formbook | 1cb82faf9f59ad0c5a831297d038b885c4bf15c933a9730abbcbfab86e6eb1cc

General

Target

Invoice.exe
Size

602KB
MD5

75bab4e3e275410ee46f56c96d2ca719
SHA1

ff9f741609c0009d066c33d8fd8d668c66f6c829
SHA256

1cb82faf9f59ad0c5a831297d038b885c4bf15c933a9730abbcbfab86e6eb1cc
SHA512

deb1b0dce46a9bd2b2ee90f61fbe9f41db562b35782c1b83c6ac41ff0c384ea27b828e5ef03e644b9fbd40a1dd0e24a1fa57c4eb625a24752c18b9ac2563ce57
SSDEEP

12288:gOVGmi1JQ52I8sDQJRZ+z+8xmduDYHkUVszxOAzZ21vMiNSpS:gcJAJtESRY+8xiHxefoNSo

Score

10^/10

formbook scse persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

scse

Decoy

SKpYFyVNT2zunKf0uuM=

FlEHUseI7I5XbrO8fR/XBcS9ZA==

FPuxoUOxkLiATugw

VKdxsDSk0jdT5Kw=

FpqHf9iI/1tl97E=

YGI6sIl3UIxfZvlD+JiUuuLR

oBAEO0suBEAD5aK00A==

RKJqTzg4gQ/Q6DYSuTjDGkwuyl0ik5Kb8w==

VFg9s3W0/Ype8A3cZb+D7g==

hwD+VNd6014nrsaTWm4FBcS9ZA==

zkAdUq1soKYUfZaTqLmL

XVQ9WbRivUIQ477a/hKv+g==

QireF2geizAwmp674AGc5g==

PSTUQxs6j8OATugw

LHJhyy2VbX8NEqf0uuM=

MiY1vg6T3HqATugw

wqkUjaVXnGgBqA==

jUr/eUtSIT01Wegt

PjQidcqKzAbSZICUZb+D7g==

OkAmcv12sUEAIHwFHakzdIo2FPHw

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

duvgcae.exeduvgcae.exe

pid process

4968 duvgcae.exe
3764 duvgcae.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

duvgcae.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	duvgcae.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

duvgcae.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fkloxkgy = "C:\\Users\\Admin\\AppData\\Roaming\\mwrmsxfkdml\\gmubcju.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\duvgcae.exe\" \"C:\\Users\\Admin\\AppData\\Loc"	duvgcae.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

duvgcae.exeduvgcae.exemstsc.exe

description	pid	process	target process
PID 4968 set thread context of 3764	4968	duvgcae.exe	duvgcae.exe
PID 3764 set thread context of 964	3764	duvgcae.exe	Explorer.EXE
PID 3764 set thread context of 964	3764	duvgcae.exe	Explorer.EXE
PID 2028 set thread context of 964	2028	mstsc.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

mstsc.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	mstsc.exe

Modifies registry class 3 IoCs

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

duvgcae.exemstsc.exe

pid	process
3764	duvgcae.exe
3764	duvgcae.exe
3764	duvgcae.exe
3764	duvgcae.exe
3764	duvgcae.exe
3764	duvgcae.exe
3764	duvgcae.exe
3764	duvgcae.exe
3764	duvgcae.exe
3764	duvgcae.exe
2028	mstsc.exe
2028	mstsc.exe
2028	mstsc.exe
2028	mstsc.exe
2028	mstsc.exe
2028	mstsc.exe
2028	mstsc.exe
2028	mstsc.exe
2028	mstsc.exe
2028	mstsc.exe
2028	mstsc.exe
2028	mstsc.exe
2028	mstsc.exe
2028	mstsc.exe
2028	mstsc.exe
2028	mstsc.exe
2028	mstsc.exe
2028	mstsc.exe
2028	mstsc.exe
2028	mstsc.exe
2028	mstsc.exe
2028	mstsc.exe
2028	mstsc.exe
2028	mstsc.exe
2028	mstsc.exe
2028	mstsc.exe
2028	mstsc.exe
2028	mstsc.exe
2028	mstsc.exe
2028	mstsc.exe
2028	mstsc.exe
2028	mstsc.exe
2028	mstsc.exe
2028	mstsc.exe
2028	mstsc.exe
2028	mstsc.exe
2028	mstsc.exe
2028	mstsc.exe
2028	mstsc.exe
2028	mstsc.exe
2028	mstsc.exe
2028	mstsc.exe
2028	mstsc.exe
2028	mstsc.exe
2028	mstsc.exe
2028	mstsc.exe
2028	mstsc.exe
2028	mstsc.exe
2028	mstsc.exe
2028	mstsc.exe
2028	mstsc.exe
2028	mstsc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

964 Explorer.EXE

pid	process
964	Explorer.EXE

Suspicious behavior: MapViewOfSection 10 IoCs

Processes:

duvgcae.exeduvgcae.exemstsc.exe

pid	process
4968	duvgcae.exe
4968	duvgcae.exe
3764	duvgcae.exe
3764	duvgcae.exe
3764	duvgcae.exe
3764	duvgcae.exe
2028	mstsc.exe
2028	mstsc.exe
2028	mstsc.exe
2028	mstsc.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

duvgcae.exemstsc.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	3764	duvgcae.exe
Token: SeDebugPrivilege	2028	mstsc.exe
Token: SeShutdownPrivilege	964	Explorer.EXE
Token: SeCreatePagefilePrivilege	964	Explorer.EXE
Token: SeShutdownPrivilege	964	Explorer.EXE
Token: SeCreatePagefilePrivilege	964	Explorer.EXE
Token: SeShutdownPrivilege	964	Explorer.EXE
Token: SeCreatePagefilePrivilege	964	Explorer.EXE
Token: SeShutdownPrivilege	964	Explorer.EXE
Token: SeCreatePagefilePrivilege	964	Explorer.EXE
Token: SeShutdownPrivilege	964	Explorer.EXE
Token: SeCreatePagefilePrivilege	964	Explorer.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

duvgcae.exeExplorer.EXE

pid process

4968 duvgcae.exe
4968 duvgcae.exe
964 Explorer.EXE
964 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

duvgcae.exe

pid process

4968 duvgcae.exe
4968 duvgcae.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

Invoice.exeduvgcae.exeExplorer.EXEmstsc.exe

description	pid	process	target process
PID 1564 wrote to memory of 4968	1564	Invoice.exe	duvgcae.exe
PID 1564 wrote to memory of 4968	1564	Invoice.exe	duvgcae.exe
PID 1564 wrote to memory of 4968	1564	Invoice.exe	duvgcae.exe
PID 4968 wrote to memory of 3764	4968	duvgcae.exe	duvgcae.exe
PID 4968 wrote to memory of 3764	4968	duvgcae.exe	duvgcae.exe
PID 4968 wrote to memory of 3764	4968	duvgcae.exe	duvgcae.exe
PID 4968 wrote to memory of 3764	4968	duvgcae.exe	duvgcae.exe
PID 964 wrote to memory of 2028	964	Explorer.EXE	mstsc.exe
PID 964 wrote to memory of 2028	964	Explorer.EXE	mstsc.exe
PID 964 wrote to memory of 2028	964	Explorer.EXE	mstsc.exe
PID 2028 wrote to memory of 1372	2028	mstsc.exe	Firefox.exe
PID 2028 wrote to memory of 1372	2028	mstsc.exe	Firefox.exe
PID 2028 wrote to memory of 1372	2028	mstsc.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:964

C:\Users\Admin\AppData\Local\Temp\Invoice.exe
"C:\Users\Admin\AppData\Local\Temp\Invoice.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1564

C:\Users\Admin\AppData\Local\Temp\duvgcae.exe
"C:\Users\Admin\AppData\Local\Temp\duvgcae.exe" "C:\Users\Admin\AppData\Local\Temp\jptavihvrk.au3"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4968

C:\Users\Admin\AppData\Local\Temp\duvgcae.exe
"C:\Users\Admin\AppData\Local\Temp\duvgcae.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3764

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:3172

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:664

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2736

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:3868

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:4624

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:4664

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1916

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:3236

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1328

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:4404

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:548

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:4572

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:4372

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:4512

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2428

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1168

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:4648

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:4420

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:404

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2176

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:460

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2204

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:5024

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:5044

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:4820

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1336

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:976

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1372

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\duvgcae.exe
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\duvgcae.exe
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\duvgcae.exe
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jptavihvrk.au3
Filesize
5KB

MD5
7e6ba6f36513a2cda69a15eda45b2de9

SHA1
5f528c1bed029bfb1ecc6b0bfaa83fd25ef9bc09

SHA256
b9e3ad91039c82865ffe7e7be634f2168b3a7053b31e8e36e4345430d3c0fa4a

SHA512
44fc44089a9c8d0b9bca7ab29e8e6a868d5041bd7002a255bdfdeb344580d6c696a52aa3176c74a8a25a6179cbbc9bd488fd87a743df1cc5efbe98f18aea7b6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\lseflylbcc.t
Filesize
184KB

MD5
44241ea99f4c61f04185fa146d8738c4

SHA1
3df2d7145ee69521dc5a0102381777309574d0b0

SHA256
dc0a3b837655f9c3d21c5933e0f92f1f341d2e7a569f123857db046daaac9a84

SHA512
c8dd7e2026b500c4af88876c981a630b26e3b72ff42026539bebf5d9547ebbdd61d427232a9cb123ac2fb5859705e495addb77f9860549dc49661243f5c8b715

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygxmywv.k
Filesize
86KB

MD5
632e8107bcf473c922f1dc510a60d620

SHA1
7f2cf9095a6a09d14a01cc7cf38b704252942eb9

SHA256
edaee34a2d9d5ae9b2bb18be65616404f4b879ee2022f648bc90ce8260949629

SHA512
402e55f52a39f44f5116de38e5c5e267b452ac7f4bb5394a7d9f5ead8081938185a9d16cc0cd071f6c8985df1565d38adc6a1d7490e471a204c4ed5dc121bde7

Download Submit
memory/964-144-0x0000000003720000-0x0000000003805000-memory.dmp

Filesize
916KB

Download
memory/964-157-0x0000000008EE0000-0x0000000009062000-memory.dmp

Filesize
1.5MB

Download
memory/964-155-0x0000000008EE0000-0x0000000009062000-memory.dmp

Filesize
1.5MB

Download
memory/964-153-0x0000000008DB0000-0x0000000008EDF000-memory.dmp

Filesize
1.2MB

Download
memory/964-147-0x0000000008DB0000-0x0000000008EDF000-memory.dmp

Filesize
1.2MB

Download
memory/2028-150-0x0000000000FD0000-0x000000000110A000-memory.dmp

Filesize
1.2MB

Download
memory/2028-151-0x0000000000490000-0x00000000004BD000-memory.dmp

Filesize
180KB

Download
memory/2028-156-0x0000000000490000-0x00000000004BD000-memory.dmp

Filesize
180KB

Download
memory/2028-154-0x0000000002520000-0x00000000025AF000-memory.dmp

Filesize
572KB

Download
memory/2028-152-0x00000000026D0000-0x0000000002A1A000-memory.dmp

Filesize
3.3MB

Download
memory/2028-148-0x0000000000000000-mapping.dmp

Download
memory/3764-142-0x0000000000502000-0x0000000000504000-memory.dmp

Filesize
8KB

Download
memory/3764-143-0x0000000000AC0000-0x0000000000AD0000-memory.dmp

Filesize
64KB

Download
memory/3764-149-0x00000000004E0000-0x000000000050E000-memory.dmp

Filesize
184KB

Download
memory/3764-145-0x0000000000502000-0x0000000000504000-memory.dmp

Filesize
8KB

Download
memory/3764-140-0x00000000004E0000-0x000000000050E000-memory.dmp

Filesize
184KB

Download
memory/3764-146-0x0000000001000000-0x0000000001010000-memory.dmp

Filesize
64KB

Download
memory/3764-138-0x0000000000000000-mapping.dmp

Download
memory/3764-141-0x0000000001360000-0x00000000016AA000-memory.dmp

Filesize
3.3MB

Download
memory/4968-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads