7afda0b1ff8a514b3d73b4c8148

Download Submit
C:\Users\Admin\AppData\Local\Temp\rtlhwzub.z
Filesize
184KB

MD5
fcb71430f99c4abc15f26c4a672dc9ac

SHA1
351dff9775946672145e07f2a3e12ca4e797dd01

SHA256
9131243092bf48835bf0760c4a1c85b2acf53136e82cdeb0339b18cb4febde17

SHA512
35045726a0c11009eb3b5d65ff62fc29c6fd835287ee2e31f38f2d6f24b144f4f66bd0b4f20946e486f057382d2dac0ae8f647e52eac135a43fc24467b6c92ae

Download Submit
\Users\Admin\AppData\Local\Temp\pnrhtyb.exe
Filesize
141KB

MD5
e6366cf29bc69431f338125292bf75d5

SHA1
4f5fac42967462b478a82b03ddf2788e666502eb

SHA256
b5a0d29be1de9fad206d74df477d616b3772ab66d28b238e9b3b1af49a6bb5a9

SHA512
9f0555e4f2b41a95039d5611d72084d92c79e97b41492155de4c14163aa9fdcacccbe802470efe68711d890ae255dfd70f4f47a8c6bc464a57add894f7c3ac24

Download Submit
\Users\Admin\AppData\Local\Temp\pnrhtyb.exe
Filesize
141KB

MD5
e6366cf29bc69431f338125292bf75d5

SHA1
4f5fac42967462b478a82b03ddf2788e666502eb

SHA256
b5a0d29be1de9fad206d74df477d616b3772ab66d28b238e9b3b1af49a6bb5a9

SHA512
9f0555e4f2b41a95039d5611d72084d92c79e97b41492155de4c14163aa9fdcacccbe802470efe68711d890ae255dfd70f4f47a8c6bc464a57add894f7c3ac24

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
910KB

MD5
d79258c5189103d69502eac786addb04

SHA1
f34b33681cfe8ce649218173a7f58b237821c1ef

SHA256
57d89a52061d70d87e40281f1196d53273f87860c4d707d667a8c7d9573da675

SHA512
da797f4dd1ad628aa4e8004b2e00b7c278facbc57a313f56b70dc8fcfbdb0050ea8b025b3475098223cce96ea53537d678273656d46c2d33d81b496d90da34b2

Download Submit
memory/948-54-0x0000000074AB1000-0x0000000074AB3000-memory.dmp

Filesize
8KB

Download
memory/980-67-0x0000000000900000-0x0000000000C03000-memory.dmp

Filesize
3.0MB

Download
memory/980-66-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/980-65-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/980-68-0x00000000002B0000-0x00000000002C0000-memory.dmp

Filesize
64KB

Download
memory/980-63-0x00000000004012B0-mapping.dmp

Download
memory/1268-75-0x0000000006B90000-0x0000000006C82000-memory.dmp

Filesize
968KB

Download
memory/1268-69-0x0000000004E10000-0x0000000004F1B000-memory.dmp

Filesize
1.0MB

Download
memory/1268-78-0x0000000006B90000-0x0000000006C82000-memory.dmp

Filesize
968KB

Download
memory/1348-72-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/1348-71-0x00000000003B0000-0x00000000003B7000-memory.dmp

Filesize
28KB

Download
memory/1348-74-0x0000000001E70000-0x0000000001EFF000-memory.dmp

Filesize
572KB

Download
memory/1348-73-0x0000000002000000-0x0000000002303000-memory.dmp

Filesize
3.0MB

Download
memory/1348-76-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/1348-70-0x0000000000000000-mapping.dmp

Download
memory/1900-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads