formbook | 862c17b77ece5eb013bbe5ced057f1a635a80d4a21c43356aed77e19fadcc0e3

General

Target

862c17b77ece5eb013bbe5ced057f1a635a80d4a21c43356aed77e19fadcc0e3.exe
Size

799KB
MD5

dfde7866b2de880f117836aa8d5b8adc
SHA1

66006bb4a7d2a35841bfea14abf1536b20f7a974
SHA256

862c17b77ece5eb013bbe5ced057f1a635a80d4a21c43356aed77e19fadcc0e3
SHA512

499f08d5830a9c55c1a3526f54d24247eb16a27145a438496dc7b42698dbb89ae8f1b2773609b2a928ec0843e4bb95778500f9fb97f4b62a2aafa31dadf9d9a6
SSDEEP

12288:OGlaKpWkdJ9pQ15Hzj4WlhjWPPvCLyZ+RvugSrmhktjxGty20qTszOFk:XlppWw9pC4pPPpkR0ymtjxUBYz0k

Score

10^/10

formbook m9ae persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

m9ae

Decoy

nWTQpX6TYm6dfT3Lcw==

7JaBLgMm8EKn2AlTy5Ksj4Jq

yWRJIhE3viQgqEpZS3o=

ES9dFo0bytF8vlvRcg==

aX/aBZn29pD+cg==

lU64sYOZV7ZVpUy1ag==

9BpOCYAPv8L8TyIFAiTp2PSqLg==

uEJ2RyQ1BcBXfFr8kT5Z1KV0

oVM42Ury9pD+cg==

0Zl3VkcuKaY+

OjZeGI8dw67Z6eWtnOoBfoI=

ytwFn9j4i+N8nKYRSgcfh3xn5LU=

xMb1+YkOyxmbxJ53JsP7Pg==

HODQpzTBS1gVoi4X0hStKQ==

fQ417ycwD+ziKt1u0hStKQ==

nsApOqE62sA8uS735uCXVP+YcrQ=

4aobG3oZ3AHqTPs=

P2LEwJatZbQZUTayTW0=

/bopO7NR6clCfT3Lcw==

bBxRRkFY01R+20pZS3o=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

rsphjnyos.exersphjnyos.exe

pid process

3200 rsphjnyos.exe
4728 rsphjnyos.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rsphjnyos.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	rsphjnyos.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rsphjnyos.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eoruthnaadeju = "C:\\Users\\Admin\\AppData\\Roaming\\jtcpo\\ckdijf.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\rsphjnyos.exe\" \"C:\\Users\\Admin\\AppData\\Local\\Te"	rsphjnyos.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

rsphjnyos.exersphjnyos.exeexplorer.exe

description	pid	process	target process
PID 3200 set thread context of 4728	3200	rsphjnyos.exe	rsphjnyos.exe
PID 4728 set thread context of 1192	4728	rsphjnyos.exe	Explorer.EXE
PID 4804 set thread context of 1192	4804	explorer.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rsphjnyos.exeexplorer.exe

pid	process
4728	rsphjnyos.exe
4728	rsphjnyos.exe
4728	rsphjnyos.exe
4728	rsphjnyos.exe
4728	rsphjnyos.exe
4728	rsphjnyos.exe
4728	rsphjnyos.exe
4728	rsphjnyos.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1192 Explorer.EXE

pid	process
1192	Explorer.EXE

Suspicious behavior: MapViewOfSection 9 IoCs

Processes:

rsphjnyos.exersphjnyos.exeexplorer.exe

pid	process
3200	rsphjnyos.exe
3200	rsphjnyos.exe
4728	rsphjnyos.exe
4728	rsphjnyos.exe
4728	rsphjnyos.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

rsphjnyos.exeexplorer.exe

description pid process

Token: SeDebugPrivilege 4728 rsphjnyos.exe
Token: SeDebugPrivilege 4804 explorer.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

rsphjnyos.exe

pid process

3200 rsphjnyos.exe
3200 rsphjnyos.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

rsphjnyos.exe

pid process

3200 rsphjnyos.exe
3200 rsphjnyos.exe

description	pid	process
Token: SeDebugPrivilege	4728	rsphjnyos.exe
Token: SeDebugPrivilege	4804	explorer.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

862c17b77ece5eb013bbe5ced057f1a635a80d4a21c43356aed77e19fadcc0e3.exersphjnyos.exeExplorer.EXEexplorer.exe

description	pid	process	target process
PID 432 wrote to memory of 3200	432	862c17b77ece5eb013bbe5ced057f1a635a80d4a21c43356aed77e19fadcc0e3.exe	rsphjnyos.exe
PID 432 wrote to memory of 3200	432	862c17b77ece5eb013bbe5ced057f1a635a80d4a21c43356aed77e19fadcc0e3.exe	rsphjnyos.exe
PID 432 wrote to memory of 3200	432	862c17b77ece5eb013bbe5ced057f1a635a80d4a21c43356aed77e19fadcc0e3.exe	rsphjnyos.exe
PID 3200 wrote to memory of 4728	3200	rsphjnyos.exe	rsphjnyos.exe
PID 3200 wrote to memory of 4728	3200	rsphjnyos.exe	rsphjnyos.exe
PID 3200 wrote to memory of 4728	3200	rsphjnyos.exe	rsphjnyos.exe
PID 3200 wrote to memory of 4728	3200	rsphjnyos.exe	rsphjnyos.exe
PID 1192 wrote to memory of 4804	1192	Explorer.EXE	explorer.exe
PID 1192 wrote to memory of 4804	1192	Explorer.EXE	explorer.exe
PID 1192 wrote to memory of 4804	1192	Explorer.EXE	explorer.exe
PID 4804 wrote to memory of 3584	4804	explorer.exe	Firefox.exe
PID 4804 wrote to memory of 3584	4804	explorer.exe	Firefox.exe
PID 4804 wrote to memory of 3584	4804	explorer.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1192

C:\Users\Admin\AppData\Local\Temp\862c17b77ece5eb013bbe5ced057f1a635a80d4a21c43356aed77e19fadcc0e3.exe
"C:\Users\Admin\AppData\Local\Temp\862c17b77ece5eb013bbe5ced057f1a635a80d4a21c43356aed77e19fadcc0e3.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:432

C:\Users\Admin\AppData\Local\Temp\rsphjnyos.exe
"C:\Users\Admin\AppData\Local\Temp\rsphjnyos.exe" "C:\Users\Admin\AppData\Local\Temp\ruegnseq.au3"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3200

C:\Users\Admin\AppData\Local\Temp\rsphjnyos.exe
"C:\Users\Admin\AppData\Local\Temp\rsphjnyos.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4728

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4804

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:3584

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aomagrjhydq.zd
Filesize
185KB

MD5
3080cac6a6b54539b068349098d18bca

SHA1
b1b729e3f1f05a58322c60037c4a9b517119df07

SHA256
1d95bc52ccb1fefbef0fd922ed362a89c9124ff54dd4b8e88f260b88b07931fe

SHA512
1434959da256a74055a3be42884458b6cb261443a7bf75a85fd5acad9520076e5a8670d8bbf8929228398a3231f766af653786dad788c13154afd8de99bcc7b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\rsphjnyos.exe
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\rsphjnyos.exe
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\rsphjnyos.exe
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ruegnseq.au3
Filesize
6KB

MD5
933d6334c65c9c911cab800fee8d20d5

SHA1
7f737a264b4a32ea0415a2dffc4f885a2c01e45d

SHA256
9a247631b0a296e0ace077af15a6362299b7b2043c97d00ae79bafb42f58f3bb

SHA512
fad050e7283f766d88d5eea5609ee46121e9316a9f2f754eda48035e47ebc27fa5548b893432cf537d00c2568b026c858b09b4a962f55968a4e24f538bfe12bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\wdvgqo.u
Filesize
84KB

MD5
90107de2c92c5aae6b3d3aae5db5051d

SHA1
8711975380ec1ab309e1f3d280d0648111b103d8

SHA256
ff0121b718cdcc67dcd3dcc08c43a2578ceed445566d1d3e20a51ba4641b283d

SHA512
a0180382b6e5ab61a5f86455695c5cbaf7307926a55bae01415de1b036c1fc53c1c8a06e4e27d5d0a036448c481a6e1b5fc02e3e5a4d6b5e82f424483d2d68d0

Download Submit
memory/1192-152-0x0000000008A60000-0x0000000008BA4000-memory.dmp

Filesize
1.3MB

Download
memory/1192-150-0x0000000008A60000-0x0000000008BA4000-memory.dmp

Filesize
1.3MB

Download
memory/1192-144-0x00000000082B0000-0x00000000083D3000-memory.dmp

Filesize
1.1MB

Download
memory/3200-132-0x0000000000000000-mapping.dmp

Download
memory/4728-143-0x00000000008B0000-0x00000000008C0000-memory.dmp

Filesize
64KB

Download
memory/4728-142-0x00000000008A2000-0x00000000008A4000-memory.dmp

Filesize
8KB

Download
memory/4728-141-0x0000000000E00000-0x000000000114A000-memory.dmp

Filesize
3.3MB

Download
memory/4728-140-0x0000000000880000-0x00000000008AF000-memory.dmp

Filesize
188KB

Download
memory/4728-138-0x0000000000000000-mapping.dmp

Download
memory/4804-145-0x0000000000000000-mapping.dmp

Download
memory/4804-146-0x00000000004C0000-0x00000000008F3000-memory.dmp

Filesize
4.2MB

Download
memory/4804-147-0x0000000000FD0000-0x0000000000FFD000-memory.dmp

Filesize
180KB

Download
memory/4804-148-0x00000000031E0000-0x000000000352A000-memory.dmp

Filesize
3.3MB

Download
memory/4804-149-0x0000000003050000-0x00000000030DF000-memory.dmp

Filesize
572KB

Download
memory/4804-151-0x0000000000FD0000-0x0000000000FFD000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads