formbook | 69894b72ab86939a0a2ef7344f00ced587d007df6cf37b4783ae3537b33c125b

General

Target

Invoice8252752.exe
Size

318KB
MD5

8ea255af1117e83b0c6c4cd1f7ff4eab
SHA1

4c3870aef757ca5efcdc324239a8744ed20c10b9
SHA256

e6d371badc121f232f4305f3a50f0a136d1b7edbc3337414ca692c26ae41986c
SHA512

9a4b185b1836683aec23e037377059d6416c204b4d71fc34942eba0f8d8091a24688d3a1a7f737459bd79ace09b601b8cd72de11616e4eef214c12f0ab54a474
SSDEEP

3072:i/2HRMd/qiEcHUFFms+qCNkkiY0ndiH+Q9y+IZrToLpQwATrJd32Q3z84XvZGX:yQRM1f/0FT+k9YuSFKToVQJrJv3fXvw

Score

10^/10

formbook yx5 discovery persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.0

Campaign

yx5

Decoy

ruwbx.com

jasapoleslantai.com

win.xn--io0a7i

ivy0923-aoba.com

petrotaha.com

martinmetlabs.net

centredetherapiebreve.com

pinemountainclubmoderncabin.com

top-tovar.online

wissen-und-kritik.com

preloadmypc.com

client76215.review

mobiledownload.tech

ycphotoshop.com

yimengta.com

bersyedih-4.com

miningbitterweed.info

guitarform.com

dtitc.com

blackhoot.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 7 IoCs

rat

resource	yara_rule
behavioral1/memory/2656-0-0x00000000003E1000-0x000000000040E000-memory.dmp	formbook
behavioral1/memory/2656-1-0x00000000003E0000-0x0000000000434000-memory.dmp	formbook
behavioral1/memory/2656-2-0x00000000003E0000-0x0000000000434000-memory.dmp	formbook
behavioral1/memory/2656-4-0x00000000003E1000-0x000000000040E000-memory.dmp	formbook
behavioral1/memory/2656-6-0x00000000003E0000-0x0000000000434000-memory.dmp	formbook
behavioral1/memory/2656-9-0x00000000003E1000-0x000000000040E000-memory.dmp	formbook
behavioral1/memory/2656-10-0x00000000003E0000-0x0000000000434000-memory.dmp	formbook

Deletes itself 1 IoCs

pid	Process
2832	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VHLHZLNHGPHL = "C:\\Program Files (x86)\\Nsfv\\usercd2.exe"	wininit.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2656 set thread context of 1236	2656	Invoice8252752.exe	21
PID 2656 set thread context of 1236	2656	Invoice8252752.exe	21
PID 2792 set thread context of 1236	2792	wininit.exe	21

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Nsfv\usercd2.exe	wininit.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Invoice8252752.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wininit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-1846800975-3917212583-2893086201-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	wininit.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2656	Invoice8252752.exe
2656	Invoice8252752.exe
2656	Invoice8252752.exe
2792	wininit.exe
2792	wininit.exe
2792	wininit.exe
2792	wininit.exe
2792	wininit.exe
2792	wininit.exe
2792	wininit.exe
2792	wininit.exe
2792	wininit.exe
2792	wininit.exe
2792	wininit.exe
2792	wininit.exe
2792	wininit.exe
2792	wininit.exe
2792	wininit.exe
2792	wininit.exe
2792	wininit.exe
2792	wininit.exe
2792	wininit.exe
2792	wininit.exe
2792	wininit.exe
2792	wininit.exe
2792	wininit.exe
2792	wininit.exe
2792	wininit.exe
2792	wininit.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2656	Invoice8252752.exe
2656	Invoice8252752.exe
2656	Invoice8252752.exe
2656	Invoice8252752.exe
2792	wininit.exe
2792	wininit.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2656	Invoice8252752.exe
Token: SeDebugPrivilege	2792	wininit.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1236	Explorer.EXE
1236	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1236	Explorer.EXE
1236	Explorer.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1236 wrote to memory of 2792	1236	Explorer.EXE	30
PID 1236 wrote to memory of 2792	1236	Explorer.EXE	30
PID 1236 wrote to memory of 2792	1236	Explorer.EXE	30
PID 1236 wrote to memory of 2792	1236	Explorer.EXE	30
PID 2792 wrote to memory of 2832	2792	wininit.exe	31
PID 2792 wrote to memory of 2832	2792	wininit.exe	31
PID 2792 wrote to memory of 2832	2792	wininit.exe	31
PID 2792 wrote to memory of 2832	2792	wininit.exe	31

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Users\Admin\AppData\Local\Temp\Invoice8252752.exe
  "C:\Users\Admin\AppData\Local\Temp\Invoice8252752.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  PID:2656
- C:\Windows\SysWOW64\wininit.exe
  "C:\Windows\SysWOW64\wininit.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\Invoice8252752.exe"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\5M-MQPVT\5M-logim.jpeg

Filesize
77KB

MD5
911bb21d10f5fdb206a8075d83192983

SHA1
da72162f0300f06b0c97cbecf93a06c6013f7447

SHA256
93bdbdfb9fe94fd38e03d6d6351dccfe7c20698b5555e3ab465e76deaa4f1d84

SHA512
20633e51238766958478441bfcacd54fb39cc817252f257e34b7d9f1e05b32e9ef3703a1d34139a547509161d2909a93b0af5198e03ad52a5c370402c77aa425

Download Submit
C:\Users\Admin\AppData\Roaming\5M-MQPVT\5M-logri.ini

Filesize
40B

MD5
d63a82e5d81e02e399090af26db0b9cb

SHA1
91d0014c8f54743bba141fd60c9d963f869d76c9

SHA256
eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

SHA512
38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

Download Submit
C:\Users\Admin\AppData\Roaming\5M-MQPVT\5M-logrv.ini

Filesize
40B

MD5
ba3b6bc807d4f76794c4b81b09bb9ba5

SHA1
24cb89501f0212ff3095ecc0aba97dd563718fb1

SHA256
6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507

SHA512
ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf

Download Submit
memory/1236-13-0x0000000006DF0000-0x0000000006EE6000-memory.dmp

Filesize
984KB

Download
memory/1236-3-0x00000000078D0000-0x0000000007A7C000-memory.dmp

Filesize
1.7MB

Download
memory/1236-18-0x0000000005180000-0x000000000523D000-memory.dmp

Filesize
756KB

Download
memory/1236-7-0x00000000078D0000-0x0000000007A7C000-memory.dmp

Filesize
1.7MB

Download
memory/1236-17-0x0000000005180000-0x000000000523D000-memory.dmp

Filesize
756KB

Download
memory/1236-8-0x0000000006DF0000-0x0000000006EE6000-memory.dmp

Filesize
984KB

Download
memory/1236-15-0x0000000005180000-0x000000000523D000-memory.dmp

Filesize
756KB

Download
memory/2656-5-0x00000000003FF000-0x0000000000400000-memory.dmp

Filesize
4KB

Download
memory/2656-10-0x00000000003E0000-0x0000000000434000-memory.dmp

Filesize
336KB

Download
memory/2656-9-0x00000000003E1000-0x000000000040E000-memory.dmp

Filesize
180KB

Download
memory/2656-6-0x00000000003E0000-0x0000000000434000-memory.dmp

Filesize
336KB

Download
memory/2656-0-0x00000000003E1000-0x000000000040E000-memory.dmp

Filesize
180KB

Download
memory/2656-4-0x00000000003E1000-0x000000000040E000-memory.dmp

Filesize
180KB

Download
memory/2656-2-0x00000000003E0000-0x0000000000434000-memory.dmp

Filesize
336KB

Download
memory/2656-1-0x00000000003E0000-0x0000000000434000-memory.dmp

Filesize
336KB

Download
memory/2792-12-0x0000000000B50000-0x0000000000B6A000-memory.dmp

Filesize
104KB

Download
memory/2792-11-0x0000000000B50000-0x0000000000B6A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads