formbook | e10b38a2a26a1f63a92ed283aabc8aaa3e630a37be1c101a073dc6d1a556dd94

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
16-01-2023 20:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab70079bd5d9f38db26ee66651c5eb37fa85fb7d42461cde2fc84bdb8df15e41.exe
Size

248KB
MD5

50ac8fd3c79049dc16386fe5cba4f734
SHA1

7400121311b7280b4030c96cfbb1dcc46a0c7963
SHA256

ab70079bd5d9f38db26ee66651c5eb37fa85fb7d42461cde2fc84bdb8df15e41
SHA512

69ff72c8ac037b470d5789db2c738f9aea82b7e263763f59e85da591ff8795a6bffb16329a69b361998964343b7102f42d389feb12aa3a4fcfddb08f1f4242cd
SSDEEP

6144:Lkw+cH+ONtOz2xxtnwWsJZCnTK6uQQS5BjX85tCW:feONtlfWFCnTK6Qkotf

Score

10^/10

formbook scse persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

scse

Decoy

SKpYFyVNT2zunKf0uuM=

FlEHUseI7I5XbrO8fR/XBcS9ZA==

FPuxoUOxkLiATugw

VKdxsDSk0jdT5Kw=

FpqHf9iI/1tl97E=

YGI6sIl3UIxfZvlD+JiUuuLR

oBAEO0suBEAD5aK00A==

RKJqTzg4gQ/Q6DYSuTjDGkwuyl0ik5Kb8w==

VFg9s3W0/Ype8A3cZb+D7g==

hwD+VNd6014nrsaTWm4FBcS9ZA==

zkAdUq1soKYUfZaTqLmL

XVQ9WbRivUIQ477a/hKv+g==

QireF2geizAwmp674AGc5g==

PSTUQxs6j8OATugw

LHJhyy2VbX8NEqf0uuM=

MiY1vg6T3HqATugw

wqkUjaVXnGgBqA==

jUr/eUtSIT01Wegt

PjQidcqKzAbSZICUZb+D7g==

OkAmcv12sUEAIHwFHakzdIo2FPHw

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

tnufmzyerp.exetnufmzyerp.exe

pid process

768 tnufmzyerp.exe
860 tnufmzyerp.exe

pid	process
768	tnufmzyerp.exe
860	tnufmzyerp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tnufmzyerp.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\International\Geo\Nation	tnufmzyerp.exe

Loads dropped DLL 4 IoCs

Processes:

ab70079bd5d9f38db26ee66651c5eb37fa85fb7d42461cde2fc84bdb8df15e41.exetnufmzyerp.exewlanext.exe

pid	process
916	ab70079bd5d9f38db26ee66651c5eb37fa85fb7d42461cde2fc84bdb8df15e41.exe
916	ab70079bd5d9f38db26ee66651c5eb37fa85fb7d42461cde2fc84bdb8df15e41.exe
768	tnufmzyerp.exe
1720	wlanext.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tnufmzyerp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\upkja = "C:\\Users\\Admin\\AppData\\Roaming\\msyragql\\eecyphevfwbp.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\tnufmzyerp.exe\" C:\\Users\\Admin\\AppData"	tnufmzyerp.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

tnufmzyerp.exetnufmzyerp.exewlanext.exe

description	pid	process	target process
PID 768 set thread context of 860	768	tnufmzyerp.exe	tnufmzyerp.exe
PID 860 set thread context of 1216	860	tnufmzyerp.exe	Explorer.EXE
PID 1720 set thread context of 1216	1720	wlanext.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

wlanext.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	wlanext.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

tnufmzyerp.exewlanext.exe

pid	process
860	tnufmzyerp.exe
860	tnufmzyerp.exe
860	tnufmzyerp.exe
860	tnufmzyerp.exe
1720	wlanext.exe
1720	wlanext.exe
1720	wlanext.exe
1720	wlanext.exe
1720	wlanext.exe
1720	wlanext.exe
1720	wlanext.exe
1720	wlanext.exe
1720	wlanext.exe
1720	wlanext.exe
1720	wlanext.exe
1720	wlanext.exe
1720	wlanext.exe
1720	wlanext.exe
1720	wlanext.exe
1720	wlanext.exe
1720	wlanext.exe
1720	wlanext.exe
1720	wlanext.exe
1720	wlanext.exe
1720	wlanext.exe
1720	wlanext.exe

Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

tnufmzyerp.exetnufmzyerp.exewlanext.exe

pid process

768 tnufmzyerp.exe
860 tnufmzyerp.exe
860 tnufmzyerp.exe
860 tnufmzyerp.exe
1720 wlanext.exe
1720 wlanext.exe
1720 wlanext.exe
1720 wlanext.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tnufmzyerp.exewlanext.exe

description pid process

Token: SeDebugPrivilege 860 tnufmzyerp.exe
Token: SeDebugPrivilege 1720 wlanext.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1216 Explorer.EXE
1216 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1216 Explorer.EXE
1216 Explorer.EXE

pid	process
768	tnufmzyerp.exe
860	tnufmzyerp.exe
860	tnufmzyerp.exe
860	tnufmzyerp.exe
1720	wlanext.exe
1720	wlanext.exe
1720	wlanext.exe
1720	wlanext.exe

description	pid	process
Token: SeDebugPrivilege	860	tnufmzyerp.exe
Token: SeDebugPrivilege	1720	wlanext.exe

pid	process
1216	Explorer.EXE
1216	Explorer.EXE

pid	process
1216	Explorer.EXE
1216	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

ab70079bd5d9f38db26ee66651c5eb37fa85fb7d42461cde2fc84bdb8df15e41.exetnufmzyerp.exeExplorer.EXEwlanext.exe

description	pid	process	target process
PID 916 wrote to memory of 768	916	ab70079bd5d9f38db26ee66651c5eb37fa85fb7d42461cde2fc84bdb8df15e41.exe	tnufmzyerp.exe
PID 916 wrote to memory of 768	916	ab70079bd5d9f38db26ee66651c5eb37fa85fb7d42461cde2fc84bdb8df15e41.exe	tnufmzyerp.exe
PID 916 wrote to memory of 768	916	ab70079bd5d9f38db26ee66651c5eb37fa85fb7d42461cde2fc84bdb8df15e41.exe	tnufmzyerp.exe
PID 916 wrote to memory of 768	916	ab70079bd5d9f38db26ee66651c5eb37fa85fb7d42461cde2fc84bdb8df15e41.exe	tnufmzyerp.exe
PID 768 wrote to memory of 860	768	tnufmzyerp.exe	tnufmzyerp.exe
PID 768 wrote to memory of 860	768	tnufmzyerp.exe	tnufmzyerp.exe
PID 768 wrote to memory of 860	768	tnufmzyerp.exe	tnufmzyerp.exe
PID 768 wrote to memory of 860	768	tnufmzyerp.exe	tnufmzyerp.exe
PID 768 wrote to memory of 860	768	tnufmzyerp.exe	tnufmzyerp.exe
PID 1216 wrote to memory of 1720	1216	Explorer.EXE	wlanext.exe
PID 1216 wrote to memory of 1720	1216	Explorer.EXE	wlanext.exe
PID 1216 wrote to memory of 1720	1216	Explorer.EXE	wlanext.exe
PID 1216 wrote to memory of 1720	1216	Explorer.EXE	wlanext.exe
PID 1720 wrote to memory of 544	1720	wlanext.exe	Firefox.exe
PID 1720 wrote to memory of 544	1720	wlanext.exe	Firefox.exe
PID 1720 wrote to memory of 544	1720	wlanext.exe	Firefox.exe
PID 1720 wrote to memory of 544	1720	wlanext.exe	Firefox.exe
PID 1720 wrote to memory of 544	1720	wlanext.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1216

C:\Users\Admin\AppData\Local\Temp\ab70079bd5d9f38db26ee66651c5eb37fa85fb7d42461cde2fc84bdb8df15e41.exe
"C:\Users\Admin\AppData\Local\Temp\ab70079bd5d9f38db26ee66651c5eb37fa85fb7d42461cde2fc84bdb8df15e41.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:916

C:\Users\Admin\AppData\Local\Temp\tnufmzyerp.exe
"C:\Users\Admin\AppData\Local\Temp\tnufmzyerp.exe" C:\Users\Admin\AppData\Local\Temp\pwtpij.yv
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:768

C:\Users\Admin\AppData\Local\Temp\tnufmzyerp.exe
"C:\Users\Admin\AppData\Local\Temp\tnufmzyerp.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:860

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:544

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pvhvkzayfr.reh
Filesize
184KB

MD5
af5d35642e375b23e17612550417145a

SHA1
7194cb2e201b10233f7600ea3011f83fbb517bdb

SHA256
c844f734218c48a9e73d7a4bb6387de29c9560155e67c272d846793d7792aa47

SHA512
d038ef5ab9feda8b664e15f09af30add629834a8b74da6e165e07b6d455ac627090fe336270fd30af251eae3f8372aba43bdb07b61b7474d5993772209a7a314

Download Submit
C:\Users\Admin\AppData\Local\Temp\pwtpij.yv
Filesize
7KB

MD5
eefa8ba94c643e748e1d3d3610cd3b11

SHA1
99d548704223f1f407cb381c2b56f0293429017d

SHA256
ee141c4dcfbb321e62e6c59f1dc566037b048a92c66f14615a4edf07eb591aaa

SHA512
5a923f9c6a80818ef9f353d2704a8fa1a0c6e9c25d17f947c16ab07e1060c3bcacc13acb38fc954f9da69fe21136e0a0f0bd3bac44918bca6e6c1b1f0cf6f3d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tnufmzyerp.exe
Filesize
66KB

MD5
6324dff9004f051aed9026927f7dbbdd

SHA1
06d35c19478d78c6d4df9c34f229c2a27d20287f

SHA256
ae210feed932361ce9c9abded80a4f833cb3ec633dbcd6e4af33c8cacdb63826

SHA512
eed97b183f60b362c7994be05da2c4dcfa93d64a0f9e9998026fb9656637379ba53f1f00b9c16741bcfe8f7650f8f1877aa7798391cdea0e9dce5173e8e99d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\tnufmzyerp.exe
Filesize
66KB

MD5
6324dff9004f051aed9026927f7dbbdd

SHA1
06d35c19478d78c6d4df9c34f229c2a27d20287f

SHA256
ae210feed932361ce9c9abded80a4f833cb3ec633dbcd6e4af33c8cacdb63826

SHA512
eed97b183f60b362c7994be05da2c4dcfa93d64a0f9e9998026fb9656637379ba53f1f00b9c16741bcfe8f7650f8f1877aa7798391cdea0e9dce5173e8e99d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\tnufmzyerp.exe
Filesize
66KB

MD5
6324dff9004f051aed9026927f7dbbdd

SHA1
06d35c19478d78c6d4df9c34f229c2a27d20287f

SHA256
ae210feed932361ce9c9abded80a4f833cb3ec633dbcd6e4af33c8cacdb63826

SHA512
eed97b183f60b362c7994be05da2c4dcfa93d64a0f9e9998026fb9656637379ba53f1f00b9c16741bcfe8f7650f8f1877aa7798391cdea0e9dce5173e8e99d29

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
902KB

MD5
50338cc1fa2582fa0cad8a8fa7ceb4d2

SHA1
ae697ef05b6bec38fb79ff4512ae50a303dcdbce

SHA256
0815a80fa73286d8c6bf0982471c61833821d9f10a20612deaa134562e7a3cda

SHA512
02a006e26b1d08cb53a4b3dab23ce6a6756a7275f8b3ef00b7412f10cff75411685a3542c5dc330dad7c9f7ff26288a2e94254d00bf53c1394e7252e000c9a61

Download Submit
\Users\Admin\AppData\Local\Temp\tnufmzyerp.exe
Filesize
66KB

MD5
6324dff9004f051aed9026927f7dbbdd

SHA1
06d35c19478d78c6d4df9c34f229c2a27d20287f

SHA256
ae210feed932361ce9c9abded80a4f833cb3ec633dbcd6e4af33c8cacdb63826

SHA512
eed97b183f60b362c7994be05da2c4dcfa93d64a0f9e9998026fb9656637379ba53f1f00b9c16741bcfe8f7650f8f1877aa7798391cdea0e9dce5173e8e99d29

Download Submit
\Users\Admin\AppData\Local\Temp\tnufmzyerp.exe
Filesize
66KB

MD5
6324dff9004f051aed9026927f7dbbdd

SHA1
06d35c19478d78c6d4df9c34f229c2a27d20287f

SHA256
ae210feed932361ce9c9abded80a4f833cb3ec633dbcd6e4af33c8cacdb63826

SHA512
eed97b183f60b362c7994be05da2c4dcfa93d64a0f9e9998026fb9656637379ba53f1f00b9c16741bcfe8f7650f8f1877aa7798391cdea0e9dce5173e8e99d29

Download Submit
\Users\Admin\AppData\Local\Temp\tnufmzyerp.exe
Filesize
66KB

MD5
6324dff9004f051aed9026927f7dbbdd

SHA1
06d35c19478d78c6d4df9c34f229c2a27d20287f

SHA256
ae210feed932361ce9c9abded80a4f833cb3ec633dbcd6e4af33c8cacdb63826

SHA512
eed97b183f60b362c7994be05da2c4dcfa93d64a0f9e9998026fb9656637379ba53f1f00b9c16741bcfe8f7650f8f1877aa7798391cdea0e9dce5173e8e99d29

Download Submit
memory/768-57-0x0000000000000000-mapping.dmp

Download
memory/860-67-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/860-69-0x0000000000422000-0x0000000000424000-memory.dmp

Filesize
8KB

Download
memory/860-68-0x0000000000980000-0x0000000000C83000-memory.dmp

Filesize
3.0MB

Download
memory/860-70-0x0000000000070000-0x0000000000080000-memory.dmp

Filesize
64KB

Download
memory/860-66-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/860-64-0x00000000004012B0-mapping.dmp

Download
memory/916-54-0x0000000076091000-0x0000000076093000-memory.dmp

Filesize
8KB

Download
memory/1216-77-0x0000000004CD0000-0x0000000004DFA000-memory.dmp

Filesize
1.2MB

Download
memory/1216-71-0x0000000004B80000-0x0000000004CCE000-memory.dmp

Filesize
1.3MB

Download
memory/1216-80-0x0000000004CD0000-0x0000000004DFA000-memory.dmp

Filesize
1.2MB

Download
memory/1720-72-0x0000000000000000-mapping.dmp

Download
memory/1720-76-0x0000000000890000-0x000000000091F000-memory.dmp

Filesize
572KB

Download
memory/1720-75-0x0000000000980000-0x0000000000C83000-memory.dmp

Filesize
3.0MB

Download
memory/1720-78-0x00000000000D0000-0x00000000000FD000-memory.dmp

Filesize
180KB

Download
memory/1720-74-0x00000000000D0000-0x00000000000FD000-memory.dmp

Filesize
180KB

Download
memory/1720-73-0x0000000000DB0000-0x0000000000DC6000-memory.dmp

Filesize
88KB

Download