formbook | e6c4c251d5481c065e23d202620aa2d2d0ebc7e4d159a70c6ac9e377804da5bf

General

Target

Signed PO801221651.exe
Size

225KB
MD5

44d628546ab1eff55064627d70a3cb27
SHA1

2605ad8396b5ea90c8a371fdb76c58b12931d66c
SHA256

e6c4c251d5481c065e23d202620aa2d2d0ebc7e4d159a70c6ac9e377804da5bf
SHA512

4a1123da0df51b8898d59e63613e741fc6746f1233ec97f2c93db77785f4deda06e50a226e2f06db1419a3780c171af71ebbe2c9dec1be8217d57b2866fd241e
SSDEEP

6144:QBn19gIhWchRDSM2RnW9hCcftsLzSjW3qoC6mD:gqPc7SMYnWTCUtTK3qoC9

Score

10^/10

formbook m5oe rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

m5oe

Decoy

HdR8hG6r12hBYuHY4zv6YeeFPQ==

tD1V9gswYvgQXEGd

1xKtJ1LdqRYMRMC84U1A

MbhjiWb7Lz8z7KIWl3UyUIJwA6Tb

joVB5Xggy2RtE+odsZg=

TrduAIay6Y3SvoIK20xI

pSna7LOsXXwXT/zz3Iow4g==

QnthmO4Qst5gC3sDoA==

eAirzOOgO7SOCenz3Iow4g==

xg0uSbfLTg==

YWQXwyGRzPEHzGrDFE8CBSE=

ujLnfuXoH9dbgHIK20xI

291v0XsGFrYQXEGd

MRvTd/qMuaHpjCM=

X131fLC6VWX4MsvCb2IPjIfq8wlksWfg

Y9Bur8DbgqFt/Yni86MMCCE=

q6RTBmJkmy5pWTmmCCrvmuCDPw==

mQS26DojT+EQXEGd

sjHQ+Kav2Wx9FeodsZg=

JA24UKnTA5re1LhcQaVo/w==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

bunrjzni.exebunrjzni.exe

pid process

3852 bunrjzni.exe
2652 bunrjzni.exe

pid	process
3852	bunrjzni.exe
2652	bunrjzni.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bunrjzni.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	bunrjzni.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

bunrjzni.exebunrjzni.exeipconfig.exe

description	pid	process	target process
PID 3852 set thread context of 2652	3852	bunrjzni.exe	bunrjzni.exe
PID 2652 set thread context of 2016	2652	bunrjzni.exe	Explorer.EXE
PID 2056 set thread context of 2016	2056	ipconfig.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

2056 ipconfig.exe

pid	process
2056	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

ipconfig.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

bunrjzni.exeipconfig.exe

pid	process
2652	bunrjzni.exe
2652	bunrjzni.exe
2652	bunrjzni.exe
2652	bunrjzni.exe
2652	bunrjzni.exe
2652	bunrjzni.exe
2652	bunrjzni.exe
2652	bunrjzni.exe
2056	ipconfig.exe
2056	ipconfig.exe
2056	ipconfig.exe
2056	ipconfig.exe
2056	ipconfig.exe
2056	ipconfig.exe
2056	ipconfig.exe
2056	ipconfig.exe
2056	ipconfig.exe
2056	ipconfig.exe
2056	ipconfig.exe
2056	ipconfig.exe
2056	ipconfig.exe
2056	ipconfig.exe
2056	ipconfig.exe
2056	ipconfig.exe
2056	ipconfig.exe
2056	ipconfig.exe
2056	ipconfig.exe
2056	ipconfig.exe
2056	ipconfig.exe
2056	ipconfig.exe
2056	ipconfig.exe
2056	ipconfig.exe
2056	ipconfig.exe
2056	ipconfig.exe
2056	ipconfig.exe
2056	ipconfig.exe
2056	ipconfig.exe
2056	ipconfig.exe
2056	ipconfig.exe
2056	ipconfig.exe
2056	ipconfig.exe
2056	ipconfig.exe
2056	ipconfig.exe
2056	ipconfig.exe
2056	ipconfig.exe
2056	ipconfig.exe
2056	ipconfig.exe
2056	ipconfig.exe
2056	ipconfig.exe
2056	ipconfig.exe
2056	ipconfig.exe
2056	ipconfig.exe
2056	ipconfig.exe
2056	ipconfig.exe
2056	ipconfig.exe
2056	ipconfig.exe
2056	ipconfig.exe
2056	ipconfig.exe
2056	ipconfig.exe
2056	ipconfig.exe
2056	ipconfig.exe
2056	ipconfig.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2016 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

bunrjzni.exebunrjzni.exeipconfig.exe

pid process

3852 bunrjzni.exe
2652 bunrjzni.exe
2652 bunrjzni.exe
2652 bunrjzni.exe
2056 ipconfig.exe
2056 ipconfig.exe
2056 ipconfig.exe
2056 ipconfig.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

bunrjzni.exeipconfig.exe

description pid process

Token: SeDebugPrivilege 2652 bunrjzni.exe
Token: SeDebugPrivilege 2056 ipconfig.exe

pid	process
2016	Explorer.EXE

pid	process
3852	bunrjzni.exe
2652	bunrjzni.exe
2652	bunrjzni.exe
2652	bunrjzni.exe
2056	ipconfig.exe
2056	ipconfig.exe
2056	ipconfig.exe
2056	ipconfig.exe

description	pid	process
Token: SeDebugPrivilege	2652	bunrjzni.exe
Token: SeDebugPrivilege	2056	ipconfig.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

Signed PO801221651.exebunrjzni.exeExplorer.EXEipconfig.exe

description	pid	process	target process
PID 4760 wrote to memory of 3852	4760	Signed PO801221651.exe	bunrjzni.exe
PID 4760 wrote to memory of 3852	4760	Signed PO801221651.exe	bunrjzni.exe
PID 4760 wrote to memory of 3852	4760	Signed PO801221651.exe	bunrjzni.exe
PID 3852 wrote to memory of 2652	3852	bunrjzni.exe	bunrjzni.exe
PID 3852 wrote to memory of 2652	3852	bunrjzni.exe	bunrjzni.exe
PID 3852 wrote to memory of 2652	3852	bunrjzni.exe	bunrjzni.exe
PID 3852 wrote to memory of 2652	3852	bunrjzni.exe	bunrjzni.exe
PID 2016 wrote to memory of 2056	2016	Explorer.EXE	ipconfig.exe
PID 2016 wrote to memory of 2056	2016	Explorer.EXE	ipconfig.exe
PID 2016 wrote to memory of 2056	2016	Explorer.EXE	ipconfig.exe
PID 2056 wrote to memory of 3112	2056	ipconfig.exe	Firefox.exe
PID 2056 wrote to memory of 3112	2056	ipconfig.exe	Firefox.exe
PID 2056 wrote to memory of 3112	2056	ipconfig.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\AppData\Local\Temp\Signed PO801221651.exe
"C:\Users\Admin\AppData\Local\Temp\Signed PO801221651.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4760

C:\Users\Admin\AppData\Local\Temp\bunrjzni.exe
"C:\Users\Admin\AppData\Local\Temp\bunrjzni.exe" C:\Users\Admin\AppData\Local\Temp\wleqathvh.hy
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3852

C:\Users\Admin\AppData\Local\Temp\bunrjzni.exe
"C:\Users\Admin\AppData\Local\Temp\bunrjzni.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2652

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2056

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:3112

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bunrjzni.exe
Filesize
11KB

MD5
d521de81fab51fde9dba5153ae206e27

SHA1
8cb91b5b6d0eb823268ef46888faddd08f1dc47a

SHA256
9bab738bb52c8e11e723842806cca00c889f14d3759f1f8b24b32778715a434b

SHA512
f19b1b12eef5b46b72a6efc1261f0526f7d873a68c8d4b23bef04b47865d80c14387292a4a547ecbbdda02da2440fff5ff3b0cbeb7e082e62ba42ecd9ea95b50

Download Submit
C:\Users\Admin\AppData\Local\Temp\bunrjzni.exe
Filesize
11KB

MD5
d521de81fab51fde9dba5153ae206e27

SHA1
8cb91b5b6d0eb823268ef46888faddd08f1dc47a

SHA256
9bab738bb52c8e11e723842806cca00c889f14d3759f1f8b24b32778715a434b

SHA512
f19b1b12eef5b46b72a6efc1261f0526f7d873a68c8d4b23bef04b47865d80c14387292a4a547ecbbdda02da2440fff5ff3b0cbeb7e082e62ba42ecd9ea95b50

Download Submit
C:\Users\Admin\AppData\Local\Temp\bunrjzni.exe
Filesize
11KB

MD5
d521de81fab51fde9dba5153ae206e27

SHA1
8cb91b5b6d0eb823268ef46888faddd08f1dc47a

SHA256
9bab738bb52c8e11e723842806cca00c889f14d3759f1f8b24b32778715a434b

SHA512
f19b1b12eef5b46b72a6efc1261f0526f7d873a68c8d4b23bef04b47865d80c14387292a4a547ecbbdda02da2440fff5ff3b0cbeb7e082e62ba42ecd9ea95b50

Download Submit
C:\Users\Admin\AppData\Local\Temp\pfwqhrd.tz
Filesize
185KB

MD5
8eeb36965e6b1e7bcfc2edb596e0670e

SHA1
4660789269f49b1ee51ca1a4e1a1f56331f0047a

SHA256
b54a83eb327a776a5f4237094c41dac137745e301c5aed34f5263cb2cc66af7d

SHA512
b79b5c304eeca1183ecd6dee8cdb323221118aecf4ab979f3a6c7ac7c3f0f45cb4a0f933ae9fb67a75286e397e117c4fd5d8e7ee9837f5b67486a4983a3bb942

Download Submit
C:\Users\Admin\AppData\Local\Temp\wleqathvh.hy
Filesize
5KB

MD5
784c7648266c20dee955060e01472ae6

SHA1
3513ff21fa67d5dc6e44b799b9f8a55c75f41554

SHA256
103be9c12848d6f1fb6d136e0e02262d96c3212459440a9d866d7ea9da3590da

SHA512
95421bb3bd0bfd14dff0ca621751d615954ef7ae7fddbde92f0f69c1165ebe477e51163ae75bc35ea5c816a123cf1127de589f73a647d5758457a605c436d1b5

Download Submit
memory/2016-143-0x0000000002790000-0x00000000028CB000-memory.dmp

Filesize
1.2MB

Download
memory/2016-151-0x0000000007070000-0x00000000071A7000-memory.dmp

Filesize
1.2MB

Download
memory/2016-149-0x0000000007070000-0x00000000071A7000-memory.dmp

Filesize
1.2MB

Download
memory/2056-147-0x0000000001400000-0x000000000174A000-memory.dmp

Filesize
3.3MB

Download
memory/2056-144-0x0000000000000000-mapping.dmp

Download
memory/2056-145-0x0000000000C40000-0x0000000000C4B000-memory.dmp

Filesize
44KB

Download
memory/2056-146-0x0000000000D10000-0x0000000000D3D000-memory.dmp

Filesize
180KB

Download
memory/2056-148-0x0000000001260000-0x00000000012EF000-memory.dmp

Filesize
572KB

Download
memory/2056-150-0x0000000000D10000-0x0000000000D3D000-memory.dmp

Filesize
180KB

Download
memory/2652-141-0x0000000001500000-0x000000000184A000-memory.dmp

Filesize
3.3MB

Download
memory/2652-140-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/2652-142-0x0000000000F60000-0x0000000000F70000-memory.dmp

Filesize
64KB

Download
memory/2652-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2652-137-0x0000000000000000-mapping.dmp

Download
memory/3852-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads