formbook | 16346ed15b2d60e072d99cd110e29c8bef43483b9f8a5f9246123750bc0073d6

Analysis

max time kernel
156s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28-10-2022 14:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

626KB
MD5

031281aa0667cba260ddad6f77c89ccd
SHA1

17b747e3e1de9296f862d522a9664046d2d3469e
SHA256

16346ed15b2d60e072d99cd110e29c8bef43483b9f8a5f9246123750bc0073d6
SHA512

f4715533c2f535964dc98f581887abc1a9daf68f913b9b316762ddf169b4209458fbeebed8173fca65c7d4732087bf0b0e4369fa440cebd45772d77559820ea2
SSDEEP

12288:bItKcNGvH3x+D0NDO6D7zkoT+lqp/7Iu/O2ybZx9Y9rl7jjGHS:bItK9H3xbJZlT+lQTD/O3BArRCHS

Score

10^/10

formbook henz rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

henz

Decoy

IxWMb+jVsoinShuZJzk=

TPfKgQZ//oGnKr/J

EsK0WxD5kY65XOW1Td/5CxSUpCUytR7M

KebSmiCP9p8yUw==

HAt/ljkEuqMLHOLCi53Pv8MKX9qk

CY4ogZTwJc4vSw==

WWDIx5UYUDyepntE0YIAPca3/rI=

+Pkr01Lfb2rME7bL

S5nyK0p8jS2xdwQ=

W/oqvlO57LfkLcLHnQ==

zrrwtqkTLwxulm4l8FGopw==

AqucYext8bzFbOKthIm8E6gfVkUHxKY=

OfnjeDs78+RTcz4OHRl+

XKf1wwpZR5hLLjHgmUGOpQ==

JMyhSLoJPTCwn5o9zX2d8i1+

Wk54MBsDhWSVbnIRkQ==

7aaYR/tOhh9piTw5/KHSRwuK2iqgafw7pQ==

hH/EYxN+jC2xdwQ=

S0F4ORqDjS2xdwQ=

0o/UwXnuJ+sJp0cOHRl+

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Executes dropped EXE 2 IoCs

pid	Process
2196	mwfkiq.exe
624	mwfkiq.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	mwfkiq.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2196 set thread context of 624	2196	mwfkiq.exe	84
PID 624 set thread context of 780	624	mwfkiq.exe	45
PID 4232 set thread context of 780	4232	cmd.exe	45

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cmd.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
624	mwfkiq.exe
624	mwfkiq.exe
624	mwfkiq.exe
624	mwfkiq.exe
624	mwfkiq.exe
624	mwfkiq.exe
624	mwfkiq.exe
624	mwfkiq.exe
4232	cmd.exe
4232	cmd.exe
4232	cmd.exe
4232	cmd.exe
4232	cmd.exe
4232	cmd.exe
4232	cmd.exe
4232	cmd.exe
4232	cmd.exe
4232	cmd.exe
4232	cmd.exe
4232	cmd.exe
4232	cmd.exe
4232	cmd.exe
4232	cmd.exe
4232	cmd.exe
4232	cmd.exe
4232	cmd.exe
4232	cmd.exe
4232	cmd.exe
4232	cmd.exe
4232	cmd.exe
4232	cmd.exe
4232	cmd.exe
4232	cmd.exe
4232	cmd.exe
4232	cmd.exe
4232	cmd.exe
4232	cmd.exe
4232	cmd.exe
4232	cmd.exe
4232	cmd.exe
4232	cmd.exe
4232	cmd.exe
4232	cmd.exe
4232	cmd.exe
4232	cmd.exe
4232	cmd.exe
4232	cmd.exe
4232	cmd.exe
4232	cmd.exe
4232	cmd.exe
4232	cmd.exe
4232	cmd.exe
4232	cmd.exe
4232	cmd.exe
4232	cmd.exe
4232	cmd.exe
4232	cmd.exe
4232	cmd.exe
4232	cmd.exe
4232	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
780	Explorer.EXE

Suspicious behavior: MapViewOfSection 9 IoCs

pid	Process
2196	mwfkiq.exe
2196	mwfkiq.exe
624	mwfkiq.exe
624	mwfkiq.exe
624	mwfkiq.exe
4232	cmd.exe
4232	cmd.exe
4232	cmd.exe
4232	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	624	mwfkiq.exe
Token: SeDebugPrivilege	4232	cmd.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2196	mwfkiq.exe
2196	mwfkiq.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2196	mwfkiq.exe
2196	mwfkiq.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 2196	4948	file.exe	83
PID 4948 wrote to memory of 2196	4948	file.exe	83
PID 4948 wrote to memory of 2196	4948	file.exe	83
PID 2196 wrote to memory of 624	2196	mwfkiq.exe	84
PID 2196 wrote to memory of 624	2196	mwfkiq.exe	84
PID 2196 wrote to memory of 624	2196	mwfkiq.exe	84
PID 2196 wrote to memory of 624	2196	mwfkiq.exe	84
PID 780 wrote to memory of 4232	780	Explorer.EXE	85
PID 780 wrote to memory of 4232	780	Explorer.EXE	85
PID 780 wrote to memory of 4232	780	Explorer.EXE	85
PID 4232 wrote to memory of 4532	4232	cmd.exe	93
PID 4232 wrote to memory of 4532	4232	cmd.exe	93
PID 4232 wrote to memory of 4532	4232	cmd.exe	93

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:780
- C:\Users\Admin\AppData\Local\Temp\file.exe
  "C:\Users\Admin\AppData\Local\Temp\file.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4948
- - C:\Users\Admin\AppData\Local\Temp\mwfkiq.exe
    "C:\Users\Admin\AppData\Local\Temp\mwfkiq.exe" "C:\Users\Admin\AppData\Local\Temp\vqclxetbtm.au3"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2196
  - - C:\Users\Admin\AppData\Local\Temp\mwfkiq.exe
      "C:\Users\Admin\AppData\Local\Temp\mwfkiq.exe" "C:\Users\Admin\AppData\Local\Temp\vqclxetbtm.au3"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:624
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\SysWOW64\cmd.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4232
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:4532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ispif.hre

Filesize
185KB

MD5
3cfd2fc4bace3b7a026ea386367aeb1c

SHA1
d8c09c5809ae2c09dccd6790bc3f57fa4bc42735

SHA256
75a663272a1cb4a66a727653d4128459844b3f407dc4366d65431331a00c3d5c

SHA512
1023861a2312e5b1607ff99ec0f5061502965339ee21c5719eb74081fe5820538f750ed45158b58cab6e2d27784a1c25e7b6325dfb1590fb97348db3bddf57c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwfkiq.exe

Filesize
925KB

MD5
0adb9b817f1df7807576c2d7068dd931

SHA1
4a1b94a9a5113106f40cd8ea724703734d15f118

SHA256
98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b

SHA512
883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwfkiq.exe

Filesize
925KB

MD5
0adb9b817f1df7807576c2d7068dd931

SHA1
4a1b94a9a5113106f40cd8ea724703734d15f118

SHA256
98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b

SHA512
883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwfkiq.exe

Filesize
925KB

MD5
0adb9b817f1df7807576c2d7068dd931

SHA1
4a1b94a9a5113106f40cd8ea724703734d15f118

SHA256
98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b

SHA512
883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sxvuoazn.heb

Filesize
40KB

MD5
4b48ae58eb0a611ee3be6370c8b16c3f

SHA1
67065f7d57704bef238590ae76ad060c29470dfa

SHA256
394e96cda29cfffff3a9f4ef1e8b2e1751bf22e351d048c374ee8b088172094e

SHA512
a71320b300e23da49b25c0d9875d80e18c9a68660f5616b174ffa3a7b9ecef25418b28a2338a1b8133292600e3826282c9e352d50269f4acd9ad4b941632c06c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vqclxetbtm.au3

Filesize
9KB

MD5
528e53c721e9a9ddd2b963098da47a1b

SHA1
6e7b4d8a92b14ce4fbbe6eb4ca93b12dd120ae24

SHA256
bcbef065142b2fffd5baa3ce19f0ca347451f2d75cfbea9e3e9cc323c678edd6

SHA512
3c42df1b911768497f2822189ff999f229a904ced51a7e1c8355e73c1e30f4b8fc8ddcca584dccc9a6f482d0f48fb6dece54a73a95eec0c9506e25b5189e4d7c

Download Submit
memory/624-141-0x0000000000D60000-0x0000000000D70000-memory.dmp

Filesize
64KB

Download
memory/624-140-0x00000000011D0000-0x000000000151A000-memory.dmp

Filesize
3.3MB

Download
memory/624-137-0x0000000000000000-mapping.dmp

Download
memory/624-139-0x0000000000890000-0x00000000008BF000-memory.dmp

Filesize
188KB

Download
memory/780-149-0x0000000007E70000-0x0000000007FDA000-memory.dmp

Filesize
1.4MB

Download
memory/780-142-0x00000000078C0000-0x0000000007997000-memory.dmp

Filesize
860KB

Download
memory/780-151-0x0000000007E70000-0x0000000007FDA000-memory.dmp

Filesize
1.4MB

Download
memory/2196-132-0x0000000000000000-mapping.dmp

Download
memory/4232-145-0x00000000004F0000-0x000000000054A000-memory.dmp

Filesize
360KB

Download
memory/4232-147-0x0000000000B70000-0x0000000000B9D000-memory.dmp

Filesize
180KB

Download
memory/4232-148-0x0000000001660000-0x00000000016EF000-memory.dmp

Filesize
572KB

Download
memory/4232-146-0x0000000001750000-0x0000000001A9A000-memory.dmp

Filesize
3.3MB

Download
memory/4232-150-0x0000000000B70000-0x0000000000B9D000-memory.dmp

Filesize
180KB

Download
memory/4232-143-0x0000000000000000-mapping.dmp

Download