formbook | 1f13b5415eeb928d53bebf18d722931f88318acf23aba61e8fdb237604fa31e4

General

Target

5f6871902c55755cca82c3323edaa035b9aff50e7d22a98773e3a88c74834889.js
Size

587KB
MD5

5566e15bfef44a5fd758e80f6dcd2151
SHA1

3c624232ced09083c78e4ae0f188826b9a329ebb
SHA256

5f6871902c55755cca82c3323edaa035b9aff50e7d22a98773e3a88c74834889
SHA512

54ccac9c782a0d80b8e2e4cefd8263abc7bf95234b7e505eec352e7d9f29663719adfca16e6e8fd411293db32c021e49e711ae3679e32eb0d3220d322f05a000
SSDEEP

12288:pUBw3Cqaa0QxK8rVFsG2jUV+D22CyiGBFxpebbVZ5Px3Y4ke5:9nrPsGYDZhwr5

Score

10^/10

formbook vjw0rm ermr persistence rat spyware stealer trojan worm

Malware Config

Extracted

Family

formbook

Campaign

ermr

Decoy

ErOK6LFCgNIAlQmH54oaYOL/CN29Z78=

qNSdDhu/PT/1fgafDagiCSZH1SY=

wLpPOAkYS8EABl3pHGc4hNT/Q1sHBrU=

jSxRvptHkeTGl7PT0SEmaZmjqzanuA==

b91oL+2wCcpyhnd6yvF6Pg==

mr81yp1/qqZX

hy7Xsz/PU/LWHMcGL4UYJx9n3A==

KlwrHt1gouPaXaWhoQ==

ng8M320IRJL9Ptw=

8GQbOXuaWxvKnNM=

XndOL7E5sNpVUNty4d/a

rryPBBC8PybYb+2h2MF3FHGL

kEoeyERSVCYO0g==

5/P+SBDby5hO

1fYXc30/h9W7iO17

34X+YKR+wRFE

8ir/X2MlVByh5lQ1ow8=

u9ikm2UMZ7J7hpCYow==

FLI+c3clp1BNDjVAfvC2Dnw=

t21Erq8/r09wAzAJTAH3Ng==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

NETSTAT.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	NETSTAT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\BX4DUX18FPGL = "C:\\Program Files (x86)\\Jwbcdzlnh\\useronjdb.exe"	NETSTAT.EXE

Blocklisted process makes network request 5 IoCs

Processes:

wscript.exe

flow pid process

4 1972 wscript.exe
7 1972 wscript.exe
18 1972 wscript.exe
30 1972 wscript.exe
38 1972 wscript.exe
Executes dropped EXE 1 IoCs

Processes:

bin.exe

pid process

2040 bin.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

bin.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\International\Geo\Nation bin.exe

flow	pid	process
4	1972	wscript.exe
7	1972	wscript.exe
18	1972	wscript.exe
30	1972	wscript.exe
38	1972	wscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\International\Geo\Nation	bin.exe

Drops startup file 2 IoCs

Processes:

wscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PEUuzreAeY.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PEUuzreAeY.js	wscript.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

bin.exeNETSTAT.EXE

description	pid	process	target process
PID 2040 set thread context of 1276	2040	bin.exe	Explorer.EXE
PID 2040 set thread context of 1276	2040	bin.exe	Explorer.EXE
PID 1500 set thread context of 1276	1500	NETSTAT.EXE	Explorer.EXE

Drops file in Program Files directory 1 IoCs

Processes:

NETSTAT.EXE

description ioc process

File opened for modification C:\Program Files (x86)\Jwbcdzlnh\useronjdb.exe NETSTAT.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

1500 NETSTAT.EXE

description	ioc	process
File opened for modification	C:\Program Files (x86)\Jwbcdzlnh\useronjdb.exe	NETSTAT.EXE

pid	process
1500	NETSTAT.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

NETSTAT.EXE

description	ioc	process
Key created	\Registry\User\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

bin.exeNETSTAT.EXE

pid	process
2040	bin.exe
2040	bin.exe
2040	bin.exe
2040	bin.exe
2040	bin.exe
1500	NETSTAT.EXE
1500	NETSTAT.EXE
1500	NETSTAT.EXE
1500	NETSTAT.EXE
1500	NETSTAT.EXE
1500	NETSTAT.EXE
1500	NETSTAT.EXE
1500	NETSTAT.EXE
1500	NETSTAT.EXE
1500	NETSTAT.EXE
1500	NETSTAT.EXE
1500	NETSTAT.EXE
1500	NETSTAT.EXE
1500	NETSTAT.EXE
1500	NETSTAT.EXE
1500	NETSTAT.EXE
1500	NETSTAT.EXE
1500	NETSTAT.EXE
1500	NETSTAT.EXE
1500	NETSTAT.EXE
1500	NETSTAT.EXE
1500	NETSTAT.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

bin.exeNETSTAT.EXE

pid process

2040 bin.exe
2040 bin.exe
2040 bin.exe
2040 bin.exe
1500 NETSTAT.EXE
1500 NETSTAT.EXE
1500 NETSTAT.EXE
1500 NETSTAT.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

bin.exeNETSTAT.EXE

description pid process

Token: SeDebugPrivilege 2040 bin.exe
Token: SeDebugPrivilege 1500 NETSTAT.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1276 Explorer.EXE
1276 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1276 Explorer.EXE
1276 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	2040	bin.exe
Token: SeDebugPrivilege	1500	NETSTAT.EXE

pid	process
1276	Explorer.EXE
1276	Explorer.EXE

pid	process
1276	Explorer.EXE
1276	Explorer.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

wscript.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 1092 wrote to memory of 1972	1092	wscript.exe	wscript.exe
PID 1092 wrote to memory of 1972	1092	wscript.exe	wscript.exe
PID 1092 wrote to memory of 1972	1092	wscript.exe	wscript.exe
PID 1092 wrote to memory of 2040	1092	wscript.exe	bin.exe
PID 1092 wrote to memory of 2040	1092	wscript.exe	bin.exe
PID 1092 wrote to memory of 2040	1092	wscript.exe	bin.exe
PID 1092 wrote to memory of 2040	1092	wscript.exe	bin.exe
PID 1276 wrote to memory of 1500	1276	Explorer.EXE	NETSTAT.EXE
PID 1276 wrote to memory of 1500	1276	Explorer.EXE	NETSTAT.EXE
PID 1276 wrote to memory of 1500	1276	Explorer.EXE	NETSTAT.EXE
PID 1276 wrote to memory of 1500	1276	Explorer.EXE	NETSTAT.EXE
PID 1500 wrote to memory of 520	1500	NETSTAT.EXE	cmd.exe
PID 1500 wrote to memory of 520	1500	NETSTAT.EXE	cmd.exe
PID 1500 wrote to memory of 520	1500	NETSTAT.EXE	cmd.exe
PID 1500 wrote to memory of 520	1500	NETSTAT.EXE	cmd.exe
PID 1500 wrote to memory of 848	1500	NETSTAT.EXE	Firefox.exe
PID 1500 wrote to memory of 848	1500	NETSTAT.EXE	Firefox.exe
PID 1500 wrote to memory of 848	1500	NETSTAT.EXE	Firefox.exe
PID 1500 wrote to memory of 848	1500	NETSTAT.EXE	Firefox.exe
PID 1500 wrote to memory of 848	1500	NETSTAT.EXE	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1276

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\5f6871902c55755cca82c3323edaa035b9aff50e7d22a98773e3a88c74834889.js
2⤵
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\PEUuzreAeY.js"
3⤵
- Blocklisted process makes network request
- Drops startup file
PID:1972

C:\Users\Admin\AppData\Local\Temp\bin.exe
"C:\Users\Admin\AppData\Local\Temp\bin.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1468

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1116

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1404

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1188

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1992

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1988

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2004

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2020

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1964

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1696

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1956

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1888

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1664

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1464

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:468

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2012

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1108

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1348

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1680

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Gathers network information
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\bin.exe"
3⤵
PID:520

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:848

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bin.exe
Filesize
177KB

MD5
847f96edff4362a11a17a55a0f777394

SHA1
213b8bd653acaf9749af503b936fde0d9effdff4

SHA256
b7f9d8c856f2a427668235d49710a8ac3caa7bcaf5e317a064205127df431061

SHA512
6aed480e2aca2414e47d44e87ddce59da4809de9629c5fbc9c3e3bd1665a173efec1f13a3275d95ffcc63394b854caf9d2cd7e80af2868a08d0f8885b5470227

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin.exe
Filesize
177KB

MD5
847f96edff4362a11a17a55a0f777394

SHA1
213b8bd653acaf9749af503b936fde0d9effdff4

SHA256
b7f9d8c856f2a427668235d49710a8ac3caa7bcaf5e317a064205127df431061

SHA512
6aed480e2aca2414e47d44e87ddce59da4809de9629c5fbc9c3e3bd1665a173efec1f13a3275d95ffcc63394b854caf9d2cd7e80af2868a08d0f8885b5470227

Download Submit
C:\Users\Admin\AppData\Roaming\PEUuzreAeY.js
Filesize
98KB

MD5
29e26335e11a3dd5711f04c656a77cce

SHA1
2d816b08438757735204b4393eb690c28d8be31d

SHA256
e340fc4a6738ea2dd109b67be979b987a3b46e0c5f604fdf6e002632d92ae594

SHA512
3914f03fe8988648d2cef0b4be5f89db23419e7b681a02c6360de3a6641a7598b86f657093ae3d913776f2e43b48b8ad7b1a05751404936d854814cadd09589e

Download Submit
memory/520-69-0x0000000000000000-mapping.dmp

Download
memory/1092-54-0x000007FEFB761000-0x000007FEFB763000-memory.dmp

Filesize
8KB

Download
memory/1276-64-0x0000000004950000-0x0000000004A20000-memory.dmp

Filesize
832KB

Download
memory/1276-74-0x0000000006DE0000-0x0000000006EDD000-memory.dmp

Filesize
1012KB

Download
memory/1276-72-0x0000000006DE0000-0x0000000006EDD000-memory.dmp

Filesize
1012KB

Download
memory/1276-62-0x0000000006560000-0x00000000066A2000-memory.dmp

Filesize
1.3MB

Download
memory/1500-70-0x00000000021B0000-0x00000000024B3000-memory.dmp

Filesize
3.0MB

Download
memory/1500-65-0x0000000000000000-mapping.dmp

Download
memory/1500-67-0x00000000000C0000-0x00000000000ED000-memory.dmp

Filesize
180KB

Download
memory/1500-66-0x0000000000AD0000-0x0000000000AD9000-memory.dmp

Filesize
36KB

Download
memory/1500-71-0x0000000001EE0000-0x0000000001F70000-memory.dmp

Filesize
576KB

Download
memory/1500-73-0x00000000000C0000-0x00000000000ED000-memory.dmp

Filesize
180KB

Download
memory/1500-75-0x0000000074C91000-0x0000000074C93000-memory.dmp

Filesize
8KB

Download
memory/1972-55-0x0000000000000000-mapping.dmp

Download
memory/2040-63-0x00000000002C0000-0x00000000002D1000-memory.dmp

Filesize
68KB

Download
memory/2040-61-0x00000000001D0000-0x00000000001E1000-memory.dmp

Filesize
68KB

Download
memory/2040-60-0x00000000008C0000-0x0000000000BC3000-memory.dmp

Filesize
3.0MB

Download
memory/2040-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads