formbook | e10b38a2a26a1f63a92ed283aabc8aaa3e630a37be1c101a073dc6d1a556dd94

General

Target

ab70079bd5d9f38db26ee66651c5eb37fa85fb7d42461cde2fc84bdb8df15e41.exe
Size

248KB
MD5

50ac8fd3c79049dc16386fe5cba4f734
SHA1

7400121311b7280b4030c96cfbb1dcc46a0c7963
SHA256

ab70079bd5d9f38db26ee66651c5eb37fa85fb7d42461cde2fc84bdb8df15e41
SHA512

69ff72c8ac037b470d5789db2c738f9aea82b7e263763f59e85da591ff8795a6bffb16329a69b361998964343b7102f42d389feb12aa3a4fcfddb08f1f4242cd
SSDEEP

6144:Lkw+cH+ONtOz2xxtnwWsJZCnTK6uQQS5BjX85tCW:feONtlfWFCnTK6Qkotf

Score

10^/10

formbook scse persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

scse

Decoy

SKpYFyVNT2zunKf0uuM=

FlEHUseI7I5XbrO8fR/XBcS9ZA==

FPuxoUOxkLiATugw

VKdxsDSk0jdT5Kw=

FpqHf9iI/1tl97E=

YGI6sIl3UIxfZvlD+JiUuuLR

oBAEO0suBEAD5aK00A==

RKJqTzg4gQ/Q6DYSuTjDGkwuyl0ik5Kb8w==

VFg9s3W0/Ype8A3cZb+D7g==

hwD+VNd6014nrsaTWm4FBcS9ZA==

zkAdUq1soKYUfZaTqLmL

XVQ9WbRivUIQ477a/hKv+g==

QireF2geizAwmp674AGc5g==

PSTUQxs6j8OATugw

LHJhyy2VbX8NEqf0uuM=

MiY1vg6T3HqATugw

wqkUjaVXnGgBqA==

jUr/eUtSIT01Wegt

PjQidcqKzAbSZICUZb+D7g==

OkAmcv12sUEAIHwFHakzdIo2FPHw

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

tnufmzyerp.exetnufmzyerp.exe

pid process

4568 tnufmzyerp.exe
4932 tnufmzyerp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tnufmzyerp.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	tnufmzyerp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tnufmzyerp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upkja = "C:\\Users\\Admin\\AppData\\Roaming\\msyragql\\eecyphevfwbp.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\tnufmzyerp.exe\" C:\\Users\\Admin\\AppData"	tnufmzyerp.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

tnufmzyerp.exetnufmzyerp.exeexplorer.exe

description	pid	process	target process
PID 4568 set thread context of 4932	4568	tnufmzyerp.exe	tnufmzyerp.exe
PID 4932 set thread context of 704	4932	tnufmzyerp.exe	Explorer.EXE
PID 548 set thread context of 704	548	explorer.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	explorer.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

tnufmzyerp.exeexplorer.exe

pid	process
4932	tnufmzyerp.exe
4932	tnufmzyerp.exe
4932	tnufmzyerp.exe
4932	tnufmzyerp.exe
4932	tnufmzyerp.exe
4932	tnufmzyerp.exe
4932	tnufmzyerp.exe
4932	tnufmzyerp.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

704 Explorer.EXE

pid	process
704	Explorer.EXE

Suspicious behavior: MapViewOfSection 9 IoCs

Processes:

tnufmzyerp.exetnufmzyerp.exeexplorer.exe

pid	process
4568	tnufmzyerp.exe
4568	tnufmzyerp.exe
4932	tnufmzyerp.exe
4932	tnufmzyerp.exe
4932	tnufmzyerp.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe
548	explorer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tnufmzyerp.exeexplorer.exe

description pid process

Token: SeDebugPrivilege 4932 tnufmzyerp.exe
Token: SeDebugPrivilege 548 explorer.exe

description	pid	process
Token: SeDebugPrivilege	4932	tnufmzyerp.exe
Token: SeDebugPrivilege	548	explorer.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

ab70079bd5d9f38db26ee66651c5eb37fa85fb7d42461cde2fc84bdb8df15e41.exetnufmzyerp.exeExplorer.EXEexplorer.exe

description	pid	process	target process
PID 4880 wrote to memory of 4568	4880	ab70079bd5d9f38db26ee66651c5eb37fa85fb7d42461cde2fc84bdb8df15e41.exe	tnufmzyerp.exe
PID 4880 wrote to memory of 4568	4880	ab70079bd5d9f38db26ee66651c5eb37fa85fb7d42461cde2fc84bdb8df15e41.exe	tnufmzyerp.exe
PID 4880 wrote to memory of 4568	4880	ab70079bd5d9f38db26ee66651c5eb37fa85fb7d42461cde2fc84bdb8df15e41.exe	tnufmzyerp.exe
PID 4568 wrote to memory of 4932	4568	tnufmzyerp.exe	tnufmzyerp.exe
PID 4568 wrote to memory of 4932	4568	tnufmzyerp.exe	tnufmzyerp.exe
PID 4568 wrote to memory of 4932	4568	tnufmzyerp.exe	tnufmzyerp.exe
PID 4568 wrote to memory of 4932	4568	tnufmzyerp.exe	tnufmzyerp.exe
PID 704 wrote to memory of 548	704	Explorer.EXE	explorer.exe
PID 704 wrote to memory of 548	704	Explorer.EXE	explorer.exe
PID 704 wrote to memory of 548	704	Explorer.EXE	explorer.exe
PID 548 wrote to memory of 3556	548	explorer.exe	Firefox.exe
PID 548 wrote to memory of 3556	548	explorer.exe	Firefox.exe
PID 548 wrote to memory of 3556	548	explorer.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:704

C:\Users\Admin\AppData\Local\Temp\ab70079bd5d9f38db26ee66651c5eb37fa85fb7d42461cde2fc84bdb8df15e41.exe
"C:\Users\Admin\AppData\Local\Temp\ab70079bd5d9f38db26ee66651c5eb37fa85fb7d42461cde2fc84bdb8df15e41.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4880

C:\Users\Admin\AppData\Local\Temp\tnufmzyerp.exe
"C:\Users\Admin\AppData\Local\Temp\tnufmzyerp.exe" C:\Users\Admin\AppData\Local\Temp\pwtpij.yv
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4568

C:\Users\Admin\AppData\Local\Temp\tnufmzyerp.exe
"C:\Users\Admin\AppData\Local\Temp\tnufmzyerp.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4932

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:548

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:3556

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pvhvkzayfr.reh
Filesize
184KB

MD5
af5d35642e375b23e17612550417145a

SHA1
7194cb2e201b10233f7600ea3011f83fbb517bdb

SHA256
c844f734218c48a9e73d7a4bb6387de29c9560155e67c272d846793d7792aa47

SHA512
d038ef5ab9feda8b664e15f09af30add629834a8b74da6e165e07b6d455ac627090fe336270fd30af251eae3f8372aba43bdb07b61b7474d5993772209a7a314

Download Submit
C:\Users\Admin\AppData\Local\Temp\pwtpij.yv
Filesize
7KB

MD5
eefa8ba94c643e748e1d3d3610cd3b11

SHA1
99d548704223f1f407cb381c2b56f0293429017d

SHA256
ee141c4dcfbb321e62e6c59f1dc566037b048a92c66f14615a4edf07eb591aaa

SHA512
5a923f9c6a80818ef9f353d2704a8fa1a0c6e9c25d17f947c16ab07e1060c3bcacc13acb38fc954f9da69fe21136e0a0f0bd3bac44918bca6e6c1b1f0cf6f3d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tnufmzyerp.exe
Filesize
66KB

MD5
6324dff9004f051aed9026927f7dbbdd

SHA1
06d35c19478d78c6d4df9c34f229c2a27d20287f

SHA256
ae210feed932361ce9c9abded80a4f833cb3ec633dbcd6e4af33c8cacdb63826

SHA512
eed97b183f60b362c7994be05da2c4dcfa93d64a0f9e9998026fb9656637379ba53f1f00b9c16741bcfe8f7650f8f1877aa7798391cdea0e9dce5173e8e99d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\tnufmzyerp.exe
Filesize
66KB

MD5
6324dff9004f051aed9026927f7dbbdd

SHA1
06d35c19478d78c6d4df9c34f229c2a27d20287f

SHA256
ae210feed932361ce9c9abded80a4f833cb3ec633dbcd6e4af33c8cacdb63826

SHA512
eed97b183f60b362c7994be05da2c4dcfa93d64a0f9e9998026fb9656637379ba53f1f00b9c16741bcfe8f7650f8f1877aa7798391cdea0e9dce5173e8e99d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\tnufmzyerp.exe
Filesize
66KB

MD5
6324dff9004f051aed9026927f7dbbdd

SHA1
06d35c19478d78c6d4df9c34f229c2a27d20287f

SHA256
ae210feed932361ce9c9abded80a4f833cb3ec633dbcd6e4af33c8cacdb63826

SHA512
eed97b183f60b362c7994be05da2c4dcfa93d64a0f9e9998026fb9656637379ba53f1f00b9c16741bcfe8f7650f8f1877aa7798391cdea0e9dce5173e8e99d29

Download Submit
memory/548-147-0x0000000002E50000-0x000000000319A000-memory.dmp

Filesize
3.3MB

Download
memory/548-149-0x0000000000B40000-0x0000000000B6D000-memory.dmp

Filesize
180KB

Download
memory/548-148-0x0000000002AF0000-0x0000000002B7F000-memory.dmp

Filesize
572KB

Download
memory/548-144-0x0000000000000000-mapping.dmp

Download
memory/548-145-0x00000000005E0000-0x0000000000A13000-memory.dmp

Filesize
4.2MB

Download
memory/548-146-0x0000000000B40000-0x0000000000B6D000-memory.dmp

Filesize
180KB

Download
memory/704-151-0x0000000007F20000-0x0000000008071000-memory.dmp

Filesize
1.3MB

Download
memory/704-150-0x0000000007F20000-0x0000000008071000-memory.dmp

Filesize
1.3MB

Download
memory/704-143-0x0000000007A60000-0x0000000007B45000-memory.dmp

Filesize
916KB

Download
memory/4568-132-0x0000000000000000-mapping.dmp

Download
memory/4932-137-0x0000000000000000-mapping.dmp

Download
memory/4932-142-0x0000000000B20000-0x0000000000B30000-memory.dmp

Filesize
64KB

Download
memory/4932-140-0x0000000000BC0000-0x0000000000F0A000-memory.dmp

Filesize
3.3MB

Download
memory/4932-141-0x0000000000562000-0x0000000000564000-memory.dmp

Filesize
8KB

Download
memory/4932-139-0x0000000000540000-0x000000000056E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads