formbook | afb4878ecf77a506fee3c5d2b817d8197edd0df8baddb32563027023e6bf35cc

General

Target

SecuriteInfo.com.Trojan.Garf.Gen.6.7190.31519.exe
Size

272KB
MD5

1d4d868cf4d8698f270a73cd58c7f41f
SHA1

1b16a35ff3b7656262ebdce1e2fdc0148ad3bf4e
SHA256

afb4878ecf77a506fee3c5d2b817d8197edd0df8baddb32563027023e6bf35cc
SHA512

7c5ffc0bbb762803b57899dc93055e29c60f4fbbf4577a76d3b81ca60a3a2f9c48c8e20abccc5e8aa009efe3261a96566b350caadac6793358b46e63c92543be
SSDEEP

6144:9kw0oUn1IawKrpSts87Jsaz1Dq5RIzEuSX205hfBO:goU1YKrpStsotDq5R89KrXs

Score

10^/10

formbook scse persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

scse

Decoy

SKpYFyVNT2zunKf0uuM=

FlEHUseI7I5XbrO8fR/XBcS9ZA==

FPuxoUOxkLiATugw

VKdxsDSk0jdT5Kw=

FpqHf9iI/1tl97E=

YGI6sIl3UIxfZvlD+JiUuuLR

oBAEO0suBEAD5aK00A==

RKJqTzg4gQ/Q6DYSuTjDGkwuyl0ik5Kb8w==

VFg9s3W0/Ype8A3cZb+D7g==

hwD+VNd6014nrsaTWm4FBcS9ZA==

zkAdUq1soKYUfZaTqLmL

XVQ9WbRivUIQ477a/hKv+g==

QireF2geizAwmp674AGc5g==

PSTUQxs6j8OATugw

LHJhyy2VbX8NEqf0uuM=

MiY1vg6T3HqATugw

wqkUjaVXnGgBqA==

jUr/eUtSIT01Wegt

PjQidcqKzAbSZICUZb+D7g==

OkAmcv12sUEAIHwFHakzdIo2FPHw

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

otjcwtdly.exeotjcwtdly.exe

pid process

2876 otjcwtdly.exe
208 otjcwtdly.exe

pid	process
2876	otjcwtdly.exe
208	otjcwtdly.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

otjcwtdly.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	otjcwtdly.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

otjcwtdly.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gadfi = "C:\\Users\\Admin\\AppData\\Roaming\\mysogpvuay\\jabjklrj.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\otjcwtdly.exe\" C:\\Users\\Admin\\AppData\\Lo"	otjcwtdly.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

otjcwtdly.exeotjcwtdly.execontrol.exe

description	pid	process	target process
PID 2876 set thread context of 208	2876	otjcwtdly.exe	otjcwtdly.exe
PID 208 set thread context of 1044	208	otjcwtdly.exe	Explorer.EXE
PID 3596 set thread context of 1044	3596	control.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

control.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	control.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

otjcwtdly.execontrol.exe

pid	process
208	otjcwtdly.exe
208	otjcwtdly.exe
208	otjcwtdly.exe
208	otjcwtdly.exe
208	otjcwtdly.exe
208	otjcwtdly.exe
208	otjcwtdly.exe
208	otjcwtdly.exe
3596	control.exe
3596	control.exe
3596	control.exe
3596	control.exe
3596	control.exe
3596	control.exe
3596	control.exe
3596	control.exe
3596	control.exe
3596	control.exe
3596	control.exe
3596	control.exe
3596	control.exe
3596	control.exe
3596	control.exe
3596	control.exe
3596	control.exe
3596	control.exe
3596	control.exe
3596	control.exe
3596	control.exe
3596	control.exe
3596	control.exe
3596	control.exe
3596	control.exe
3596	control.exe
3596	control.exe
3596	control.exe
3596	control.exe
3596	control.exe
3596	control.exe
3596	control.exe
3596	control.exe
3596	control.exe
3596	control.exe
3596	control.exe
3596	control.exe
3596	control.exe
3596	control.exe
3596	control.exe
3596	control.exe
3596	control.exe
3596	control.exe
3596	control.exe
3596	control.exe
3596	control.exe
3596	control.exe
3596	control.exe
3596	control.exe
3596	control.exe
3596	control.exe
3596	control.exe
3596	control.exe
3596	control.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1044 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

otjcwtdly.exeotjcwtdly.execontrol.exe

pid process

2876 otjcwtdly.exe
208 otjcwtdly.exe
208 otjcwtdly.exe
208 otjcwtdly.exe
3596 control.exe
3596 control.exe
3596 control.exe
3596 control.exe

pid	process
1044	Explorer.EXE

pid	process
2876	otjcwtdly.exe
208	otjcwtdly.exe
208	otjcwtdly.exe
208	otjcwtdly.exe
3596	control.exe
3596	control.exe
3596	control.exe
3596	control.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

otjcwtdly.execontrol.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	208	otjcwtdly.exe
Token: SeDebugPrivilege	3596	control.exe
Token: SeShutdownPrivilege	1044	Explorer.EXE
Token: SeCreatePagefilePrivilege	1044	Explorer.EXE
Token: SeShutdownPrivilege	1044	Explorer.EXE
Token: SeCreatePagefilePrivilege	1044	Explorer.EXE
Token: SeShutdownPrivilege	1044	Explorer.EXE
Token: SeCreatePagefilePrivilege	1044	Explorer.EXE
Token: SeShutdownPrivilege	1044	Explorer.EXE
Token: SeCreatePagefilePrivilege	1044	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

SecuriteInfo.com.Trojan.Garf.Gen.6.7190.31519.exeotjcwtdly.exeExplorer.EXEcontrol.exe

description	pid	process	target process
PID 5068 wrote to memory of 2876	5068	SecuriteInfo.com.Trojan.Garf.Gen.6.7190.31519.exe	otjcwtdly.exe
PID 5068 wrote to memory of 2876	5068	SecuriteInfo.com.Trojan.Garf.Gen.6.7190.31519.exe	otjcwtdly.exe
PID 5068 wrote to memory of 2876	5068	SecuriteInfo.com.Trojan.Garf.Gen.6.7190.31519.exe	otjcwtdly.exe
PID 2876 wrote to memory of 208	2876	otjcwtdly.exe	otjcwtdly.exe
PID 2876 wrote to memory of 208	2876	otjcwtdly.exe	otjcwtdly.exe
PID 2876 wrote to memory of 208	2876	otjcwtdly.exe	otjcwtdly.exe
PID 2876 wrote to memory of 208	2876	otjcwtdly.exe	otjcwtdly.exe
PID 1044 wrote to memory of 3596	1044	Explorer.EXE	control.exe
PID 1044 wrote to memory of 3596	1044	Explorer.EXE	control.exe
PID 1044 wrote to memory of 3596	1044	Explorer.EXE	control.exe
PID 3596 wrote to memory of 5100	3596	control.exe	Firefox.exe
PID 3596 wrote to memory of 5100	3596	control.exe	Firefox.exe
PID 3596 wrote to memory of 5100	3596	control.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1044

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Garf.Gen.6.7190.31519.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Garf.Gen.6.7190.31519.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:5068

C:\Users\Admin\AppData\Local\Temp\otjcwtdly.exe
"C:\Users\Admin\AppData\Local\Temp\otjcwtdly.exe" C:\Users\Admin\AppData\Local\Temp\zbaerndijaa.sqr
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2876

C:\Users\Admin\AppData\Local\Temp\otjcwtdly.exe
"C:\Users\Admin\AppData\Local\Temp\otjcwtdly.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:208

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:4364

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2536

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2916

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1780

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:3900

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:3648

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:3576

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:3564

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:3704

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:3724

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:3488

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:3568

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:3632

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:3636

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:3948

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:3416

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:3476

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3596

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:5100

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\axtruztvea.wb
Filesize
184KB

MD5
1a031ef2cb153396b7481e7e4bfafa66

SHA1
60a43557c8d8821d8055379ac0165c6d8e98ecbd

SHA256
20098d4c4c575a2947c0a57bdad6853509ac15ce79a634a0f46468eae0a4117f

SHA512
9fa62c2bac1ae53fea8deb45cd06cb3849388621aee7994e291a34467eeaa2992f42d7b75bf695126a9d0b25a70109c0ab16d89374f459dd2d5711160fb95eb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\otjcwtdly.exe
Filesize
140KB

MD5
7ba58c2011de212d4aec024834cef978

SHA1
58362c463dcba5861d65cde59a069ab041258173

SHA256
48677f9d96811ac8197266885800043f89cf86293902aa8a416339d540e4b665

SHA512
3ed1c8b68eee2e7b22ee3f9b03c8b92d775775f9171bfa2b5244841e69886a87b8141c190d8174bf2bd0d87617851ac6ca56fca89809ab91bd7f29136d3e5d24

Download Submit
C:\Users\Admin\AppData\Local\Temp\otjcwtdly.exe
Filesize
140KB

MD5
7ba58c2011de212d4aec024834cef978

SHA1
58362c463dcba5861d65cde59a069ab041258173

SHA256
48677f9d96811ac8197266885800043f89cf86293902aa8a416339d540e4b665

SHA512
3ed1c8b68eee2e7b22ee3f9b03c8b92d775775f9171bfa2b5244841e69886a87b8141c190d8174bf2bd0d87617851ac6ca56fca89809ab91bd7f29136d3e5d24

Download Submit
C:\Users\Admin\AppData\Local\Temp\otjcwtdly.exe
Filesize
140KB

MD5
7ba58c2011de212d4aec024834cef978

SHA1
58362c463dcba5861d65cde59a069ab041258173

SHA256
48677f9d96811ac8197266885800043f89cf86293902aa8a416339d540e4b665

SHA512
3ed1c8b68eee2e7b22ee3f9b03c8b92d775775f9171bfa2b5244841e69886a87b8141c190d8174bf2bd0d87617851ac6ca56fca89809ab91bd7f29136d3e5d24

Download Submit
C:\Users\Admin\AppData\Local\Temp\zbaerndijaa.sqr
Filesize
7KB

MD5
21acad60952e66249f350dbe2f5ebeb3

SHA1
cd206cc6c2301ae6b14aee46446563ccd9be8ae3

SHA256
47be6918715cb45efa5ec06041ed8bf4637f759b604a1a8e7dc3549462144936

SHA512
3901540c8cc5a43fbcfe0c591e962e66ddd0bb58352e39462d1c51d50aed7c1d609d323d31cf9deaca0dceb8c92f25caa994d968dc6431be4de6726e70a45e90

Download Submit
memory/208-142-0x00000000005B0000-0x00000000005C0000-memory.dmp

Filesize
64KB

Download
memory/208-137-0x0000000000000000-mapping.dmp

Download
memory/208-139-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/208-140-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/208-141-0x0000000000B60000-0x0000000000EAA000-memory.dmp

Filesize
3.3MB

Download
memory/1044-183-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/1044-171-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/1044-199-0x00000000006E0000-0x00000000006F0000-memory.dmp

Filesize
64KB

Download
memory/1044-200-0x00000000006E0000-0x00000000006F0000-memory.dmp

Filesize
64KB

Download
memory/1044-198-0x00000000006E0000-0x00000000006F0000-memory.dmp

Filesize
64KB

Download
memory/1044-197-0x00000000005C0000-0x00000000005D0000-memory.dmp

Filesize
64KB

Download
memory/1044-196-0x00000000006E0000-0x00000000006F0000-memory.dmp

Filesize
64KB

Download
memory/1044-149-0x0000000008360000-0x0000000008483000-memory.dmp

Filesize
1.1MB

Download
memory/1044-195-0x00000000006E0000-0x00000000006F0000-memory.dmp

Filesize
64KB

Download
memory/1044-151-0x0000000008360000-0x0000000008483000-memory.dmp

Filesize
1.1MB

Download
memory/1044-152-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/1044-153-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/1044-154-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/1044-155-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/1044-156-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/1044-157-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/1044-158-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/1044-159-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/1044-160-0x00000000005B0000-0x00000000005C0000-memory.dmp

Filesize
64KB

Download
memory/1044-161-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/1044-162-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/1044-163-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/1044-164-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/1044-165-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/1044-166-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/1044-167-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/1044-168-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/1044-169-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/1044-170-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/1044-143-0x0000000006EF0000-0x000000000700D000-memory.dmp

Filesize
1.1MB

Download
memory/1044-172-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/1044-173-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/1044-174-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/1044-175-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/1044-178-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/1044-177-0x00000000005C0000-0x00000000005D0000-memory.dmp

Filesize
64KB

Download
memory/1044-176-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/1044-179-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/1044-180-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/1044-181-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/1044-182-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/1044-194-0x00000000006E0000-0x00000000006F0000-memory.dmp

Filesize
64KB

Download
memory/1044-184-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/1044-185-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/1044-186-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/1044-187-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/1044-188-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/1044-189-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/1044-190-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/1044-191-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/1044-192-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/1044-193-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/2876-132-0x0000000000000000-mapping.dmp

Download
memory/3596-150-0x00000000012F0000-0x000000000131D000-memory.dmp

Filesize
180KB

Download
memory/3596-148-0x0000000003030000-0x00000000030BF000-memory.dmp

Filesize
572KB

Download
memory/3596-147-0x0000000003200000-0x000000000354A000-memory.dmp

Filesize
3.3MB

Download
memory/3596-146-0x00000000012F0000-0x000000000131D000-memory.dmp

Filesize
180KB

Download
memory/3596-145-0x0000000000B10000-0x0000000000B37000-memory.dmp

Filesize
156KB

Download
memory/3596-144-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads