formbook | e6c4c251d5481c065e23d202620aa2d2d0ebc7e4d159a70c6ac9e377804da5bf

General

Target

Signed PO801221651.exe
Size

225KB
MD5

44d628546ab1eff55064627d70a3cb27
SHA1

2605ad8396b5ea90c8a371fdb76c58b12931d66c
SHA256

e6c4c251d5481c065e23d202620aa2d2d0ebc7e4d159a70c6ac9e377804da5bf
SHA512

4a1123da0df51b8898d59e63613e741fc6746f1233ec97f2c93db77785f4deda06e50a226e2f06db1419a3780c171af71ebbe2c9dec1be8217d57b2866fd241e
SSDEEP

6144:QBn19gIhWchRDSM2RnW9hCcftsLzSjW3qoC6mD:gqPc7SMYnWTCUtTK3qoC9

Score

10^/10

formbook m5oe rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

m5oe

Decoy

HdR8hG6r12hBYuHY4zv6YeeFPQ==

tD1V9gswYvgQXEGd

1xKtJ1LdqRYMRMC84U1A

MbhjiWb7Lz8z7KIWl3UyUIJwA6Tb

joVB5Xggy2RtE+odsZg=

TrduAIay6Y3SvoIK20xI

pSna7LOsXXwXT/zz3Iow4g==

QnthmO4Qst5gC3sDoA==

eAirzOOgO7SOCenz3Iow4g==

xg0uSbfLTg==

YWQXwyGRzPEHzGrDFE8CBSE=

ujLnfuXoH9dbgHIK20xI

291v0XsGFrYQXEGd

MRvTd/qMuaHpjCM=

X131fLC6VWX4MsvCb2IPjIfq8wlksWfg

Y9Bur8DbgqFt/Yni86MMCCE=

q6RTBmJkmy5pWTmmCCrvmuCDPw==

mQS26DojT+EQXEGd

sjHQ+Kav2Wx9FeodsZg=

JA24UKnTA5re1LhcQaVo/w==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

bunrjzni.exebunrjzni.exe

pid process

2008 bunrjzni.exe
1452 bunrjzni.exe

pid	process
2008	bunrjzni.exe
1452	bunrjzni.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bunrjzni.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\International\Geo\Nation	bunrjzni.exe

Loads dropped DLL 3 IoCs

Processes:

Signed PO801221651.exebunrjzni.execmmon32.exe

pid process

1440 Signed PO801221651.exe
2008 bunrjzni.exe
1232 cmmon32.exe

pid	process
1440	Signed PO801221651.exe
2008	bunrjzni.exe
1232	cmmon32.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

bunrjzni.exebunrjzni.execmmon32.exe

description	pid	process	target process
PID 2008 set thread context of 1452	2008	bunrjzni.exe	bunrjzni.exe
PID 1452 set thread context of 1244	1452	bunrjzni.exe	Explorer.EXE
PID 1232 set thread context of 1244	1232	cmmon32.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

cmmon32.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cmmon32.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

bunrjzni.execmmon32.exe

pid	process
1452	bunrjzni.exe
1452	bunrjzni.exe
1452	bunrjzni.exe
1452	bunrjzni.exe
1232	cmmon32.exe
1232	cmmon32.exe
1232	cmmon32.exe
1232	cmmon32.exe
1232	cmmon32.exe
1232	cmmon32.exe
1232	cmmon32.exe
1232	cmmon32.exe
1232	cmmon32.exe
1232	cmmon32.exe
1232	cmmon32.exe
1232	cmmon32.exe
1232	cmmon32.exe
1232	cmmon32.exe
1232	cmmon32.exe
1232	cmmon32.exe
1232	cmmon32.exe
1232	cmmon32.exe
1232	cmmon32.exe
1232	cmmon32.exe
1232	cmmon32.exe
1232	cmmon32.exe
1232	cmmon32.exe

Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

bunrjzni.exebunrjzni.execmmon32.exe

pid process

2008 bunrjzni.exe
1452 bunrjzni.exe
1452 bunrjzni.exe
1452 bunrjzni.exe
1232 cmmon32.exe
1232 cmmon32.exe
1232 cmmon32.exe
1232 cmmon32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

bunrjzni.execmmon32.exe

description pid process

Token: SeDebugPrivilege 1452 bunrjzni.exe
Token: SeDebugPrivilege 1232 cmmon32.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1244 Explorer.EXE
1244 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1244 Explorer.EXE
1244 Explorer.EXE

pid	process
2008	bunrjzni.exe
1452	bunrjzni.exe
1452	bunrjzni.exe
1452	bunrjzni.exe
1232	cmmon32.exe
1232	cmmon32.exe
1232	cmmon32.exe
1232	cmmon32.exe

description	pid	process
Token: SeDebugPrivilege	1452	bunrjzni.exe
Token: SeDebugPrivilege	1232	cmmon32.exe

pid	process
1244	Explorer.EXE
1244	Explorer.EXE

pid	process
1244	Explorer.EXE
1244	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

Signed PO801221651.exebunrjzni.exeExplorer.EXEcmmon32.exe

description	pid	process	target process
PID 1440 wrote to memory of 2008	1440	Signed PO801221651.exe	bunrjzni.exe
PID 1440 wrote to memory of 2008	1440	Signed PO801221651.exe	bunrjzni.exe
PID 1440 wrote to memory of 2008	1440	Signed PO801221651.exe	bunrjzni.exe
PID 1440 wrote to memory of 2008	1440	Signed PO801221651.exe	bunrjzni.exe
PID 2008 wrote to memory of 1452	2008	bunrjzni.exe	bunrjzni.exe
PID 2008 wrote to memory of 1452	2008	bunrjzni.exe	bunrjzni.exe
PID 2008 wrote to memory of 1452	2008	bunrjzni.exe	bunrjzni.exe
PID 2008 wrote to memory of 1452	2008	bunrjzni.exe	bunrjzni.exe
PID 2008 wrote to memory of 1452	2008	bunrjzni.exe	bunrjzni.exe
PID 1244 wrote to memory of 1232	1244	Explorer.EXE	cmmon32.exe
PID 1244 wrote to memory of 1232	1244	Explorer.EXE	cmmon32.exe
PID 1244 wrote to memory of 1232	1244	Explorer.EXE	cmmon32.exe
PID 1244 wrote to memory of 1232	1244	Explorer.EXE	cmmon32.exe
PID 1232 wrote to memory of 1924	1232	cmmon32.exe	Firefox.exe
PID 1232 wrote to memory of 1924	1232	cmmon32.exe	Firefox.exe
PID 1232 wrote to memory of 1924	1232	cmmon32.exe	Firefox.exe
PID 1232 wrote to memory of 1924	1232	cmmon32.exe	Firefox.exe
PID 1232 wrote to memory of 1924	1232	cmmon32.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1244

C:\Users\Admin\AppData\Local\Temp\Signed PO801221651.exe
"C:\Users\Admin\AppData\Local\Temp\Signed PO801221651.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1440

C:\Users\Admin\AppData\Local\Temp\bunrjzni.exe
"C:\Users\Admin\AppData\Local\Temp\bunrjzni.exe" C:\Users\Admin\AppData\Local\Temp\wleqathvh.hy
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2008

C:\Users\Admin\AppData\Local\Temp\bunrjzni.exe
"C:\Users\Admin\AppData\Local\Temp\bunrjzni.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1452

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1232

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1924

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bunrjzni.exe
Filesize
11KB

MD5
d521de81fab51fde9dba5153ae206e27

SHA1
8cb91b5b6d0eb823268ef46888faddd08f1dc47a

SHA256
9bab738bb52c8e11e723842806cca00c889f14d3759f1f8b24b32778715a434b

SHA512
f19b1b12eef5b46b72a6efc1261f0526f7d873a68c8d4b23bef04b47865d80c14387292a4a547ecbbdda02da2440fff5ff3b0cbeb7e082e62ba42ecd9ea95b50

Download Submit
C:\Users\Admin\AppData\Local\Temp\bunrjzni.exe
Filesize
11KB

MD5
d521de81fab51fde9dba5153ae206e27

SHA1
8cb91b5b6d0eb823268ef46888faddd08f1dc47a

SHA256
9bab738bb52c8e11e723842806cca00c889f14d3759f1f8b24b32778715a434b

SHA512
f19b1b12eef5b46b72a6efc1261f0526f7d873a68c8d4b23bef04b47865d80c14387292a4a547ecbbdda02da2440fff5ff3b0cbeb7e082e62ba42ecd9ea95b50

Download Submit
C:\Users\Admin\AppData\Local\Temp\bunrjzni.exe
Filesize
11KB

MD5
d521de81fab51fde9dba5153ae206e27

SHA1
8cb91b5b6d0eb823268ef46888faddd08f1dc47a

SHA256
9bab738bb52c8e11e723842806cca00c889f14d3759f1f8b24b32778715a434b

SHA512
f19b1b12eef5b46b72a6efc1261f0526f7d873a68c8d4b23bef04b47865d80c14387292a4a547ecbbdda02da2440fff5ff3b0cbeb7e082e62ba42ecd9ea95b50

Download Submit
C:\Users\Admin\AppData\Local\Temp\pfwqhrd.tz
Filesize
185KB

MD5
8eeb36965e6b1e7bcfc2edb596e0670e

SHA1
4660789269f49b1ee51ca1a4e1a1f56331f0047a

SHA256
b54a83eb327a776a5f4237094c41dac137745e301c5aed34f5263cb2cc66af7d

SHA512
b79b5c304eeca1183ecd6dee8cdb323221118aecf4ab979f3a6c7ac7c3f0f45cb4a0f933ae9fb67a75286e397e117c4fd5d8e7ee9837f5b67486a4983a3bb942

Download Submit
C:\Users\Admin\AppData\Local\Temp\wleqathvh.hy
Filesize
5KB

MD5
784c7648266c20dee955060e01472ae6

SHA1
3513ff21fa67d5dc6e44b799b9f8a55c75f41554

SHA256
103be9c12848d6f1fb6d136e0e02262d96c3212459440a9d866d7ea9da3590da

SHA512
95421bb3bd0bfd14dff0ca621751d615954ef7ae7fddbde92f0f69c1165ebe477e51163ae75bc35ea5c816a123cf1127de589f73a647d5758457a605c436d1b5

Download Submit
\Users\Admin\AppData\Local\Temp\bunrjzni.exe
Filesize
11KB

MD5
d521de81fab51fde9dba5153ae206e27

SHA1
8cb91b5b6d0eb823268ef46888faddd08f1dc47a

SHA256
9bab738bb52c8e11e723842806cca00c889f14d3759f1f8b24b32778715a434b

SHA512
f19b1b12eef5b46b72a6efc1261f0526f7d873a68c8d4b23bef04b47865d80c14387292a4a547ecbbdda02da2440fff5ff3b0cbeb7e082e62ba42ecd9ea95b50

Download Submit
\Users\Admin\AppData\Local\Temp\bunrjzni.exe
Filesize
11KB

MD5
d521de81fab51fde9dba5153ae206e27

SHA1
8cb91b5b6d0eb823268ef46888faddd08f1dc47a

SHA256
9bab738bb52c8e11e723842806cca00c889f14d3759f1f8b24b32778715a434b

SHA512
f19b1b12eef5b46b72a6efc1261f0526f7d873a68c8d4b23bef04b47865d80c14387292a4a547ecbbdda02da2440fff5ff3b0cbeb7e082e62ba42ecd9ea95b50

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
832KB

MD5
07fb6d31f37fb1b4164bef301306c288

SHA1
4cb41af6d63a07324ef6b18b1a1f43ce94e25626

SHA256
06ddf0a370af00d994824605a8e1307ba138f89b2d864539f0d19e8804edac02

SHA512
cab4a7c5805b80851aba5f2c9b001fabc1416f6648d891f49eacc81fe79287c5baa01306a42298da722750b812a4ea85388ffae9200dcf656dd1d5b5b9323353

Download Submit
memory/1232-73-0x0000000002210000-0x0000000002513000-memory.dmp

Filesize
3.0MB

Download
memory/1232-71-0x0000000000E00000-0x0000000000E0D000-memory.dmp

Filesize
52KB

Download
memory/1232-76-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/1232-74-0x0000000000910000-0x000000000099F000-memory.dmp

Filesize
572KB

Download
memory/1232-70-0x0000000000000000-mapping.dmp

Download
memory/1232-72-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/1244-78-0x0000000007100000-0x0000000007284000-memory.dmp

Filesize
1.5MB

Download
memory/1244-75-0x0000000007100000-0x0000000007284000-memory.dmp

Filesize
1.5MB

Download
memory/1244-69-0x0000000004D40000-0x0000000004E50000-memory.dmp

Filesize
1.1MB

Download
memory/1440-54-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download
memory/1452-63-0x00000000004012B0-mapping.dmp

Download
memory/1452-68-0x00000000000C0000-0x00000000000D0000-memory.dmp

Filesize
64KB

Download
memory/1452-67-0x0000000000A00000-0x0000000000D03000-memory.dmp

Filesize
3.0MB

Download
memory/1452-66-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1452-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2008-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads