formbook | afb4878ecf77a506fee3c5d2b817d8197edd0df8baddb32563027023e6bf35cc

General

Target

SecuriteInfo.com.Trojan.Garf.Gen.6.7190.31519.exe
Size

272KB
MD5

1d4d868cf4d8698f270a73cd58c7f41f
SHA1

1b16a35ff3b7656262ebdce1e2fdc0148ad3bf4e
SHA256

afb4878ecf77a506fee3c5d2b817d8197edd0df8baddb32563027023e6bf35cc
SHA512

7c5ffc0bbb762803b57899dc93055e29c60f4fbbf4577a76d3b81ca60a3a2f9c48c8e20abccc5e8aa009efe3261a96566b350caadac6793358b46e63c92543be
SSDEEP

6144:9kw0oUn1IawKrpSts87Jsaz1Dq5RIzEuSX205hfBO:goU1YKrpStsotDq5R89KrXs

Score

10^/10

formbook scse persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

scse

Decoy

SKpYFyVNT2zunKf0uuM=

FlEHUseI7I5XbrO8fR/XBcS9ZA==

FPuxoUOxkLiATugw

VKdxsDSk0jdT5Kw=

FpqHf9iI/1tl97E=

YGI6sIl3UIxfZvlD+JiUuuLR

oBAEO0suBEAD5aK00A==

RKJqTzg4gQ/Q6DYSuTjDGkwuyl0ik5Kb8w==

VFg9s3W0/Ype8A3cZb+D7g==

hwD+VNd6014nrsaTWm4FBcS9ZA==

zkAdUq1soKYUfZaTqLmL

XVQ9WbRivUIQ477a/hKv+g==

QireF2geizAwmp674AGc5g==

PSTUQxs6j8OATugw

LHJhyy2VbX8NEqf0uuM=

MiY1vg6T3HqATugw

wqkUjaVXnGgBqA==

jUr/eUtSIT01Wegt

PjQidcqKzAbSZICUZb+D7g==

OkAmcv12sUEAIHwFHakzdIo2FPHw

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

otjcwtdly.exeotjcwtdly.exe

pid process

1992 otjcwtdly.exe
1028 otjcwtdly.exe

pid	process
1992	otjcwtdly.exe
1028	otjcwtdly.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

otjcwtdly.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Control Panel\International\Geo\Nation	otjcwtdly.exe

Loads dropped DLL 3 IoCs

Processes:

SecuriteInfo.com.Trojan.Garf.Gen.6.7190.31519.exeotjcwtdly.exehelp.exe

pid process

2036 SecuriteInfo.com.Trojan.Garf.Gen.6.7190.31519.exe
1992 otjcwtdly.exe
996 help.exe

pid	process
2036	SecuriteInfo.com.Trojan.Garf.Gen.6.7190.31519.exe
1992	otjcwtdly.exe
996	help.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

otjcwtdly.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\gadfi = "C:\\Users\\Admin\\AppData\\Roaming\\mysogpvuay\\jabjklrj.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\otjcwtdly.exe\" C:\\Users\\Admin\\AppData\\Lo"	otjcwtdly.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

otjcwtdly.exeotjcwtdly.exehelp.exe

description	pid	process	target process
PID 1992 set thread context of 1028	1992	otjcwtdly.exe	otjcwtdly.exe
PID 1028 set thread context of 1288	1028	otjcwtdly.exe	Explorer.EXE
PID 996 set thread context of 1288	996	help.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

help.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	help.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

otjcwtdly.exehelp.exe

pid	process
1028	otjcwtdly.exe
1028	otjcwtdly.exe
1028	otjcwtdly.exe
1028	otjcwtdly.exe
996	help.exe
996	help.exe
996	help.exe
996	help.exe
996	help.exe
996	help.exe
996	help.exe
996	help.exe
996	help.exe
996	help.exe
996	help.exe
996	help.exe
996	help.exe
996	help.exe
996	help.exe
996	help.exe
996	help.exe
996	help.exe
996	help.exe
996	help.exe
996	help.exe
996	help.exe
996	help.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1288 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

otjcwtdly.exeotjcwtdly.exehelp.exe

pid process

1992 otjcwtdly.exe
1028 otjcwtdly.exe
1028 otjcwtdly.exe
1028 otjcwtdly.exe
996 help.exe
996 help.exe
996 help.exe
996 help.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

otjcwtdly.exehelp.exe

description pid process

Token: SeDebugPrivilege 1028 otjcwtdly.exe
Token: SeDebugPrivilege 996 help.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1288 Explorer.EXE
1288 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1288 Explorer.EXE
1288 Explorer.EXE

pid	process
1288	Explorer.EXE

pid	process
1992	otjcwtdly.exe
1028	otjcwtdly.exe
1028	otjcwtdly.exe
1028	otjcwtdly.exe
996	help.exe
996	help.exe
996	help.exe
996	help.exe

description	pid	process
Token: SeDebugPrivilege	1028	otjcwtdly.exe
Token: SeDebugPrivilege	996	help.exe

pid	process
1288	Explorer.EXE
1288	Explorer.EXE

pid	process
1288	Explorer.EXE
1288	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

SecuriteInfo.com.Trojan.Garf.Gen.6.7190.31519.exeotjcwtdly.exeExplorer.EXEhelp.exe

description	pid	process	target process
PID 2036 wrote to memory of 1992	2036	SecuriteInfo.com.Trojan.Garf.Gen.6.7190.31519.exe	otjcwtdly.exe
PID 2036 wrote to memory of 1992	2036	SecuriteInfo.com.Trojan.Garf.Gen.6.7190.31519.exe	otjcwtdly.exe
PID 2036 wrote to memory of 1992	2036	SecuriteInfo.com.Trojan.Garf.Gen.6.7190.31519.exe	otjcwtdly.exe
PID 2036 wrote to memory of 1992	2036	SecuriteInfo.com.Trojan.Garf.Gen.6.7190.31519.exe	otjcwtdly.exe
PID 1992 wrote to memory of 1028	1992	otjcwtdly.exe	otjcwtdly.exe
PID 1992 wrote to memory of 1028	1992	otjcwtdly.exe	otjcwtdly.exe
PID 1992 wrote to memory of 1028	1992	otjcwtdly.exe	otjcwtdly.exe
PID 1992 wrote to memory of 1028	1992	otjcwtdly.exe	otjcwtdly.exe
PID 1992 wrote to memory of 1028	1992	otjcwtdly.exe	otjcwtdly.exe
PID 1288 wrote to memory of 996	1288	Explorer.EXE	help.exe
PID 1288 wrote to memory of 996	1288	Explorer.EXE	help.exe
PID 1288 wrote to memory of 996	1288	Explorer.EXE	help.exe
PID 1288 wrote to memory of 996	1288	Explorer.EXE	help.exe
PID 996 wrote to memory of 1176	996	help.exe	Firefox.exe
PID 996 wrote to memory of 1176	996	help.exe	Firefox.exe
PID 996 wrote to memory of 1176	996	help.exe	Firefox.exe
PID 996 wrote to memory of 1176	996	help.exe	Firefox.exe
PID 996 wrote to memory of 1176	996	help.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1288

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Garf.Gen.6.7190.31519.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Garf.Gen.6.7190.31519.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2036

C:\Users\Admin\AppData\Local\Temp\otjcwtdly.exe
"C:\Users\Admin\AppData\Local\Temp\otjcwtdly.exe" C:\Users\Admin\AppData\Local\Temp\zbaerndijaa.sqr
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1992

C:\Users\Admin\AppData\Local\Temp\otjcwtdly.exe
"C:\Users\Admin\AppData\Local\Temp\otjcwtdly.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1028

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1148

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:516

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:588

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:472

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:948

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1076

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1512

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:580

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:524

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1180

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1804

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1204

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:856

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1920

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1420

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:840

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1976

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:916

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:904

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1416

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1576

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:992

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1640

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1324

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1548

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:700

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1676

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:996

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1176

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\axtruztvea.wb
Filesize
184KB

MD5
1a031ef2cb153396b7481e7e4bfafa66

SHA1
60a43557c8d8821d8055379ac0165c6d8e98ecbd

SHA256
20098d4c4c575a2947c0a57bdad6853509ac15ce79a634a0f46468eae0a4117f

SHA512
9fa62c2bac1ae53fea8deb45cd06cb3849388621aee7994e291a34467eeaa2992f42d7b75bf695126a9d0b25a70109c0ab16d89374f459dd2d5711160fb95eb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\otjcwtdly.exe
Filesize
140KB

MD5
7ba58c2011de212d4aec024834cef978

SHA1
58362c463dcba5861d65cde59a069ab041258173

SHA256
48677f9d96811ac8197266885800043f89cf86293902aa8a416339d540e4b665

SHA512
3ed1c8b68eee2e7b22ee3f9b03c8b92d775775f9171bfa2b5244841e69886a87b8141c190d8174bf2bd0d87617851ac6ca56fca89809ab91bd7f29136d3e5d24

Download Submit
C:\Users\Admin\AppData\Local\Temp\otjcwtdly.exe
Filesize
140KB

MD5
7ba58c2011de212d4aec024834cef978

SHA1
58362c463dcba5861d65cde59a069ab041258173

SHA256
48677f9d96811ac8197266885800043f89cf86293902aa8a416339d540e4b665

SHA512
3ed1c8b68eee2e7b22ee3f9b03c8b92d775775f9171bfa2b5244841e69886a87b8141c190d8174bf2bd0d87617851ac6ca56fca89809ab91bd7f29136d3e5d24

Download Submit
C:\Users\Admin\AppData\Local\Temp\otjcwtdly.exe
Filesize
140KB

MD5
7ba58c2011de212d4aec024834cef978

SHA1
58362c463dcba5861d65cde59a069ab041258173

SHA256
48677f9d96811ac8197266885800043f89cf86293902aa8a416339d540e4b665

SHA512
3ed1c8b68eee2e7b22ee3f9b03c8b92d775775f9171bfa2b5244841e69886a87b8141c190d8174bf2bd0d87617851ac6ca56fca89809ab91bd7f29136d3e5d24

Download Submit
C:\Users\Admin\AppData\Local\Temp\zbaerndijaa.sqr
Filesize
7KB

MD5
21acad60952e66249f350dbe2f5ebeb3

SHA1
cd206cc6c2301ae6b14aee46446563ccd9be8ae3

SHA256
47be6918715cb45efa5ec06041ed8bf4637f759b604a1a8e7dc3549462144936

SHA512
3901540c8cc5a43fbcfe0c591e962e66ddd0bb58352e39462d1c51d50aed7c1d609d323d31cf9deaca0dceb8c92f25caa994d968dc6431be4de6726e70a45e90

Download Submit
\Users\Admin\AppData\Local\Temp\otjcwtdly.exe
Filesize
140KB

MD5
7ba58c2011de212d4aec024834cef978

SHA1
58362c463dcba5861d65cde59a069ab041258173

SHA256
48677f9d96811ac8197266885800043f89cf86293902aa8a416339d540e4b665

SHA512
3ed1c8b68eee2e7b22ee3f9b03c8b92d775775f9171bfa2b5244841e69886a87b8141c190d8174bf2bd0d87617851ac6ca56fca89809ab91bd7f29136d3e5d24

Download Submit
\Users\Admin\AppData\Local\Temp\otjcwtdly.exe
Filesize
140KB

MD5
7ba58c2011de212d4aec024834cef978

SHA1
58362c463dcba5861d65cde59a069ab041258173

SHA256
48677f9d96811ac8197266885800043f89cf86293902aa8a416339d540e4b665

SHA512
3ed1c8b68eee2e7b22ee3f9b03c8b92d775775f9171bfa2b5244841e69886a87b8141c190d8174bf2bd0d87617851ac6ca56fca89809ab91bd7f29136d3e5d24

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
825KB

MD5
00a91261929192a7facc32a9f330029a

SHA1
7df4ffdf48a6df0bac21a82d6db56aa11db470dc

SHA256
c1de8eca6419634c5f6e0e8c6ef14d9b3daa28fa28e8d1c4ce0175dbc310a77f

SHA512
18a178ca0e70fa6e8f04b4ae229cfd6ef0df252e3fd85d09cf79f89e69ada89e3479db83227095a8c16325b1dc27c9ec0c782af304f7ce0afa78c2e25b49b01e

Download Submit
memory/996-73-0x0000000000880000-0x0000000000B83000-memory.dmp

Filesize
3.0MB

Download
memory/996-70-0x0000000000000000-mapping.dmp

Download
memory/996-76-0x0000000000120000-0x000000000014D000-memory.dmp

Filesize
180KB

Download
memory/996-74-0x0000000000640000-0x00000000006CF000-memory.dmp

Filesize
572KB

Download
memory/996-72-0x0000000000120000-0x000000000014D000-memory.dmp

Filesize
180KB

Download
memory/996-71-0x00000000005A0000-0x00000000005A6000-memory.dmp

Filesize
24KB

Download
memory/1028-67-0x0000000000830000-0x0000000000B33000-memory.dmp

Filesize
3.0MB

Download
memory/1028-68-0x00000000002A0000-0x00000000002B0000-memory.dmp

Filesize
64KB

Download
memory/1028-63-0x00000000004012B0-mapping.dmp

Download
memory/1028-66-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1028-65-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1288-69-0x0000000007BD0000-0x0000000007D48000-memory.dmp

Filesize
1.5MB

Download
memory/1288-75-0x00000000065C0000-0x00000000066C5000-memory.dmp

Filesize
1.0MB

Download
memory/1288-78-0x00000000065C0000-0x00000000066C5000-memory.dmp

Filesize
1.0MB

Download
memory/1992-56-0x0000000000000000-mapping.dmp

Download
memory/2036-54-0x00000000753D1000-0x00000000753D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads